
good morning bsides las vegas i hope you're as excited to be here as we are so thank you for attending um excited to have you back with us this year in person a few announcements um we'd like to thank our sponsors especially our diamond sponsors lastpass and palo alto our gold sponsors amazon and visiom and plextrac with their support our sponsors donors and volunteers this event wouldn't be possible so thank you to all of those that have made this event amazing this year this talk is being live streamed so please take a moment to silence your cell phones as a courtesy to our speakers and for those following online if you have questions there will be a
microphone up here so please feel free to step forward and ask questions and then no pictures without speaker's permission so with that i will pass it over to josh all right thank you welcome to day two um this is the meet the press fireside chat we are we talked about everything's on fire yesterday or things were flammable and stuff's on fire so let's have a fireside chat with some of our favorite journalists um there are a lot more puns in our wedding dolls than there will be on stage today but um so a couple things just to frame the day and then we'll get to uh introductions for our panelists or our fireside chatters is yesterday was really about we started
the cavalry nine years ago we wanted to tell people stuff was flammable that our dependence on software and technology and critical infrastructure was growing faster than our ability to secure it we were worried about where bits and bytes beat flesh and blood but we knew and we told the room that no one would really listen until there was proof of harm until we had existence groups and feel people are actually hacking these it's one thing to do stunt hacking of a car or a medical device it's another when it manifests harm and could represent a crisis of confidence in the public to trust these connected technologies and we don't want that so while any loss of
life would be tragic we realized the failure mode was not merely a loss of life but any sort of crisis of confidence for people to trust otherwise superior medicine driverless vehicles that the light switch would turn the lights on or that the water was drinkable and in the last two years in in parallel with the global pandemic we saw successful attacks of the water we drink the food we put on our table the oil and gas that fuel our cars our homes and our supply chains the schools our kids attend the municipalities who run our towns our cities are functioning of government and even timely access to patient care with uh mortal consequences as we saw with
kendra's talk yesterday about the cisa covid task force findings so we have seen that delays affect patient outcomes and loss of life and protracted cyber attacks introduced delays sufficient to drive those outcomes so i think one of the head scratchers for us in the cavalry was now that people can see on john oliver on hbo or on you know it's main street news that you couldn't get gas so there have been disruptions and there's been hacks we really thought there'd be more political will and more advanced conversations about what to do about it and now we're asking between yesterday and today is how should the mission of the cavalry change and evolve now that we're not telling people and
educating that things are flammable but now hopefully trying to drive down and minimize risk a little bit more fire fighting or engaging those underserved by either the private sector or the public sector and we lovingly call that the cyber poor so what i really wanted to do is we've always loved working with our press and it's always been a difficult thing to talk about future risks and slow moving risks if you saw the movie don't look up today's opening session is to say how did the world look nine years ago before there was proof of harm and how does it look now that we are having main street mainstream kitchen conversations to quote bryson from yesterday about
cyber attacks affecting food water shelter safety and maybe learn from some of the journalists that have been on this ride for a while how this room and this community should think differently about pitching stories making ourselves available focusing on the public good instead of the private enterprise good focusing on public safety human life instead of record count and we don't have good answers to this but i've started some conversations with lily and joe and i will let them introduce themselves so we can get into some content and there are microphones and if you do ask a question i'll either have to repeat it for the streaming because people are watching from their rooms and from the
intertubes or just go up to the mic and uh you'll be heard yourself but uh let's get started on the meet the press would you like to introduce yourself lily hi hi everyone i am lily hay newman i'm a senior writer at wired and i've been on information security cyber security digital privacy beat for six years and i was a general interest tech reporter before that so uh going back to the start of the cavalry uh i was definitely writing about adjacent stuff uh so it's yeah i'm happy to be here and it's it's really interesting to think back to that time and sort of reflect on where we are now i think we don't always
have a moment for that type of reflection and i think it's really productive um my name is joe uchill um i am let's get a little closer sorry about that my name is joe uchill and you can hear me now uh i am a reporter for sc media um which is a business to business cyber security publication before that i was at axios and started the codebook newsletter which i think they're about to bring back so hooray um i've been covering cyber security as um like as an ex exclusively covering it since just before sony so what's up 2014 2013 2015. it's weird that i can get the i now date things by news stories um
