
IATC - M33t the Press: CyberSafety Got Real: Now What?

BSides Las Vegas · 53:49 · 21 views · Published 2022-09
About this talk
IATC - M33t the Press: CyberSafety Got Real: Now What? - Lily H Newman, Joe Uchill, Suzanne Smalley I Am The Cavalry @ 10:30 - 11:25 BSidesLV 2022 - Lucky 13 - 08/10/2022

Good morning, BSides Las Vegas. I hope you're as excited to be here as we are, so thank you for attending. Excited to have you back with us this year in person. A few announcements: we'd like to thank our sponsors, especially our diamond sponsors LastPass and Palo Alto, and our gold sponsors Amazon and Visiom and PlexTrac. Without the support of our sponsors, donors and volunteers this event wouldn't be possible, so thank you to all of those that have made this event amazing this year. This talk is being live streamed, so please take a moment to silence your cell phones as a courtesy to our speakers and for those following online. If you have questions there will be a microphone up here, so please feel free to step forward and ask questions. And then no pictures without the speaker's permission. So with that I will pass it over to Josh.

All right, thank you. Welcome to day two. This is the Meet the Press fireside chat. We talked about everything's on fire yesterday, or things were flammable and stuff's on fire, so let's have a fireside chat with some of our favorite journalists. There are a lot more puns in our wedding dolls than there will be on stage today. So a couple things just to frame the day, and then we'll get to introductions for our panelists, or our fireside chatters. Yesterday was really about: we started the Cavalry nine years ago. We wanted to tell people stuff was flammable, that our dependence on software and technology and critical infrastructure was growing faster than our ability to secure it. We were worried about where bits and bytes meet flesh and blood. But we knew, and we told the room, that no one would really listen until there was proof of harm, until we had existence proofs and real people are actually hacking these. It's one thing to do stunt hacking of a car or a medical device; it's another when it manifests harm and could represent a crisis of confidence in the public to trust these connected technologies, and we don't want that. So while any loss of life would be tragic, we realized the failure mode was not merely a loss of life but any sort of crisis of confidence for people to trust otherwise superior medicine, driverless vehicles, that the light switch would turn the lights on, or that the water was drinkable. And in the last two years, in parallel with the global pandemic, we saw successful attacks on the water we drink, the food we put on our table, the oil and gas that fuel our cars, our homes and our supply chains, the schools our kids attend, the municipalities who run our towns, our cities, our functioning of government, and even timely access to patient care with mortal consequences, as we saw with Kendra's talk yesterday about the CISA COVID task force findings. So we have seen that delays affect patient outcomes and loss of life, and protracted cyber attacks introduce delays sufficient to drive those outcomes. So I think one of the head scratchers for us in the Cavalry was, now that people can see on John Oliver on HBO, or on main street news, that you couldn't get gas, so there have been disruptions and there's been hacks, we really thought there'd be more political will and more advanced conversations about what to do about it. And now we're asking, between yesterday and today, how should the mission of the Cavalry change and evolve now that we're not telling people and educating that things are flammable, but now hopefully trying to drive down and minimize risk, a little bit more firefighting, or engaging those underserved by either the private sector or the public sector, and we lovingly call that the cyber poor. So what I really wanted to do is, we've always loved working with our press, and it's always been a difficult thing to talk about future risks and slow-moving risks, if you saw the movie Don't Look Up. Today's opening session is to say how did the world look nine years ago before there was proof of harm, and how does it look now that we are having main street, mainstream kitchen conversations, to quote Bryson from yesterday, about cyber attacks affecting food, water, shelter, safety, and maybe learn from some of the journalists that have been on this ride for a while how this room and this community should think differently about pitching stories, making ourselves available, focusing on the public good instead of the private enterprise good, focusing on public safety, human life, instead of record count. And we don't have good answers to this, but I've started some conversations with Lily and Joe, and I will let them introduce themselves so we can get into some content. And there are microphones, and if you do ask a question I'll either have to repeat it for the streaming, because people are watching from their rooms and from the intertubes, or just go up to the mic and you'll be heard yourself. But let's get started on the Meet the Press. Would you like to introduce yourself, Lily?

Hi, hi everyone. I am Lily Hay Newman. I'm a senior writer at WIRED, and I've been on the information security, cyber security, digital privacy beat for six years, and I was a general interest tech reporter before that. So going back to the start of the Cavalry, I was definitely writing about adjacent stuff. So yeah, I'm happy to be here, and it's really interesting to think back to that time and sort of reflect on where we are now. I think we don't always have a moment for that type of reflection, and I think it's really productive.

My name is Joe Uchill. Let's get a little closer, sorry about that. My name is Joe Uchill, and you can hear me now. I am a reporter for SC Media, which is a business-to-business cyber security publication. Before that I was at Axios and started the Codebook newsletter, which I think they're about to bring back, so hooray. I've been covering cyber security, like exclusively covering it, since just before Sony, so what's that, 2014, 2013, 2015. It's weird that I now date things by news stories. But yeah, since around then it has changed a lot. I think back when I was starting out I could not show up to the office and nobody would know, and now it would be a thing if the cyber person wasn't there.

