
welcome thank you for coming uh we realized that it is late in the day on the second day of the event uh you guys have all been uh jam-packed full of uh really deep thoughts and so we want to uh want you to to hang out for another couple of hours with us um we're going to try and have a little bit of fun with this uh even though it is a very serious topic um it's one that's that's very much worth thinking about and it needs our urgent attention so uh please um as we're talking be thinking because this is not a a spectator presentation uh you will all be expected to participate uh that's what it means
to be a part of I am the Cavalry we got you in here with the free cookies and then we suckered you into work um so uh I will hand it over to Carl he'll run through uh some of the background pieces uh and then we will keep going and transition into what can we do Carl thanks B oh hang on let's just quickly adjust that thanks Bo um yeah I I think as as we've alluded to a little bit it's a pretty heavy Topic in some ways but if there's something I want everyone here to take away it's that hiding from critical infrastructure vulnerabilities and the fact that the current state of things is the current state of things is
not a great idea we all need to work together to figure out ways to fix problems part of that is being very forthright about where we are and so today's talk is on a scenario Set uh of war and rumors of War as we get close to potentially War what does that mean for our critical infrastructure so we're going to lead off here and uh you know because I like uh memes and TV um what is war is I think it's something that's talked about a lot and those two things I think are really funny because those are actually both uh derived from Ulysses Grant and um you know war never changes that the nature of humanity is to
occasionally have combat and conflict and adversarial activity and you know we need to face that down so if we stop and step back and say well what is war that's probably where we need to start when we ask what the implications of war on domestic critical infrastructure would be and this is something that I think when I look at it you know when I think of uh the the the traditional Western View it it's you know the quotes here from von Clausewitz I think are pretty good war is not merely a political act but a real political instrument a continuation of political intercourse a carrying out of the of the Same by other means and when you really look at this
what we've come to know as war in the Western World tends to be State actors physical combat militaries you know massed forces in areas where we try to avoid civilians and defend our battle fields and it it really becomes quite binary uh you know we're either at war or we're not at War and our our conduct of war is important and there you know there their functions of War like the friction and fog of war and there's this idea of you know von Clausewitz said well there's this idea of absolute or Total War when both nations are trying to annihilate each other that generally not what happens generally what happens is is you have a real war where there are
objective sets and it's mediated by political consideration so when we think of this idea particularly I think in the Western World we think of you know war or peace and what we think about are the laws of war and the moral considerations and the ideas of you know not getting civilians involved but do our adversaries think about war that way uh that's a really good question worth asking and I'm going to sort of be cheeky and say no um in fact wake up it's time to realize that that's not the way that war works and especially when we look at some of our adversaries you know not the people of China but the state and the military and the
organizational structure of China for example there is a very very Stark realization I think people need to take away which is that there is not that binary War not war or there's a continuation and it begs the question which is uncomfortable to ask and to think about but are we already at War so if you step back and you look through the idea of warfare and you ask how does China see War there was a really interesting document published in 1999 by the PLA by two Colonels called Unrestricted Warfare and uh you can see in the center that's that's the original publication cover uh the translated version you can find in the internet archives is
on the left and there's a couple images from that and I I think what Unrestricted Warfare did is it highlighted the fact that there is a very different way of thinking about nation-state conflict that China in particular has if you fast forward a little while later and you look at things like the Gerasimov doctrine in Russia there are other folks who are looking at the idea of war and saying this has changed so really what this document highlighted and why I think all need to take away is that it highlighted that the nature and purpose of War have changed and that there are no boundaries and there's a multi-domain approach I think further to that there are these
ideas that there are no rules there are no legal and ethical considerations as this document put forth for what war is and when you think of war from you know my perspective as thinking of as you know militaries fighting and and and doing the right thing quote unquote only fighting other combatants this is a a complete change in Viewpoint so uh if I look at the summary from the authors they said the new principle of new principles of War are no longer using Armed Forces to compel the enemy to submit to one's will uh but are rather using all means including Armed Forces non-armed Force military non-military lethal non-lethal means to compel the enemy to accept one's own
interests so we're going to quickly just look at some of the fundamental tenets of unrestricted Warfare and this is one of the lovely images of the face of War published in uh that 1999 internet archive translation um but really what the authors were trying to say is that unrestricted Warfare is about Innovative thinking it's about thinking about the objectives of war and all the possible ways you can achieve those objectives not just with guns and bombs and militaries and so you know if we if we look at this and we break that down into into what is proposed there are a number of different approaches to that and I'm going to quickly run through a couple of
examples so that this maybe will connect a little bit but if we look at the idea of political Warfare for example we can look at Chinese Behavior over the last say 20 years and there's a couple good examples of trying to use political uh instruments to shape International perceptions and policies and I think that the example that I have here is the Confucius Institute and that's something that was identified by the US State Department as not really what it was purported to be at first which was hey we're going to just help people learn the Chinese language but it was also about some I would say tactful editing of certain events or certain ideas the omission of others to shape
the dialogue in the direction that the the Chinese party wanted it to go in so um you know political Warfare exists there's a couple examples there that you can look up I think the united front work development is another interesting one that's the diaspora of Chinese people around the world and there's actually really good documented examples of the government of China encouraging their citizens to try to do things like influence International elections outside of their country to go in a different direction than they might otherwise so these sort of things are how a state could project power without using their military but using political consideration another domain suggested in unrestricted Warfare was economic war and I think
that's a really interesting one that that's the use of uh Trade Practices and investment strategies and sanctions to exert geopolitical influence so there's some really interesting examples I don't know how many people have followed them here but you know if you're around uh and and remember for example uh in about 15 years ago there was a situation where there were a bunch of Chinese dissidents who Norway suggested should get a Nobel Prize uh that was quickly followed by China doing a bunch of things involving trade practice to then stop export of uh Norwegian salmon to China and left rotting salmon in their docks at home in Norway and had a a pretty big economic impact and this can be seen again and
again the the the Scarborough Shoal dispute was with the Philippines and there was a situation where things didn't go quite the way that China wanted and the Philippines acted in a way that China did not or the party of China government of China did not agree with and they they sanctioned effectively uh bananas and same sort of thing billions of dollars of economic damage because the policy that another country was taking uh they they didn't like and so they retaliated out of band with an economic activity so I think uh if I carry on and Bo I don't know if you have any thoughts on any of these but please chime in as as we go through um
you know we have other examples the use of legal instruments and legal institutions and and one of the really interesting things that has played out in the last decade is if you look at the islands in between the Philippines and China in the South China Sea very very close if you look at that map on the bottom to some other Sovereign Nations China is exerting control and they're saying hey this is actually our territory and it's interesting to see how that plays through because there's there's situations where the normal International discourse and places like the uh you know places we go to for international arbitration between two countries China decided in 2016 based on a on a ruling uh of uh an arbitration
ruling that normally would have been binding they decided actually that shouldn't apply and so in that case there's this use of international law and legal manipulation and arbitration to achieve strategic objectives so this plays through in in in a number of different ways and we can start to see that actually China is being very very I would say clever in the the way they're using lots of different International instruments and lots of different methods and tactics to achieve political outcomes without actually having any military action as we step forward there's also things like psychological Warfare trying to impact the thinking of other nations uh you know having disinformation and influence operations to try to get your way the example I
would give here is when we had Nancy Pelosi who went to visit Taiwan you know that was something China didn't want because they didn't want furthering of ties between two separate Sovereign Nations and so what happened was in that case uh you know Nancy Pelosi went to Taiwan and Tai you know Taiwan was then on the receiving end of a set of what appears quite hostile uh you know exercises involving moving militaries out into the sort of Straits of Taiwan and surrounding area so we can see that the the psychological operations fit into this framework of unrestricted Warfare and as we start to step through we get to the use of high technology and the
