
Welcome. Congratulations. You have made it to day three. So look, look to your left, look to your right. Not everybody has done what you have been able to do. So, we're super excited. Um, this is it. This is really the culmination of three days. So, we're going to build on day one and on day two and day three and we're going to bring it all home at 11. But before we get to 11, we're going to hear from M. Grace Mena and she's going to tell us about the following. Volunteers are the backbone of cyber civil defense. If you are ready to join the community, the cyber defense fight, but don't know
where to start, this talk is for you. And I can see right now there's a bunch of people who this talk is for in this room. We'll map the the current volunteering efforts, pinpoint the crucial coordinated strategic actions still needed to scale their services, and introduce the Cyber Resilience Corps, your one-stop shop to identify which volunteering groups you are eligible to join. So, please put your hands together and welcome Miss Grace Mena. [Applause]
Okay, let's see if this thing's on. It sounds like it's working. Can you all hear me? Can I get a thumbs up? Amazing. Um, well, good morning everybody. Happy last day of BSides Las Vegas. I'm really thrilled to be here with you all today. Um, and I'm going to be talking about cyber civil defense. For a quick show of hands, how many of you have heard this term before? Okay, a decent amount of you. Well, if you haven't, um, cyber civil defense is essentially the fight to protect under-resourced organizations across the US from cyber attacks um, by a coalition of people, mostly government, local universities, and individuals like yourselves to help bring them above the cyber poverty line.
And one of the groups that is a key key component of the cyber civil defense is volunteers. And so, um, in today's talk, you're going to hear me lay out a series of short-term and long-term recommendations to build a safety net for these vulnerable organizations. And volunteers are a key part of that. Um, so my name is Grace Mena. I'm a fellow at the UC Berkeley Center for Long-Term Cyber Security, which we lovingly call the CLTC. And I there um conduct public interest cyber security research on policy. and I also help co-lead a new initiative called the Cyber Resilience Corps, which is a joint partnership with the Cyber Peace Institute out of Geneva. So, quick show of hands, how many of you
saw this headline last week? Okay, a fair amount of you. Um, so if you didn't see the headline, the city of St. Paul was hit with a major attack. Um, and it forced the Minnesota governor to for the first time ever call on the National Guard to to respond to the incident. um 13 individuals from the cyber reserve unit were called in to respond to the attack. And this is happening everywhere and it's been happening for a long time. Um this is an example that I like to point to from two years ago. um in my home state of Arizona, the city of Tucson, which is the second largest metropolitan area in Arizona was hit
with a ma a massive attack um that ended up taking the school district down for two full weeks, leaving kids to not be able to go to school, parents to scramble to find um child care, and also put students two weeks behind. Right? But this has been happening and is happening across the US um in municipalities, community organizations alike. So, um, you're going to hear me use the word community organizations in the course of this talk. And when I say community organizations, I'm referring to any organization that provides essential services to the public. So, this includes municipalities, hospitals, school districts, nonprofits, and sometimes even small and medium-sized businesses. Um, and they're all vulnerable, and the status quo is unsustainable,
right? These community organizations that provide essential services to the public are the least prepared to handle cyber security threats themselves and they often cannot afford cyber security and lack the in-house expertise to implement these safeguards. And to make matters worse, the attacks actually disproportionately harm um the most vulnerable in our population. So especially those living in poverty or in rural areas, we cannot accept the risks of inaction. And so out of that concept, we formed the Cyber Resilience Corps. Um, and as part of the Cyber Resilience Corps, we set out on a journey to map what currently exists to help community organizations and to understand what steps are still needed to be taken um to
help bring them above the cyber poverty line. And so from January until June of this year, we brought together a group of 30 experts spanning cyber volunteering programs currently in the US, cyber insurance providers, um consultants, academics, MSSPs, MSPs and industry leaders and investors um to better understand what exists and where we still need to go. And out of that six-month journey, we ended up creating a road map. And this road map lays out a strategic plan for addressing this challenge in the near term and the long-term future. Right? And I think it's important to to state that we're in a unique time moment right now. Um the future of cyber
