
IATC - Rivers on Fire; Shaping the next phase of the mission

BSides Las Vegas · 37:51 · 185 views · Published 2022-09
About this talk
IATC - Rivers on Fire; Shaping the next phase of the mission - Joshua Corman, Beau Woods I Am The Cavalry @ 10:30 - 11:30 BSidesLV 2022 - Lucky 13 - 08/09/2022
Transcript [en]

So on the same day, October 1st of 2021, the Wall Street Journal published the loss of that baby in Alabama, which we knew but dismissed as anecdotes, or random, or just one. We also, on that same day, published the first statistical proof of loss of life: that cyber attacks can degrade a hospital and a region sufficiently to drive excess deaths, both for time-sensitive conditions like heart, brain and stroke, and pulmonary, but also through some excess death analysis our data science team did. And then number three on the panel is Lisa Young, the systemic risk management and cyber-physical citizens person from the team.

So that's going to be session two: some of the things we saw where bits and bytes were meeting flesh and blood on a daily basis. I think several of us have PTSD from that, but these are some of the superheroes from different backgrounds than hacking that brought their skills to bear, along with Beau and others, and Spanky and many others, that had a very different pandemic experience than many of you. Next up will be Rivers on Fire, and David Batts is going to walk through, since many of you didn't even see all these, but we had existence proofs of the attacks on water, on food supply, on oil and gas pipelines, on municipalities, and we have a tour de force through some of those existence proofs and possibly how parts of government are and are not reacting appropriately. So that'll simmer you in maybe things you knew half of, but you'll know more of.

Followed by: one common thread through most of these victims is they are target-rich, cyber-poor. We just took a riff on Wendy Nather's poverty line, but in a much more applied and operational way. And one of the uncomfortable truths here is, even though the government sponsors ISACs, or Information Sharing and Analysis Centers, for all 16 critical infrastructure sectors, and even though they sponsor sector coordinating councils of leadership from the public-private partnership, and even though there's lots of free information sharing and free indicators of compromise and free resources from CISA and the different agencies responsible for those 16 (like healthcare is HHS), most of the participants in there are the cyber-rich. They're the haves, not the have-nots. Most of the attacks and the victims are the have-nots; they're below that poverty line. So if the private sector sees no money in helping the cyber-poor, and the public sector says "let's partner with the private sector," we have a very circular problem. So I have a deep passion and burden on my heart for fit-for-purpose help to the target-rich, cyber-poor owners and operators of critical infrastructure. We cannot say "just do best practices, just do zero trust, just do this, just do that." They don't have a single cyber security person on staff. We have to meet them where they are, identify and buy down risk, and we do that every single day, and this is the task force with what we had available. I'm hoping maybe part of our next phase of our mission is crowdsourcing and creating tools that actually help people, because the private sector won't. My framing for that is: if you think of a pyramid with the Fortune 100 and 500 up top, and then there's everybody else down below, ransomware gave the adversaries, the attackers, a way to monetize the cyber-poor. Defenders have not figured out how to monetize the cyber-poor, so it's a feeding frenzy. Attackers can monetize the poor; defenders have not figured it out. So they are prone. They were always prey, they were always prone, and now predators have taken notice. So we have a feeding frenzy for the foreseeable future, and when you press my former agency and their teammates in government, they say "well, we partner with the private sector," and that's a sincere answer, but it's not a helpful one. So there are some existence proofs that some of my CISA teammates are going to talk about, where we did things for the