advancing of one's technology and there's there's an interesting phenomena where the original 1990 text talked about dealing with a technologically Superior adversary and in this case the United States of America had some of the best technology in the world and there was Titan Rain if anyone remembers that campaign where there was Chinese intellectual property theft of US F-35 information and so we we can see how that sort of taking of technology to further one's own technological growth was was a facet and an aspect of warfare yeah I've got a uh a funny anecdote this may be apocryphal but a friend of mine uh told me about it I thought it would be apt to share it here so he works in
the uh telecommunications infrastructure uh in Mobile uh carrier for mobile carriers and he said that they got some new equipment this was like 15 years ago 20 years ago when uh a Chinese manufacturer starting up and he said they were trying it out putting it through their Paces looking to see if it could compete with the American European manufacturers um that were predominant in the market and uh uh oh I don't know what's going to happen but it can't be an advanced persistent threat is going to happen so it's time for outrageous speaker requests yet again and uh we have a request from Mr holus that uh we provide him with a soap box signed by
Josh Corman suitable for display in the
home congratulations someday that will be worth almost nothing that day is today I want to get up in the soap box but I'm not sure uh I I could make it work the the soap box is for display purposes it is a gorgeous displ besides besid is not liable for and all us so box please consult your lawyer before any attempt to use a talk to your doctor see if soap box is right for [Applause] you so uh back to the story my friend's comparing these these Telecom products uh and they go to start to use uh the new one that they just picked up from the Chinese manufacturer they're like oh man all the commands are so similar it's
great they start going through the the command line interface and they hit an issue they found a bug and they're like this this bug is identical to one in the other manufacturers let's go look at the manual and so they went to the manual to to flip through that and still had the other manufacturer's name in the manual where it was incredibly clear that uh the Chinese manufacturer had just ripped off everything and didn't even bother uh to change the names in the manual um so I think at this point uh probably everyone has heard a similar story like that or has seen news reports or or things like that along the lines of intellectual
property theft uh as I think General Alexander called it the uh the giant sucking sound of billions of dollars of intellectual property being siphoned off to China I think there was actually a uh a review of that by by by the government last year two years ago you know hundreds of billions of dollars that you could definitely attribute every year to being lost in intellectual property theft so you know would make sense if you have somebody who's technologically Superior and even though through one ethical framework it's not ethical to say break into companies and steal things in another frame if that's what's going to help you advance that does make some sense so technological Warfare
encompasses that and I think this is where we get to the final point which is what I framed as Network Warfare uh and and that was a term that was used some time ago again you have to think back to the early days of the internet in the late 90s and early 2000s for this to make sense but that was anything connected to a network and we've come to call that more cyber now or perhaps you know uh we'll get into that a little bit um so uh yeah we're going to dig into that a little bit and we're going to cover off uh you know what might happen if some of our Network connected
equipment and all of our infrastructure was subjected to network-based Warfare and uh with that I'm going to just hearken back to uh and I really want to jump in the soap box now um to the fact that every time we get in an airplane uh as you remember from Josh if you were here for earlier sessions you get the the you get read the warning or the you know helpful message of in case of emergency or Landing over water when you get in an airplane it's maybe one in you know if you talk to people at MIT 1 in 7.9 million you your odds of actually having an emergency over water but every time you get in a plane you go over that so
that you're ready and prepared if it does happen so what we're going to go over here is a scenario we're going to talk about being ready and prepared and why that's important and what we can do about it so to talk about this scenario uh I will quickly uh sort of put up this slide and say we recently as of I think April had um somebody who knows something about Warfare and about what's going on in the South China Sea because he's an admiral tell us that uh that we have probably until 2027 uh and that the uh all indications point to PLA being ready to meet the goal of invading Taiwan by 2027 uh which is an uncomfortable
thought and actually if we look at the RAND scorecards for the United States of America where green is America has a major advantage uh red is where China has a major advantage and if you look at the scorecard that RAND put together for the T A Taiwanese conflict and a Spratly Islands conflict uh we can see that we started off in the 90s and early 2000s with a lot of green and we end up in 2017 with less green and the 2024 version of this report that's classified and I don't have access to could probably ask that gentleman who came before uh that I'm willing to bet is probably less green based on some recent developments and
you know I don't know if the the people who have flown planes would tell us what the results of a paternity test of a J-20 were but um that looks awfully familiar to certain North American aircraft um so yeah uh there's Taiwan and we're going to have a look at this uh before we jump in here as a recap for Volt Typhoon which was a different campaign than intellectual property theft and along the lines of unrestricted Warfare as you approach a near peer or peer adversary status as opposed to a technologically Superior adversary your tactics switch a little bit and the idea of attacking another nation's critical infrastructure to gain Advantage becomes more serious and CISA told us amongst others that
there's a high confidence that we have that Volt Typhoon actors are pre-positioning to uh disrupt functions and why would they do that well one of the reasons they would do that is because they would uh they would do that to be able to have uh the capability to have disruptive effects in the event of a military conflict or geopolitical tension so with that we worked on a geopolitical tension military scenario which plays out starting sometime after midnight on December 23rd 2026 and that's the point where uh there's the initial breach activation and the pre-positioned malware across our multiple critical infrastructure sectors activates so this is worth bearing in mind that when you're living off the land and you
have access to credentials you don't need a bunch of zero days or exploits if you have legitimate quote unquote or seemingly legitimate access and that's part of the problem with that campaign so uh what would happen great question any any any thoughts as before we jump in here what's what's the first thing that might happen depending on sorry I think David's going to want us to have the mic
out I feel like in the spirit of yesterday this is going to be pretty quick to go to a black Sky event if they have the right access that power is yes one area we should be concerned about yep nothing because we've addressed all these vulnerabilities all thank you for coming we're yep we're done here we're good uh that you know what that that has us all doing an awful lot of good work in the next two years I like I like that approach um okay so any other takes yep you're talking about doing this on the day before like one of the busiest travel days of the year so people are like the federal agencies are going to
be busy dealing with a pissed off populace rather than maybe paying more attention to things that are of higher urgency huh what a what a weird thing that that might be something that happens disrupt power to just cause mass panic yep that seems like it's likely I think you have to I think you have to ask what their purpose is because yeah it's one of the most busiest days of the year but what is their intent and what are they in trying to do and how does that impact our response and so on and so forth it's it's it's very complicated everything's very complicated I absolutely agree that we want want to understand intent and two
it will be complicated and there will be a lot of things that don't initially seem like they happen I I think the doctrine is clear that it's seen as an act of War but then there's the question of attribution you need to be pretty pretty sure if you want to take a kinetic response which is the doctrine I think I I'm interested in that one because I think what you're saying is if there was some sort of attack on our critical infrastructure it would be perceived as an act of War I thought so right I also would have thought so um but what happens if somebody attacks say uh food processor like JBS JBS something like that I think
there's a meat processor called that yeah a a actually it's kind of hard to know when to declare war if you don't know exactly who did it so there there's a if it's clear for various definition which the lawyers get involved with that might be the case and that might be an outcome but at what point does that declaration happen and don't forget that our adversaries have different framings of War than we do they see things as continuous conflicts along a spectrum without thresholds and triggers and binary
distinctions uh so the statement is I don't think the threshold is operationally useful and I think the the carry on
please right it's a okay so the point was you can say it's an act of War but it's a slippery slope and and this is one of the big problems that we have with a scenario like this and sometimes even discussing a scenario like this because if you look at what is an act of War what maybe would have counted as an act of War 30 40 years ago it is not quite counting anymore and we've had this sort of threshold of events which are kind of near what would have been considered an act of war and it's kind of you know I kind of feel like maybe we should think of the frog that is in the pot of water that starts