security um cyber security defense is at the state and local level. That's what we believe. More and more is being asked of states and regional leaders. Um and so banding together local universities, nonprofits, and state governments we believe is the most pragmatic way forward to help build a safety net for these organizations. And so we're looking to create ecosystems of cyber support. So okay, what exists right now? If you're not already familiar with cyber volunteering programs, actually quick show of hands, how many of you have heard of any existing cyber volunteering programs? Okay, about half of the room. Um well, if you're not already familiar, um there are a series of different programs that I'll lay out in a moment,
but essentially it's where skilled volunteers volunteer in their free time pro bono services to some combination of um SLT governments, critical infrastructure, nonprofits, and small medium-sized businesses. And there are essentially three major buckets of these types of programs. The first is state civilian cyber corps. Um right now there are six of them in the US. Um, and these are state-run volunteer operations depending on where they're based, maybe under the Department of Emergency Management or the Department of Information Technology. Uh, the second is university clinics. So, right now there's over 30 in the US. Um, and they primarily serve critical infrastructure and nonprofits at the moment. Um, but may potentially expand outwards. And then the final is nonprofit-led groups
including I am the Cavalry, which I'm sure you're going to hear more about a little later, which is doing amazing research and policy work. um particularly in regards to critical infrastructure. So these groups depending on how they're set up and where they're located provide some combination of the following services. Incident response, vulnerability or risk assessments, education training, and threat intel sharing. And they're doing amazing work, but we've identified six critical gaps when we were mapping these organizations. The first is that these services are not equally accessible. The second is that organizations who need help don't know where to go. Like I said, some of you didn't even know that these programs existed. Um, what do you
think that a nonprofit CEO is going to do? You think this that a nonprofit CEO is going to know that these services exist? Most likely not. Um, and so organizations in who need help need a more streamlined way to know what services are available to them and by whom. And uh third, legal and liability challenges continue to create barriers for volunteering services. Um right now there needs to be separate legal agreements um on the individual basis and the actual volunteer program itself to protect both volunteers that are volunteering their services and the companies that they work for in their primary capacity. Fourth, um after volunteering incidents, after volunteering um after volunteering services are rendered, there is very
little pathways of support to continue the cyber hygiene paradigm for these organizations. So we need to build more off-ramps. Fifth, um funding for these programs is incredibly volatile, which means that the programs often struggle to mature and expand despite the increase in demand for these services. And sixth, um programs face major difficulty collecting standardized metrics on impact. A lot of these programs are relatively new. They're run by volunteers, um and they're also set up incredibly different from each other. And so it can be very challenging to not only just compare metrics from program to program but even from year to year within the same program. And so our work is not done here. We still have a lot of
work to do to scale these programs and meet demand. So what can we do? We identified in this road map three actions that would help immediately build a short-term um safety net for community organizations. And there are essentially three different buckets of types of recommendations. So the first is to expand cyber volunteering programs. Um I mentioned earlier that accessibility is a huge issue. Um right now there are at least 22 states in the US who don't do not have any existing volunteering programs that are regional based. So that's no states state civilian cyber corps and no local university clinics. Um, and then on top of that, only eight states or only eight of these programs offer any sort of
incident response services, which means that if you live in a state that doesn't have a state civilian cyber corps and you're a community organization in need of incident response services and you don't meet the threshold for the National Guard to come in and help, then you're out of luck. Um, and so building off of that expanding cyber volunteering programs, um, we had three subrecommendations. The first is to prioritize the most threatened organizations. At the end of the day, we need to make sure that resources are being allocated where they're needed most, particularly to critical infrastructure. The second is that we need to continue to invest in the interconnectivity of of among these programs. They can do more together when
they're collaborating, sharing resources and best practices, and handing off um community organizations after an engagement to continue services. And finally, we need to continue investing in cyber volunteering. um whether that be through government funding or private uh donors or through foundations that support these these organizations, they cannot continue to scale um without continued sustainable funding. So the second recommendation is to mature cyber volunteering programs. All community organizations deserve a consistent high level of service and right now there are a number of community organizations that go to cyber volunteering programs um that are just off the ground and haven't quite figured out their their methodology yet. And so um we think that we can mature cyber