but yeah since around then um it has changed a lot uh i think back in uh when i was starting out i could not show up to the office and nobody would know and now now it now it would be a thing if the cyber person wasn't that yeah during our prep i was trying to say so i guess this is a good a good place to go which is um if we try to do a deliberate compare and contrast between 2013 uh and now um one of the things i pointed out is we had just had the snowden revelations and there was probably the worst levels of trust between hackers and government that we were going to see for a while
and quite a few white hat hackers or helpful hackers were pretty angry and looking at maybe uh going a little gray or a little charcoal colored in their hats and people were upset and it was really difficult to say let's try to be a helping hand to drive safer outcomes with government partnerships but we also were pretty worried about that we'd seen some medical device hacking from barnaby jack in fact he tragically lost his life just before we launched in fact he was supposed to be in the room with us we uh saw some car early car hacking but it was considered theoretical or it's not hacking at times um and one of the things we told the room
was people would have to die first before they're really going to listen to us and then somebody shouted out why do this then and i said well we want to be have a head start and build the trust and lay the groundwork and the scaffolding so that they turn to us instead of lesser people with lesser motives and lesser ideas so that we don't have an overreaction like a cyber patriot act or something but the whole goal here was to maintain the trust of the public so if you situate yourself in post-snowden revelations anger and distrust between government no fda regulations and what did coverage look like um and now just free of pre-associate i
guess well i was just thinking we were talking about data you know dating the passage of time with news stories and it that era was really like a data era i feel like where like data can be accessed or it exists in troves like that was the big concept because i'm thinking about i think it was early 2014 like maybe february or march that the target breach was revealed and like neiman marcus and i don't know this is feeling very retro in my mind i'm like wow we're back in this era but um i feel like that was those were some of the big mainstream discussions that year along with you know what you're saying
about the snowden revelations so it's sort of like a you know bulk surveillance collection corporate data troves what if people were to access this data like moment or that that was like where people were at in sort of the mainstream in terms of what the press i think was trying to convey to the mainstream audience um i sorry i almost did the same thing again um it's strange like a lot of the result i don't think we quite knew what we were covering yet because so many of the threats hadn't materialized so a lot of things were very speculative but crime was since it was crime was as as always mostly data breaches and the the nation-state
kind of level was still very very driven by um it was still very uncertain like we people didn't understand how attribution was going to work there was the north korea thing where people sort of sort of reject it um i think since then we've seen sort of the rise of news covering um every breach and making that the big event like a breach by breach by breach and that being the big news story of the day and not really taking a broader look at it um i think that's sort of dying down but only because they've been concentrating on single breaches longer but it seems to be very event-driven now um whereas in the past it was more
speculative if that makes sense yeah and i'm also thinking about like we used to cover i don't know even thinking you know i always and i'm sure you the same way like we were always trying to uh have the most context possible and do smart journalism like joe and i are both trying to like do good reporting and not just go breach to breach or something but it feels quaint to think back to some of the coverage like you know even five years ago or something stories that wired readers were super super interested in like massive traffic which not for its own sake but in terms of who was reading like the number of people who were reading
uh i'm thinking about like stories about what's the biggest volumetric ddos attack that's ever happened it would be like now github was hit with the biggest one now this was hit with the biggest one or cloudflare whatever and like people were very interested in reading those stories and it would cause you know maybe outages for a few minutes or an hour or like the company wanted to talk about it because they didn't have any downtime at all or like whatever but it you know it's just to say that that was where we were at in terms of the collective conversation of cyber attacks and impacts one thing that we don't get to write anymore and it's for the better
around 2016 and for for obvious reasons there was the rise of the um that wasn't hacked news story like where there would be a power outage and you'd have to write a new story about how that wasn't hacked or apt