out cold and starts getting hotter um camore please the back yeah so because this is happening right before a major Western uh holiday there's going to be minimal response resources available across the all sectors not just any one given every sector that's an excellent point and part of the clue of intent in this scenario is when this happened so yes that's uh you have discovered a clue um unless we want to get into Tallinn manuals and Norms that haven't become treaties and things we've already kind of met the the de facto declaration of war from the Tallinn manuals Estonia that we've helped with is any attack on designated critical infrastructure confirmed from a nation state could be
considered an act of War etc etc that threshold's already been tripped several several times like NotPetya was Russian campaign did a billion dollars of damage in one day to Merck a US company on US soil no declaration yet so Chris Painter State Department used to remind us that attribution is a political choice and to your point about boiling the frog we're having more and more uh things I'm not sure where you're going with your scenario I'm participating as well but um a lot of folks don't think that uh superpower would declare war through these types of means but would use them in hybrid conflict if a war was underway use it as deterrent or warning shot or a way to
upset political support in the US to be engaged in Taiwan that kind of stuff as opposed to going straight for the gold I mean when you said Tallinn I I just assumed you were going after a CrowdStrike there but I it's refreshing to actually think of NATO stuff um yes but that excellent point that we have a very difficult position now because this has become normal and we haven't declared war when things have happened in the past so one more here and then we're going to step forward I just want to know when we get to this point how wide of the wind how wide is the window of acceptable things we've taken at this
point because every day as you said we're boiling the water we're widening what we find acceptable and what we've taken so what at this point is unacceptable that yeah this is an excellent point what and I I don't I don't have answers to that I mean I hope that we're thinking about that it's a really interesting question to ask like where and how could we respond and there's certain you know certain actions that you might have to respond to but what is that so I mean one of the things that we don't talk about is our counter capabilities you know to quickly grow and cause the same kind of impact down right so is that a consideration that
the threat actor would have before the right water so the the comment was around and and sort of the question was around uh well we also have capabilities and I think this is one of the really interesting um points about asymmetric Warfare and around unrestricted Warfare is that you know unlike traditional conflict where if we show up in a field with a bunch of uh tanks and the other side doesn't have tanks you're not going to win it's like well if we have offensive capability my point would be this just because we have offensive capability to cause them damage that might act in some ways as a deterrent but it still leaves our national critical infrastructure
potentially in shambles and it leaves us as the citizenry in a very uncomfortable position so I I I do hear what you're saying we do need to think of response but at you know we come to a bunch of problems first and last one with that gentleman there and then we'll step forward I mean from a national response perspective politically the big question be asked at the moment is in the coming hours days weeks or week as an initial response is anyone going to die or get hurt that's the first question that's going to happen nobody's talking about response at the moment everyone's literally just talking about crisis and making sure that nothing really bad
happens and what are the likelihood of that do we need a politician or a minister to go in front of the press statement stuff like that response options aren't anywhere close at the moment that's a really interesting and good point and I will say right now we're sometime after midnight so this begs the question what next um so we step forward from Midnight to 2:00 in the morning and the first step of what happens is uh our water supply our water supply gets compromised uh or our water systems I should say because we learned from Dean that actually that that's not one big thing that's an awful lot of small things and in this case uh you
know I found out from Dean that maybe this isn't 100% accurate it's hard to actually cause contamination of the water uh despite what you might read online and in various Publications but what we did learn is that there are other methods like using water hammers that can cause destructive damage to our water system so we're going to say first thing that becomes clear at 2:00 in the morning is uh yeah they're being attacks against ICS systems in water and wastewater and there have been over pressurization events which have caused destruction to some of our systems and at this point I would I would do the phone a friend and I would going to ask Dean I'm going to pick on Dean and say
what do you think would happen just it's 2 in the morning do you get a page do you get a phone call what's the water sector's response here I first of all this is not going to be unified in any way right everybody every locality is going to be fighting this on their own they haven't turned the news on this hasn't made it out to anybody yet so everybody thinks they have an isolated problem so there won't be any kind of reach out to anybody for anything um it'll be days before that occurs so each individual utility is going to be looking to figure out you know immediately they'll be jumping on they don't have really forensics
capabilities all they're going to know is that they have a a main break somewhere they got to find that which will take take many many many hours there will likely be multiple main breaks um that'll take days if not weeks to repair um and so it you know back to our cascading failures thing so you know those things are going to be play havoc on there Will no will no longer be fire hydrants so anything that occurs in emergency situation is going to be a big problem um but I I think that the big kind of the trend I I saw everybody go to was we're immediately going to know that this is a nationwide problem and
and that's not going to occur for days and so each of these folks are going to be fighting individual problems until they finally realize wait a minute you know again one of the arguments my fears in the talk that I had was there's no centralization of this information each of these utilities is going to be fighting this problem all by themselves so from the point this happens at 2:00 in the morning how long before anyone even knows um yeah that'll take hours right it'll be well into the next day before we even understand that we've got a water main break where it's at you know all we know the the plant operator is the only one that's on staff and a lot
of those smaller utilities don't have those operators on staff so they'll be getting alarms or calls to go and figure out what's going on all they know is they've got a low pressure event low pressure event immediately means boil orders that it's just an automatic so the entire system will be under a boil order
um so this is the first thing that's happened is 2 a.m. the first thing that's happened is so they're going to get a lot of that sort of stuff some concerned citizens are going to be um in water main breaks generally there's the potential for loss of life because you know a 5 foot main breaking is a lot of water that shows up in somebody's basement or house or at the bottom of a of a of a road um and that can cause some very dangerous situations cars being swept away I don't know if anybody's ever seen some of that it's amazing so we're at 2 in the morning the other so the other question is scope
there's depending on how you want to count there's 150,000 discrete not connected Water Systems so my question to you is how many well I think if we looked at what we were told about a extremely sophisticated threat actor group who have been making a concerted effort to get into lots of our infrastructure we'd have to think of this as not being one or two systems but many and from what I'm hearing at 2 in the morning we're probably going to have at this point a few concerned citizens there's a and uh how many hang on how many do you need to hit before you lose trust in the other ones that have not been hit before you
start to wonder how many is this uh 150,000 is it 500 is it 150 is it two and if you have a certain pattern of evidence your brain will naturally fill in the rest and so we'll have uncertainty around the rest of the supply and suppliers uh just a clarification question so is this in one time zone or is it multiple time zones so we've been going by Eastern Standard time okay so it's actually 11:00 in on the Pacific coast yep okay and does this include non non US noncon continental US we were constraining to CONUS okay great so one of the one of the rules we forgot to give you some of the rules before we
start this one of the rules is um roll with the scenario don't fight the scenario got it uh this has been put together by amateurs who know a little bit but like we didn't quite go down to the street level uh of which streets are affected and not affected so you can ask some really really insightful probing questions and I am sure that uh the executive function of our governments would be asking those exact types of questions we won't have those answers for you in this just you know take it on faith that this is uh this is where we are and to Dean's point we may not know the answers to those just yet sure fair
enough the reason I ask is if you look at CrowdStrike that the timing on that the East Coast gave warning for West Coast and so in this case it's the opposite that the West Coast would still be up it'd be 10:00 it would be 9:00 when this happened so you now have the alerting going out significantly faster just like we had happen in CrowdStrike so we could start the mitigation process in an earlier phase thank you that's a a really good point and it begs the question that we're oh Dean's got a another way hold on we're going to we're going to step forward here cuz we we we got to we got to move don't get obsessed
about the details of this roll with it high level here high level so uh because also at 2 a.m. in addition to the water sector uh somebody earlier said the power yep uh the power also gets hit in this scenario and um uh you know localized blackouts start to happen how big we're not exactly sure yet um but we also then have malware activated to start uh delaying recovery efforts so if we think of uh you know our our bonus element here as you might have heard yesterday about uh a a CrowdStrike situation on uh renewable energy inverters uh yeah at this point uh we also see a change and new upload or a mass upload probably
