
Thinking & Acting in Decades: Looking Back as we Look Forward

BSides Lisbon · 2023 · 49:54 · Published 2024-02
Style: Keynote
About this talk
Where were you 10 years ago? What did you believe? Where did you think we would be by now? How has it turned out? 10 years ago, @iamthecavalry was born - and so was BSidesLisbon. It is a moment for celebration and reflection. Looking back equips us to look forward for the next 10 years - with more intention and effect. Changes are upon us… how will we change to meet them? ABOUT THE SPEAKER: Joshua Corman is the founder of I Am the Cavalry, a grassroots organization focused on the intersection of digital security, public safety, and human life. He was formerly chief strategist of CISA's COVID Task Force, where he advised on the pandemic response, provided cybersecurity expertise on healthcare infrastructure, and supported control systems and life safety initiatives. Prior to CISA, Josh was SVP and chief security officer at PTC, where he accelerated cyber safety maturity across industries. Previously, he served as director of the Atlantic Council's Cyber Statecraft Initiative, on the Congressional Task Force for Healthcare Industry Cybersecurity, and in leadership roles at Sonatype, Akamai, IBM, and the 451 Group.
Transcript [en]

Good morning. Are you awake? Okay. We had no air conditioner last night, so I'm operating on two hours of sleep and 10 espressos, but I will bring the energy if you do. Okay, so thank you to BSides for inviting me. I feel some kinship in that I Am the Cavalry did start 10 years ago. We're going to talk a little bit about why it started and what we did. 10 years is a long time, so think about where you were 10 years ago. I'm deeply grateful to any volunteers that spend a decade trying to make the community or the world a little bit better. All right, here we go.

So depending on my pacing we may or may not take questions, but I will be here all day, so we can generate discussions in the hallways or during lunch and whatnot. In fact we're staying till Tuesday. So I'm Josh. I met some of you yesterday; I look forward to meeting more of you. A decade is a long time. We tend to think in quarters, or maybe in what happened this year, or what you're currently doing for your job. If you always do the easy things, if you always do the tactical things, if you always solve for the low-hanging fruit, you know what you're left with? The really hard problems that take years to solve.

So about a decade ago (we're going to get a little bit into the backstory) I was growing increasingly concerned about the relationship between technology and the human condition. I'm not originally from the hacker community. I'm a philosopher by training who ended up accidentally in the hacker community, and then I became a systems thinker, and now I help write laws and get laws passed. So I'm trying to hack policy. That's not a really traditional combination, but it was deeply rooted in deep concerns I have that we adopt technologies for their immediate and obvious benefits, but we don't do a very good job at cost-benefit analysis until it's a little too late, and with each passing generation we've been taking larger and larger technology risks.

So time permitting I may tease a framework I'm working on. But let's not only look in the rear-view mirror; let's look forward. Where do you want to be in 10 years? Where does this community need to be in 10 years? Are we our best selves? Are we embraced by the businesses? Are we embraced by policymakers? Are we having the impact we want? Are we going to be doing the same thing 10 years from now at this conference that we are now? To truly move the industry or change the world you have to think long term and then make near-term decisions to get there.

So let me start with something I did 15 years ago. Please look at the ceiling. This beautiful building: steel and concrete. Most of you were here yesterday. Not one of you sat in perpetual fear that this building would collapse upon you and crush you. Why is that? It's because steel and concrete are dependable. They're reliable. We have professions, we have architects, we have engineers, we have site inspectors. People trust steel and concrete because society wouldn't function if we couldn't trust these buildings. Now imagine we made these buildings out of some weird new element that you could point a Flipper Zero at 10 years from now and cause the building to collapse on demand, at will. We're putting software,

which is not nearly as reliable, into nearly every aspect of our lives. It's in our cars, it's in our medical devices, it's in our power, electricity, it's in our oil and gas. We are becoming as dependent on software as we are on steel and concrete, but this room knows full well that if it's got software, it's hackable; if it's got a connection, it's exposed. So society overall has not heard us, has not learned that from us, and as such we continue to take bigger and bigger risks through larger and larger dependency. So I wrote a response to the Agile Manifesto called the Rugged Software Manifesto and just said that software developers are creating digital infrastructure, and unlike steel and concrete, it is not nearly as reliable.

It was an attempt to try to make them care about, or be conscientious about, the awesome responsibility that comes of writing digital infrastructure. But that was not really what they thought of when they woke up. In fact, if you look at the modern attitudes towards software, it's Mark Zuckerberg's "move fast and break things". There's a guy named Reid Hoffman who said if you're not embarrassed by your product the day that you shipped it, then you waited too long. Now the people that built this building, or built a bridge that you drive over, or a tunnel that you drive through, they don't say if you're not embarrassed by the bridge that you drove over then you waited too long.