um i think people are a little bit more a little bit less on edge that anything could be any anything that went wrong could be hacked well i mean it isn't really anything that can be wrong for that it was really all power grid um and i think that's uh so but yeah sorry yeah it's it's hard for me to even ask these questions because i've always been on the i care less about my credit card and more about my access to patient care you know we've been here for nine years we've been trying to get the world to catch up a bit but you know i would say that as you think of how we
used to characterize stories it was record count or dollar amount was the unit of impact and now it's potentially quality of patient care or how long are you without oil and gas or how long can a municipality not function and perform the duties it needs to to keep its citizens safe and you know one of the supply chain cascading impacts of a meat packing facility getting hacked or cream cheese my daughters were about to riot because they couldn't have cream cheese for their bagels for a while and people didn't know why and part of why was there was a hack of one of our concentrated uh developers of cream cheese um exacerbated by trucker shortages
exacerbated by other covid factors but the net outcome here is if there's not enough slack in the system you know even these seemingly unimportant ransoms of a single entity could have cascading rippling effects on you know if my kids are going to riot for cream cheese so i care a little bit less about cream cheese and more about losses of life but it is often difficult and this group has found it difficult to get these stories told that are about the public good instead of a specific victim so we're all ears for advice on how editors are shifting focus or what stories have a chance and which ones don't you know how we might both respond in organic changes but also
try to affect maybe some deliberate changes so that we can ensure there's not always and i can't i still find people who say well yeah josh people might have died but what about the record count like there's just a really palpable part of us that is painful yeah i think there's a belief that and it may it might bear out in in traffic numbers but there's a belief that if unless it's kind of unless it's unless there's an enterprise angle unless you're talking about um you're talking to businesses it's tough to sell advertising uh um at least that was the sense i got at axios um where uh they wanted it to be more more either about controversies from big
tech brands or um more about businesses or know i i hope that's changing um i i've been at a been at something that solely covers the enterprise for the past two years but uh i think that there's as people have seen real-time chaos engineering um you know the power outages in texas or like you were mentioned colonial pipeline people have a better sense of what can go wrong but i think it's one at a time yeah i don't know if there's i think that people are very driven by stories like not not necessarily um people like a narrative rather than a fact and that's it's easier to tell a narrative about people lining up for you know lining up
for gas to put in their trash bags than it is to say um to cover the you know the effect of copyright law on uh on on hacking hardware well and yeah i i want to add like we should talk a little bit josh about what we've been discussing about the interdisciplinary nature of some of these stories because i just want to say first that you know i think what we were saying about what you said about it used to be i could take a day off and no one even noticed and now it's like where is the person who needs to write about this every single day like i've that is a real thing and that's a real issue with
getting stories written and getting them to break through is that there's just so much going on i mean it used to be when i would come to black hat and defcon and and bsides and cover talks at all the conferences like there was nothing else i needed to be doing that week but that right like that that was the you know news that really needed to get out there that week and now it's like 30 other things are happening this week and i'm like like what you know my editors and i are like what do we do because you know so anyway i think and so especially you know to transition to you know what we
had been talking about like stories and what you're saying about narratives and real human stories that are the most important stories that we all really want to be telling that are the most impactful those stories take a lot more time a lot more sensitivity and and various types of expertise and it's just a very there's like a lot of cooks in this kitchen you know i think one thing that's worth noting um and this is for the better um more people who write about cyber security are focused on cyber security now than there were um at any other time in history it's a fun thing to be able to say um i think that if you remember
uh norse um with the aei report that uh um speculated that iran was hacking the united states hundreds of thousands of times a day it just turned out it was you know background noise and ppu um that can happen those kinds of stories can happen the uh the the power grid story in the washington post i think that that was the vermont was that there was a there was a time that they had said that some did have the power grid that turned out to be the ms blaster from 2013 that one no i think it was around 20 well yeah the fact that there's more than one example point um a lot of those things slip through