unknown at this point to every every one uh of new firmware to those energy inverters doesn't do anything yet but it's just worth considering but there's definitely at this point we start to get multi- sort of cross-country localized blackouts um so just stop and sort of think like of the people you know who work in energy utilities and water utilities having a very bad early early morning December 23rd and before we go into questions comments and everything else for this phase we're going to step forward to well then we hit 3:00 and at 3:00 you know because if we rewind to what our friends at CISA told us if I I recall it's it's communications energy transportation and
water and wastewater that we know have been actively targeted by Volt Typhoon and we know are being prepped to have functional disruption so at 3:00 the telecommunications networks start to have problems and we start seeing major ISPs and mobile operators going down in this case we picked on the SOHO routers that have been compromised as sort of reflecting things back but I think as somebody who used to work in telecom uh some of that gear that had vulnerabilities you know the core routing functions of telecommunications network you would hope are extremely well defended and very very robust and have no vulnerabilities whatsoever and you would hope that somebody who's an authorized user and has legitimate credentials can't just
turn things off but some things start happening and uh you know the emergency responses that we're having to water and power would probably be somewhat ered if your internet and your mobile phone systems started not working very well there's a question over herey you have no system any in this and you will lose manyel channels as well yeah so there's a clarification that you'd have no phone system the way I view this is we're fragmented enough that that probably wouldn't happen drop out it wouldn't drop out all at once uh I suspect what probably would happen is you'd have different operators having different outage problems and uh you know there might be some targeted DoS
things that take out certain equipment but you wouldn't see the distributed impact of that right away and it wouldn't be obvious that these things were all connected because it's 3 in the morning and most people are still sleeping it's only really the emergency responders who are well maybe not getting the pages or messages from their systems anymore and hopefully gosh haven't gone back to sleep with a Christmas party hangover um but uh good point so 3 in the morning we see our telecommunication systems starting to be disrupted uh and bad news at 3 in the morning our health care systems also start being targeted and in this scenario we have our hospital networks have malware and ransomware
executed in them and there's also uh the possibility that medical devices where there's compromised products might also start causing problems and um the early targeting of Health Care Systems in a scenario like this is designed to ensure that the hospitals are overwhelmed which uh yeah combined with what we saw from Christian yesterday is a little bit upsetting to think about uh for those not at Christian things yesterday or didn't watch our cyber meded DC videos we asked some emergency physicians and Hospital administrators how long can a hospital operate without water so I don't even think this step would be required because many Hospital functions drop off within a matter of hours no surgeries can't care for patients can't do
Laboratories can't have HVAC uh cooling sanitation Etc so this one's just insult to injury I think the water alone would do the job well that's an interesting point and you're right but unfortunately it gets worse um because if we are looking at really a scenario where we're trying to examine what could happen based on the data we have uh it's pretty likely that the transportation system at some point would be hit and uh this this can get really really bad if you start thinking of compromise of logistics companies too and if you start thinking of all the automated Fleet systems and let's just take like package delivery companies and things like that where couriers need to
go out and things need to get moving in the early morning to make it somewhere and all of the food logistics companies who have trucks if those were also targeted and either denied or if those systems were conversely told to send things out uh if you send everything out and then you brick the traffic lights that's a lot worse than bricking the traffic lights when nothing is on the road so uh in this scenario yeah we see a transportation attack and we've got a mic's in the way um hi if I wanted to really mess things up I'd wait till 7 or 8 where everyone is going through rush hour and just lock down the beltway you know
parkways whatever freeways are running through major cities you're 100% right and I think this brings us to Bo's point when we were constructing this scenario we we didn't uh you know bunch of amateurs up here we didn't uh try to get this perfectly right as to exactly what could be done to maximize damage but that that is an excellent point and it's a concerning point uh one more over there I think one of the things we're forgetting here is that we're 3 hours in nobody's talking being said it take days for people to start talking to each other we're not even sure that people have been activated and they're actually getting the right people on the systems trying
to figure out what the hell's going on uh and so here we are looking at a scenario we forget that 3 hours into a a a one incident is nothing right thank you that that's a really really good perspective and that is worth keeping in mind that you know all of our emergency dispatch systems are are trying to cope with these emerging panics and oh no Well turns out that the Emergency Services dispatch and the Distribution Systems for those are also hit and I won't get into the fact that you could probably set up a bunch of Robo dialers to automatically flood all the 911 centers in addition to that and you could Target traffic at all the IP
systems and their known endpoints to slow anything else down beyond actually damaging those systems with malware but uh yeah if you were trying to create a coordinated outage you are only a few hours in most people aren't even realizing this yet so uh one question or comment here so one thing that strikes me about this is that this scenario looks a lot different now than it would have 3 weeks ago I'm wondering if because it is that because it is that widespread I'm almost wondering if the first people reacting to this would assume that it's some common software across all of that it's another CrowdStrike and not even be thinking about it being a malicious thing
precisely because it is that widespread oh absolutely a fantastic point and part of the part of the really concerning thing about the scenario is it's going to take a while to figure out what's going on I don't know about all of you all but I would still hopefully be in bed at 4 in the morning even if something emergency was happening cuz for the vast majority of people it wouldn't affect us until later uh a and you know as we step through further and I think there's probably a again I'm picking the fact that I maybe know a little bit more about core Telecom ring than most people um but if you have years of dwell time
and time to map systems you're going to know exactly what to do and that's one of the things about a campaign that started in 2021 with a five plus year time frame to execution of a further attack that that's going to change how this works so uh coordination efforts let's just say are going to be quite difficult at this point um but fortunately probably somewhere around 5:00 a.m. Eastern we would start having some government response and I suspect that somewhere about 3 hours into this uh and and please don't shake your head like that I want to believe um we would have a state of emergency declared and everyone would start trying to do something but you
have to remember in this scenario no this same day next day uh in this scenario where we're hopeful that 3 hours in with a coordinated attack even though telecommunication systems down your emergency communication systems are down there is definitely still going to be some coordination and and we're going to have some defensive response and there are going to be people in places like Cyber Command and CISA and a lot of defenders who are on the ball and totally with this three hours in this is going to happen um because we're going to think about this um okay so we've made it through the dark part of the night and as we start into the morning people
start becoming aware of what's happened uh the bad news is our adversary is also prepared for that and has prepared fantastic deepfake videos which are circulating any social media networks that can still be accessed on any mobile network that still works um so uh a common technique of ransomware actors when they don't have the effect that they desire by the time that they desire it is they start going to the media so it might not be the National Security Council that wakes up and realizes that this is happening first it might be a journalist who thinks they've got a scoop or 10 journalists that think they have scoops that start getting uh information from
adversaries either as ad posing as adversaries or who are posing as average citizens and so somebody's going to find out real quick when our adversary does want us to know these things questions in the B we'll stop for just a few comments questions and carry carry on here um go ahead please U with the attribution like with with uh if they contact the news directly they could attribute it to somebody else or start you know creating a a different narrative than what's happening right that that seems very plausible um so in addition to public awareness hopefully at this point our govern government because they've started their emergency response a few hours earlier has an ability to
communicate out and they would start actually you would think uh working internationally with our partners and and uh you know I I did see some eyes around earlier we had we had four eyes somewhere earlier um but if we did have a situation where something like this happened you have to think there's going to be emergency communications going out saying this is potentially a very disruptive intentional act please help and please try to deescalate um the downside is if th the if if our communications networks are mostly or partially owned uh there is the ability to gather intelligence on those diplomatic efforts and we won't necessarily step through all that would happen there but that that's certainly
possible and as we carry on through the morning you're going to start to see some restoration efforts begin I mean hopefully 6 hours in at 9:00 in the morning we're going to have people who are going to start uh or or be actively working on restoration and IR teams are activated and people are doing things to try to fix the situation we're in across these sectors and um and more importantly than the incident response teams you have Physicians who are being called in to deal with the reduced ability to deliver care through uh computer systems you have uh water facilities that are maybe stepping up at that I'll give you the benefit of the doubt and they may be
