
All right, welcome to this year's BSides I Am The Cavalry track. Sometimes called IATC, because acronyms are somehow helpful. I'm Josh Corman >> and I am Dave Batz. >> Don't make me have to chase you. I rolled my ankle last night, so it'll be fun. Who has not been to this track before? >> Awesome. Okay, good. So we're going to do this track differently. Appreciate you coming. The first talk just kind of sets the table for the next two and a half days. We're going to try to provoke you, but not just for provocation's sake. We're going to ask you to be comfortable with some discomfort. We're going to tackle some pretty heavy
topics. Because I saw a lot of hands, I might do a very, very short "what the heck is I Am The Cavalry, and what does that have to do with BSides Las Vegas?" I sometimes skip that, but we're going to mostly orient you to the track for a few minutes. Then I'm going to give a specific talk to try to challenge you. I want you to think critically, and then we're going to give an overview of every talk for the next two and a half days, so you can kind of see what the flow is. We try to say that this is not an à la carte track. It tries to be a bit of a symphony. We
very deliberately invite speakers. We very deliberately sequence speakers. We negotiate with them what we'd like to see from their expertise, and they push back on us, and it's a beautiful little tug-of-war. But we believe that every talk is enhanced by the talks that came before it and the talks that come after it. So everyone gets more out of it; the whole is greater than the sum of its parts. So we'd encourage you to stay. All of these will be streamed and will be recorded, so you can watch them later if you do have to miss one, to go upstairs for a sky talk that isn't recorded, for example. But you will get more out of this,
and we even sometimes pick the ones just before or after lunch on purpose to make sure that there's maximal discussion. So be prepared to discuss things. For most of these we'll leave room. We have a 2-hour water block, for example. But you want to do the welcoming before I say what the Cavalry is and where it comes from. This is your MC for the next two days. >> Good morning. My name is Dave Batz. I'll be your MC today, tomorrow, and Wednesday. Oh, that's right. >> We've got a rock and a roll instead of sessions. I will be the very mean timekeeper person. So when I stand up, that means we're close. And the
closer I get to whoever's speaking, what that means is they need to wrap it up. But that's what I'm going to do. So you'll see me, and there is going to be a lot of opportunity for audience engagement. And when we do that, I'm going to play, I'm of a certain vintage, I'll play Mr. Phil Donahue, where I'm doing this. >> Yes. >> To get your input. Because we want your input, and we need you to use the mic, because otherwise our dear friends at home can't hear you, and they'd be like, "That might have been an interesting question, but I do not know what it was." >> Yes. >> So help us help you help us help you.
>> Okay. All right. So I'll try a shortish Cavalry story, how we got here. So, first of all, let's all say happy birthday. The Cavalry was born on August 1st, 2013. So we just turned 12 years old. >> Happy birthday to you. >> So, I love BSides. I've been coming to BSides for a while. After researching the rise of Anonymous and activism and stuff, I kind of started getting pulled into the government circles a little bit. I was worried that activism may turn into cyber terrorism, which it did. So at one point a bunch of hacker people, you know, that I respect, we all went into Fort Meade for two days to
try to warn them: what's the hacker-eye view on public safety, economic, national security, so that we can give them some fresh ideas. And during those two days we had breathtaking ideas from HD Moore, Dan Kaminsky, Gene Kim, myself, Alex Hutton, and David Etchu. And it was one of the most exhilarating things, to take individual superheroes and put them together to form an Avengers to solve bigger problems. And it was one of the highlights of my life. Right? I'm doing the abbreviated version of this. What wasn't is that in between day one and two, I went to my car and had a ton of voicemails, because you can't bring a car into Fort Meade. I mean, a
phone into Fort Meade. And a bunch of people were saying, "I'm so sorry. I'm so sorry. I'm so sorry." And what I couldn't tell my teammates is that my mom had had a stroke, and we found out it was pretty aggressive terminal brain cancer. So I'm at the peak of trying to speak truth to power with really talented people, but I'm also demoralized, because I know what's going to happen over the next couple of months. So on that personal journey, we close day two and we have our recommendations, and they're amazing. And if someone presses me later at the bar or the pool, I'll tell you what some of the answers to the challenge questions
were. Like, if you could write one sentence of legislation to have the most material impact on the hemorrhage of intellectual property from the US to China and on material weaknesses in public safety, human life, what would that one sentence be and why? So we had an answer. So ask me later, I'll tell you the answer. But at the end of reading these all out to General Alexander and his staff and Anne Neuberger, the answer was, "I can't do that one. There's no political will for this one. People will have to die first for that one." And we went through the entire list. They couldn't do a single one of our ideas. And this isn't to slam on them. It's
just, you know, things work differently in the Beltway. So we all went to the bar. We had all flown there on our own dimes. We drank at the airport bar. No one said a word for, I don't know, 20 minutes. I finally broke the silence and I said, "Guys, the cavalry isn't coming. No one's going to save us." That was half the thought. Advance a couple of weeks later: we take my mom to her church one last time before she has to go to hospice. Really shitty luck, it happens to be the Sandy Hook shooting, and she was a superintendent. So all her students and teachers and principals were all crying and scared to
go to school. And the preacher kept saying, for mostly two hours straight, "Why is there evil in the world? Why is there evil in the world?" And never quite answered the question. And I think everyone was hurt and scared, and my little girls were crying because they're going to lose their Mimi, and they're afraid to go to school. So that was an uncomfortable moment. And then eventually, come January, she passes, and we go back to that church, and I have to say something as her eldest, and I'm looking at her parents and her siblings and her students and her grandkids. And I felt angry. Like, why am I feeling angry at my mom's funeral? And it was
partly because of that nagging question. I didn't like the question of why there is evil in the world. And at some point I had to go inside. I walked up and something flipped in my head, and it was something along the lines of, you know, the last time we were here I was really angry. It was Sandy Hook, etc., etc. The question didn't sit right with me, and I think I just figured out why. And it was basically that my mom, so my mom was my seventh grade science teacher, because someone got very hurt, so she got to substitute. And she was fantastic. But one of the things I learned in science was that
darkness is not a thing. It's an absence of light. And cold is not a thing. It's an absence of heat. So maybe it wasn't just the presence of evil. It was the absence of good. And I said, "Maybe something's missing. We've got to put it there." So then I asked all the family, "What's the absence of Marie?" And I didn't have an answer to my own question, but I'm like, "We don't get to find out, because now it falls to us to do what she was doing." And that kind of squared the circle for me. And I said, "Okay, maybe something's missing. What can we do about it?" So I came here to
Vegas. I asked BSides, can I stick my neck out? We said, "Hey, if the cavalry isn't coming, what's the hacker community willing and able to do to maybe be safer sooner?" So the problem statement was something along the lines of: our dependence on connected technology was growing a lot faster than our ability to secure it, in areas affecting public safety, human life, economic and national security. So I was really worried about putting software in medical devices. When we can't protect websites or credit cards, why can we protect hospital equipment, cars, industrial controls, oil and gas pipelines, aviation, high-speed rail? So I said, if there's a knowledge gap between how over-dependent we are on undependable things, can we
maybe not be a pointing finger, but a helping hand? Can we maybe lead with empathy instead of judgment? Can we maybe build trust and coalitions? Can we meet people on their terms, learn their love language, meet them where they are, and then crawl, walk, run together? So I said, we're going to try something different. You can do the same thing over and over expecting different results, or we can try to work together. So about 50 people said, "Yes, let's do it." We went to DEF CON later in the week, on the main stage, and got a couple hundred more. Went to DerbyCon, said, "What's our mission, vision, goals?" And essentially said, "We're going to focus on where
bits and bytes meet flesh and blood." So if you watched the launch video, we had a little bit more scope, but we narrowed it down to say, what's an unimpeachable thing that could show the vital, unique contributions the hacker community can make for public safety? A nonpartisan thing, so it's hard to lobby against some of those things, or harder, not impossible. And we said we have no idea what we're doing, but we want to lay the groundwork and the trust such that when there is political will, we can seize on it. So over the last several years, without going through a history lesson, you can watch the 10-year anniversary video from two years ago, we have
dramatically influenced regulations domestically and internationally through things like the PATCH Act for medical device cybersecurity, IoT laws, and really took the teeth out of things like DMCA and CFAA for punishing or stifling good-faith research from people in this room. So we really tried to take the name hacker back, to show there are helpful hackers: protectors, puzzlers, prestige, profit, protest. But this group, we really found that BSides was the protectors and the puzzlers that want to make the world safer and want to tackle really hard problems. And this track is really our neutral ground to get government people that we're building teamwork with, or industry people from the water sector, or nurses and doctors or technicians or
high-speed rail folks to come and learn from us and for us to learn from them, and then we go change the world one year at a time. So this has been the track since 2013. Did I hit mostly the high notes? Okay. So thank you for joining. I'm not the cavalry, you are. And the process has changed over time. We became trusted enough that whenever there was something big going on in the government that affected public safety, there was a congressional task force for healthcare industry cybersecurity. Then when the pandemic was declared, some of us went in as emergency feds to keep hospitals and vaccine supply chains safe. And