because the people who ended up covering cyber security stories were people who had no infosec background and can be easily swayed by the um by things that sounded very impressive um but not but didn't really have a sense of how to evaluate whether or not they were true wow there's so much i want to unpack from this i'm just going to scatter shot a few things i heard that we could play it on us choose your own adventure because any one of these could turn into an hour conversation one of the things that surprised me um i'll just enumerate them uh not prioritized one of the things that surprised me is i've actually seen a
thinning out of journalists um a lot of really good journalists and really good beats have gone away and now some of those excellent journalists are in sponsored corporate journalism they're still doing good stories but there's always that risk that there's an editorial slant towards that market or that product set and i still love and respect these journalists and it's it's sad to me to see so many of them not working for a news outlet or independent news outlet but doing news under the imprimatur of some corporate entity so number two um a bunch of us are observing there's stunningly few journalists here in vegas this week and it's possibly covid it's possibly competing stories it's possibly that
this isn't sexy anymore um but that is an observation i think worth noting i'm very glad you're both here um number three um i worry um about where lily was going we talked about this in advance some of the stories that came out of our covid task force were so multi-disciplinary in nature you couldn't find a single journalist with a single beat that felt comfortable doing it and unless there was capacity in their medical companion or their government oversight companion these stories couldn't get told so there was a level of complexity that created enough hesitation for the harder the the more substantive stories to get told so pick apart any of these or none of
these but i have some concern over this i i guess working backwards um it's easy it's easy for me to say uh lily should do it but um the uh i think i'll take all your scoops too the d i think that there you with uh things that are extremely multi-disciplinary you might have better luck with magazines where they have time to do thought out coverage uh compared to newspapers where we're expected to increasingly put out a story not only every day but every few hours when i was at the hill um i was at the hill but also i didn't say that in my bio um but the expectation was four or five stories a day wow um
and by the time i was leaving they were trying to figure out which four or five stories a day and i remember they were really excited about a lacrosse team that was hacked because i thought that would be very popular it did not turn out to be very popular um but uh at least i got to learn that there was a professional lacrosse league so that's that's something but in terms of the uh the five story a day model isn't great for things that we have to learn outside uh learn something new um one story a day isn't great for that but it's possible um or but the people who have time to really write things out
uh probably have the best chance of understanding something that covers more than one thing but i think you really hit on it because the thing is i think the jbs uh meat you know ransomware attack supply chain attack uh is a great example because it's like to use the example of wired the thing we don't have at wired is someone who's sourced up on the meat supply chain right right like who does or who does like meat futures or like we have no meat coverage guys so i i think this really raises a good point that some of the blind spot or some of the like you know best intentions where stories don't end up happening that josh you're
saying like how do we get these stories to happen comes from the fact that certain publications potentially have the like institutional expertise if you put multiple people together but there's the pres those are newspapers and like wire services and stuff that have their own pressures right like reuters for example they do amazing cyber security coverage um they they were an organization that i was like okay they're more likely to have solid stuff on jbs i'm just using this as an example because they've got cyber security reporters they've got you know meat people they've got you know all the different like um whatever import like you know reporting expertise or import export all the different things you'd need but they
don't have time right they only do a certain type of story like the the the sort of 200 word or 400 word reuters uh and i mean occasionally amazing long investigations whatever but just to use this example whereas wired can go really deep on something but can only put one or maybe two reporters on like a deep investigation uh so yeah i think that's really getting to there's an interesting thing that goes along with that um kim zetter once made the point and uh that um one of the nice one of the ways you could tell it was going to be a good news story is if one of the names in the byline was the the
research person you know the person who um many newspapers have a not just an archivist but somebody who's in charge of sort of be doing background and research fact checking and things like that that sometimes will get their name in print um as part of a story and that creates a great sense of institutional knowledge and i don't think that cyber security really has that a lot of the reporters are young um and i think that that sort of gets some one of the other things you're saying a lot of the reporters going to either either becoming a lot of the older reporters moving towards um public relations or um the you know things like the record which i