cyber-poor, like "get your stuff off Shodan," or as I like to call it, "get your [ __ ] off Shodan," free scanning services, and we coined this thing, CISA.gov bad practices, that you're going to hear about. So not just best practices, but what are the most dangerous things that we encounter, and how can those become the negligence standard or be eradicated strategically, while they are common practices that are also dangerous. So that's going to be maybe a nudge and inspiration for tomorrow. Jen Ellis has assembled some Guppies as well. A lot of progress has been made over the last two years, so we're gonna have a policy update with our friend Leonard Bailey from DOJ on strides to further decriminalize good faith security research, which is one of our day one goals, so that's amazing. And we have a hacker as a Senate staffer, in a pretty important Senate position, who's going to talk about some of the other things that have happened and things that are coming, because a huge chunk of what we do is not fixing a single flaw on a single device from a single manufacturer, but maybe changing the rules to make more defensible, maintainable, reliable digital infrastructure. And then we'll have the feedback loop from you. So that was a lot of stuff for day one. You're gonna hear much more detail from our assembled team, but this is to simmer you in the discomfort that shit's on fire. Most of them are the target-rich and cyber-poor; there aren't ample solutions or engagement models, and in some of those sectors, like food, there's not even an ISAC. So just like I said "the Cavalry isn't coming" nine years ago, I meant it for certain specific details, but for now there's a lot to do and there's no one stepping up to do it, so we can either get them to the starting line with us or we can fill a void temporarily. But there is much that has been accomplished that we should be very, very proud of, and there is much, much more to do, which will pivot us into tomorrow, and in case I don't have an opening session I'll do a much faster version tomorrow.

Press coverage has been one form for cyber security for a very long time, so we've asked Lily Hay Newman from Wired to help us assemble some press to say how should press change if shit's on fire. Now, we always say "well, until bad things happen, you know, this is theoretical." Well, they're happening, and I want to ensure that we don't always have a private or commercial voice giving, you know, corporate talking points when there's people dying, or that whenever I say "hey, there were losses of life in this particular ransomware in a hospital," we don't have someone say "yeah, but what about the patient record count and the fines." We want to make sure that we're focused on the right things, and this will be a conversation tomorrow about how can we best make ourselves available to the press and how do we ensure that coverage of consequence makes deliberate, conscious choice changes. And there are some obstacles that are unobvious that Lily and I were discussing a couple days ago. It's going to be tough, right? Press works a certain way, we work a certain way, and we're gonna have to work a different way if we want to differentiate corporate security from cyber-physical safety and public safety. Followed by SBOM. SBOM is a double

talk. SBOM, software bill of materials: this is one of those day one Cavalry ideas. It's across the chasm and is in an executive order; it's happening, it's inevitable, it is not easy, there's some opposition. But SBOM is a dual talk tomorrow. It's really both showing how things like software bill of materials, software transparency, software trustworthiness could be part of the answer: for starters, the cyber-poor maybe can't invest in security, but they can get more of a head start and a leg up on some of these things. But also, one of the coolest things in the SBOM movement was an open source project called DaggerBoard, where a hospital said "hey, no one's building anything for us, we're going to build it ourselves," and they open-sourced it. So it's not a solution for all things SBOM, but how do people consume and operate and avail themselves of things like SBOMs from plural places and plural levels of quality? Next time there's a Log4j, and there are still hospitals calling me even last week saying "it's been eight months, Josh, I still don't have an impact analysis from my vendors." Eight months later, we still don't know where Log4j is for some of the medical devices; no promise of patching. So that's part of why we want to talk about SBOM, and I think it's a universe in a grain of sand that may inspire why we need more developers in the Cavalry ranks, why we need to build more tools that can meet a wastewater treatment facility where they are and solve their problems for their most egregious exposures while we're waiting for the Cavalry to come from either the coin-operated private sector and/or the government figuring out whose swim lanes, or which swim lanes, and how to help. So that's going to be both informational for SBOM but also hopefully inspirational for the kind of things we might want to do in the next phase of the Cavalry.

Trying to do this from memory: we have an ICS talk on how to talk to stakeholders about ICS and OT security issues, and I might have this in the slightly wrong order. And then we also have basically what I've been calling the "act local, act global" talk, which is: there's been some state-level experiments, and Ray from Michigan is going to talk about one of the state-level experiments in the state of Michigan for hackers working at the local, state level. There's been a lot of efforts from Beau, from others, the National Governors Association in the past, but this is more tailored, fit for purpose at each state or municipality level. And then we have some people from the CyberPeace Institute that are talking about how that is a part of an overall patchwork of parallel experimentation internationally, and there have been some national and global movements like the Cyber Threat Intelligence League, CTI League, that helped operationally with these hospital attacks early in the pandemic and continues to. So there are new parallel efforts, Cavalry in shape or in spirit, and this is potentially one of the areas where we're going to have to go higher, internationally. Beau led a really incredible initiative with the World Economic Forum that is one of those global examples of maybe minimum pledges for how IoT should not have hard-coded passwords, for example, or should be patchable, things that you might have heard from this group for a while. So this could be part of our future,