stepping up you've got uh electrical um facilities that are that are ramping up you've got some of the transportation folks that are realizing they've got an issue they don't know the size and scale of it yet telecommunications carriers so people are going through the steps to restore uh what we call for shorthand I'll just call them national critical functions but these things that we need to do to deliver medical care to uh keep cars on the road flowing smoothly uh to ensure that we've got fresh water waste water to ensure that we've got electricity so these are the things that that actually touch our lives those people are working at the same time the incident response people
are working and even they probably start earlier than the incident response people you may not know that it's a cyber security incident until after you get through at least a bare minimum of root cause analysis so com I need to throw a small monkey wrench into the monkey wrench um most util most cities um in the US that are going to have it's the same IT guy for police fire hospitals anything county or public owned is going to be on the county or or city network and that's a centralized resource so there's not going to be an army of people to show up to start troubleshooting stuff stuff I so you're probably right but we're going to
actually hope that you're you're you're wrong and we're going to say uh you know we we are going to carry on with restoration efforts and we're going to carry on with economic stabilization elements uh because you know you can make this a lot worse if you really wanted to and that doesn't necessarily have to be compromising the banks and financial infrastructure it could just be uh triggering algorithmic trading platforms but we're we're not going to go into that too deeply because we're focused on our critical infrastructure that we need of the lower levels of Maslow's needs so I I want you to sort of stop and say this has all happened from 2 a.m. until sort of 3 4 5
in the afternoon our response teams might or might not be responding extremely efficiently we have people out it's been a really long day people are having trouble getting places cuz the cars can't move through the Traffic Systems don't work we're having trouble dialing in to respond to things and organize and coordinate because our Communications networks aren't working and um you know here's the question like what is everyone working on at that point like if you're the if you're part of an IR team or if you're trying to work on a response to this in one of these sectors how stretched are you and how how good or maybe not is your decision- making I was going to say at least the
physical aspect of this sounds a lot like hurricane response and that's at least reasonably well practiced right in hurricane areas so at at a national level and I know that there are some folks in here who work at that level at this point we're imagining and you could pick apart the scenario if you wanted to I'm sure and say this is wrong but the scenario that that Carl and I built uh imagined that you had National Security Council um working from really early in the morning you had uh executive leadership at the national state and local level uh keyed up for this they've been working local problems you have members of Congress you have business leaders
trying to figure out what's going on with them you have everybody focused on their uh the issues that they have locally and or starting to realize that there is a nationwide uh whole of society crisis unfolding before their eyes they're trying to figure out what's going to drop next they're trying to get ahead of things they're trying to understand what's happening they're trying to uh roll trucks to restore things they're trying to control and contain the situation not at a computery level but at a human scale level and that's where the top level decision makers uh again at the the national federal state levels at the business levels um uh they start to activate and and spend a lot of
Cycles focused on this uh emerging issue rather than some of the steady state issues rather than some of the other things that they were working on anybody who's worked any kind of incident knows crisis pops up you drop what you're doing you run to the where the ball is uh and so that's where everybody is focused exactly that uh it's an uncomfortable scenario and we're in an uncomfortable position because everyone's tired at the end of this day and no one's making good decisions and that's when the intent of that action becomes clear because in this scenario while America's in chaos that's when a Chinese invasion of Taiwan begins and if you looked at that statement that
that Admiral made at the beginning about uh China is preparing for an invasion scenario of Taiwan if you were going to do that and you were sure that there would be an American Military response it would be a logical move to try to delay and degrade an American Military response and a domestic disaster or a series of domestic disasters would definitely have some delayed degrading functional elements consider consider the media what are they going to be focused on when this happens when the invasion of Taiwan happens are they going to be focused on the domestic things where they can get you know b-roll of people panic buying things in the store shelves when they going to have the national
leaders on TV saying I'm going to get to the bottom of this we're going to fix this we're going to get you gasoline back in your cars and water back in your homes um or are they going to have you know b-roll footage of of carriers in the Strait of Taiwan probably more the domestic thing and if you think of 14 hours or 16 hours or 18 hours of communication networks being down transportation networks being down while everyone's trying to get to a Christmas Eve somewhere while a bunch of your defenders are getting ready to go on holiday I don't know about everyone here but when I observe things in that couple of days before the holiday break often
things aren't happening really really quickly stuff slows down well it's already slow people are traveling people are moving systems are not built for extra resilience at that time in fact they're often maxed and so what would the resp response be and you know if we step through you know what would happen in the following days and what would happen in the following weeks and why would CH to do this what were what were they trying to achieve what do they need to achieve and did they achieve that in this hypothetical scenario I think we could look at it and say if there was some sort of military action delaying and degrading a military response it would
actually be very effective to have domestic disasters in series with inter-sector dependencies affecting all of our normal operations there's we'll stop for a couple of questions comments and thoughts sorry going back to the time zone question and also the uh the uh impacts all of our frontline forces are in other countries along Taiwan and those areas they would not be affected by this in any way shape or form all the radars are up all of your carriers are deployed you're going to have the advanced knowledge of ISR all of that is in place and if our military is at least a little confident they're going to be looking at those ferries and other things that have been accumulated for
this invasion so I suspect that this would have zero impact on the ability for the first 5 to 7 days to respond to any of this activity even with distractions that may impact the longer term infrastructure questions that these types of attacks would impact that that's an interesting point I have a slightly different point of view which would be that um actually one of the most damaging things that would happen is our decision-making processes would be slowed down if you have a situation like this happening domestically there are a lot of people in places that deal with emergencies that are dealing with emergencies and I think it interesting point uh I you know I think it's worth
worth considering but I I would say there's also a possibility this might uh might cause some decision-making problems of delays right you you mentioned Bo earlier of like you know the National Guard in the streets of the US like we're you know the world's foremost superpower basically what psychologic would this do to people in other countries who are just kind of watching this whole thing play out even if they're not directly impacted by it uh that's a really great question and I um I don't think it would be good uh but I I that we'll say we'll shelve that one for a little bit later uh I think we saw a little bit of
this by a far less competent adversary in Russia and Ukraine right there there was there's some attempt at Cyber operations and I think we talk about cyber capabilities in um used against us uh we're talking about water and power and the remediation of those things um would happen in the coming days and weeks but I think you know as this drags out over time it becomes less effective in the sense that China does this in uh I guess with the intent of gaining um hopefully in their view complete control over Taiwan um and if that's not accomplished in their time in the time frame that it takes us to respond um in the region then it's
ineffective because I think over over time we've seen um you have a more capable adversary in Russia you know on paper fighting a less capable adversary in Ukraine um and with the support of others that's it it it's kind of their plans have fall fall to pieces and so I think as time goes on in this scenario unless China is able to control all of Taiwan and embargo that then it's not going to be effective in the coming weeks and months and that's a a really great point and I I do want to acknowledge that and I'll step back and say the reason we tried to put this scenario together was not just to explore the exact event of an
invasion of Taiwan hopefully that will never happen there can be peaceful ways of achieving means that don't require that but I think the the adage or or the the I I have a colleague who uh is former military and he he said one thing we know for sure is the next war is not going to be fought the same as the last war and I think that if we look towards war type scenarios and if we look at this idea of uh you know the Gerasimov doctrine or unrestricted warfare as the idea of the concept of war no longer just being about bullets and tanks and carriers but actually encompassing all possible activities and if we think in China
there is a competition between two superpowers where they don't have that same view of War not war there's a range of activities that build up to this scenario that are quite concerning and I I think that you know if we if we do sort of look at that and say you know I I'm it's an excellent point I don't necessarily want to walk through the if this then that with Taiwan what I want us to think about is here and our domestic infrastructure here and I was once told the best way to prevent war is to be prepared for it and I think what we're trying to highlight here is that our domestic critical infrastructure is