say that they are independent so uh just to be fair to right um um there are great farm systems now uh i think cyberscoop has created a bunch of really good reporters um chris bing came from there um a few other and we were supposed to have a cyberscooper on this panel right make the flights for that one yeah suzanne's had some great initial stories shannon you know like a bunch of really good people have come from that and one of the things that's really difficult in journalism is finding somewhere that will train you to do something well and so um while some of the more venerable people may be doing more things that seem
that seem distasteful i think that there's a group of people there are more people who exist who might be able to okay to handle them and um it's hard to jump off my own shadow when i ask this it's a bit of a loaded question but as somebody who i think has kind of rallied the public interest public good public safety subset of the hacker community we often cringe when we see people we like and respect for their enterprise perspective or their corporate for-profit perspective being quoted on public safety stories when the message is optimized for private interest instead of public interest and i think some of it i've seen is just people get used to you know reliable
sources or people that are quote worthy or might get more clicks because their name but they may exactly be the wrong person to ask like we'll see something where there's collectively 100 years of experience in the room and somebody who spent no time on that topic is the lead quote um and you know i know that that's some journalism 101 stuff but is there a need or an opportunity to differentiate between corporate security and consequential security or private interest security and public good could there be a discipline where it's easier for any journalist to find sources in category a versus b or am i just butchering my articulation here i think lily might have a better sense of
it than me uh because your beat is more business to business right he's more business to business um but i think that that's the fact that there are publications that are business to business and not publications that are public to public right um sort of says something that uh the uh people are interested in the enterprise point of view because many of the readers of these stories are in fact enterprises uh and want to know what they should be doing and want to know how they won't be in the next one of these news stories um i don't want to say that the public doesn't matter but um from our perspective yeah don't say that yeah
from yeah from from from we have a business model and you're yeah from the business model that i see is to talk to enterprises about what they should be doing rather than talking about public good yeah and uh i am no longer in cisa i didn't work on the colonial gas example so i'll ask a question from a distance without inside knowledge but that's an example where typically in a country a public good like oil gas public utilities it's it's a responsibility of the public sector but in our system of government we delegate a lot of that the ownership and operation to private entities so when you have a breach like that and people come monday morning
quarterback the decisions made it seemed to me from the outside that the right thing for shareholders might be to preserve integrity and billing and shut things down but that that unilateral decision might hurt the public interests of the eastern seaboard for a while so when you have a tension between what's right for the enterprise and what's right for the country or the region um i think there's an incredible story here of have do we need to recalibrate the social contract between the public-private partnership and you can delegate operation from the government to the private sector but you're still accountable for it so are we actually able to govern reliable maintainable access to critical infrastructure or have we gotten out of balance and
i i found it really there were a couple of decent stories about what happened but maybe not the strategic implication of that public-private partnership yeah i'm having trouble organizing my thoughts but i think it's because of what you said that th this is like a societal level recalibration that one could argue needs to happen in the us but then i'm also thinking about how globally like a thing about when we're thinking about this you know the years of the cavalry or you know since 2013 or just like recent years of cyber security and the security industry like the the private sector has been so uh just has has led so much of the narrative and and
shaped so much of the narrative uh and and sometimes in good ways and sometimes in like cart leading the horse ways um so there's like a sort of parallel thing there but i think that issue you know some of what you were talking about just now is us uh centric but the the larger security industry and like what people understand to be the scope of cyber security topics uh and even like uh uh thinking about like the concept of cyber war so much of that has been driven by the private sector that i i can see why there is this like decoupling that needs to happen or that someone might feel needs to happen because it that's sort of how all of
this has sprung up and i guess that's sort of the classic like black hat versus defcon thing of well where's the space for all the vendors to be and where's the like you know economic engine of this whole thing um and then you know like other folks in the community feeling like well i just want to do my research and focus on like what's actually impacting people like i think it's a big big issue so i'm going to float in a opinion you've triggered um i also want to remind people that we do have the mic in the room we also have the streaming chat um so if there is a burning question you would love to ask