scaling up and down and laterally, and seeing what you can do to help your local municipalities, for your food, your hospitals, your state governments. And then, I think I didn't miss any, but we're also going to do a very large chunk of workshopping to hear from you as to what you think we can and should do and commit to do, and how we can get some scale. And Jen and others reminded me that while Beau and I and some of the other long-standing advocates and public speakers and ambassadors do the best we can, we really need logistical and organizational back-office support. We need project management. We need to get better at being historians, capturing the truth, maybe having records of what happened when, in what order, by whom. So there's a lot more roles to be filled that would give us more scale, more staying power and more parallel action. And Claus, I don't see Claus in the room, Claus has been the volunteer coordinator and wrangler for much longer than any single person should have to, so we're really looking for more welcome wagon and onboarding for whenever someone says "hey, I would like to help, how do I get started?" So there's a lot of volunteer roles to be filled, and maybe we can identify some of those in our two-day, two-hour session tomorrow. I just gave you an avalanche of logistics as opposed to inspiration. How much time do I have left? Where's my proctor? How many? Okay, all right. Any questions on that avalanche?

The overall theme and feeling we want you to have is: nine years ago we said stuff was flammable and we wanted to be left of boom, to prevent harm and maintain trust. We've done some incredible things, and I hope for a few minutes now to share some of the highlights of the last nine years while I pull up some slides. But now that things are on fire, I do think the mission needs to change. I just don't know how. You know, we could say "mission accomplished"; I don't really think that's apt. We could definitely get some new leadership and new blood into the mix, but I think it's going to have to be a reorganization of the focal points and how we measure success. All right, would you like to share a couple of your favorite accomplishments over the last nine years, or compare and contrast?

Yeah, sure. So as I was thinking about what we could talk about today, it occurred to me that, like, nine years ago, as Josh said, there was a lot of kindling. There's a lot of things that could catch fire. Some of them we saw catch fire, and we paid the most attention to those, tended to look at those the most, because they're in the press or the hype cycle, but that's not all that's happened in these. So for every highly visible failure there is at least one measurable piece of progress in that area. So if you think back, you know, nine years ago, I think that was a year or two after we saw people drive cars off the road through hacking them. The auto industry said "oh well, that only happened because you were sitting in the seat next to the driver, that can't happen remotely," and then the next year they made it happen remotely. They said "well yeah, but that's theoretical and it can't happen."

This is where, when we came in, we started talking to some of those carmakers, started talking to NHTSA, the National Highway Traffic Safety Administration, some of those different organizations, pulling people together. We published something we called the Five Star Automotive Cyber Safety Framework, playing off the five-star crash rating system, and started talking about that, trying to get some adoption and awareness, and managed to actually, I think, incept quite a few carmakers. Some of them hired CISOs because they saw an increase in talks at Black Hat, but when they got there, they didn't have a toolkit, right? You tend to apply what you have, and most of the toolkits we have are for how do you operate an environment, you know, how do you build your corporate network, not how do you build a product. And so what we put out was actually really helpful for those individuals to think through, as well as contribute to, and then go apply it in their own organizations. And so we've actually seen within the car domain a couple of things come out for automotive cyber safety: NHTSA published one, the Automotive ISAC published one, and we've got a couple of friends in the Automotive ISAC. The person who ran the Aviation ISAC for a while went over to the Auto ISAC, and she's very, very friendly to hackers. So we had some successes there and the industry had some successes there.