So we have not yet reconciled that software is not nearly as dependable or reliable, and yet we continue to depend more and more. So part of the origin story of this (you might recognize a few faces, maybe not all of them) is I was researching the rise of Anonymous and hacktivism. It was a pretty risky proposition to do. This is, I don't know, 13 years ago at this point, but I kept getting things right. I was not so much concerned about Anonymous or script kiddies or denial of service attacks. I was concerned that this would inspire terrorists or non-state actors to adopt the blueprint and the techniques and do more harm to our way of life.

And unfortunately at some point that's exactly what happened. An honor student from the UK, in Birmingham, was part of TeaMp0isoN, a hacking crew that attacked the website of the prime minister, Tony Blair. His name, a guy named TriCk, Junaid Hussain, was arrested as part of TeaMp0isoN for his hacking escapades. While in jail he radicalized and joined ISIS, and when he got out he moved his wife and child to Raqqa, Syria, where he founded the Cyber Caliphate and was using social media and primitive hacking skills, like Shodan, Metasploit, to both recruit and train others to help attack the West, and also coordinated physical attacks.

It's pretty scary what one can do with Censys or Shodan without much skill at all, especially when many of these critical infrastructure pieces have default hard-coded passwords, naked on the internet. So it's not about "can you disrupt basic human needs like water, food, shelter, safety"; it's "is anyone willing and able to do so". And because we were correctly predicting some of these developments, the intelligence community in the US and elsewhere invited us into Fort Meade, which is where the NSA is housed, for two days, and I got to pick five of the world's best hackers to come in with us. So HD Moore (they wanted his destructive skills); we had Dan Kaminsky, the late great Dan Kaminsky, with his DNS experience; Gene Kim; and a couple others you may not know.

But we tried to warn them that this was not merely about credit cards, this was not merely about privacy, this was not merely about intellectual property; this was about public safety, human life, and it was just a matter of time before we would see these attacks. And after several days of talking to General Alexander (this is before the Snowden examples that probably would have ruined this from happening), we tried to warn them and tried to help influence US law. But at the end of the two days, while they loved our answers to their questions, they couldn't act on a single one of them, and we were demoralized and depressed.

So we went to the airport that night, and there's about 10 minutes of silence where everyone was depressed, and I said, "Guys, the Cavalry isn't coming. No one's going to save us. This isn't going to get fixed." We had naively believed if we just said the right things to the right people that they would go fix it, and they weren't able to. They said until people die we're not going to see political will to do things about this. They believed us that these were real concerns; they just didn't see enough will or public recognition to do anything about it.

So I didn't know what to do about that, and I was demoralized. And without getting into the deeply personal story (after 2 hours of sleep), I didn't have the second half of that equation. I knew the Cavalry wasn't coming. What was going on in parallel was my mother had had a stroke and needed some hospitalization. We thought she would get better, but it turned out it was just the front wave of brain cancer, and over the next several months we had to watch her slowly die and spent a lot of time in hospitals. It was pretty demoralizing. She was quite young, and when you see that an average lifespan is not a guaranteed minimum lifespan, you start to question what's important to you, and you start to be very conscious of time and how little time there is, so you don't want to waste time.

And ultimately when I went to give her funeral and her eulogy (I was her oldest child), I realized that if something's missing in the world, maybe we need to put it there. Something just occurred to me during my eulogy, and I kind of knew in that moment that if the Cavalry isn't coming, I guess we have to try to do something. Because when you realize you're alone, or that no one's going to solve something for you, it is both demoralizing but it is also empowering, because that means the person in your seat, to the left of you, to the right of you, might be the solution.

So before I lost my nerve, we went to a hacker conference many months later, in August, on August 1st. We originally submitted to the DEF CON conference and they rejected it. They said it was too touchy-feely of an idea to say the Cavalry isn't coming. It was myself and Nick Percoco. Then we decided, okay, let's do this at BSides Las Vegas, because BSides is the more inclusive mentoring community trying to make the world a little bit better. Ultimately when Jeff Moss found out, he gave us a talk on the main stage at DEF CON as well, so we kind of had a dual birthday, on August 1st and August 3rd.

But the idea was: if no one's coming to save us, what is the hacker community willing and able to do? We said it would take years before they'd listen. We said people would likely have to die first. But our idea was basically that our dependence on connected technology was growing much faster than our ability to secure it, in areas affecting public safety, human life, economic and national security. And while there had been hacks of medical devices from the late great Barnaby Jack or from Jay Radcliffe, or there had been hacks on cars from (bless you) Charlie Miller and Chris Valasek, or an academic, it was mostly considered stunt hacking, or there wasn't a public consciousness that this could get pretty bad.