either these two fine journalists um please do um while he's heading up there um i think one of the areas that this dynamic got it wrong was ransomware i think the the hacker elite rockstars thought it was boring and we just kept paying it and we created this juggernaut that's unstoppable and i think one of the ways i put it after rsa we were sitting in the garden i said the attackers have figured out how to monetize the cyberpoor defenders haven't and it's going to be a feeding frenzy it's so big now there's no stopping it there's no single even international move that's gonna stop the business model of unavailability no matter what you do
your unavailability can be monetized and unless and until this becomes interesting to either rockstar hacker voices and or commercial coin operated we've got a real public health issue that was possibly preventable in its infancy but it's it's it's not going away anytime soon the uh the government will set a lot of the narrative there and i think that the government right now is putting a lot of the prep pulling out of that pressure into two spaces one of the of international uh partnerships um which doesn't get as much coverage as the other one which is you know forcing uh which is you know requirements for security requirements through the executive order and things like that
um it is a much broader topic than that but i think that for the most part when people look for coverage it's going to be what the government what the the cover what the what the elected person said they were doing um oh yeah all right we have a question i do i have two questions one is how do you keep up i mean like cyber security is my job and it's it's like my job right it's bigger than what i can do so i wonder how you keep up and the next question is an offer how can the i am the cavalry community help not not just you two you're great but i'll i'll just say
the press more broadly uh when it comes to stories and pitches and background etc um how do we keep up yeah it's really tough i always go back to um just trying to it's gotten tougher and tougher like we were talking about but i i just try to go back to having as wide a source base as possible people i know people i sort of know but who won't be freaked out if i dm them or you know whatever and just really trying to always be in touch with people and hearing about what they're thinking about from as many different uh perspectives as possible and that ties into what you were saying about how how to get the right voices into the
right stories but there is you know every journalist like that's our job and we pour a lot of work into it but there is a limit to just like how many people we can know or how many sources we can maintain and relate you know those relationships so i think it's like an important ongoing question of combining all the journalists like networks and um efforts to do that to to try to do the full coverage you know because you really the beat is way too huge now for just like a few reporters to cover alone so that's on on that piece um in terms of uh how i am the cavalry can uh sorry i missed the microphone again
in terms of how you can get more stories placed um reaching out is a good start i don't and not just reaching out through press releases and things like that if you pick your shots and just occasionally say this is important um i think most people will will listen um at least most people who have a sense of what you're what you're talking about will listen but i also think it's like the proactive thing of you know by the time you like implement network segmentation or something like it needs to have already been done it can't happen once the crisis is going on uh i think maybe it's sort of like that with reporters that
it's it's helpful to just like be in each other's orbit so that you can then you know if one you know if i know one of you and we've you know met at bsides and chatted a little bit and we keep in touch and send each other memes or whatever and then if you dm me and you say this is really important i really want you to look at this you know that helps a lot versus like my my email or what like my inbox is just like a hellscape like i can't keep up with and sometimes there are really important things in there signal tip line same way like but it's so difficult i'm always worried
that i'm missing stuff so i think that personal connection you know like befriend your neighborhood journalist like now before you need them you know all right do you have a question i do oh there we go not step on the mic uh thank you for coming and i have a question since a lot of the news seems to be uh very kind of western-centric i was wondering if in your experiences and in your connection circles and your professional kind of working lives do you see a similar investment or divestment of resources of opportunities in international partners that you may or may not have places in like europe is obviously a big one but other non-like english-speaking countries you
see kind of like a similar uh like oh we should kind of cover these like security things or do you believe that certain governments are more oppressive in that manner and that they go you should not report on these things otherwise your family will disappear forever that's a good question um we certainly have some good uk journalists but that's a fairly close partner to the us yeah joseph is great joseph cox yeah great dude he's one of the top joes we have a lot of joes yeah just a bunch just one too many i think there definitely is in uh and and like has been for quite a while but you know it's very fair that