Also, if you go back and you look, you had people at Black Hat, DEF CON, BSides talking about medical device security issues, and there was a lot of kind of fear around medical device security, because there are people walking around, probably some even in the room today, who have a higher quality of life, or who wouldn't be alive, without a medical device connected to them at all times. And at the time, you know, the industry and the hackers were at odds with each other. Fortunately the FDA stepped in and said "look, we don't know what's going on, we're not cyber security experts, but there's something here, we need to figure it out and we need to figure it out together," and helped bring together the hackers, the manufacturers, the doctors, the patients, everybody else. We published something else called the Hippocratic Oath for Connected Medical Devices, again playing off of something that most people already associate with that domain. It's on the screen here; I won't read through it, but the idea was that just as doctors take a symbolic oath to act in the best interest of their patients when they're delivering care, the same should be true with devices that deliver care, now that they are the primary way that doctors interact with patients, either directly or through proxy. And this had a lot of success. The FDA, you know, I won't go through all of the successes in this because, as Josh said, we've had a ton of success in healthcare and medical, but the FDA put out something that they call pre-market and post-market. I won't get into all the wonky policy details of those two docs, but essentially, if something is going to go on to the market and be sold in the U.S., it has to follow certain guidelines; the FDA reviews that. Once it's on the market, if there are issues that come up that could impact effectiveness or patient safety, the FDA wants some ability to have the

manufacturer address those. And if you put those two documents side by side and align them with this Hippocratic Oath for Connected Medical Devices, it's like one for one. Almost everything that we wrote about is now the law of the land; it's instantiated in this guidance for medical device makers that this is how the FDA is going to evaluate you. So it's not suggested, it is effective: if you want to get on the market and stay on the market, you have to follow these rules of the road. Tons of (thank you), tons of medical device makers are out there. We have the Biohacking Village device lab which, if you haven't been, I highly recommend. A bunch of medical device makers come in and bring devices, put them in front of hackers and say "we know you can hack this, we just want to know how so we can fix it." That is 180 degrees from where we were nine years ago. There's been an amazing amount of progress there.

If you look at the household IoT, so, you know, household IoT is a bit of an outlier; there's not as much human life, public safety attached to that, but it is a huge issue. And I remember flying to Austin, Texas one October for an NTIA event where Allan had gathered a bunch of people to talk about software updateability, upgradeability in IoT, and there were a lot of people from industry there, some of whom were all about it, and others said "ah, it doesn't matter, it's not a big deal, like if something doesn't work, you know, we'll just disconnect it from the network, that's a fine solution." And I think I said something like, you know, it's not the individual attacks against a single device that matter, it's leveraging all of those exposed, prone devices on the internet to cause harm. And what was it, Allan, like a week later that the Mirai botnet hit? And, you know, people in the room were like "oh, you're wrong, it's not going to happen, no one would ever do that." Literally a week later this happened, and that caused a whole lot of things to happen in government. I sometimes say that government lost its collective [ __ ], because this was such a pronounced impact that they thought only a nation state could have this kind of impact, cause this kind of harm on the internet. Well, it turns out it was some college dropouts who were trying to knock a competitor's Minecraft server off the internet. So this is like hobbyists, extremely low level of capability folks, who were able to have a huge outsize impact. And so there were many, many initiatives that started in the US government, as well as others, that led to, I think, a lot of progress in that area, up to and including, you know, some of it kind of snowballed and people were saying "well, if this is the impact that could happen to home IoT devices, what about bigger systems, pipelines, industrial control systems?" And so you've seen in the past couple of years a series of executive orders, Congressional actions and other things looking at what we can do. And it turns out most of the government's action in this area has been how do you operate the equipment more safely. Well, I think a lot of us were saying, and have been saying, the hackers in the

in the world, here at DEF CON, Black Hat and all the other BSides around the world, is: once you get a vulnerable, exposed thing on your network, it's already too late to do a lot of the critical, safety-critical steps that can only be done when you're designing, building and implementing it. So let's move way left, not just left of boom but left of buy, and get to a place where we can influence those standards. So you've seen a lot of things in executive orders and in some other government requests, and right now they're trying to figure out how they can get left of buy, because in some cases their authorities don't let them. So they're working on, you know, new types of ways that they can actually equip organizations rather than hamstring them, or allow them to be hamstrung, so that when they buy something they can know what the security posture of that thing is, they can put measures in place, and they can choose alternates if what they see in the market, in some segments of the market, doesn't have the security capabilities they need. So for all of the badness we still are in, there's been a lot of progress. And our day one thesis was: it can't be just us doing it, and it can't be any part of any sector, any industry, any government doing this. It's got to be all of us working together. And so where we see some of those successes, I think it's our responsibility to highlight them, to promote them, to dogpile on them, to jump in and help lift those up, to make those roadmaps for success for other industries to build on them, to extend them, and just to make sure that they get the effect that they need to have.