And over time my problem statement has changed, but basically we're over-dependent on undependable things. And since I'm a big fan of Dan Geer, and I tried to mentor myself to him (if you haven't heard him speak, he's probably one of the most measured and potent thinkers and speakers in cybersecurity), he talks in terms of relationships, and generally speaking if we are over-dependent on undependable things, if we're not nearly as dependent as in steel and concrete, then you have two choices: you can either depend upon these things less and have lowered expectations, or you can make them more dependable.

And I knew the answer was both, but it's going to take a long time to change policymakers, change software development patterns, change laws and liability. So I wanted to make sure that the dependence was proportional to how trustworthy and transparent that is. So let's get to a little bit of jumping around in time, between 10 years ago and today and somewhere in between. One of the reasons I was asked to speak here was because we both started our community efforts 10 years ago. Another reason is because of the work and the trust that we built with I Am the Cavalry and governments.

When the pandemic was declared in 2020, and they recognized that they weren't very good at cyber-physical system security yet (CISA was still quite young; CISA is the Cybersecurity and Infrastructure Security Agency), the director of that agency, Chris Krebs, asked me to come into emergency government service. He said, "How would you like to serve your country for a year?" It turned out to be longer. But I became the chief strategist for what became known as the CISA COVID Task Force. So our job was to keep hospitals as safe as possible from a scourge of ransomware attacks and disruptions to supply chains, but also to protect the development and distribution of vaccines and medicines and treatments,

to make sure we lost fewer citizens globally. So even though it was a US effort, we worked with the international community. And hacker philosopher systems thinkers don't belong in the federal government, but we had to try to do whatever we could. If we're about saving lives, we better try to save lives. So we hired a few of the hackers from the hacker community, systems thinkers, doctors, infectious disease experts, and we tried to actually live it and walk the talk when it really mattered. So while we were there... I'm going to give a few lessons from that incredibly unique experience, but also incredibly traumatizing experience. In fact I'm not sure my career will ever be the same after.

I'm having a hard time: I'm too competent to be in the government, and I'm too civically minded and publicly minded to be in the private sector, so we'll figure out if I can find my footing again. But think of Maslow's hierarchy of needs. It has different manifestations over time, but the idea here is you can write poetry and art and create movies and invent iPhones when you feel safe at the bottom of the pyramid. But if you don't feel safe, if you fear for food, water, shelter, we're animals, we're Lord of the Flies, and we tend to just turn on each other pretty quickly. So the idea here is you're only able to operate at the levels of the pyramid where you feel safe and secure.

And increasingly we are messing with the bottom of Maslow's hierarchy. And what do I mean here? This has not hit Europe as much as it's hit the US (the Russian criminal groups tend to like picking on the US a lot more than other countries), but think about the disruptions we've had since 2020. We had successful attacks on the water we drink; we've had numerous parts of the country attacked, the water and wastewater facilities with default hard-coded passwords. We've had attacks on the food we put on our table: one of the largest suppliers of meats in the Americas was disrupted significantly, over 20% of the meat supply.

We had significant and protracted disruption on the fuel we put in our cars, our homes, and that fuels our supply chains. People were filling garbage bags with gasoline and petrol because they couldn't get enough gas during the Colonial Pipeline attacks. There are attacks on the schools our children attend, on the municipalities who run towns and cities, on governments across the globe on a regular basis. We don't seem to be able to protect anything if there's a determined enough predator. We are prone and we are prey, and when they want to, they disrupt us with impunity. But the one that scared me the most is we had successful disruption of hospitals with, now, fatal consequences.

My team was able to study and prove that ransomware disruptions led to loss of life during the pandemic. So this idea that we'll have to wait until people die first: we've crossed that threshold, and now many governments are listening and taking action. But before we ever got there, some of the things the Cavalry did to be in a position to run security for 7,000 hospitals was we tried to use empathy and team building and get outside the hacker circles and learn how medical people talk, learn how automotive people talk, learn how oil and gas and industrial control systems people talk. So they don't care about cybersecurity

in hospitals. They're starting to, but for a long time they said... we said, if we give you $10 million to do cybersecurity, 10 million euro, what would you do with it? And they said, well, we'd hire more nurses or buy more ambulances. They're mostly concerned about patient safety or HIPAA, patient privacy. When we studied and tried to learn what they did care about, one of the most important papers in 2017 was that if you have a heart attack during a marathon race, if you're in a city that's running a marathon, you're more likely to die, in a statistically significant way. The reason is there was a 4.4-minute longer ambulance ride, and with that 4.4-minute longer ambulance ride they could measure a 30-day mortality rate.

So what does a 4.4-minute delay have to do with cybersecurity? In some ways absolutely nothing, but what it showed us is that delayed and degraded care, irrespective of cause, was sufficient to lead to loss of life. With heart, 4.4 minutes could be the difference; with brain or stroke, it's called the golden hour, where one, three or four hours could be the difference between if you walk again and talk again. "Time is brain" is how doctors talk about it. So we paid attention to that. I was asked to serve on a task force for the US Congress, and we briefed the UK governments and lots of Ana in Europe.