then occasionally, you know, there's executive orders for SBOM or this or that. So we have become an honest broker, an independent voice of reason on public safety, public good, and each of you gets to contribute. Just like Fight Club, you choose your own level of involvement, and some of you have had profound impact. So we appreciate that. The line has basically shifted into something like this, and if you were here last year, we're going to crank up a topic called UnDisruptable27. So normally we're patiently impatient, and we know it could take nine years to pass a law or to reform some broken thinking. We're not being so patient anymore. So we're going to get into some pretty
heavy materials, and I'm going to show a talk that David encouraged me to do for the hackers that I originally did for RSA. So I want to see how you react differently, and there's definitely audience participation. So at this point I will start the big chunk of the opening. Okay. So my name is Joshua. Shall we play some WarGames? And by the way, a lot of people haven't seen that movie. So if you haven't, please do. This was mostly aimed to cause cognitive dissonance for the RSA crowd. I'm preaching to the choir here, but I'm still mildly curious. I agreed to David's challenge. I'm mildly curious how you all answer. So this requires
prompt feedback. Are we ready? Okay. So you're also going to see we have stickers. This is a water hammer. We're going to talk about that later. We learned it from our trust building with water engineers. Okay. Who wants to play a game? >> Yeah. >> All right. All right. Sorry to yell. Okay. So, unlike chess, checkers, or global thermonuclear war, here are the games we're going to play. And maybe now that we have more funding from Craig Newmark, what I probably should say about UnDisruptable is, I met Craig Newmark. He had not heard of the Cavalry. Craig Newmark of Craigslist. He was very taken with the mission. He was very taken with the
impact. He was mostly taken with our ability to do storytelling and to use empathy to not talk like Beltway people to average everyday Americans. So he really wanted to fund the project. I said the Cavalry's never taken a penny. We're never going to take a penny. So we found common ground with IST, the Institute for Security and Technology. Many might know it for the Ransomware Task Force, but it's got a much bigger portfolio. And we said, okay, why don't we use the 501(c)(3), the Institute for Security and Technology, and why don't we try a pilot? And my pilot was based on basically three things. One, on January 31st of 2024, Jen Easterly, Christopher Wray,
General Nakasone, and Harry Coker, the four horsemen of cyber, said in an unclassified hearing to Congress, "Hey, China has intentions towards the Taiwan Strait as early as 2027. Volt Typhoon is an army unit that's gaining access to US civilian infrastructure like water and power and other things, which is very transgressive. It's not normal spycraft or fair play. It's putting virtual bombs and detonation charges into civilian infrastructure." Pretty scary stuff, and they were saying it out loud. And knowing what I know from my 18 months at CISA and working with the federal government, we don't have a cyber defense force like the military, we'll get into that on a different slide, but I'm like,
where's the urgency? Where's the collaboration? Where's the systems thinking? Because if we're still struggling on voluntary standards for credit cards and business apps, how are we going to protect water and power and hospitals, many of which are target rich but cyber poor? They don't participate in the public-private partnerships. They're small and medium, rural, no cybersecurity staff, no mandatory restrictions. So we decided to make a pilot to say, let's look at "when everything's critical, nothing's critical," and we'll get into a little bit more with some specific slides, but the basic thumbnail is we're seeing more disruptions. Our neighbors don't call them hacks or breaches. They say payroll was disrupted, patient care
was disrupted, my flights to my own wedding were disrupted by CrowdStrike. So these things were happening in a higher volume. So there's more of them. They were longer. They're more life-safety. And they're starting to say, "I thought you guys had cyber under control." So with that disruption trend, being either accidents like CrowdStrike or adversaries that want money, what happens when this turns to weapons of war, because the next conflict will be a hybrid conflict? So if we're going to have a war, you should expect people are going to start throwing rocks, and we're made of glass houses. So what can we do between now and then to fix things? But also, we have 16 critical
infrastructure sectors. They're not equally weighted. We have 55 functions within those. They're not equally weighted. So I really said, let's focus on the lifeline basic human needs, the ones that if they're shut off for 24 to 48 hours, your family suffers. So water, access to emergency care, power, food supply, things like that. We said they're also interconnected. So the federal government doesn't like to cooperate cross-agency or cross-sector. They say stay in your lane. Stay out of my lane. This is your lane, not your lane. So we might organize the government that way, but harm and disasters do not present themselves that way. So I wanted to say, can we look at interdependencies on lifeline services as we approach 2027
or later and find a way to meet people on the ground, meet them where they are, use empathy, use love language, and see if there's some way to reduce elective exposure or to mitigate the worst consequences of failure? So this game is going to help us through that. All right. Asset prioritization. You have to pick one. What's more important? PCI data or PHI data? You've got to shout. >> PHI. >> All right. Who says PHI? Who says PCI? All right. So we think our healthcare data is more important. Okay. What's more important? Intellectual property for your employer or your PHI? >> This room. Okay. But don't you have day jobs? Do you know somebody else that
you work for might disagree? All right. What's more important, your medical records or your medical records? This really matters, folks. The fine print is the confidentiality of your medical records or the availability of your medical records. Which one? >> Raise your hand for confidentiality. Raise your hand for availability. >> Okay. I love my privacy. I'd like to be alive to enjoy it. And we only have regulations and laws, HIPAA, for the confidentiality of medical records. We have more regulatory incentive to have a corpse with your privacy intact than to keep patients alive. Your wallet or your life? >> All right. So this room's, you know, I'm preaching to the choir. I told you
they were going to get all the right answers, but okay. The needs of the many or the needs of the few? Specifically at RSA, I meant your employer. What? >> Okay. The many, depends on if you're a Star Trek fan. Okay. So we've sort of constructed a Maslow's hierarchy of needs, right? Not everything's equally important. So I kind of heard: the availability of your medical records, so you can get your chemo treatment or avoid a blood type cross-contamination, that's more important than the privacy, and the privacy is more important than IP, and PCI doesn't matter, you know, that much. I said, "Okay, so RSA, why did we do the exact opposite prioritization for the last 30 years?"
Because we did. It's not trite. And you could feel the room go. And it's not just that we've had the backwards priority. It's that we're usually there for our employer, for our enterprise, to drive fiduciary value to shareholders. But every single one of us lives in a community. We have a family. We have a town. We have a county. And if we are applying our unique talents merely to protecting data for an employer, who's protecting the water, the healthcare, the power of your small, medium, rural community? Don't worry, we'll come back to that. Now, that's just assets of data types, but like I told you before, we have national critical functions. These are
specific, discrete services that we all depend upon, and different parts of the federal government have custodial ownership for them. Francis is the national coordinator across those, if their siblings let them. So let's do that same game with functions. So what is a function? There's 16 sectors. Water and wastewater kind of got the EPA. Health and Human Services kind of takes care of this thing called healthcare and public health. Treasury has financial services. So they all have a custodian. But when CISA came along, they made 55 national critical functions. They're more discrete things like provide drinking water, provide medical care, provide electricity, distribute electricity. So each one is a service you can look at: is it available, is it degraded, is it
down, and for how long? What's the mean time to repair? So you can treat this like a utility, just like your phone, your dial tone. Okay. Well, one of them, called provide medical care, belongs in healthcare and public health, which is HHS. And even though it depends on all sorts of other sectors, you know, it gets sort of badly tracked. So back to Maslow's hierarchy of needs. What I kind of said after the CISA COVID task force is, when everything's critical, nothing is. If you were to map these, you know, to the things that keep us from being Lord of the Flies, it's going to be a much smaller list. So the stuff at the bottom is the
no kidding, non-negotiable stuff, and the stuff up top matters to somebody eventually, but only if we can actually have water and food. So back to the idea of your wallet or your life. I think you all said, pretty correctly, your life. So what's more important? Support banking, or provide fuel for the Eastern Seaboard? I need answers. Huh? Fuel. Okay. I mean, the continuity of the economy is pretty important, but maybe not today. Maybe within a couple of days, right? What's more important? Provide electricity or provide food? >> Can I see some hands? Electricity first. Hands for food. Okay. How long can you go without food? >> What's more important? Provide water or provide food? >> Okay. You can go, I was told, three
minutes without oxygen, three days without water, 30 days without food. I think it depends on who you are, but I don't think I'd go 30 days without food. Interesting. Okay, good answers. Provide water or provide medical care? >> Hands for water. >> Hands for medical care. >> Yes. >> It's a trick question. What's more important? Protect sensitive information, your PHI under the HIPAA law, or provide medical care, timely access to care for you and your family when and where you need it? Which one? I think HHS OCR would disagree with you. Okay, I agree with you. Okay, so let's figure it out. I'm pretty biased. I think timely access to medical care is important. So you're going to see the
first of a few videos here. I did not make this one. We have a draft or two that we did that definitely need your help. But this one can help you understand something we learned from Christian Dameff, who's speaking tomorrow. Dr. Christian Dameff's point is that time is brain. So here you go. Emergency department. >> When it comes to a stroke, time is brain, and every second counts. That's why at Northwell Health, we know a stroke needs a different approach to time. So we introduced TeleStroke, a remote video consultation system that connects you to a world-class stroke neurologist instantly, day or night. It's another way we're not just raising our standard, but the standard of healthcare.