Yeah, there's so much to be proud of, and so many of the people in this room and not in the room, people streaming online, people at home, that have done some things. So maybe to punctuate that, a couple of the things as I reflected on the flight here: there weren't a lot of ISACs when we started; you know, we helped get that off the ground. The Five Star has become a blueprint for how do you avoid failure, take help avoiding failure without suing the help, capture, study and learn from failure, respond to failure, contain and isolate failure. We affected the shape of the FDA policy for the US and the planet. We caused the first safety communication and recall with zero dead people first, and that was like the moment when we really knew that we were on to something. We extended our reach into other areas. When that Mirai botnet happened we wrote a [ __ ] law. Hackers wrote a [ __ ] law. Now obviously there were partners in the Senate, in the House, and it took two entire Congressional sessions, but in late 2020 that thing passed into law. It's a minimum hygiene standard for IoT purchasing. He mentioned the executive orders; we knew that this isn't just about responding to failure, but this is making more rugged, defensible, survivable, anti-fragile things. And then we've really tried to ensure that the next generation of regulation is focused on threat modeling and patchability and maintainability and embrace of hackers acting in good faith with coordinated vulnerability disclosure programs, which is now required for all federal agencies. All federal agencies have to have a coordinated vulnerability disclosure. You're gonna hear from Leonard; they'd be

actually giving guidance to not prosecute hackers acting in good faith. So we are increasingly making it easier for us to keep people safe. And then when the planet was going through a once-in-a-hundred-years, very dangerous, very lethal event, they turned to several Cavalry people to both design and implement what the federal and global response should look like. So we got to put on, got conscripted to a certain extent, and put on go time, and we could only do this because of the collaboration and creativity of every single one of you. And we hacked the government, in lawful ways, and hacked the planet. I mean, I don't think they fully realize the impact, the long-term impact, of some of the things that we published, like bad practices. This is going to, this is already changing insurance. We have just declared what bad looks like, what negligent looks like, what dangerous looks like, and the standard you walk past is the standard you endorse. And just in case you don't come for Don's part, at least the two we got through initially were: the use of unsupported, end-of-life software in service of critical infrastructure and national critical functions is dangerous and materially elevates risks to public safety, economic and national security; this dangerous practice is especially egregious in internet-reachable technologies. We've now put a stake in the ground; it could enable insurance exceptions, wrongful death lawsuits, FTC consent decrees, you name it, regulatory action. And then number two is the use of hard-coded, default and guessable maintenance passwords is also dangerous. So this is a growing list of things, and some of those hacks will have long-standing future implications, but these were powerless hackers at BSides being bold and trying to make sure that we hold ourselves to a better standard.

So before I shift to the last 10 minutes of Ramon's concert, I'm going to say one of the lines we got into the executive order, because I think this is me trying to channel my inner Dan Geer, but now that things are on fire it's just a riff on what our day one problem statement was. I said that, in the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced. And I've always looked at this group as: we trust things without them deserving the trust, and we want to, you know, narrow the gap between overdependence on undependable things and ensuring that our neighbors and our loved ones can enjoy the benefits of those connected technologies, the promise without the peril. And I've always said the failure mode wasn't the specific losses of life, it's any crisis of confidence in the public to trust these superior technologies. So we are, in my opinion, the lighthouse keepers, to be that heat, be light, be heat, be good, to try to ensure that we're warning of both the promise and the peril of these choices, in that order, dependence. And we're in a very dangerous moment in history where we're out of balance there, and your actions to date have put us on a better footing, but there's so much more to do for the next couple years. And I hope to answer the question "what should the Cavalry look like?" with you today and tomorrow and throughout the rest of the week and through DEF CON. But Beau's really taken some of this spirit into the DEF CON policy track, village, whatever we want to call it, and just walk around the

villages: Maritime Village, Aerospace Village, ICS Village, Biohacking Village. We have a large auto hacking village. We have a large and growing tribe of tribes that are all learning from each other and making each other better through parallel experimentation. So I can't wait to see what you bring to this.