But we spent about a year studying: is healthcare adding more hyperconnectivity in a way that's going to help medicine or hurt medicine? And our general conclusion at the end of one year was that healthcare was in critical condition, at least in US hospitals. Out of the 7,000 hospitals we have, only 15% have a single qualified security person on staff; 85% don't have a single person doing cybersecurity. So if you had actionable intelligence, there's no one to act on it. They tend to be running Windows XP devices, they never patch them, they don't have segmentation, isolation (you're going to hear a talk later about isolation). They tend to have 1,400 known vulnerabilities. There's tons of reports on this; this isn't the point.

But we knew things were bad in 2017. In fact, as we published this, WannaCry hit the UK hospitals pretty badly. So what we said at the time is, well, maybe if you can't afford to protect your hospital, then maybe you can't afford to connect it. And they didn't like that, and they basically said, look, we're doing the least we have to do until there's proof that people died; no one's ever died from this. So just like good hackers, what did we do? We started killing people. So we started another nonprofit called the CyberMed Summit,

and in simulations in the emergency room we would use real doctors who didn't know what was happening. We would use demonstrable hacking of medical devices to see if we could introduce confusion or panic and if it affected patient care. In the several years since we've been doing this, every scenario we've done has led to a patient coding and/or a simulated loss of life. They have an implicit trust in all the technology. And these were not exotic fiction; these weren't even hacking at pacemakers, where someone might just get tired. This was taking a bedside infusion pump and emptying a three-hour dose of a calcium channel blocker in 30 seconds. So it's the right amount, too fast; it causes cardiac arrest, and they lose the patient.

We've also started doing simulated ransomware events, to take out the single hospital, to take out every hospital in the region, to see if and when patient care was affected. So for years prior to the pandemic we were testing how ready we were as a medical community, with helpful hackers trying to save lives through preparedness. Now those were the fire drills, but we had real fire occur with the pandemic. So everyone was panicking. We didn't know how bad it was. We didn't know if there were vaccines capable of being made for that particular type of virus. So there were a lot of unknowns. We know more now than we used to, but try to put yourself back in early 2020.

I did not make this picture, but my friend was making fun of me, lovingly. But we had two jobs: secure the vaccine supply chains and secure hospitals. On the vaccine supply chains first: I study Deming, I study DevOps, I study Toyota supply chains. Somebody mentioned SBOMs yesterday. I'm the daddy of SBOMs, so if you like them, you're welcome; if you hate them, I'm sorry, but not that sorry, because I think the world needs them. But in studying supply chains in other industries for many, many years, when I got to CISA they said, we know there's seven vaccine candidates, we know there's about 23 suppliers that they want us to protect, to make sure they don't have a cyber disruption or they don't have a physical disruption to their manufacturing, but there's another thousand entities and we don't know how to prioritize them; can you take care of that?

So on my very first day I said, it looks like you're prioritizing the really big brands; what about the small ball bearings? And that's from World War II. When the Allies were fighting the Nazis, they said, hey, we have this new invention, we can do bombing on just a very specific target, it's called precision bombing. What should we bomb? Because once we do this the Germans will adapt their defenses; we'll get one shot at a surprise attack. What should we hit? And the Air Force wanted to hit anti-aircraft guns, and the Navy wanted to hit submarine manufacturing, and the Army wanted to hit tank and jeep manufacturing, but the geeks, the economists, they said, no, no, no, hit ball bearings. Every single war-fighting device needs ball bearings.

So whether that strategy worked or not, I asked, what are the ball bearings in the vaccine supply chains? And we used, you know, simple weighted data science, we used a couple professionals, we tried to figure out, of the 4,000 different players, what are the small, unguarded weak links in the supply chain that if you disrupt, you'd have millions more dead people. And we found 66. I only mention this at all (I usually skip this part) because Thiago, when I was meeting him just after this, his own open source analysis had determined some of the very same risky small unguarded weak links in the supply chain. So you don't need a big government budget; you just need interest to figure out who's dependent on which things and how dependable they are.

And this becomes important a little bit later. But one of the scary things about these ball bearings is they were tiny. One of the most important ones had one manufacturing facility on the whole planet. It was needed for three of the top vaccine candidates. They had three IT people, zero security people, and they were all over Shodan. You didn't need any hacking. If any bad guy figured out "I can disrupt this, I can hold them ransom", even if they didn't want to kill anybody, they would have killed millions of people. There was just too much risk on too small a target. And I call these targets target-rich but cyber-poor.