Northwell Health. Look north. >> Okay. So with strokes, there's really two major categories. There's lots of subcategories, but it's either a clot choking your oxygen or it's a bleed. If it's a clot, and when you can use imaging, you can take a clot buster and it'll save brain and save life, save your motor functions. If it's a bleed and you give that, you'll kill them instantly, because it'll accelerate the bleed-out. So imaging is critically important for that time-sensitive, time-is-brain condition. Okay, there are other time-sensitive conditions. So during the CISA COVID task force, some of us went into the government, I was there 18 months to the day, and we started seeing
quite a bit of hospital disruption from ransomware activity, and because of the circumstances, I'm not going to go through the longer story, you can see a longer video on all this stuff, but we published the first statistical proof of loss of life from a ransom event. We got to see, with public health information, something called excess deaths, which are tracked all the time: the difference between expected deaths and actual deaths, by month, by state, by condition, by demographic. And we could see that in the same state, with the same population, adjusting for hospital type and size, the ransomed communities reached stress levels sooner and stayed there longer than their peers. And these stress levels were directly associated
with excess deaths two, four, and six weeks later for time-sensitive things like heart and brain and pulmonary. The math is all published through the CDC MMWR. So whenever someone says, "Well, no one's going to listen until people die," we had to kind of prove, okay, yes, we have proof that a nonzero number of people died. We could use, you know, public health information and statistics to do so. Longer conversation, I'll go through this, in fact maybe tomorrow Christian will show some of that. But there's a couple of ways you die in this scenario. Number one is there's a disruption of patient care and the unavailability of certain technologies like electronic medical records or imaging, which, number two,
leads you to divert ambulances to the next nearest facility. If that next nearest facility is four minutes away, you might be okay. If it's an hour away, you might not be okay, depending on the condition. If it's four hours away, you might not survive that delay. But the real deaths happen in columns three and four, where we could see hospital strain levels, ICU bed count, associated with excess deaths two, four, and six weeks later. On the same day we published this, October 1st, 2021, the front page of the Wall Street Journal also published a delayed story of the first named victim of a ransomware lawsuit. It was a 2019 ransom of an Alabama hospital, and
with a complicated birth, they couldn't use imaging. The hospital was ransomed. Much of the equipment didn't work. And with that equipment not working, they still admitted patients. They couldn't use imaging. They didn't notice an umbilical cord wrapped around the neck, which is still a treatable and deliverable baby. But despite a complex and otherwise successful birth, the post-birth monitoring was also compromised. In a typical neonatal intensive care unit, you could have a dozen pieces of technology that force-multiply the limited nurse-to-patient ratio and caregivers, and none of them were working. So subsequently the poor child perished. There's an ongoing lawsuit, in part because the hospital and
staff were communicating with each other saying we should never have admitted patients under our conditions. If the equipment was working, this was an otherwise very treatable situation, etc. So between a statistical proof of loss of life and a named victim, we started to get some political will. And then subsequently, medical health professionals started doing a lot more peer-reviewed medical journal work. Last year, if you were lucky enough to be here, Dr. Christian Dameff showed one of his newest ones. He's going to show two new ones tomorrow, two that I believe, maybe even a third. So this is one of the ones he shared with us, which is not only in UCSD, University of California San Diego hospital, where they work. The Scripps
Institute hospitals all got ransomed, not them, they were fine, but they saw the blast radius of the overflow of patients overwhelm all the other hospitals in the area. So they call it the blast radius, and they could quantify wait times, canceled surgeries, procedures, worsened outcomes at a macro level. But this one was even more stunning, because he went really deep just into heart conditions. And when you have a heart condition, we track the survivability rate with favorable outcome, favorable conditions. And they saw that even an unransomed hospital in a ransomed region had a ten-fold drop in favorable outcomes for heart conditions. And that really got the attention of the cardio community. So he will share some of that
tomorrow. Then we said it's not just the individual health because we know that when you're degraded and delayed and there's um a ransom making unavailable health records or unavailable workflow, it could be change healthcare where one payment middleware for the country at United Health shut down patient care and workflow for 75% of the nation's hospitals for weeks. Well, we also know that many of the nation's hospitals, we had 7,000 when I did the congressional task force in 2016, we have 6,000 now. So, we've lost a thousand to mergers, acquisitions closures financial insolveny, some of which is exacerbated by ransoms. Why? Most small medium rural hospitals according to Beckers that studies the space have four to six weeks
of their cash reserve on hand. So, their burn rate if they're not getting income is four to six weeks. If a ransom shuts down your patient care for four to six weeks, you could either close forever, like St. Margaret's in Illinois, or maybe be weak enough to be acquired and be lucky enough that the next time there's a a ransom in common spirit in Portland, Oregon, you'll shut down hospitals in the same network in Connecticut. So, we're seeing um you either go down for the count, you're weaken enough to be acquired, and they take your doctors, your nurses, your services. Some of these acquired hospitals have bats and the fifth floor in Florida uh from just being under uh
invested in. They're functioning hospitals with bats in them or uh you're lucky enough to be in extended blast radius for the next big ransom. So we are not comfortable with this. And when you really look macro, not just your hospital, but maybe nationwide, uh University of North Carolina tracks hospital closures. So Audi and I made a time lapse. Every single one of those dots is a hospital that's gone for good. So again, not all from ransom, but ransom can make it worse. Uh, so we're with 700 plus ransoms a year on hospitals, you're rolling a D20 each time and hoping that you don't actually close. Okay, so which is more important? You're protecting your HIPPA data or provide
medical care? We already answered this, right? So why is it that every single time Children's Hospital of uh Chicago gets breached and they call their instant response firm and they tell them what they should say to the press, they say something along the lines of in an abundance of caution and in accordance with industry standard best practices, we've decided to shut down operations to contain the breach. So what they did is they took a privacy loss of PHI that was the horse had already left the barn and they voluntarily self-inflicted a denial of patient care on provide medical care. They also voluntarily shut down workflow for billable financial cash flow and if it was for longer than four to six weeks
they might shut the doors forever. So our best practices are taking a HIPPA optimization over patient care. So back to this idea of Mayazo's hierarchy of needs, I started saying maybe we should look at downtime tolerance. So which of those 55 national critical functions if you shut them off for 24 to 48 hours, do people die? And it was about a dozen of them. And not only are these particular dozen atomically important, they depend on each other. So if you have no water, you can't provide medical care. If you have no chemicals to clean things, no blood supplies, no transport for pass uh patients. And when people die, it starts affecting your workforce for things like
water and wastewater, chemical treatment. So we saw this was a pretty dangerous cycle. Hence the Undisruptible project was saying, let's focus on those dozen or so lifeline critical functions. Okay. So let's talk consequences. I was going to give some freedom of choice, but we're going to be a little compressed. So power. So let's pick one. Somebody say hospitals. >> Hospitals. >> Okay. Picture a hospital. Picture your hospital. When was the last time you were there? Was it to welcome a baby into the world or to say goodbye to a loved one? No one wants to need a hospital, but when we do, we depend on timely access to care when and where we need it. Irrespective of cause, delayed
and degraded care for time-sensitive conditions can lead to worsened outcomes and even loss of life. A five-minute-longer ambulance ride has a significant impact on 30-day mortality rates. Time is brain, where even an hour or a few could determine if you walk again, if you talk again, if you even survive. Now, picture your hospital. What if that hospital was not available to you? If your hospital was disrupted, where would you go instead? Is it across town, more than an hour away? What if they are also down? The chance is not as remote as you'd hope. Hospitals have become a top target of ransomware, cyber attacks on technologies in the vital path of care delivery. Worse, your hospital
doesn't even need to be the one attacked to endanger you or your family. We've seen a 10-fold decrease in favorable outcomes for heart patients merely due to excess strain on a ransomware-affected region. Now, back to your hospital, back to your family. You and your family deserve better. If we want timely access to patient care and more resilience in the face of accidents and adversaries, we're going to need to advocate for ourselves. Now, as we head into an era of hybrid conflict with threats to water and power, these disruptions stand to get a lot worse, but we'll talk about that in another video. That is one of our draft videos for the first-year pilot that ended about two
weeks ago. So we would love feedback if we're going to invest in making them bigger. But usually we think of a disruption as an inconvenience or a breach or a ransom or a fine. But if it's happened in your community, you know it could dramatically affect your access to care. So let's talk consequence number two. You're going to get stickers that have these on here. Anybody know what that is? A water hammer. No, it's not an ice hammer, as someone thought yesterday. It's a water hammer. I didn't know what a water hammer was. You've probably heard one in your house, but when they're much bigger, they're much more devastating. I learned of water hammers from our
teammates like Dean, who presented on water. He's a professional water engineer. Part of this empathy is getting on the ground and meeting people where they are and learning their love language. When we started warning them about things like Volt Typhoon, we said, "What's the worst that could happen?" You know, there's lots of bad stuff that could happen. What's the worst thing that could happen? Like, well, first thing, the water mains could be bad. So when you hear it in your house, it might sound like you're hitting a radiator with a little pencil or something. It's like a ting, ting, ting. But if you have a 24-inch water main or a 36-inch water main, they can be 30- or 40-foot-high
bursts, pressure loss; that's a truck driving underneath it. They don't necessarily happen where you want them to. So the weak points in the line and aging pipes, and the aging millions of miles of pipes that we have across the country, could create a downtime event. So what's your downtime tolerance? And so water hammers could be pretty bad. There are other scenarios they gave us as well, like an overpressurization event, an underpressurization event, chemical adulteration, etc. So we started leaning into this water hammer idea. We'll come back to that. Who wants to see the power video? >> Yeah. Woohoo. >> Yeah, me too. But it was not in the scope of the pilot. Okay. All right.