like the effects you haven't necessarily seen the fruits of this so much but i i think there has been like long-standing interest in doing more and more international coverage um like you're saying i think reporting uh getting uh working with sources in a way that's safe for them is difficult in a bunch of countries uh so that is like a factor but means it's all the more important to do it and just one other thing i would say quickly is like i think um this is another area where the the private security like threat intel juggernaut is like good but also you know limiting because that's a lot of uh how journalists but also the community in
general uh hears about certain types of attacks and especially government uh or like apt uh activity in a bunch of different countries globally and um so we're all sort of at the mercy of those um that framing or or that uh yeah mindset yeah i think i think the the the the company with the most visibility in china is 360 right um and they publish in chinese and you'll have to forgive me for not knowing which which version of chinese because i can't tell the difference and that's one of the problems is uh there's a language barrier to the sole source to the person with the most telemetry on on a field on an area
um i don't know how to fight that yeah it's a it's a fair question and i the cavalry is a pretty international movement and we i have been personally burned because of just translation issues um like when i was at the atlantic council for a while i made out of my way to call it cyber safety instead of cyber security to differentiate the cyber physical impacts and in some of the countries covering us they were the same word like there wasn't a different way to put it so here i am trying to mince and nuance u.s language and one of the stories almost got me attacked by anonymous i mean this is before the cavalry but like i said what
i said i said it cleanly and clearly but it was lost in translation and an op was declared trying to destroy me and my family so it got called off you know we had some people from anonymous call it off but i'm probably more timid myself even though i'm a confident media trained person to get lost in translation so it's probably an error we could put some more deliberate focus into and specifically on things like our hippocratic oath for connected medic and medical devices or the sbom work we were delighted to see translations in french and german in japanese because when you're speaking some of the strategies are universal and translated and we've had some
really powerful partners in singapore or elsewhere who cared more about some of these topics than some of our us partners did but i think we could be more deliberate in international reach than having researcher friends who could maybe be more confident in those areas this might seem like a hard transition but one i really want to get to because lily and i had some fascinating precursor discussions how many raise your hand if you've seen the the documentary film called um don't look up okay it really hurt for me to watch that um probably kendra too anybody this is a code task force it felt autobiographical um we have a i have been surprised and i'm usually a
pretty grounded expectations even though i'm a dreamer it's usually pragmatic idealism but i was really shocked to see how how little people actually cared about loss of life and health care and i'm gonna do a little bit of an exposition here we keep hearing from health care that there's no money there's no staff there's no appetite there's no political will we're doing the best we can people die and they say until somebody dies you know we're doing the best we can so there was a story in germany of a woman who had a branson had her go too far away a very long ambulance diversion to the next near facility and now we have our first loss of life
and it has since been refuted and debunked but maybe less so than you probably were told because we know that delays affect mortality and that in cyber introduces delays so if cyber introduces delays and delays and introduced mortality you know we we shouldn't be in even in the proximity of this but there's a palpable desire for the private sector in the hospital to say that no one's ever died no one's ever died and that one we let go of because it was debatable enough we let go of it and then on october 1st 2021 uh wall street journal front page talks about the baby who prior to the pandemic in alabama potentially um was a victim of degraded technology
assist they said if we had had the imaging if we had known this we wouldn't there were text messages between the physicians saying had we known we wouldn't have treated the pregnancy this way so people are like okay we finally have a named person but then we say oh it's just an anecdote it's a one-off you know we can't shouldn't change policy over that well that same day our team at cisco task force public statistical proof that we could measure hospital strain associated with excess death in pretty large numbers and we could analyze regions hit hardest by ransomware to show that they were in those excess death stress zones for a projected amount of time so non-zero
numbers of people lost their lives due to delayed integrated access to patient care in vermont in san diego and other parts of the country so we we kind of have this proof but what i was talking to lily about now that i'll get past the exposition is even really intelligent people even leadership people in the isacs and the secretary councils in the hacker community we still continue to say no one's ever died from cyber like we can actually have a smoking gun with a named victim we can have a smoking gun with statistical proof we can have them come out on the same day but there's something about slow moving this is a human psychology thing that