volunteering programs three ways. First is by expanding the collection of metrics of volunteering groups impact. So right now um there are actually a couple of really really great examples out there that cyber volunteering programs can look to. Um Indiana's cyber track program has a really really great methodology for tracking um the success of the recommendations that they provide to community organizations. So second um we need to clarify liability protections for cyber volunteering. It's great to have these programs, but if volunteers can't be protected from liability when actually rendering their services, then that's going to limit the amount of people that we have that are actually able to help community organizations. And third, we need to improve volunteer
and client matching. Making sure that the right client organization, community organization, is matched with the right type of volunteer is essential to high levels of service and continued engagement and trust building. Right? So in improving, expanding, maturing um these programs is great. Um but the end goal is to get these community organizations to be able to stand up on their own. Um and so we think that we can do that three ways. One, by centralizing common handoff resources. So like I mentioned earlier, the offramps for these community organizations are very limited. And so giving them resources that they can use after the service engagement ends will be immensely helpful. whether that's incident response plans, um business
disaster recovery plans, um a list of different types of groups that they are able to contact based off of different types of incidents or situations that they're dealing with is really really helpful because we want to keep the appetite for cyber hygiene ongoing with your these organizations after services are rendered. And so building off of that, we want to bolster handoff procedures after engagements. So sometimes that means passing the baton. So, if you're a state civilian cyber corps, passing the baton to a local university clinic who can help provide proactive services that continues that spectrum of um cyber hygiene after the incident response services are rendered. And finally, help organizations find full-time support. Um right now, it is
incredibly hard for the majority of community organizations to obtain MSSP or MSP services. Um, not only is it incredibly expensive, but a lot of these organizations don't know what to look for when going through the contracting process. And so creating some sort of guidance for these community organizations to use when they're going out and trying to build relationships with MSPs and MSSPs will be immensely helpful to getting them to be able to have that full-time support. So these are those were those three recommendations were for the short term, right? We believe that those will help create a safety net immediately. And we recognize this is not a long-term solution, right? Cyber volunteering programs are doing a lot of amazing work
and they are incredibly important for the current um moment and we want to get to a place where hopefully community organizations are not relying entirely on cyber volunteering organizations to help catch the gap. And so we identified three long-term solutions that we believe will help. So the first is that companies must simplify cyber security for non-experts. I'm sure you've heard that a lot during the course of this BSides, right. Um this is everything from um encouraging secure by design and secure by default practices. Um pushing more vulnerability um liability onto the actual software providers themselves. Um but also encouraging businesses to see that that secure by design and secure by default is a competitive advantage
particularly when working with community organizations. community organizations may be more likely to go with a particular vendor if they believe that a a vendor has secure by design products. Um and so we believe that's one way. The second is um venture capital should continue to invest in products and technologies that simplify cyber security and automate a lot of these tools for community organizations because most community organizations do not have the time or expertise to execute these controls by themselves. and if an MSP or an MSSP is out of reach for them, they're out of luck. Um, so that's the first recommendation. The second is that states have a role to play here, particularly when it comes to
pooling services. Um, so right right now, like I mentioned, it's very difficult for a lot of organizations to um, be able to contract with MSPs and MSSPs. And so we've seen other successful models of these shared pooled services. Um the UN has one for their international computing program. Um and they provide shared services at cost for all UN affiliates and we believe that states particularly should be doing this for um utilities that are important for critical infrastructure. So water utilities, electric utilities, other things where it's important to have a high level of functioning and to be able to provide these at cost. And finally, we need to embed cyber knowledge in our communities, right? And