That's why we needed to get more funding. Okay. So let's test some assumptions, though. At some point, usually, especially in a circumspect crowd like this one, because we are critical thinkers, someone's going to be saying this wouldn't happen. Why do you talk about 2027, etc.? So let's go through a couple of the top assumptions of the who, what, when, where, how, why. So who would do this? Well, remember we have accidents like the CrowdStrike thing from a year ago. We have adversaries that want ransoms and money or intellectual property, financial crime, right? But we also see hybrid conflict being used a little bit. And there are four countries on our map. Three of them have reached out and
touched water already. So there is Volt Typhoon, which is the one I talked about that stimulated this conversation. So this is prepositioning, an access campaign to get in and stay in, living off the land on the nation's unguarded infrastructure. But there's also Iran, the Cyber Avengers, maybe you've heard of them, considered a hacktivist group of some sort. They hacked Israeli-made equipment in Aliquippa, Pennsylvania, and other states, I think 21 other states, so we know that they can reach out and touch things. They defaced the interface as opposed to doing damage, but that same level of access could be used for something else. And then Russia, the Cyber Army of
Russia Reborn, not the actual army but a criminal group, hacked equipment in Texas and overflowed two reserve tanks. So they were doing it for money. They weren't trying to cause the physical damage, but it's pretty easy. And as Beau Woods likes to say in the Cavalry world, malicious intent is not a prerequisite to harm, right? So you don't even necessarily... I'd prefer they don't have access and they aren't trying, but we have wide-open water infrastructure. So all three have demonstrated the means, motive, and opportunity to reach out and touch water. So this is an Office of the Director of National Intelligence two-page PDF. It's public and shows some of the states and dates and
campaigns where Iranian hackers hit US infrastructure. I'm shocked that they did it in public open source as opposed to classified. There's other stuff if you're in that world that's more serious than this, but this is the part they were saying out loud. Okay. So, why 2027 is usually the second question. Well, I hinted that Jen Easterly, Christopher Wray, Nakasone, and Harry Coker pretty clearly, pretty resolutely, pretty consistently warned of Volt Typhoon. Xi Jinping says he wants to unify China with Taiwan in his term. He told his military to be ready to do so as early as 2027. If you're following people like our guest speaker in a minute here or
Dmitri Alperovitch, some people think it may be a year or two later, but we're in the vicinity of declared intent to take Taiwan or reunify with Taiwan. And they said to the US, we'd prefer you stay out of it. So part of the stated objectives of Volt Typhoon are to undermine public support for our intervention, and/or, if we do interfere, they could do all-out chaos on US infrastructure in retaliation. Perhaps there's a baby step in there, like a brushback pitch. But it doesn't take a lot. It takes two towers, for example, to have us go to war for 20 years. So even a demonstration of force could be pretty devastating to otherwise
unwitting civilians. So this became, what's that Maya Angelou quote? When someone tells you who they are, believe them. So we at least have their stated doctrine, and we've talked about it in open-source public hearings, and you can watch them. This one can take a while, but I'm going to go faster, especially because Bryson's going to do a guest sitrep. But someone says, "Well, doesn't the military protect us? If this is a war, aren't they going to protect us?" And without being mean, I've just, you know, been up close and even at times in the belly of the federal government. What people don't realize is that in other countries,
in Europe, critical infrastructure lifeline stuff is publicly delivered and publicly owned and operated, whereas we delegate that to the private sector. 85% was a wild guess with no actual math behind it, but it's actually come up and they did the math, and it's about 85%. So 85% of owners and operators of lifeline infrastructure are private. Some of them are price-fixed at the state level. It might cost you more than a dollar to give you a dollar of water. So they're really prone, and you might have heard the term we coined, target rich but cyber poor, kind of building off Wendy Nather's notion of living below the security poverty line.
Then people said, well, don't we have Cyber Command? Doesn't Cyber Command protect us? Well, Cyber Command's an offensive unit. It's not defense. And then someone says, "Well, I heard that CISA is the nation's cyber defense agency, right?" Well, they don't have authorities to go into your networks that are privately owned and operated. They're an inform, advise, and assist function and a national coordination function. But they're not actually authorized to go do operational security and patching for you, and nor would you want them to, per se. So that doesn't really happen. And that was always kind of true. People didn't know it. It got worse with Executive Order 14239 in March, I think it was, where there's
a strategic shift, whether you like it or not. Maybe it's the right call eventually. I think the timing is probably pretty unfortunate, but the shift is saying we want to shift the bulk of the work for cyber security resilience from the federal government to the states. So if we're going to shift that, one of the very important institutions that could help is the MS-ISAC, which stands for the Multi-State ISAC. And yet, maybe independently, that one lost its funding, too. So we are both doing a strategic shift when you can hear the drums of war, bad timing, and some of the graceful transition has been hampered by defunding of the Multi-State ISAC.