So they're not a Fortune 100 company, they're not a Fortune 500 company, but depending on what basic human needs you have, they may be the single most important organization on Earth to protect. So we had to find them, warn them, and do whatever we could in a matter of weeks or months to try to make them a harder target. I'm going to skip parts of this, but sometimes our hackers didn't do any hacking at all. When the vaccines were invented, we found out that we could lose a third to two-thirds of the first batches of Pfizer because it needed to be ultra-cold, not just cold but ridiculously cold, for the entire transportation until it was applied to the arm.

We did not have enough refrigerators in the country to handle how cold they needed to be, so we had to turn to dry ice. So even though we're a bunch of hackers and systems thinkers, we had to remember dry ice evaporation rates and where it can be made and what it's made from. So we started using Wardley mapping and value chain mapping to identify weak links, and one of the most terrifying parts was not defeating biology, it was not even defeating hackers; it was defeating physics. But these are systems thinkers, where we don't want to just find a single flaw in a single device; we want to find the things that actually matter to the actual outcome, because the goal of Operation Warp Speed and its successors was invent the vaccines, keep them cold, get them into people's arms, to save elderly people that were dying at very large rates, 85 years old or older.

So I'm going to skip a lot of that. Let's turn to hospitals briefly. So I had a lot of experience with hospitals

being on the Congressional task force uh there were 7,000 hospitals uh Europe has been quite lucky relative to the us we have over 700 ransomware disruptions each year on our 7,000 hospitals these disruptions are getting to be larger they're getting to be longer they cost more than other industry ransoms and they um have now been proven to lead to loss of life but I couldn't communicate that to hospitals when you talk to hospital administrators anywhere in their own language they'll talk about the three s's uh remember I told you they said we won't fix anything until people die when you give them money they're always trying to spend on one of these three s's space supplies or

constraint if you have a 100 Beds which is your space you don't have a 100 bed hospital if you only have supplies for 80 of those 100 beds and you don't have an 80 bed hospital if you only have enough staff for 60 of those 80 beds in the 100 bed hospital so their capacity is what they're solving for and whatever the constraint is they need to spend more money on so there's no room in there for cyber security and in their world there never would be now what we saw during the pandemic is whether it was biology or supply chain disruptions all three of them had record high stress so depending on which hospital it was

and what month it was there was a different constraint and most ly we were doing National coordination on those in fact sometimes a strain would hit Europe first so the us would get to learn from Europe's mistakes sometimes the US did stupid things and Europe got to learn from our mistakes um but what we noticed is their model was incomplete because at the one-year Mark of the pandemic so April of uh a March April of 2021 the US had lost about half a million people to covid but on top of that they had lost one 150,000 additional humans to non-co excess deaths above and beyond expected and I had a hunch based on studying those

Marathon studies I'll bet you these are time sensitive conditions like heart like brain like lungs where minutes or hours are the difference between life and death so I added this row and I said where hearts are affected by minutes maybe it's not caring capacity for patients maybe we should ensure that there's not excessive delayed access to care the other thing we noticed is that medical technology is a force multiplier in 1990 a single nurse taking care of babies would have one nurse to one baby one nurse to two or three babies that was about the ratio of nurses to babies but now armed with modern technology they can handle 10 12 15 babies concurrently use using a dozen or more

remote monitoring stations and Technologies here's the deal if technology is a force multiplier for our staff then the unavailability of that technology is a force divider and when it goes away very bad things happen because the hospital that used to safely handle three babies now has 15 so you have the technology to handle three babies but you have 15 per nurse so what we saw is this can lead to worsened outcomes for time sensitive care or technology dependent care and this is exactly what happen happened in Alabama in 2019 so two important things happened on October 1st of 2021 on the front page of the Wall Street Journal there's a court case revealing that a baby admitted to a

ransomed hospital in Alabama uh was born through complicated um delivery there was an umbilical cord wrapped around their neck and while babies live and die all the time doctors and nurses exchanged information saying that had their technology been working they never would have lost the baby they didn't have Imaging to tell it was going to be complicated and they didn't have good monitoring after the baby was born and it subsequently died in a given natal Intensive Care Unit there could be a dozen pieces of medical technology that assist our staff in extending the reach and quality of care in a safe manner but when that technology goes away it's the patients who suffer so big deal number

one is we've heard of the first named victim that has not been refuted or disputed and it's likely to settle in case law the second thing that was published that same day was by my team we studied the effects of these ransomwares and other factors on us Hospital capacity in a number of different ways through qualitative and quantitative analysis and using some data science where we could see that every single time the US hit above 75% use of its intensive care units we saw very large numbers of excess deaths two four and six weeks later so using some published data in the CDC morbidity IM morality morbidity and mortality weekly report we could see that if the US us hit 75% capacity you