Yeah, during our prep I was trying to say, so I guess this is a good place to go, which is if we try to do a deliberate compare and contrast between 2013 and now. One of the things I pointed out is we had just had the Snowden revelations, and there was probably the worst level of trust between hackers and government that we were going to see for a while, and quite a few white hat hackers or helpful hackers were pretty angry and looking at maybe going a little gray or a little charcoal colored in their hats, and people were upset, and it was really difficult to say let's try to be a helping hand to drive safer outcomes with government partnerships. But we also were pretty worried about that. We'd seen some medical device hacking from Barnaby Jack; in fact he tragically lost his life just before we launched. In fact he was supposed to be in the room with us. We saw some early car hacking, but it was considered theoretical, or "it's not hacking" at times. And one of the things we told the room was people would have to die first before they're really going to listen to us, and then somebody shouted out "why do this then?" and I said, well, we want to have a head start and build the trust and lay the groundwork and the scaffolding so that they turn to us instead of lesser people with lesser motives and lesser ideas, so that we don't have an overreaction like a cyber Patriot Act or something. But the whole goal here was to maintain the trust of the public. So if you situate yourself in post-Snowden revelations, anger and distrust between government, no FDA regulations, what did coverage look like then, and now? Just free-associate, I guess.

Well, I was just thinking, we were talking about dating the passage of time with news stories, and that era was really like a data era, I feel like, where data can be accessed or it exists in troves. Like that was the big concept, because I'm thinking about, I think it was early 2014, like maybe February or March, that the Target breach was revealed, and like Neiman Marcus, and I don't know, this is feeling very retro in my mind. I'm like wow, we're back in this era. But I feel like those were some of the big mainstream discussions that year, along with what you're saying about the Snowden revelations. So it's sort of like a bulk surveillance collection, corporate data troves, "what if people were to access this data" moment, or that was where people were at in sort of the mainstream, in terms of what the press I think was trying to convey to the mainstream audience.

Sorry, I almost did the same thing again. It's strange, like a lot of the result, I don't think we quite knew what we were covering yet, because so many of the threats hadn't materialized. So a lot of things were very speculative, but crime was, as always, mostly data breaches, and the nation-state kind of level was still very uncertain. Like people didn't understand how attribution was going to work; there was the North Korea thing where people sort of rejected it. I think since then we've seen sort of the rise of news covering every breach and making that the big event, like a breach by breach by breach, and that being the big news story of the day, and not really taking a broader look at it. I think that's sort of dying down, but only because they've been concentrating on single breaches longer. But it seems to be very event-driven now, whereas in the past it was more speculative, if that makes sense.

Yeah, and I'm also thinking about, like, we used to cover, I don't know, even thinking, you know, I always, and I'm sure you're the same way, like we were always trying to have the most context possible and do smart journalism. Like Joe and I are both trying to do good reporting and not just go breach to breach or something. But it feels quaint to think back to some of the coverage, like even five years ago or something, stories that WIRED readers were super, super interested in, like massive traffic, which, not for its own sake but in terms of who was reading, like the number of people who were reading. I'm thinking about stories about what's the biggest volumetric DDoS attack that's ever happened. It would be like now GitHub was hit with the biggest one, now this was hit with the biggest one, or Cloudflare, whatever. And people were very interested in reading those stories, and it would cause maybe outages for a few minutes or an hour, or like the company wanted to talk about it because they didn't have any downtime at all, or whatever. But it's just to say that that was where we were at in terms of the collective conversation of cyber attacks and impacts.

One thing that we don't get to write anymore, and it's for the better, around 2016, and for obvious reasons, there was the rise of the "that wasn't hacked" news story, where there would be a power outage and you'd have to write a new story about how that wasn't hacked, or APT. I think people are a little bit less on edge that anything that went wrong could be hacked. Well, I mean, it isn't really anything that can be wrong for that; it was really all power grid. And I think that's, so but yeah, sorry.

Yeah, it's hard for me to even ask these questions, because I've always been on the "I care less about my credit card and more about my access to patient care" side. You know, we've been here for nine years, we've been trying to get the world to catch up a bit, but I would say that as you think of how we used to characterize stories, it was record count or dollar amount was the unit of impact, and now it's potentially quality of patient care, or how long are you without oil and gas, or how long can a municipality not function and perform the duties it needs to to keep its citizens safe. And one of the supply chain cascading impacts of a meat packing facility getting hacked, or cream cheese: my daughters were about to riot because they couldn't have cream cheese for their bagels for a while, and people didn't know why, and part of why was there was a hack of one of our concentrated developers of cream cheese, exacerbated by trucker shortages, exacerbated by other COVID factors. But the net outcome here is if there's not enough slack in the system, even these seemingly unimportant ransoms of a single entity could have cascading, rippling effects, if my kids are going to riot for cream cheese. So I care a little bit less about cream cheese and more about losses of life, but it is often difficult, and this group has found it difficult, to get these stories told that are about the public good instead of a specific victim. So we're all ears for advice on how editors are shifting focus, or what stories have a chance and which ones don't, how we might both respond in organic changes but also try to affect maybe some deliberate changes, so that we can ensure there's not always... and I still find people who say, well yeah Josh, people might have died, but what about the record count? Like there's just a really palpable part of us that is painful.