this is done in two-prong ways. The first is that we're finding boots on the ground. It is incredibly hard to educate the general public about cyber security principles, right? Um and and continue to upskill as security evolves. And so we've found that the most effective way to do this is through trusted community messengers. So, a lot of these community organizations already work with other organizations that they trust, whether that be their local credit union, their business association. Um, and so we want to tap into those networks of people to help be catalysts for this culture of cyber security. Um, but second to that, um, we also need to start early, right? um if we start embedding cyber security
principles and skills in the school system, we will end up with a population that has at least a base level of cyber security fundamentals um that then will translate into the community organization workforce. And so this is a much longer term goal, but we believe that this is this should be the way that we're moving in a similar way that um going and doing typing classes in school was important, right? How do we teach students basics of cyber security and security thoughts mindsets? So, right, key takeaways from this are that cyber volunteering programs are doing a lot of good. They're helping catch organizations that are falling beneath the cyber poverty line. Um, but there's still a lot of work to be done
to scale them and make them more effective. And they're not enough. We need more long-term effective solutions. So, how can you be how can you help be part of the solution, right? Um, I have a few recommendations. The first is to read our road map. Um, it's linked up here on the slide. Um, we go into a lot more depth about the actual ins and outs of how to execute these recommendations, but we also map the different cyber volunteering groups and we also quantify the risk to these organizations. Um but at the very end of this roadmap report um you can find a state guide book which is essentially a clearing house of actions that states can take to help
build this local ecosystem of support. Um and in it we outline the different types of cyber volunteering programs, how they weave together and how you can set them up. We even link to model bills that states can use to establish their own state civilian cyber corps. We also outline effective funding strategies for local um education initiatives and we also um set up we also outline different ways that private sector companies can help partner with nonprofits to set up private volunteering programs. Um but the most helpful thing that you all can do is to go back to your policy makers and help start up more of these state-run and state-endorsed volunteering programs. We just need more
boots on the ground. We need more students at universities offering services. We need more volunteers on the state level who are able to come in particularly in local and rural locations to help boots on the ground organizations. Um and so please go knock on your policy makers door and tell them about the amazing work that these types of volunteering organizations are doing. And of course join us um on our platform. We have cyber it's cybervolunteers.us um and check us out. We're doing a mainstage talk at Defcon on at 10:00 a.m. on Sunday where we're going to outline the different types of volunteering groups in much more depth. Um share some stories from more stories
from boots on the ground. Um and also tell you a little bit more about the current volunteer distribution networks. And you can reach out to me here. Um and I'm going to open the floor up for questions. Thank you. [Applause] Thank you, Grace. That was a lot of words in 20 minutes. That was fabulous. So, if you've got questions, come on around here and ask them, please. >> Here we go. >> Grace, I've known you for a while, kind of indirectly. So, um, I started off a community college student, right? And I'm pretty much self-taught cyber. Um I attended George Washington University thanks to you know uh programs like women in cyber security and during my
time at uh George Washington University. I started women in cyber security at GW is the most popular cyber club in the DC Maryland Virginia area and we helped George Mason and uh uh Georgetown start their women in cyber clubs. Right. So these little seeds that you're talking about, I've seen it in real time because it helped me grow as a person. And then from there, I, you know, had my internship at Intel Corporation and government affairs, met I am the Cavalry through some pretty cool people, did Hackers on the Hill, and then full circle, right? Now I'm a community college professor after being doed. Uh but the good news is I joined one of the
best uh you know community college districts in in California, the North Orange County Community College District. And so now that I'm kind of like full circle, the wheels are are spinning, right? Like the it's turning, right? We have a community college cyber center and it's actually doing well, but I think it could like go up a notch. And my dean is also into cyber policy. He's getting his PhD at at uh at uh UCLA in policies. And so I'm kind of like wondering for community college professors, how do we take what's pre-existing and take it up a notch? Right? Because I've been there. A lot of us in this room have been there before in their own
journey. So, like how can we kind of like level up? And I I know the work CLTC is doing. I mean, I've followed them throughout grad school. So, yeah, I'm here to pick your brain. >> Yeah. Are you asking how we can scale up the existing volunteering organizations at the community colleges? >> Yes. Yes. >> Okay. Um, so, right. So, there's amazing resources out there. Um if the community college is not already a part of the consortium of cyber security clinics um I highly encourage the community college to check out um the consortium website. There's a series of different resources that are available to different to everybody right to use to to set up and