All right, harsh transition to the last maybe 10 minutes. I'm not going to show you everything, but I was spitting fire in New York City two, three weeks ago. I'm just going to show a few things from there. All right, so Andrea Matwyshyn had said "no one's gonna listen to you, it's not gonna be like a cyber 9/11 or cyber Pearl Harbor, it's going to be like the Cuyahoga River in Ohio," right? It caught on fire and stayed on fire. How do you put out a river on fire? You all heard this from me if you've been in these rooms before. We have had fires, folks. We had the Oldsmar water facility: the water we drank has been on fire. Fire. The food we put on our table, with JBS and other meat and food supply chain attacks: fire. The oil and gas that fuels our cars and our homes: fire. The municipalities, the schools, the people who function our local governments and our federal governments at the national security level have seen compromises, and even fire: timely access to patient care, which Kendra's session is going to go through in extreme detail. But we have had losses of life.

So with the precursors: when I started, we served on a congressional task force for healthcare industry cyber security as part of, this is a 2015 law, and in spring of 2016 a single Java flaw, a single, it was a deserialization flaw, in a single JBoss library in a single medical technology took out Hollywood Presbyterian hospital for a week. You had to divert ambulances in LA traffic; even a block in LA is maybe not a survivable reroute. They actually canceled surgeries, moved patients throughout the week. It was harrowing. Later on, when we were about to publish, or just had published, the Mirai botnet that we referred to, we published our healthcare task force report saying overtly "healthcare cyber security is in critical condition." I'm reminding you of this slide because Kendra may have a slide that says "providing medical care is in critical condition" at the national level. But the idea here was: these were the cyber-poor. They didn't have security people on staff. They were defending Windows XP or older. They were over-connected to each other, flat, unsegmented networks, and reachable by the outside world. This wasn't about privacy. I love my privacy; I want to be alive to enjoy it. And yet everything was about HIPAA. And then lastly, Billy Rios pointed out a typical medical device could have a thousand or more CVEs in it, and while most of those are not exploitable, it just takes one. And we said this is not good. And we talked about, well, there's no money, and we said "if you can't afford to protect it, you can't afford to connect it," or my Stan Lee friendlier version: "with great connectivity comes great responsibility." And then our UK partners had 40 of their UK National Health Service disrupted for Mother's Day weekend within days of us trying to publish this. So the U.S. got quite lucky, but NotPetya actually did more damage to U.S. infrastructure, including Nuance software and a bunch of medical devices,

and some hospitals shut down for a time, and some kids in this book couldn't get, they were cleared for surgery, so kids had potentially delayed surgery because of the entanglement and brittleness of IT systems. Little kids couldn't, you know, get surgery without some heroism from maybe somebody in this room. And what we know is that delays cause patient outcome harm. So you've seen this from me before, but I'm reminding us, as a primer for Kendra's session here: we know from a seminal piece in the New England Journal of Medicine, a study that has nothing to do with cyber security, that if you have a heart attack during a U.S. marathon, in a U.S. marathon city during a marathon, you're more likely to die. And the reason is the 4.4 minute longer ambulance ride to get around the runners had a statistically significant mortality rate after 30 days. So we know time equals mortality in some of these measurable, quantifiable ways. And I said okay, so this is from Christian Dameff, one of our fantastic teammates, and Jeff Tully, board-certified physicians that grew up going to DEF CON, quaddi and r3plicant, and they helped us understand that for certain time-sensitive conditions, any delay, irrespective of cause, can affect mortality. So if we know delay affects mortality for brain, for heart, for pulmonary on certain graduated timelines, and if cyber security can introduce significant delay, cyber security can introduce loss of life.