not ready for heightened levels of conflict whether they go all that way or not uh and I'll just sort of go for a couple more questions really quickly um I love all the enthusiasm in the room we're going to flip to a different type of questioning and so after one or two more of these uh I want you to save your creative brain power and juices your executive decision-making facility for the what do we do about this to prevent prepare uh respond and recover portion so yes go ahead just quickly I think this is kind of a best case scenario for America because um to have all this done to degrade our ability to help somebody
else is much different than it being to prepare the battlefield for a kinetic attack on us which is usually I mean any kinetic Warfare is going to have that preparing the battlefield cyber component of it and so for China or whoever to burn all that capability and Equity without us eating one missile I mean you know that it's bad for Taiwan because we can't come to their aid but it's it's almost uh couldn't have gone better for us that's an excellent point and you know again not not in the military uh you know bunch of amateurs who look at critical infrastructure and go wow whatever the event is and that is definitely a worst scenario um and and it you know might
not be China there are other adversaries who do not love the United States quite as much as we might hope they would otherwise um there are a range of scenarios where our infrastructure can be used in conflict and it can be used to cause a variety of outcomes and we're not ready for any of that is I think the the one of the takeaway pieces uh that I I want some people to at least think about and there are things that we can do to make ourselves more resilient and that's the next you know I think that's the next phase that we're going to jump into here pretty quickly is well what what can we
do and what can we do here and what can we do now what can we do in the next six months what can we do in the next year but we'll we'll yeah now that you had the preview we'll tag off in a couple more questions I wanted to just back up and challenge one of the assumptions here sure if you were to go back and look at some of our documentations on Emergency Response plans for some of the things we suspected the USSR might do in an allout conflict it was always thought they would do small nuclear bombs in strategic locations and not set all of them off leaving some as stay behind to
ransom the US to make certain actions if they were making other actions in the world and we have seen some indications come out of China they might look at something similar in a cyber realm so what happens when you don't lose everything and they have that power to leverage us to make certain actions that's a great point I'm not I'm not fighting the scenario here um it's just very different than I had conceived how this could play out and just as we shift to solutioning I want us to think there's a there's an acronym that I can't find published in the federal government but the in the risk lexicon is the closest I found it after 9/11 with
DHS and then early CISA they came up with four types of consequence effects and the acronym is HEMP there's a human consequence which is like loss of life in or injuries there's an economic consequence which is what it does to confidence and markets and GDP and everything there's a mission impact which is our ability to continue doing what we have to do for society and there's the P is the one that's always forgotten which is the psychological consequences and without the thought-terminating cliché of 9/11 we had a couple planes hit some towers the human toll was quantifiable the economic toll was eventually quantifiable the mission etc. but the thing that hurt the country the most
wasn't that everyone everywhere was hurt it's that no one felt safe it's that the longtail psychological consequences is enough so I'm not saying I'm smarter or different just what the scenario I've been contemplating and trying to see as we shift to the solution set is on an escalatory ladder I think they've already had a success in letting us know if they wanted to shut some stuff down they can shut some stuff down so that's kind of like the deterrent of stay out of our business in Taiwan if we didn't stay out I could see the next rung could be something like a demonstration of force not everywhere not concurrent but just as a reminder mess with us a little bit more
of this and then there's you know potentially south of tactical nukes and things like this it could be more widespread I think the the deep concern I have is we don't think they're stupid enough to declare war by a preemptive strike which is what this one was but that even a demonstration of force could have the psychological effect that a 9/11 did and since we are so prone what is the longstanding I think that what that does to to public support for the conflict is it's gone so you don't have to do something that would absolutely necessitate a superpower retaliation you could just do enough to humble us and scar us and on that front any of the
responses we do one of the reasons I am so bullish on trying to make sure we disconnect the things that we can afford to and we prepare and we have contingency plans is I think the psychological consequences are the most devastating consequences and part of our response should be how do we preserve and deserve the trust and safety of the public that's a harder thing to do but we don't even need all out doomsday scenarios to have long-standing psychological consequences and the last thing I'll say is so far heard many many happy things not happy encouraging things from the Brain Trust in this community last two days but the one thing that scares me the most is almost
everybody takes it on the assumption that we'll repair in a couple days and they haven't really been listening to Dean and others which is with just-in-time manufacturing and no surplus and razor thin margins we don't have enough parts to fix all these cities reaches it'll be not not days or weeks but months or years it'll be like the Key Bridge in Baltimore so if we had enough healthy workers and enough parts and enough time to concurrently fix them all I'd be shocked so I really think we don't get to decide how widespread or what sequence at 3 in the morning or what day it is but we do have a way to control what we can control
which is we can prepare the communities for the scenarios we can reduce idiotic elective risk we can try to have some non-cyber responses to weather the storm and this is why I keep treating this more like a natural disaster or disaster science or FEMA type response which is we may see bad things they harm us less when we're we know they're coming and we know what we can do about it so I should shut up and let the scenario unfold but I I don't think we have to go as widespread to do serious psychological harm and I think some of our focus collectively should be how do we make sure that we are obvious and available
helpers to help and be helpful before and after some sort of disruption yeah and especially uh on the supply chains if our number one uh microprocessor par supplier is now off the table even if China doesn't take Taiwan we don't have silicon anymore sorry what does that do to the supply chain degrades it even further and it would be months and months of us trying to recover which is why the political decision- making would probably pause us before we got ourselves involved in an active conflict which would um possibly not let us get involved until after the uh invasion was already complete so you only need to delay it for maybe a few hours maybe a couple of
days I I think you know looking around the room everyone now looks thoroughly demotivated and uh upset uh and I I would just sort of say one we are going to look at a second scenario where it's not that catastrophic initial multi- sector attack it's you know we're going to look at a different type of event which is just a a larger impact or a large enough impact but not one that you know not one that would go all that way something that's a step closer to what we might consider an act of War but if you if you did look at that and you said what would what would somebody do if they were trying to cause
disruption if they didn't want necessarily to have attribution or even this become obvious that this is part of that sort of scenario I I think that when we were talking about it one of the things that could happen would be cyber attacks against water because of the interdependence between water and healthcare and the interdependence between water and other things and there there this is where the rubber really hits the road because there are actually things that can do about it and we're we're not in 2027 or late 2026 yet we're we're here and now and we have a bunch of people who sat and listened to this for a really long time and there are
things that we can actually do I think the first thing you know part of the reason to agree to this talk was we said we need to have it be okay to talk about this because sometimes it's really difficult to talk about a scenario that's not nice and not comfortable and would have a significant impact on our our normal way of life but if we don't talk about it we can't think about how we should fix it and if we don't think about how we can fix it it's probably not going to autocorrect on its own uh so this is a chance for us to ask the question what can we do about this how
can we take steps to become more resilient and that's what we're going to transition into now is I'm hoping to ask everyone here to start throwing out some ideas of what could we actually do to prevent these scenarios or to mitigate the damage what could we do left and right of boom of an event either a larger event or a smaller contained event against a particular sector how can we increase observability prevention you know what can we do to improve our technical response and to basically to preserve the continuity of our national critical functions so and when we're when you're thinking about these ideas I know that we all live on computers and we think about computers a
lot but that's computers aren't the things that we need in our life the way that we need water the way that we need air the way that we need electricity the way that we need medical care think about those human-scale things how do we ensure preservation of the continuity of those things computers are one way but there are others so uh and as people give suggestions um the moderators have asked that you give suggestions without commentary so so that more suggestions can be given given that uh critical infrastructure is a federal over I mean it's a federal function making sure that there are common minimum security standards for specific elements like knowing your system better understanding