So what's an SRMA and CIPAC? Well, SRMAs are the sector risk management agencies. So each one of these 16 sectors has a custodian. Many of them had significant budget cuts, voluntary attrition, some DOGE effect, and/or their committees of jurisdiction and oversight are mad at them for some reason or another. That includes CISA, and then CIPAC. CIPAC is the way that the public-private partnerships are lawfully, legally allowed to talk to each other without breaking other advisory committee laws and lobbying things. And so CIPAC got suspended back in February, and I don't think it's been turned back on yet, unless someone can tell me. So CIPAC is what allows them
once a month, or upon emergencies, to talk to each other under TLP red and amber, and they can't actually do that. So even the free collaboration that had existed is at least temporarily still turned off. That was not on purpose. It was by accident, I was told. But so this is not a good situation. And then CISA, as I said, is advertised as a cyber defense agency, but it is an inform, advise, assist, not operate function. And then Congress, even if Congress is pretty bipartisan on the China Volt Typhoon, Salt Typhoon stuff, which they kind of are, if you pass the law tomorrow, the normal cadence of how a law matriculates
into a notice of proposed rulemaking and commentary period and all these other things, it probably wouldn't manifest any direct impact on the affected time zone of which we speak, 2027, which is now under 18 months away. Okay, insurance. The next thought-terminating cliché we tend to get, as I try to go a little faster, is, "But I'm insured." I'm working with CyberAcuView, a collective of the top 20 underwriters of cyber insurance in the world. Most of them are the big ones that do other forms of insurance. Have you heard of acts-of-war exclusions? So none of them believe that you are covered for the things that you believe you are
covered for. But there are some edge cases and some nuance, and I've been collaborating with them on clarifying to their policyholders what is and isn't covered in the case of the People's Liberation Army destroying water in the community and having downstream and secondary effects on other things. So they have some public statements they're working on. There are going to be some tabletop exercises. They also, even without acts-of-war exclusions, don't cover business continuity disruptions caused by a service disruption of infrastructure. So if you get ransomed, they'll cover the business loss for a certain amount of time for the ransom, but if your water goes out, that's not usually covered. So it
depends, your mileage may vary, and there have been talks for years and years about a cyber security backstop. Some of them mean a vertical one for the whole industry. Some of them mean horizontal for certain topics. Like we have a TRIA backstop for terrorism after 9/11, so people would build property; that gets renewed every 10 years or so. But there isn't really a cyber backstop. But there's on-and-off-again discussion. So maybe Congress could do something there, or the White House could do something there. But don't look for a lot from the federal government and don't look for a lot from insurance. What we're really looking to do is
clarify your expectations about what is and isn't covered. And then the last one is, well, in the world of national incident management systems and NIMS, which you're going to hear about later today, and in the world of disaster science for wildfires, we don't have to have enough firefighters for wildfires. We can call on mutual aid, mutual assistance agreements with other states, and we can snap into things like NIMS. Well, mutual assistance is predicated on a concurrency capacity assumption. So Wisconsin firefighters are very happy to help LA firefighters unless Wisconsin's also on fire. So when these attacks are everything everywhere all at once, most of the concurrency assumptions fall apart real fast. And by the way, so do
the insurers. The insurers said, "We'll still help you if you're not covered. We'll do the incident response. We'll assist you." I said, "What's your maximum concurrency to assist your install base? Do you prioritize based on first come, first served, on declared state of emergency, on biggest customer? Do you get to decide, or does mania get to decide?" So there are a lot of unanswered questions on concurrency. So most of our mutual aid things are pretty much going to fall apart within the first few hours. So those are fun. But let's pull some of these things together. You have the "hammer time" stickers we're going to give you. You saw the hammer, the water hammer. So let's play another video,
shall we? This is the first video we made.
We are too dependent on undependable technology. The systems that we rely on every day for everything from water to food to power and emergency medical care are subject to escalating harms by accidents, bad actors, and nation-state adversaries. These attacks could quickly move from disruption to destruction. For example, an intentional water hammer that abruptly stops or reverses water flow, sending a shock wave through the system. Attacks on our water systems would be devastating, not just for lack of access at home. No water means no coffee, no toilets, no laundry. No water also means no hydrants to put out fires. No water means no healthcare. The hospital can't run without clean water. No water means no sterilization, no
surgery scrubbing, no laboratories, and eventually no access to life-saving care. Our dependence on connected tech has grown faster than our ability to secure it. And there is evidence that foreign actors are already weaponizing these vulnerabilities. But who would actually do this? In public hearings, Congress and US government cyber security leaders have warned the public of Volt Typhoon, an ongoing campaign of successful attacks on US water facilities, led by a People's Republic of China state-sponsored cyber actor. But China is not the only aggressor. We've seen cyber attacks on our water systems from Russia and Iran. These attacks pose a broad and unrelenting risk to critical water infrastructure and could escalate to large-scale destructive attacks on our water systems
as early as 2027. The good news is we have time to make changes. We must strive to make our lifeline basic human needs undisruptible, and where we cannot, ensure that our communities are more resilient under fire. This means divesting our reliance on connected technology, better securing our existing systems where we cannot disconnect, and ensuring analog solutions are in place when those systems fail. If this sounds overwhelming, remember: if you can't afford to protect it, you can't afford to connect it. Undisruptible 27 will prioritize the safety, security, and resilience of three lifeline basic human needs, especially at the local level. >> Okay. So if you take the "your hospital" video, it's not your privacy;
there is a time-and-space risk of diversion to the next nearest facility. And then now we combine that: a disruption of water shuts down hospital operations in two to four hours, and then if you try to go to the next nearest facility and they are also disrupted, do you think the body count's going to be zero? So we're pretty concerned about hammer time. We're pretty concerned about this. So then it comes to what can be done. We already told you the federal government's not going to help much, and insurance will be after the fact but probably going to exclude things. We started leaning into what is the art of the possible. Just like with Y2K, we
had to work backwards against a certain date and say what's doable. So is the best defense shields up? Do you want to add cyber? They don't have budget. They don't have staff. They've got about 12 to 18 months by the time we get to them. Or should it be connections down? Maybe it's being less dependent on undependable things until we can pay for responsible risk mitigation. It's more likely physical mitigations. And this is why I'm really trying to get a lot more heat and light on some friends in the room, things like Idaho National Labs' consequence-informed engineering. We'll talk about that in a second. So maybe I can't disconnect and maybe I can't cyber up, but I can make
sure that a compromised system can't blow up a water main on the hospital network. So the best defense against hammer time is not cyber. It turns out it's really unintuitive. So, Virginia, can you raise your hand? All right. So we have a speaker later today who is doing some free training over the Padium today and tomorrow. He's going to talk about consequence-informed engineering, but I'm going to grossly oversimplify their massive body of work and say: if you want to reduce the probability of a compromise in cyberspace, you add cyber. But if you want to reduce the consequences of a successful attack, you add engineering. And we realize we are not going to cyber
our way out of this in the next 12 to 18 months. So what we can do is say, what's the worst that can happen, and are there available, familiar engineering mitigations for something like a water hammer? And the answer is, yeah, there are. Bryson may mention Critical Effect, the conference we ran in June in DC, but we had a water engineer come and say, here's a $2,000 pressure sensor with a physical wire back to the pumps that can notice you're out of acceptable pressure ranges and disable the pump. It's like a circuit breaker for water. So for $2,000 to $10,000 for that pressure zone, maybe you can get punched by the
Chinese military, but you can take that punch without a burst water main. Now, I'm not trying to say it's that simple in every case, but this is going to be the mission: cyber exposure with life-and-limb consequences and available, familiar, tangible engineering mitigations. So let's try that prioritization game again as we round it out in five minutes or so for our guest on the sitrep. Okay. What's more important, provide water or provide medical care? >> Yes, water. >> Trick question. No water, no hospital. But now it gets harder. Do I restore water to the dialysis center on the west side of town or the trauma center on the east side of town? These are hard choices.
These are probably not your choices. Okay, next one. It's harder. Do I protect the town with one and only one hospital, or do I restore one of the three hospitals in a town with three hospitals? This might not even be your town's choice. This might be a county choice. There's only one level-two trauma center >> that you're talking >> that matters. But these should be answered left of boom, not under fire. And we're going to have a talk in the closing block today from people in public health and emergency management, disaster management, who know how you do these things. But have we asked those questions or posed them to our leadership
yet? So which is most important: removing exposure, adding cyber, or engineering down consequences? >> Engineering. >> You're cheating, right? Okay. So I'm going to mostly compress this part. This was mostly for the RSA audience, but just if you're wondering, I said I'd come back to it. The reason we have our priorities backwards, it's not all their fault. Let's give each other some grace. We've been incentivized to do so. Part of that is, if you know the William Sutton quote of why do you rob banks? It's where the money is. Forever prior to ransomware, attackers, the sniper rifle scopes, and defenders, the shields, focused on the Fortune 100 or
500 or 5 or 2,000 because that's where the money was. Ransomware was not a technical revolution. It was an economic one. And what they found is the unavailability of anyone can be monetized. So we had an unmitigated feeding frenzy on the cyber poor. The RSA crowd still has not figured out how to monetize down market. So they don't try. So we're kind of doing what economics tells us to do, not what our community needs us to do, because this target-rich, cyber-poor stuff is not participating in public-private partnerships. I'm going to skip this from the Cisco task force, but let's go look at the three. When we have public-private partnerships, what that means is
there's a government custodian, a sector risk management agency like HHS, or EPA for water; there's a sector coordinating council, which is the voice of the private sector defending their honor and doing the trade-offs; and there's usually an ISAC for the technical exchange of indicators of compromise. They said usually water, emergency care, and energy and power. There are 151,000 water plants in the US, not even including water and wastewater treatment. 151,000. A third of them service homes. So let's just say let's focus on 50,000. Do you know how many participate in the ISAC? Somebody, not you. >> 650. >> We have 0.4% of the nation's water plants even in the ISAC. Do you know how
many hard cyber security requirements are thrust upon water operators? You're up. >> Zero. >> Do you know that when the White House and EPA asked the water sector, at your next annual sanitation survey, please indicate which of the 38 CISA cyber performance goals you do and don't have in place. Inventory them. You don't have to do them. Just tell us which ones you have. We want some ground truth. You know what the response was? >> We're suing you. >> And these three states and several trade associations successfully sued the federal government for daring to ask. Yes. So when I talk about participation, the Water ISAC, whom I love and I'm working with and I'm trying
to get them more love, they've got 650 of the haves, not the have-nots. AWWA, American Water and Wastewater, they have 4,000 members, so they're a little bit bigger, so they're at 1.4%. Hospitals. There are 7,000 hospitals, down to 6,000. There are about 300 in the ISAC. It's the haves and the have-nots. The national footprint needs to go further down below the poverty line. Energy and power is doing much better. You've got Edison Electric for the bigs. You've got NRECA for the tiny rural co-ops. You have APPA for the public power. They have a lot more participation, in part because they have NERC and FERC regulations. They have CESER from the Department of Energy. They
have CEOs coming to the sector leadership instead of IT staff, but they're still, you know, in the crosshairs. So what I'm trying to say now that we've done a year of Undisruptible pilots is, let's look at the nexus of these. So we can't fix them all. Out of the 151,000, there are 6,000 that service a hospital. So let's make a hospital town the center of our bullseye and let's look at the dependencies it has on weak water and power and other things. So the Undisruptible project was looking at this. As we close the track, you're going to see different talks throughout the next several days on pieces of this project. But we have changed our theory of change, and I'm
going to outline how we can directly get you involved and maybe even your community involved, because we learned a lot in the last 12 months. But it was originally going to look at these four basic needs, just the life safety stuff: just water, emergency care, power, and food supply. We started with the nexus of water and emergency care for the first 12 months. And if we were going to get more funding, we were going to weave in power and food supply. This is too much of an eye chart, but the theory of change was, let's go to owners and operators of water and healthcare first. Then a year later, we're going to go to the municipal town
leadership, city planners, so that when they freak out, the water people already have a great answer for the risk that we identified. We're giving people time to go through their stages of grief and be the hero of the story instead of flat-footed. And then maybe a year after that, we might go to the public. And Bryson gave me lots of great feedback on maybe we shouldn't go to the public, and maybe we won't have to go to the public. But I reserve the right to go create public demand from their leadership and their owners and operators if it comes to that. And then we also need that long band of helping the helpers be helpful.