Yeah, I think there's a belief, and it might bear out in traffic numbers, but there's a belief that unless there's an enterprise angle, unless you're talking to businesses, it's tough to sell advertising. At least that was the sense I got at Axios, where they wanted it to be more either about controversies from big tech brands or more about businesses. I hope that's changing. I've been at something that solely covers the enterprise for the past two years, but I think that as people have seen real-time chaos engineering, you know, the power outages in Texas, or like you mentioned Colonial Pipeline, people have a better sense of what can go wrong, but I think it's one at a time. I think that people are very driven by stories. People like a narrative rather than a fact, and it's easier to tell a narrative about people lining up for gas to put in their trash bags than it is to cover the effect of copyright law on hacking hardware.

Well, and yeah, I want to add, like we should talk a little bit, Josh, about what we've been discussing about the interdisciplinary nature of some of these stories, because I just want to say first that, you know, what you said about it used to be I could take a day off and no one even noticed, and now it's like where is the person who needs to write about this every single day? Like that is a real thing, and that's a real issue with getting stories written and getting them to break through, is that there's just so much going on. I mean, it used to be when I would come to Black Hat and DEF CON and BSides and cover talks at all the conferences, like there was nothing else I needed to be doing that week, but that, right, like that was the news that really needed to get out there that week. And now it's like 30 other things are happening this week, and my editors and I are like, what do we do? So anyway, I think, and so especially, to transition to what we had been talking about, like stories, and what you're saying about narratives and real human stories that are the most important stories that we all really want to be telling, that are the most impactful, those stories take a lot more time, a lot more sensitivity, and various types of expertise, and it's just a very, there's like a lot of cooks in this kitchen.

You know, I think one thing that's worth noting, and this is for the better, more people who write about cyber security are focused on cyber security now than there were at any other time in history. It's a fun thing to be able to say. I think that if you remember Norse, with the AEI report that speculated that Iran was hacking the United States hundreds of thousands of times a day, it just turned out it was, you know, background noise and ppu. That can happen; those kinds of stories can happen. The power grid story in the Washington Post, I think that was the Vermont one, was that there was a time that they had said that someone did hack the power grid, that turned out to be the MS Blaster from 2013, that one? No, I think it was around 20... Well, yeah, the fact that there's more than one example point. A lot of those things slip through because the people who ended up covering cyber security stories were people who had no infosec background and can be easily swayed by things that sounded very impressive but didn't really have a sense of how to evaluate whether or not they were true.

Wow, there's so much I want to unpack from this. I'm just going to scattershot a few things I heard that we could play as choose your own adventure, because any one of these could turn into an hour conversation. One of the things that surprised me, I'll just enumerate them, not prioritized. One of the things that surprised me is I've actually seen a thinning out of journalists. A lot of really good journalists and really good beats have gone away, and now some of those excellent journalists are in sponsored corporate journalism. They're still doing good stories, but there's always that risk that there's an editorial slant towards that market or that product set, and I still love and respect these journalists, and it's sad to me to see so many of them not working for a news outlet or independent news outlet but doing news under the imprimatur of some corporate entity. So number two, a bunch of us are observing there's stunningly few journalists here in Vegas this week, and it's possibly COVID, it's possibly competing stories, it's possibly that this isn't sexy anymore, but that is an observation I think worth noting. I'm very glad you're both here. Number three, I worry about where Lily was going. We talked about this in advance. Some of the stories that came out of our COVID task force were so multi-disciplinary in nature, you couldn't find a single journalist with a single beat that felt comfortable doing it, and unless there was capacity in their medical companion or their government oversight companion, these stories couldn't get told. So there was a level of complexity that created enough hesitation for the harder, the more substantive stories to get told. So pick apart any of these or none of these, but I have some concern over this.

I guess working backwards, it's easy for me to say Lily should do it, but I'll take all your scoops too. I think that with things that are extremely multi-disciplinary you might have better luck with magazines, where they have time to do thought-out coverage, compared to newspapers, where we're expected to increasingly put out a story not only every day but every few hours. When I was at The Hill, I was at The Hill, but also I didn't say that in my bio, but the expectation was four or five stories a day. Wow. And by the time I was leaving they were trying to figure out which four or five stories a day, and I remember they were really excited about a lacrosse team that was hacked, because I thought that would be very popular. It did not turn out to be very popular, but at least I got to learn that there was a professional lacrosse league, so that's something. But in terms of the five-story-a-day model, it isn't great for things that we have to learn outside, learn