end to end what components your systems use and ensuring that they stay up to date just minimize the initial vector as much as you can okay so initializing initial minimizing initial vectors that's that's one thing I'll just say because a lot of us in this room we wear a lot of hats I'm Medical Reserve Corps so when something like this happens I disappear to the health department I become unavailable right so you would already be going off to help what you know and maybe a follow on is well what else could we do to help the medical corps in a situation like that okay but um with the water you know having that slow roll for for awareness I kind of think too
understanding the classification of the incident and how to communicate that within the decentralized environment of the different water systems okay all a couple suggestions I'm a little bit biased because int intelligence is my role but uh I strongly feel that intelligence is really the only proactive cyber um discipline so getting intelligence to these uh groups whether that's um encouraging them to uh join their local ISACs or their industry ISACs and um getting more funding for those ISACs and then the second thing I live in a small enough community where I could probably be on a first name basis with um the IT person at the um at at at the water um provider or the electricity
provider so being involved in that way are you with the am I do I know them not not yet recently moved so you're assuming that there is an IT person provider you're assuming that they can join an ISAC you're assuming that there is uh someone who can take the intelligence and I think that those are um in most cases in most critical infrastructure areas we looked at those are unfounded assumptions so I don't disagree with that but I want us to to start thinking about how we scale this down to organizations if you're going to have a computery thing it's got to be somebody something that your next-door neighbor who's never touched a computer can operate has to be that simple so one
of the things we can do also is help uh good faith security researchers and help the companies understand how to deal with them when they do disclose a vulnerability into some of their systems uh there's a lot of them that just don't know how to deal with that I good faith disclosure is an important point I think if I were to weigh in on that one I I would agree but I think that maybe the horse is out of the barn there um you know we're at a point where we have a ticking clock to actually take action and we I think it's helpful to think of what we can control and I'm going to say
you know one of the things that occurs to me is while that's important I think we have to be thinking of uh further outside suggestions you know the idea that that Josh has put forth in the past of if you can't afford to protect it disconnect it like we need to start thinking about things like that like if you you know absolutely we need to help the security research Community but that will prevent things probably further down the road if you can't patch your systems because you don't have an IT person you probably aren't going to get to your vulnerabilities but it is it is an important point but that's probably a longer time Horizon to to get things down to in
everyone very personal level I would recommend that FEMA step up advertising ready.gov that talks about how to prepare for natural or man-made disasters how to put together 3 to 7 day emergency kit and basic things that everyone can do and further if you want to do messaging to the other side if you suspect that they're going to try to do something you step up the advertisements to make sure that they know that you're ready to go right showing that you're ready is fantastic and and this I'm going to just dwell on this point before we move on because to defend we need defenders and if I you know if I think of my own preparedness and what I can do
you know if I if I think of hey maybe I wouldn't have water or power for three four five 10 days uh you know am I ready well okay I do have a box of LifeStraws so maybe I'm slightly further ahead but we all need to be thinking about what we can do to be ready to help our families our communities our country so I just you know I would say keep that in mind as we go through ideas but please let's keep the ideas going and going back to the airplane analogy first put the mask on yourself before you help others yeah if if we have outages like this we got no electricity you're going to wake up
in the morning you're going to go out your front door the only person you're going to be able to talk to is your neighbor so now is the time to get to know your neighbor find out the skills that are in your neighborhood you might have you might just be three degrees uh of removal from the emergency management coordinator in your community and that will give you some some ability to to begin to prepare in a distributed way because we're talking about a distributed attack we're going to have to have defense in every neighborhood civil defense cyber civil defense y'all so we we're talking about you probably should do bottom up things as as as well as top down and I'm European
so for me this feels much more comfortable than for you all I think but you need to regulate you need to measures to force companies to take Ser cyber security and uh resiliency seriously it's disruptive to your company when the Cyber Resiliency Act or something like that lands and uh determines that multiple product lines you have are critical infrastructure and need to meet this list of standards but it does add value I would agree with you I think if we look at this and we say we have two years to do something and given the track record of trying to get companies to be you know gosh I kept thinking through series of events that
now now we'll have new regulation now we'll make change well nope that's maybe we're past that and maybe we actually need to think of what we all can actually do without relying on somebody else I think probably one of the other great things that we could look at would be de-isolation of some of these issues can we rely on on you know develop the help develop the infrastructure in Canada Mexico so that in the event of something of like this our allies can come to our assistance because their systems are more verbose through our help yeah and uh my plan is I'm going to go stay with Carl for a little while in uh one thing I'm not hearing anything
about is how it's paid for so there's two components one is how to address the risk mitigation because traditional risk mitigation approaches uh go probability of effect and how much it's going to cost and that's how much money you have we need to change that formula somewhat the other one is how do we incentivize profit companies to do these things so if we look at Transformers in the United States those former monopolies which are now operating as independent for-profit businesses are eliminating things like Transformers and things things assuming that they can have the open market to come in there and fill those at a cost effective way so the under uh the underlying key is understanding the cost
model and promoting a profitable way to do all of these things good point thank you I I would like to say that as this is is playing out I would like you know my friends and family maybe not to be vectors through which disinformation might spread but honestly I don't know how to do that and I don't know how to keep myself maybe in the heat of the moment from becoming a vector myself the it's easy the internet's [Laughter] down so I come from the local government space and uh at the municipality that I worked for a few years ago we would actually drill community resilience workshops where we did a scenario very similar to this not as a result of a
cyber attack but just for any reason all systems go down where can you turn in the community how can we as a city bolster those hubs uh to support the citizens that would come to them and then also crucially to the psychological aspect if you already have this built-in sense of readiness and community and preparedness then it kind of tones down a lot of the fear and like uh like as it's muscle memory so you don't feel as kind of jarred if you're drilled in responding to this yeah you know I think as you talk to your local communities I mean we don't necessarily have to talk about this exact scenario which is uncomfortable we can talk about hey you
know how about a product class fails à la CrowdStrike there's lots of unfortunately there are lots of reasons that we could end up in a situation where our infrastructure is not operating the way in which we need to and we've sort of run down the line of uh you know on a spectrum of efficiency to resilience where one you have no spare parts at all and everything works perfectly to one you have a spare of everything and you can fail gracefully and repair and replace everything we maybe need to start having discussions about tuning where we are in that spectrum and that that the conversations we need to have and the the drills that we need to do
probably aren't these ones this was the the the point of this talk was to bring forth a probably worst case or near worst case or very uncomfortably bad scenario to examine what happens if hopefully that will never happen and if we work together to try to figure out ways of drilling and being ready we decrease the chances of it happening I was going to bring up drilling like we teach our kids at grade school what to do in case of a fire where your fire exits are where to go it reduces their Panic it builds muscle memory and without spending lots of money on the cybers or waiting for Federal Regulation to patriate for the next 15
years we could do lightweight tabletop crisis simulations in the heart of what B and Christian and I and Jeff did with CyberMed Summit is we shattered assumptions with two-hour exercises with no budget no money no not a whole lot of planning we just got people to figure out what would you do and make mistakes in a game instead of in real life and on the same front to your point that you were starting to get at if we go to introduce ourselves during a live fire crisis with our Mohawk or or our hacker t-shirts especially after not showering for three days it'll be like DEF CON every day um that's not the time to make friends and
build trust so I think some of this is making sure we introduce ourselves and obviously we want to equip you with some curriculum or talking points or well vetted approach patterns but each of you live in a community and you could be a local resource if you make yourself known available we could also become advertising for a lot of the free federal services and grants that no one taps into right now so I think we got a lot of the raw materials we have not done the communication and connection stuff that would either make it less likely this will hurt as much or more likely it'll still hurt but we will be less panicked in our response and know