would see 18,000 dead Americans in 2 weeks if you hit 100% capacity you would see 80,000 dead Americans in two weeks so very large numbers related to hospital strain now armed with this instrument to meal Hospital stream we looked at the state of Vermont which got hit really hard by one of the ransom attacks it was down for a month for all of its systems in this particular community and it was down for about 5 months before it got back to its full capacity and measuring in the same state with the same uh population adjusting for Hospital type and size we could see that communities hit by Ransom achieve these stress levels sooner and stayed there longer so

we could quantify minimum maximum and most likely number of excess deaths associated with that Ransom disruption but more specifically in that state we could correlate that with the actual um heart brain and Pulmonary excess deaths in those regions so we may not know which named people Di died but we knew a very substantive number of people died bless you hopefully this pace is good um I'm going to have to cut some other things um but what we know is if you have a disrupted ransomware there's two ways to die one is you may not survive the ambulance ride to the next nearest facility if it's more than 4.4 minutes away more than an hour away this could

alter your survival rates for heart and brain but we also knew in the larger capacity that if the overflow of your patients to other facilities um made a hospital too busy you would see excess deaths later on and then more recently there's been several medical journals that read this and have corroborated there was an attack in UC University of San Diego excuse me scripts Institute in San Diego in California and some people at UCSD a nearby set of hospitals studied that even though they were not ransomed their weight times and admission rates in their own hospitals were elevated due to the other Hospital being Ransom so even if you're not a victim of ransomware your patients can suffer as you try to

take on the overflow, specifically long and protracted overflow. So when I got out of CISA, I was talking to Thiago and others about what do I do now. I'm not even sure I'm a cyber guy anymore. I've just paid attention to what the federal government and the UK government and the Mia government and the Japanese government, everyone, is doing for critical infrastructure. I felt in my bones it was the wrong way to approach it. So I'm going to criticize the US for a few minutes here, but some of these criticisms are equally applicable here. So one thing is, I'm not going to do the entire thing, but the US government has 16 categories of critical

infrastructure. Don't even try to read them, but they're things like water and wastewater, oil and gas, electrical, health care. So there's one called Healthcare and Public Health, and it belongs to Health and Human Services, and just like the silos depicted here, it's one to one. So if you have a critical infrastructure sector, you have one government agency who technically owns that. Eventually CISA was born 5 years ago. In fact, it just turned 5 years old yesterday, and CISA's job is to help all those. So if each of them is a silo, CISA is supposed to be cyber security talent, physical security talent and free services to help all 16 sectors. The problem is the other agencies don't like

CISA, don't want CISA to exist. Yet they're getting over it. But the idea here is that one agency owns US hospitals. The problem with that model is that you can't have a hospital without clean water from a different agency, without chemicals from a different agency, without transportation from a different agency. These are incredibly cross-sector, multidisciplinary items, and anytime one agency tries to help another agency, they're basically told to go away, stay out of our lane, this is our lane, why are you in our lane. It's very siloed. And what I started to realize is that might be okay for banking, that might be okay for certain industries like software or technology. It's not okay for things at

the bottom of Maslow's hierarchy of needs. So not only are all 16 not created equal, the people who write the Angry Birds game for your phone count as critical infrastructure. So do the people who make medical devices that keep you alive. So when everything is critical, nothing is critical, and I felt that this was not a good way to look at it. Those things up top are called National Critical Functions. There's 55 of them, and smaller, and they're more like a service, like when you turn the water faucet on, does water come out? When you turn the light switch on, does the electricity work? Can you get timely access to patient care when and where

you need it? And on that last front, that was the most disrupted during the pandemic: timely access to patient care. So I started thinking more quantitatively. More quantitatively, I can't just make a list that I think is the most important. I can't just say anything at the bottom of Maslow's hierarchy, water, food, shelter, safety, should be more important. So I started thinking about delay and latency sensitivity. If you map those 55 things, if you shut it off for 24 to 48 hours, does anybody die? And the answer is less than 10 of these are so latency sensitive and time sensitive that if disrupted, through denial of service, through unavailability, really bad things can start to happen. But more importantly,

they're not bad on their own. A disruption to water could affect your ability to get timely access to patient care. So not only is not everything equally important, some things are more dependent on others. They too have ball bearings. And when you start to realize this, the 10 most urgent, time sensitive, life sensitive things that cyber security people could find and fix flaws in are inherently multi-sector. So when one and only one agency takes ownership of these, bad things happen and people die. In fact, what's really bad specifically about healthcare is, as we struggle and fail in healthcare, we're cutting into the talent workforce for water and wastewater engineers, for truck drivers, for manufacturing, for chemical

engineers. So not only are you having disruptions, but some of the very people you're killing are necessary for other lifeline critical infrastructure services. So the bad news is also, whether it's hacking or just flu season, every single time our hospitals get overwhelmed, we lost more and more of those people, and each winter we tended to see a pretty big spike. So what happens when people start dying? Policy makers start paying attention. Now, not everyone in this room likes government, not everyone in the room likes policy. We sure didn't. In fact, when we started I Am the Cavalry, we saw an increased criminalization of good faith research. I think we've done a lot of work. Maybe you