maybe we could all try to simmer ourselves on which is these slow-moving threats these strategic threats we're really really bad at risk management as a species and we tend to like these bite-sized things where we have a control sphere maybe there's something we feel we can or can't do about it but i think my hyperbolic slightly exaggerated concern is nine years ago we were too early and now no one's coming back to tell the fuller story of these things and why we should be we should listen to the warnings and there are stories covered and you i don't want to put words in your mouth or um or tell them about the dumb thing i said
is that true it wasn't done no no the uh but you said there are certain people that every time someone's like why aren't you covering this or why didn't you cover this there's usually evidence of it so can you get into the pro public like we're i'm trying to wrestle with why don't we have an easy way to talk about high impact slow moving threats like climate change or oh okay no this wasn't uh i thought we were talking about uh i know examples of stories and i i gave like a silly example uh but no i i just trying to think how to summarize i i do think there's a bit of there's a
concept in general or like a thing that happens in general not just in this field where sometimes people will say why isn't the press covering x and often right we hear this all the time currently and uh my response just to myself you know internally as i'm seeing these you know arguments or whatever is like but there is coverage just no one wanted to read it no you know it didn't like come above the baseline of noise because no one was amplifying it no one was interested in it from the readership um and yeah one example i gave was like often when people say this there's like a big propublica investigation that happened five years ago or whatever about xyz
thing that just everybody forgot about and you know but and there's other examples too uh you know and and sometimes it's my own coverage or joe's coverage or whatever where i'm like no i i did cover that like a lot you know and just no one read the stories or or one of them was big but you know then no one read the other stories to follow the narrative or whatever so i think that's one component of it but i and and so that's where we were talking about you know climate change as like i think that is a big potentially analogous example where people always said why isn't it on the front page why isn't it you know every
single day and it's like well it's actually i i think genuinely a more complicated question about like the service that you know of news and what is newsworthy each day and it doesn't mean the coverage isn't happening but what people want to read more of is relevant to what gets covered more and there's just all these feedback loops that are kind of complicated but it's i mean it's not to make excuses at all i i you know i think it's just to say like these dynamics aren't so it's not always just why isn't it being covered sometimes things are based i think when people say why isn't it being covered they usually mean why isn't that
the conversation on twitter this thing or why isn't it on the the prime time opinion shows or you know talk shows um and reporters don't really have control over that uh we can just you know go about our beats and submit things uh as we can but um i think for specialized news coverage areas um and that includes homeland security and national security there it's harder to for the public to keep multiple stories that are outside of like a very narrow set of parameters in mind at a time and i think people still view infosec as a specialized topic as opposed to something that no matter what your job is and no matter where you live
it affects you at home and at work so i guess this is a i i got the hook we have like three minutes left so um we can continue the conversation in the hallway and throughout the day but um i guess where i'd like to end is maybe with a semi-rhetorical question which is i think this group has done incredibly important work to warn and to be calm voice reason and lay the groundwork so that we can be better prepared for when things go south i think now that things are going south a concern i have is when you let it go too far south and there's victims then you have knee jerk reactions and the
entire thesis of what we started here was to be left of boom and be prepared for a more thoughtful planful response if you have advice of either the right all you know sibling organizations like propublica or documentary films or the use of fiction or alternative ways to enhance the yield of this mission whether it's right now or later i do think it's worth you know our own family's access to care and food water shelter safety that this group gets better at it i think everyone's trying really hard but we are very humbled and open to increasing our yield in alternative and creative ways and would treasure any advice you'd give us any last words from
either of you yeah i would just say um same like appreciate all of you and um just want to be in touch uh those were good last words you know that thing nothing yeah okay okay well let's uh thank our journalist friends here um we should invest in them we need them they're a very important independent voice that can tell stories that uh can be in the public interest in public good and i'm very grateful for the two of you [Applause]