So we started killing people at the CyberMed Summit, which is now its own non-profit. CyberMed is doing a lot more and has formalized, including the first DC event recently, where I think Senator Warner gave our opening remarks. And we showed that you could introduce real hacking in contrast with real physiology, to see if doctors can notice what happened and save the lives, and through demonstrable real-world hacks, like insulin pumps like Jay Radcliffe, like the bedside infusion pump from Billy Rios, like the hacking of pacemaker defibrillators, maybe with a three-digit universal access code that maybe caused a recall, that these physicians, as well trained as they are, implicitly trusted this technology and were gobsmacked. We then started doing more tabletop crisis simulations to test their assumptions and saw different failures. We hacked the integrity of blood banks in the OR so that you put the wrong blood type in the surgical field and it coagulates and bad things happen. And we found you could even hack people without touching them: if you can't tell if a stroke is a rupture versus a clot, the clot buster is a miracle drug that will save your brain and save life, time is brain, but if you can't diagnose it quick enough, if you give that to a rupture, you'll kill the person; they'll bleed out. So merely disrupting imaging and not having the next proximal alternative care in driving distance or helicopter distance meant people died that didn't need to. And then you don't even have to hack the device at all. There was an incredibly expensive radiation delivery precision machine that heavily relies on cloud computing. The cloud was down for a very long period of time during the pandemic, and so those incredibly expensive, otherwise functioning radiation delivery devices couldn't do their job. They were bricks, big heavy paperweights, because we always assume the cloud will always be there, except for when it isn't. So during the breaking points here, when the con... this is where I get heavy, okay? And I may say more during the week, but this has really messed me up from my

public service and I'm getting over it I'm trying but when the country hit 500 000 dead Americans from covid we also hit 150 000 additional Americans who lost their lives from uh non-coveted excess deaths the CDC tracks checks xss all the time it's a rolling average of who died in which state in which month from which condition so if you normally see a hundred from this place in this state and you see 110 you have 10 excess deaths I asked my team hey I bet you these are time sensitive conditions what's killing these people let's study it and remembering the four 4.4 minutes can lead to loss of life for a heart and four hours one to three to four hours is

loss of life for strokes what could four weeks do four weeks a regional outage to the state of Vermont so I said we need to study this we need to understand what happened and my team is going to take us through that in the next session but um while we were racing the publish and it took much longer to publish than I'm comfortable with and a lot of extra people died in the meantime The Wall Street Journal put on the front page is that that baby um is possibly the first victim of cyber disruption uh degrading and delaying care enough we are surrounded by technology this is the bonding moment Beau and I had nine years ago in the

speaker Lounge about was it confer on the the NICU infant fetal heart monitors if you degrade these technology assists you degrade the care we have more patients admitted because we have been able to scale with technology take that technology away and you're more much more dangerous moments so the patient has to be at the center of this and lives have to be at the center of this we should care less about record count and more about human life timely access to care so we published some stuff it took a long time a lot of people in government did not want us to publish this but we are tenacious and stubborn and creative and we did a turducken within a

turducken but we got uh we got it published and essentially what we found was uh back in February uh March of 2020 2021 at the one year mark um we said are there any leading indicators any leading indicators that correlate to this um excess death surging we had and what we found was another public data source called ICU bed count or intensive care unit um bed count 75 is usually optimal during the pandemic it was fatal and we measurably so and for example what we saw is if you hit 75 percent ICU strain Nationwide you'd see 18 000 dead Americans two weeks later an additional months four and six weeks later if you got to one hundred percent

you'd see eighty thousand dead Americans and unlike covered deaths these were primarily 25 to 44 year olds these are younger people that needed timely access to care I myself almost didn't get timely enough care for surgery because of the strains on these hospitals so we wanted to warn people that if you could manage your ICU strain you could avoid elective loss of life we published this um something that Kendra is going to walk through called provide medical care is in critical condition and uh and through this analysis we could see that systems hit by ransomware for protracted amounts of time could be strained sufficient to lead to loss of life and I recently testified to the Senate

on the record that these attacks have led to measurable loss of life so it's in the ecosystem now and when I'm asking each of you for the next couple days is not just to up and renew your participation but how do we change the conversation so that whenever someone says there's an attack we don't just go back to well how many records were there or what was the cost of the ransom or is there a HIPAA fine none of those things matter what matters is timely access to patient care for you for your loved ones because the a growing toll from these attacks is that we have seen 10 20 and 30 losses of critical

infrastructure Workforce the people who make sure we have drinkable water who make sure we have food supplies and groceries stocked we make sure we have timely access to Patient Care we make sure the oil and gas and electricity works and we are [ __ ] with Maslow and we can't so as the world is increasingly depending on digital infrastructure they are increasingly depending on us so what role will you play and how should we change over the next two days because we've done some incredible things over the last nine years we've been left of Boom more times than I ever expected but there's a lot of booms right now shit's on fire what are we gonna do

about it thank you for being here and I'm out of time