don't all realize how hard of a battle it was, but we've decriminalized research in most countries. We've normalized the value of coordinated vulnerability disclosure. How did we do that? It wasn't hacking websites. It was showing that disruptions to health care devices or cars could lead to public panic or public safety issues. We have a unique... we are both willing and able to do a unique service to find these flaws and help fix these flaws. So one of the lessons that we got out of the pandemic is, whether it's hospitals or vaccine suppliers, small unguarded things, is that you could be target rich but cyber poor, which means they can't just do zero trust, they can't just hire

a huge security team. Most of them don't have a single security person on staff yet. So we started saying stop pointing to best practices; what are the bad practices? So at CISA, Bad Practices, we enumerated three of the most dangerous in critical infrastructure. And by the way, the best advice for critical infrastructure tends not to be the same as the best advice for enterprise security or privacy. So some of our advice is very biased to the Fortune 100, Fortune 500, but also very biased to the confidentiality of information instead of the availability of critical infrastructure service. So some of our advice is terrible, and we're going to have to start being clearer when we give it as to what the mission

is and what the cost of failure is. Other things I had to do when we met those target rich, cyber poor: get your stuff off Shodan, although I couldn't say, I couldn't say Shodan, so we said get your stuff off search, but said your assets are showing, your adversaries can see them, see what your adversaries can see. Get your cyber physical systems off the network. If you can't, at least get them scanned. At least, you can't patch everything, at least focus on the network facing, exposed ones that have a known exploited vulnerability associated. So we started getting CISA to start publishing the KEV. These are known exploited vulnerabilities. Out of a given calendar year, just less than 3% of all CVEs ever

get exploited. So if you're just patching randomly on CVSS, please come into the modern age and look for EPSS, like we heard yesterday from Thiago, or the KEV list, because the KEV list are the ones that are known to hurt people. So think about this: we went from saying everyone should do best practices in zero trust to saying what are the most dangerous practices for cyber critical infrastructure? Can you at least look for the known exploited vulnerabilities? And since some of them want to start their journey to go from crawl to walk to run, we also started, we got the White House, like this, and asked CISA to build upon those bad practices for something called the Cyber

Performance Goals, or CPGs, and other countries are modeling after this as well, which is, out of the entire 400 page NIST Cybersecurity Framework, here are a handful of things you can do to start. One of the things that I've been very proud of, there was a little bit of discussion on it yesterday, but if anyone wants to talk about it more, is SBOM. So right around the time we started I Am the Cavalry, we said transparency is coming. You can't blindly pass risks on to all your customers anymore. You should know what's in your software and your customers should know what's in your software. It's not... that's a longer conversation, but we

knew SBOM was coming. I've been part of the SBOM push since the beginning. I tried to get a law passed in 2014. It didn't work. But fast forward, in December of last year we did pass a law, after nine years. So when people say it can't be done or it's not being done, it's already law as of December. Technically, March or April this year, all FDA approved medical devices in the US, and reciprocity globally, now have to do quite a few minimum cyber security things, like be patchable, have a threat model, have a coordinated disclosure program, and have a machine generated, machine readable software bill of materials. And they're doing it because

they want to make money. There's other places, like executive orders, that are also asking for it if you sell to the federal government. But we're trying to take these loss of life situations. The reason this passed despite lots of lobbying dollars against it is because Republicans and Democrats in the Congress realized that once people start dying, it's time to do something. So the most obvious place to do so was after a testimony to the Senate on the loss of life in healthcare. The White House is acting as well, the UK government is acting as well. CRA has some things I'm not super thrilled with, but there's a lot of international push to do things like more focus on

critical infrastructure than just privacy, more things on software liability or shifting accountability to the producers of products, that should be free of known exploited vulnerabilities, should be patchable, should have coordinated disclosure. So we're taking the microcosm, that we got the law passed through the Cavalry on the medical devices, and we're trying to make sure any critical infrastructure is more trustworthy. So my basic plea to this community on things like this is not that I want you to go to any government or be a policy maker, but we have been messing with Maslow's hierarchy of needs. So when we choose what to hack, when we choose how to communicate it, the things that can lead to disruption of water,

food, shelter, safety command our greatest level of attention. So a lot of us got into this profession because we did this as a hobby and a curiosity. Some of you accidentally turned it into your career, and now, after the last 10 years, a group of us have turned this into a way to make the world better and make the world safer. So like I said, there's less than 10 of these critical infrastructure sector services that are life safety, 10 plus or minus a few, so we have to treat those ones with the greatest level of care. They're inherently cross sector. Governments are very poorly set up to do this. So in the meantime, once again, the