So I need you, left of boom and right of boom, to start learning more about consequence-informed engineering, how to talk to national incident management systems and your state and local public health people, how to be helpful instead of ignored, and maybe the questions you can ask and the offers you can make to your local teams. So we don't get to sit this one out, right? I can't say not to play the game, but maybe the safest move is not to connect. There are towns that aren't yet connected. Maybe they should stay that way. There are towns that more recently connected. Maybe they should maintain the continued ability to do manual operations, which is increasingly
disappearing. There are new valves that one of my college roommates helps make that don't have a wheel on them. So if the computer that powers it goes out, there's no wheel for the human to turn. So we can play some chess, but once again, at much higher stakes than when we first said this 12 years ago, that the cavalry isn't coming. Like, you may be the one that introduces Volt Typhoon or consequence-informed engineering to your town. And what I really would like you to understand is the way that you could be most helpful, and we're going to pivot to this towards the last day, is knowing how to protect your household, because if you're looking
over your shoulder for the water needs, the medical needs, the food needs of your household, we don't want you to be doomsday preppers, but we do want you to be prepared. And the UK government's already asked their citizens to have three weeks of food and water on hand. They didn't tell them why. So there's a way that you can make sure that your household's okay, maybe your neighborhood's okay, and then you can start to help your town. We're going to equip you with critical questions to ask and suggestions and resources to provide. And maybe instead of a top-down central push from the federal government out, we can get to individual targeted cyber core communities and raise
up. Craig Newmark's family of grantees have kind of decided we all take volunteers. Maybe we can make a unified volunteer platform where people can say, "I'm willing to volunteer on the following topics in the following places." And people who increasingly want volunteers can look at a one-stop shop to say who can help me on water, who can help me on power, who can help me on hospitals. So it's not just about cyber-physical systems, but the Cyber Resilience Corps is a way that people can start to volunteer. And Craig's in this whole cyber civil defense idea: he wants you to do your part, just like Rosie the Riveter, or like they had to do when he was a kid. And
if the cavalry isn't coming, same kind of sentiment. So that is mostly the talk from RSA. I would like to have a guest who knows way more about national security and warfighting doctrine than I could ever know. And if you were lucky enough to see him upstairs, he was the morning keynote. So I'm going to try to transition to a 15-minute sitrep on "you are national security," >> and we'll take questions after him. >> Yes. >> Yeah. >> Did you provide at all? >> Okay. You did, because I saw some of your slides. I didn't answer that. Okay. But hopefully you're getting some stickers while they're switching laptops here.
I'm not saying every single one of you has to take responsibility for national security, but I am encouraging you to take some interest in your household and your community. And then Bryson's going to give his perspective. Okay. I think we should clap for you. >> Oh,
>> So I actually got started as an army officer in tanks. I was a qualified tank commander. I commanded a tank platoon. And ladies and gentlemen, there is nothing better on this planet than commanding a tank. I'm not kidding. Just so you know, let's make this real. We had a name for everybody that wasn't in a tank. Anybody know what it is? >> Crunchy. >> Not kidding. That was what we called dismounts. Josh talks about how the US government had a different philosophy on defense. And let me take that to a very pointed time: 2015. Until 2015, the US government said this is not our problem. Cyber security for me; good luck.
We're not even talking critical infrastructure. We're just talking the concept of cyber security was not even something the US government looked at domestically until 2015. I co-founded the ICS Village with Tom Van Norman and we've been doing this for a long time, and until Colonial Pipeline, no one paid attention. Nobody cared. So the US government didn't care about cyber security until 2015, and until Colonial Pipeline, going back to Josh's comment about educating the public, well, that was an incident that educated the public, because it wasn't about cyber security. It was about the fact I couldn't get gas in a hydrocarbon economy to live, to do what I want to do. And so I work with Josh and Silas, who
was just here, at the Institute for Security and Technology. So how does the electric grid work? This highlights the shift. 50 years ago, the electric grid was simple: generate electricity, send it over there, somebody uses it. Easy, no problem. We don't need computers to do that. Well, and then something changed. The electric grid no longer went that direction. We have renewables. We have market economics that requires computers to work. And all that means is surface area. Anytime we add a computer to the equation, we have exponentially increased the surface area. Turns out that's what this whole cyber security thing is about. How can I do something that I want to do, generally unauthorized, on your computer? If there's
no computer, I can't do that. If there is, I now have got a shot. So what are industrial control systems? It's any computer that's at least 20 years old.
And this is what we're up against. So at the start of the keynote, I anchored it with we don't work in cyber security. We all work in national security. And that applies whether you're in critical infrastructure or not because our opponents are the proverbial nation state. That's who we're up against. And that's what makes this discipline so interesting is every day we wake up and go, how do we stop the Russians? How do we stop Russian sanctioned ransomware gangs? That's our lives. That's what we're dealing with. And the problem is is it morphed from 2015 where it was going to businesses. And this is where uh Krebs and I when he was the director gave a keynote at RSA talking
about the coming scourge of ransomware because while ransomware had happened, it hadn't yet tripped to being a national security problem and it is now. Current estimates are that there are over 100,000 trained cyber operators in China. That's one country. And do you think that number is static? They are investing. You hear about asymmetric warfare all the time and it's kind of this buzzword and I don't know and I don't want to get into the rabbit hole of whether we are at war or not but we are definitely in something and that is what we face every single day. That's the pit in your stomach when you try to take a vacation because you don't know.