where the helpers are thank you that's excellent points and there's probably I mean looking at the question that there's multiple layers to that I mean at uh in the UK for example we have local resilience forums so LRFs where it's sort of the local authorities the police the fire everybody comes together if there's a if there's a big incident and that's where everyone goes so there's a local solution to this I mean a lot of people shouldn't be expecting big government to lean down to be able to help when it's at this scale and the capacity and capabilities that you had yesterday are the capacity and capabilities you're starting with at the start of the
incident and there's a lot of people expect magic to happen and people to turn up to help where that just doesn't exist the spares you had yesterday are the spares you have today um in the middle of all of this but I think it's also really important to to work out why we're doing it it's not just to recover services it's this is about deterrence if we nationally can maintain pain levels that our adversaries may look to impose on us then that itself is a deterrence I mean in this scenario so far there's only one nation that's actually suffered an armed attack and that's Taiwan so if you go to the Clausewitzian definition of war it's it's a use of
force typically because something was exploded and moved but at the moment that hasn't happened on the Cyber piece of it so really even if we wanted to trigger something like NATO we're at the sort of article four are we at Article 5 stage by definition not quite yet we haven't done attribution yet so this is about giving the the political head space nationally by having the resilience to be able to cope before we have to do something that the pain level is such we have to escalate um so we've got to keep remembering why we're doing this it's not just recovering services and saving lives this is this is a proper National challenge thank you feel like David's probably put in a
100,000 steps in the last two days thank you uh excuse me if I come off pessimist for a second but I want to take the time to kind of analyze and step back to a greater scenario so based on my experience I'm based on my experience I'm 38 years old I've been in the country since 1992 you know I I I have a decent education but this scenario this checkmate scenario that I understand has taken China decades to get to this point to get to this checkmate with that said to change or to basically solve this in 2 years is to me almost nearly impossible cause you would have to have a top down approach what we're talking
about here are great Solutions But ultimately Band-Aids little pocket Solutions because we know that the top is really you know the ones that trickle down a final solution but we know that the top is only interested in one thing the next term getting elected right so I think if we have a way to penetrate the top brass the top political leaders within 2 years to make a complete dedicated solution to this scenario maybe we have a hope but pocket Community Solutions I don't think might be able to get to where we want to in two years I appreciate the comment I would probably counter that and say uh by that rationale we should do nothing and I
think that there are things that we can do to be ready and and my experience actually isn't that it's that there are a lot of services and government agencies and a lot of the time you know CISA for example has a lot of things that can be done and a lot of people that don't know about that and I think there is a push to be thinking about resilience and there is a push to try to fix our infrastructure and to make these things happen that that is you know we heard earlier from somebody who is at the White House and there there are things that are being done and we need you know we can help act as connective
tissue to our community to make sure that flows faster so I I actually am am maybe more optimistic and bullish I understand that perspective but I think that there are a lot of people in the right places in government who actually really do care about this I think there's a lot of people in our broader uh defense Community who really care about this there's a lot of people who are tasked with critical infrastructure who care about this but there's a disconnect sometimes between that and the people operating the local Municipal Water company or you know we need to prepare for resilience in all kinds of ways not just for a scenario like this but for a hurricane or for a
extreme weather event that might hit we can become more resilient and prepare for a wide range of things and benefit in all scenarios so I I I would counter that and I would say actually I think there are a lot of people in the right places in government who do care there are a lot of solutions that are being worked on and we can help bring that message to the people who need to hear it and we can help communicate and help build that resilience more quickly we can act as an accelerant and get a lot done in two years if everyone works together yeah I think uh I understand your perspective and I I understand how
you came to it uh I think it is right in that we will not prevent any bad thing from happening it is impossible to prevent any bad thing from happening so between there and there are no humans left alive in America there's a a spectrum and a gradient and we can go more towards a better outcome than a worse outcome by acting even if that means uh we still have some impacts we're still degraded um we can have a a much better set of fixes in place uh to prepare prevent uh respond and recover uh our society more quickly um than we would otherwise uh because I don't want to I don't want to go down the the nihilism route just say
like well time to move to Europe or you know do something else um I think that there are things that can be done um to address many of the things that would cause this long-term permanent severe harm so um I'm going to take the opposite View right so to defend we need Defenders we've got the Defenders we need to let them defend right we need to you know we need a massive streamlined grants program to fund them we need to give all those um you know cyber security graduates who can't find jobs because they need four years of experience to get an entry-level job we need to put in place the road maps you know the mentors to put the funding in
to you know have mentors accompany them to these organizations that need the help we need to have those organizations not be tied up with a whole bunch of grant writing to do that I mean heaven knows the number of fire departments have had to help write grants right you know we need to make it easy for the defenders who we have who want to defend to actually defend and as a former teaching academic the fact that that the people who want to do this have so many roadblocks before they can actually do this pisses me off I'm sorry right there just they want to do this they have the skills and everywhere they turn they get
kicked why change is hard now I don't have a good answer to that but I think part of the reason we're here is to look at what we can do and and that's a good point there's lots of things that can be done there's lots of things that we can do probably finding a way to to let Defenders defend is something that needs to be done I meant this or we meant this in the context of what can you do and if you don't do anything to prepare for an event of any variety when that event hits you don't want to be the one you know if if if I'm going to try to help
when something happens I need to be able to have water to drink food to eat I need to be prepared to be able to defend so uh I'm being subtly told that we'll have about five five minutes left um to respond to your point uh one of the things that we can do is maybe accelerate the national uh program um for getting more people in position so if I were to go back and tweak this slide to defend we need defenders in defensible positions yes yes exactly so what else you on I mean do you want to wrap up no I'm happy to let you wrap up okay um well I think this has been a productive session
clearly there's a lot of people with a lot of passion for this type of a topic um there's a lot of good ideas that I heard uh coming from all across the room which was really nice uh I think the the thing that I would want to leave you with is uh first even if you believe that this is an implausible scenario one in 7.9 million odds we prepare for uh much less plausible scenarios every single day uh we do at hospitals we do tornado drills in places that don't get tornadoes uh hurricane drills places that don't get hurt we do other drills in places where um you won't see those types of disasters we can also do those
types of things for much more likely types of scenarios because whether it's a war or uh friendly fire from uh software vendor these types of crises will happen they will become more increasing as our dependence on connected technology continues to increase um I think that it sounds like there's a lot of uh excitement to do things I heard several suggestions about get involved locally meet your neighbor I think is a great one um meet other people uh is also a great one go and talk to people about what you're passionate about um I've had great experiences like finding random people uh I recently moved and there was a guy moving stuff into my house uh like from
a big warehouse someplace um and he came in and he saw at DEF CON he's like oh you went to DEF CON one time I'm like yeah let me tell you about this and like we just sat there and talked for like 20 minutes about cyber security and about hacking he's like this so cool I love it so people are really excited to engage about something that you're excited about and also something as cool as what we get to do every single day cuz it is kind of rad so I think uh like I think it was Josh you said yesterday go out and stare at somebody else's shoes or maybe that was Sick Codes um I mean Casey
John Ellis uh so uh getting out and and meeting people and being prepared for things in that human way uh is a good next step to take um also continuing to be passionate about the things you're passionate about to fight for getting more people employed uh in good positions who are capable and have those uh experiences in backgrounds uh these are all going to be effective practices um and to look at some of the programs that are standing up uh you know there have been several that stood up in the past few years in addition to I am the Cavalry there are things like the CTI League all volunteer programs uh there are things like um the uh Civilian Cyber
Corps uh there are other uh nonprofit and for-profit uh and just your volunteer opportunities to get engaged and get involved uh to get outside of uh the work that you do maybe every single day and do it more broadly to serve your community so that those are my takeaways from this please join me in thanking these two fine people [Applause]