Cavalry isn't coming. I'm most concerned about water and wastewater, about food supply, about oil and gas, electrical, especially target rich, cyber poor, and deeply concerned about hospitals. So I'm a little low on time for some of what I was going to cover, but one more little thought experiment. I know healthcare is different in different countries, but I want you to close your eyes and picture the hospital you would take your family to if someone was injured. What does it look like? What's its name? Now, if it was unavailable to you, where would you go instead? Is it across town? Is it very far away? Is it more than an hour away? What if that one's owned and

operated by the same software and it's down too? So in the US, with those 7,000 hospitals, we're seeing six to eight, six to 12 week disruptions 700 times a year. One of the things that I'm very proud about is we passed some federal laws for IoT cyber security, decriminalizing security research, SBOMs for medical devices. One of the things I'm terrified about, and this is just my map, you can do the same for yours, this is a time-lapse photography of hospitals that have closed forever. So out of those 7,000, we've lost 200 hospitals because they ran out of money. Not all of those were hacked, but recently a few of them closed their doors

because what put them over the edge was a ransom attack. Many of them have only enough money to run for 1 to four weeks of cash flow, and if you have 1 to four weeks of money to run the hospital and you're down for six to 12 weeks, it might not just knock you down for six weeks, it might knock you down for good. And as we see more and more hospitals close, depending on where you live, there may not be care nearby, 3 to four hours away from your home. So hopefully that does not happen here as much as it's happening to the US, but there's no technical barriers to that being the case.

You're using the same crappy equipment, you're using the same crappy electronic medical records. So once again, even though I was very proud of what we did, I'm very, very concerned going into the next decade, and I've been asking, 10 years later, does the Cavalry end? Does it transform into something new? Or does it combine with other initiatives? And I'm still trying to answer that question three months later, and I would love your help to do so. So we're not going to get to this today, but, unlike what we discussed yesterday with LLMs, I have deep concerns again about our dependence on technology without understanding its implications. I don't think we have the right language to talk about technology

risk. It's not the cost benefit on red teaming, it's not the cost benefit on writing reports, it's not the convenience of AI assistance. It's things like how complex is the system? Is it knowable? Is it debuggable? It's things like what's the velocity of harm? Is it slow moving, and we can see it coming and avoid it, or is it snap your fingers and people are in big, big trouble? And is the blast radius contained to a single person, to a single state, to a single country, or does it affect the entire planet, like bioengineering can make a virus kill millions of people? So on something like our aggression and our avarice to do more and more, faster, faster on AI,

looking for the benefits, we need to be very careful on one of the most complex technologies we've ever adopted, with the fastest velocity to harm and the largest blast radius. So, but mostly what I'm loving to discuss with you yesterday and today is how should we change ourselves. We like this community, we enjoy this community, and we have choices about the things we hack or how we do it or the professions we take. And I'd like to suggest that as your family and as your livelihood increasingly depend on connected technology, that means society increasingly depends on you, and I want to make sure that we're ready for that. Because this community has a few interesting features, and that we both

hate the way things are and we hate change, and one of those things has to give. Now quite a few of my CISO friends are leaving the profession because they can't keep pace, and we have some soul searching to do. And I don't have all the answers for you, but I know if we keep doing the same thing over and over expecting different results, the world is getting more dangerous. So we do need some heroes. I'm asking you to consider being one. If you're a humble seeker that wants to find the truth, if you want to think like a systems... instead of just protecting your company or your industry, but rather society, and if you're willing

to cross boundaries, we urgently need it, and we need you to find your courage and find your footing, because the Cavalry isn't coming. And I'm hoping we can find fresh and new ways to raise the alarm without being alarmist. We've done incredible good; now we need to figure out a way to scale it. Thank [Applause]

you. To thank Josh, it was a great keynote. Thank you very much for coming. I think we can take one or two questions if you have them. Anyone else, questions? Well, Carl takes, we have one here. Hello, a great, great talk. Why do you think that European hospitals are not so targeted as US hospitals? One more time? Why European hospitals are not so... they don't have so much ransomware attacks than the US. So that has been a question for a while. My general attitude for years has been that the target rich but cyber poor have always been vulnerable and exposed, but the predators have not been interested, and for a

number of reasons, including that the US tends to pay, and that people hate the US more than other countries. The adversaries have liked picking on us. Initially they did it by accident. I can talk more about this in the hallway, but the first hospital ransomware was not on purpose. It was in 2016 in Hollywood, California, and they were surprised they hit a hospital. The hospital did pay, and very quickly hospitals became the number one target of ransomware in the US. So some of it is the industries that pay get more targeted, and some of it is the countries that retaliate the least get more targeted. So I think you're just as vulnerable. I think you've been fortunate,

but I don't think you can count on that forever. Okay, again, thank you very much, Joshua. Josh will be around, so feel free to reach out to him. Thank you. Thank [Applause] you.