So why are we here? We're here because we have a simple system that is never in isolation. Turns out pretty much everything is networked. And so when we start putting those systems together, whether it's direct, whether it's through something else, or whether it's the supply chain because there's a dependency on the back end. This is what starts to make this problem. So what aren't we accounting for? Nobody expects Elon Musk. People remember Oldsmar that got so much attention. But what actually happened? Nothing actually happened. It was a human error. But the problem is that human got really afraid when the FBI showed up and was like, "Ah, I think I've been hacked." Human error is still
most of the challenge that we have. You see this every day. In fact, I joke that's the reason we work in cyber security is because we're bad at it. We need to account for the human in this. Computers didn't get there by themselves and they don't continue to operate by themselves. So why are we here really? Because it's cheaper to bring computers and to remotely manage things. A lot of what Josh was talking about goes back to that because this is delegated down to private industry. Efficiency is the driver. We got to hell in a handbasket because it's cheaper and it's convenient. Right there. So what is a threat? It starts with somebody with a motive. You
have to want to do something. Nobody accidentally attacks an electric utility. It's not an accident. It's on purpose. But motive isn't enough. You waking up in Moscow and saying, "I'm going to get you drink a fifth of vodka for breakfast and throw it in the direction of America." It only goes so far. You need capability. You need capability. Capability is tools, access, tradecraft, infrastructure, trained operators. That combined is the threat. And this is where I flip the trope because there's this we talk about the defender always needs to be right and the attacker only needs to be right once. That's wrong. That only means what it looks like for them to break in. Once they're in, they
need to be perfect or they will get caught. That's your opportunity. That's what you control. They can't hack what they can't touch. Which means they're constantly looking how do they get that? How do they get in? Well, those are your computers. You put that computer there. That's your computer. You decide how that computer speaks, what protocols it uses, and then the attacker is constrained to only being able to work on those hosts that way. We have the power. It's not meant to be a pun. We are in control of this. And I wish Casey Ellis was here, but he summarized this so well. Threat actor, someone who wants to punch you in the face. A threat is the punch being
thrown. Vulnerability, your inability to defend against the punch and your risk, the likelihood of getting punched in the face. So, who is the threat? Long time ago, when I first started public speaking, I went out of my way to name the countries that were behind things. That was not common. We didn't do that. Attribution does matter. We should understand because again this isn't a cyber security question. This is a national security question and who's doing what matters. Since I'm really short on time, I can't go into detail here, but um Jay Healey um who's a department chair at Columbia University has a really good article um with the Atlantic um the Atlantic Council and he talks about the spectrum
of state responsibility because again there is almost nothing that is happening today in offensive cyber operations that does not have some level of an adversarial state that is involved. These are not happy accidents. So, I'm going to pull up some quick case studies here. So, last year, um, this might have been RSA or Black Hat, I forget which. I I had a video interview and I was talking about, and a lot of people didn't understand because I was like, look, we need to take the temperature down. I had just met the week before with a small municipal um, and they were like, oh my god, the Chinese are going to get us. And here was the thing. We had turned up the
temperature of attention which led to fear. And all we had given them was fear, not direction. And so I met with them and they had this list of priorities that they were going to do. I was like, well, let's back up because what I'm about to do in these slides is I walk through, well, what exactly does the threat do? Because that's theoretically what you should be improving against. And it wasn't until the sixth thing on the list that it even affected what anything that the Chinese might do at all. We had made them afraid. They were spending money. And this is one of our challenges and part of where Josh and the community, we take
this so seriously because when we get it wrong, when somebody spends energy and time in the wrong direction, that costs us more because it's going to be really hard to earn that trust again. It's going to be really hard to go back to the well to try again. We cannot afford to do this wrong. We don't have the time for it. So the reality, it's now been zero days since Stuxnet's been mentioned. I think you laughed before I even finished the joke, David. Have I said it that often? This is not our problem. Uh Dale Peterson published uh um actually this ties back to the congressional testimony. So, there are a few folks who uh testified to Congress on Stuxnet 15
years later and pretty much all of them were like, "We were really surprised there wasn't more Stuxnet," because there isn't. We aren't up against the Hollywood military weapon. We've seen a few of them, but it's not the primary threat because the reality is, let's look at the Purdue model. It's the nominal enterprise architecture for industrial control systems. I've got IT at the top. I then cross over into an OT boundary where I typically want to have some kind of shared service level, routing, file servers, remote access, and then we get down to the individual segmented control zones. And here's the thing, the same way that this works for all of us in real life, its job is to be on the
internet, which makes it the easiest surface area to access. I realize you are an industrial control system asset owner. I pivot through your network. I cross over and all the hard work I had to do to get through your IT. I'm now on a high level industrial control system that is a three generations old Windows or Linux and I don't need to do anything other than to tell it what to do. That safety instrumented system is already networked with all those devices it's monitoring. All those really unique weird this version of Modbus or Trophy. It knows it. I don't have to build anything. Hackers are lazy. I will tell you as a former intelligence community guy, we were lazy, too. I only did what
I had to do. We will use whatever you have. And you already have all of this. That's the common threat model. So, we're not alone. What is the red line? You haven't heard of the Tallinn Manual? The Tallinn Manual is the utopian answer to how we should be looking at this problem. But here's the thing. It's academic. >> Being right doesn't make it. So, we have a political willpower problem, not an idea problem. But we're not alone. There's a reason there has not been substantial impact to all of these operations. And one of them is that if you do something, the US military will say hello. We will not cyber you back. We will do what we're best at, which is not
nation building. I was I was an officer for Afghanistan and and Iraq, and trust me, it didn't make sense to us back then either. We're good at blowing things up, not keeping it. I got it. Um, so the US military is still a deterrence factor, but this leads back to what are their motives. So P.W. Singer came out with a book called Ghost Fleet, which was how the uh Chinese were able to directly hack military ships to support the invasion of Taiwan. I don't think that's how it's going to go. So, back to the tank that we started with, the best tank to fight is the one that doesn't show up on the battlefield. And the US military has yet
to figure out how to teleport tanks. So, we still need to coordinate and to ship them, which means that's our weakness. And that's the wobble that they're going to put in the system. And we did a project at the Army Cyber Institute called Jack Voltaic where we looked at the force um uh the interdependence of civilian critical infrastructure and force projection. Um there's public reports you can read about this. And what we we showed was how easy it is to throw that wobble off in a water plant near Fort Liberty and then those tanks don't deploy. So in summary, what do I see? And this is what Josh hinted at. I think Taiwan will be invaded in the
early 2030s. There is certainly a cultural reason for 27, which is why it is a consensus opinion, but as somebody who has experience doing combined arms, trust me, it is not so easy. The reason that the Russians have struggled so much in Ukraine is a demonstration of how hard it is to send people, even in that case, just pretty much on land, and it's still difficult to coordinate a combined arms effect. Hollywood cyber weapons aren't the problem. Risk is still basically three to five on the list of how anybody is looking at this. Surface area is increasing faster than control structures. We're vioding our way to the next generation critical infrastructure. We're shifting this to states. You are
the cavalry. So how can you help? Um Josh mentioned the CRC. I will throw in also there's another one standing up called the Civilian Reserve ISAC which we're partnering with at the village. Um at DEF CON they're going to have a booth if you want to talk to them. I Am The Cavalry, of course, you can read this stuff. Another thing is our nonprofit, the ICS Village, is doing workforce development so people don't need a degree to get in the game, and some more resources. The one I just want to highlight here is because I've got Krebs, Easterly, and our next director Sean Plankey. That is Sean uh trying to cook >> on Unicorn Chef and if you go watch the
episode, you will understand why I say trying to cook. >> Thank you.
>> Thank you. All right, so home stretch. David and I are going to rapid fire tell you what you're in store for for the rest of the next two and a half days. Okay, so you just saw setting the table uh for the most part. Um, we're going to break for lunch. There's some other good content upstairs. The next talk is a two-hour block on water. We're going to have Virginia Wright from Idaho National Labs and Consequence for Engineering. Andrew is going to be the primary speaker and we have an unfortunately Dean had a crisis because he's a water professional and water professionals have crises. So, he recorded something and if it works, we'll play some of that in that mix. But
this is one of the ones where we want a lot of discussion because of all the weak links, water is the weakest. So our highest consequence is denial of patient care in the nation's 6,000 hospital communities. The weakest link to cause that is likely water, but not exclusively water. So I would highly recommend you stick around for the water talk. That's why it's so early in the flow. No water, no hospitals, no kidding. Any comments on that one? >> It's important. >> You have your uh lab or no? Do you have the the one-liner? >> Yeah. >> So for water and we're also going to talk about a training. There's uh uh consequence-informed training that is
going to be available. As to water, take a tumble down the rabbit hole of the water sector cyber landscape and emerge with real world strategies to outsmart today's most dangerous cyber threats. This session blends high stakes insight with a touch of wonderland whimsy. >> Wow. uh showing how cyber-informed engineering can create resilient water systems. If you work with water ICS or just want to avoid hearing off with their heads, then you definitely want to show up to this session. >> So, we asked each speaker, can you give us a 140 character description? Not 140 words, but so we'll we'll go a little faster, but it's going to be a great session. And um can you two raise your
hands? Okay. So, and uh Professor Kitty as well, right? Uh the training is in the platinum. You had to use event, right? There might be some seats left. There's a a session today and a session tomorrow for free training, 4 hours on consequence-informed engineering for water and there's a panel. So, try to find them if you want to get into the training. We're going to go a little faster on the rest of the sessions. The afternoon block is a couple different talks. Uh Blake, please raise your hand. Is your co-presenter here? Okay. We have a happy warrior we met through the launch of Undisruptible who does public health and emergency management in a county in Arizona and has been
incredibly helpful to helping us understand that if there's a disaster, how can we best snap in? So, we're going to have cyber incident command systems and there's lots of namespace collisions like ICS is industrial control systems. It's also incident command systems. It's super confusing, but they are happy ambassadors and translators and that's one not to miss. Immediately following them, we have cascading failure unified defense with an honest to God EMT and some emergency 911 stuff. So, not only maybe could you learn how to keep first aid for your family if healthcare was down, you can also look at like the cascading failures across these sectors. And then this is anybody have one of these or something
like this or know what this is? >> All right. So, we're also going to have a small talk. We were hoping to do training. We will definitely next year. But Meshtastic type, LoRa type, non ham radio type. If 5G goes down from Salt Typhoon or your phone lines or your internet, can we still have nonzero comms with each other and with our community that we wish to serve? So there'll be a small session on that to close out today. Any other comments for today? Okay tomorrow. This one's stressing me out a lot, so I'm I'm not gonna miss it, but I am losing sleep over it. Um, Dr. Emma Stewart from INL, chief scientist for
the grid, uh, I think is how she sometimes describes it. Uh, returning hero for the third time in a row, I think third year in a row with Manish. Uh, they're going to talk about power and the power block, but they chose to go the AI data center route, which stressed me out. And the more we talked about it and thought about it, we have to talk about it. So, as bad as things are now, um, with the frailty and fragility of no water, no hospital, no kidding, no power, no pumps, no pumps, no water, no water, no hospital. And even circular, you need power to have pumps to have water to have power generation. So, it's very uh
interconnected. All these rapidly built AI data centers are going to make it 50 times worse. So, you both need AI to fight the risks introduced by AI. And we're putting 50 pounds in that 5 lb sack. So if you want, you know, nightmare fuel, come tomorrow morning. Okay. Um Joe Slowik in the same block is going to show how ransomware was a good training lesson for critical infrastructure disruption. These are not confidentiality of data per se. These are availability of lifeline services and ransomware is the unavailability of many of those lifeline services. Back by popular demand, after the lunch break, we are going to have hackers. Oh, excuse me. Emergency care. So, this is going to be a trio. Dr.
Christian Dameff has come back with two new peer-reviewed data science things and a cyber crash cart overview from his ARPA-H funded project at UCSD. We also have Beau Woods, recruit and MVP number one from the I Am The Cavalry movement 12 years ago uh who started in healthcare and he's going to bridge the gap between Christian Dameff as a cyber hacker doctor and a nurse that we met and spoke to last year at Cyber Meds Summit in DC. This is the head nurse at Ascension Health and McLaren Health who got ransomed hard and they wrote a demand letter for their union saying we are not trained for this. We don't know how to do our job.
Patient safety is at risk. So, she's going to talk about how harrowing it was to be a nursing professional. Amidst these, we often look at this as an IT problem or data problem, not a staff and a patient care uh problem. So, the three of them are going to walk us through a lot of conversation, everything from peer-reviewed science to how disruptive this was to care delivery. Uh so, please um try to give Dena, our nurse, uh your full attention and empathy. And then, uh and she's really brave, too. She doesn't know cyber at all, but she's a sponge. She sucks it all up. She asks great questions. She gives good feedback. She's awesome. All right. And then who
likes to eat? Okay. So, we're going to have a hackers like to eat session. So, we have some people from the bioacc um and they do lots of different intersections of things that mostly get orphaned by other sectors. And they're both going to tell you some of the food supply constraints and choke points, but also maybe how you might think about your own food stability for your own home because it's not the way you think. So I'm pretty excited about that hour-long block. Anything to add on those? Just trying to go fast because of the time limit. And then uh to end the day, Silas was in the room, but Silas Cutler uh who works
at Censys now, but is also uh faculty for IST uh he published. So you saw the Purdue model that um uh was just shown as to how many owners and operators segment and isolate their OT control systems and ICS and everything. Well, he found 400 uh OT controls naked directly accessible on the internet with no passwords or validation. He worked with the EPA to get them offline quietly and that happens pretty often. So, you know, we like to have this multi-layer defense. We don't always get it. So, some combination of Silas with some of his findings for his current ongoing projects to scour the internet for the lowest hanging fruit, but also Paul
Roberts with several nonprofits like Right to Repair uh and other things and Stacey Higginbotham from Consumer Reports Advocacy. They're kind of looking at how end of life software policies or SUAX and end of life software can lead to end of life for humans. So, some combination of we know some of the problems, we have some policy proposals, none of them had political will, and we wonder if this Typhoon suite could create political will somehow. So, they're going to wrestle and talk through EOL software should not be EOL for humans. And that will close out day two and then why don't you start day three because you're one of the speakers. >> Okay. So, Wednesday um we open up with
cyber civil defense volunteers to the rescue. Volunteers are the backbone of cyber civil defense. If you because you're here, I think you are ready. If you're ready to join the community cyber defense fight, but don't know where to start, this talk is for you. This is Wednesday morning. We'll map out the current volunteering efforts, pinpoint the crucial coordinated strategic actions still needed, and be your one-stop shop to identify which volunteer groups to join in. So that leads us off on Wednesday morning, followed by neighborhood and household resilience, a month without external support. So I will be talking about things that you can do at low cost, relatively low effort to make your household and I
would say even more importantly your neighborhood resilient to crisis. We're going to talk about it. Don't feel overwhelmed. Feel simply whelmed because you can definitely do it. And then finally, Josh is going to close us out with tying it all together and trying to bring forward lessons and vignettes from each of the sessions to build a single unified model and really a course of action moving forward because we want to leave everybody with some homework to do when you go home because really your work is not done here. The work starts here, but it continues when you go back to your home, your community, your school, your work, the people you
interact with every day. So, um, part of that session is the slides that he encouraged me to do from RSA for you this morning were the first year's pilot. I am very happy to say part of what we're going to do to close this out besides synthesize everything is we're going to dig into what is the next two years. So, uh, to his credit, Craig Newmark didn't only fund the first year. He announced and we announced on stage at Critical Effect in DC. Um, he's provided $3.2 million to fund the next two years for a much more aggressive, robust project plan and roll out that you could participate in. And we're going to show you how you could snap in.
The uh, without killing all the cool details, part of the idea is our theory of change is we had an information gap. We did not just have an information gap. We had a motivation gap and an enablement empower gap. Uh the other thing is with so many to reach and so little time, we're going to innovate narrowly and replicate widely across a two-year project plan. What does that mean? We are going to have funding for 12 cities, 12 towns, 12 communities, as diverse a composition of philosophy, budget, red states, blue states, urban, suburban, rural, near floodwaters, near cities, near ports, whatever. We're going to pick 12 really diverse communities that have a hospital in them. And we're going to mean the
hospital, the power, the water, the municipal leadership, and emergency disaster management for the state and county all together. And we're going to cross through the motivation and the enablement. We'll even pay for some of those mitigations and we're going to make playbooks and capture their stories before, during, and after. We believe the best ambassadors for their peers are people who look and talk just like them. So, the co-creation, the storytelling, and they spread to the other 6,000 and then the other 151,000 of water plants across the US. So, people are never surprised and they have proven playbooks from people who look and talk like them that are practical and deployable using consequence-informed engineering. We're going to do a bunch of tabletop
crisis simulations, but also some physical damage demonstrations and including using mainstream media sources and congressional teammates. So, we want you to help us pick over the next two days. Think about what you're hearing and say, "My community might be one of those 12, Josh." So, we're in the target selection mode right now, like right now. We hired an amazing project lead today and we're still hiring some more. So this has gone from a concept to an aggressive campaign and I want the people in this room to help us target those. So we're going to get into more details on how that can happen to close out the session for our two and a half days of awesome sauce and then we're all
going to go upstairs and hear Casey John Ellis close the keynote. So if you're interested come back. It is lunchtime but I will talk to anybody for as long as you want. >> Yeah. >> Give him the mic. Yeah. The training emphasized water, but in reality, engineering applies all over the place. And so, you might learn some water if you come, but if you're at all interested in how to engineer this problem out, that part of that slide, and you're not a water person, come anyway. >> Yes, the water hammer is not the only threat. It may not even be the right threat, but it's a great storyline to get people to the table. Solve
something, learn CIE, and then rinse and repeat on the other hazards that we may encounter. All right, give yourself a round of applause for hearing for an hour and a half, >> and we hope to see you at the water block after lunch. 2 p.m. 2 p.m. >> 2 p.m. 2 p.m. Thanks, everybody.