mature um different cyber security clinics. But I also think right um we've found that clinics benefit the most when they are in direct contact with other clinics and other places to share knowledge and to also just um kind of point out potential um pitfalls that you may have in the first year or two years in setting up. Um but I think that what we're seeing is that um there are there are a couple of challenges, right? Like getting um buy-in from the admin of a particular university can be hard. Um and so increasing funding for that is really important. Um, but I think that the best recommendation that I'd give to a community college hoping to to skill
to scale their service offerings, um, would be to find another community college or university that's doing similar work and partner with them to sort of tag team the problem and see where you can learn from each other. Um, we're finding amazing success with that and the consortium of cyber security clinics. Um, and if you're interested, I can give you a list of different people from the consortium that I think could potentially be a good fits for your university. >> Dope. Dope. Thank you so much. >> Yeah, of course. >> Hi, Grace. Thank you so much. Uh, longtime fan. Uh, I am Hi. I'm curious as to um whether you could talk more about the liability side. Um,
>> is it a for hackers specifically looking to do this sort of work? Is it a lack of resourcing like the volunteering corps doesn't necessarily have a series of template contracts or waivers or is it that the companies or public sector or uh SLT organizations are unwilling to sign such things? >> This is a great question um an incredibly complicated question as well. Um so there are a couple of things happening here right um the different governance structures of these different types of cyber volunteering groups um have different built-in thresholds for liability built into them right so if you're a state civilian cyber corps um and you're a volunteer that is volunteering for a state civilian cyber
corps you are protected at a base level from liability more than you would be from a different organization just by the virtue of the fact that you're working for the state um and so when when folks are going in on the state level and doing some of this incident response work, they have much more peace of mind. Um, that being said, other nonprofit volunteering groups have developed really great templates like you mentioned um that they're using. So, the CyberPeace Builders that the Cyber Peace Institute is doing is running um has a really really great template they've been using and has been um has put the confidence of a lot of really big private sector companies um to ease.
And so they've actually volunteered a bunch of their own cyber security analysts to go and do this work through CyberPeace Builders. And so I think the problem is um I think there's promising promising solutions to the problem. But the problem is that um all of these programs are set up differently and have different needs. And so you essentially need different customizable templates for every different type of program based off of the governance structure. And on top of that, some volunteers depending on who their employer are might have different needs on liability. And so having um customizable templates and also the help of pro bono legal services is huge. So, um, one of the things that we're hoping to do in the
next phase of CRC potentially is to explore partnerships for cyber volunteering programs with, um, legal clinics across the US, um, to help essentially provide some of these free services to volunteers and to the volunteering programs themselves to help bridge that gap and increase the number of volunteers that can be scaled. >> Awesome. Thank you. >> Thanks, Vona. Okay, >> last chance for questions. Any more questions? Oh, we Mr. Ray has a very important question. We do not want to miss this. I really just I I just want to foot stomp what Grace is doing. I was uh the leader of one of these uh state sponsored cyber sec uh ci civilian organizations for about six years and we
learned a lot of lessons. we ran into some roadblocks and those roadblocks are what the the uh cyber resilience corps is going to try to take into account and teach you how to solve. So if you are in any way thinking of doing something like this, now is the time. There's people that have have the the arrows in their backs and the blood. So we're around. If you need need advice of what to avoid, come come talk to us. We have uh Michigan had legislation that you can copy. Texas did. So, uh, we're around. >> Yes. Thank you so much, Ray. Thank you so much, Ray. Yeah, to foot stomp that. Um, >> community cyber security is national
security. So, um, yeah, please get involved and thank you all so much. [Applause] >> That was amazing. Just show of hands. How many of y'all do volunteer? Or how many y'all in the community? Oh, we gotta get that number up. Come on. Come on. Thank you. That I feel like I should have been here my whole life. David Josh, thank you. Um I believe most of you have just stayed the whole time, which is awesome. But housekeeping. Thank you to all of our sponsors. Without you, we'd have no money. Not just sponsors, you all lovely people being here and our volunteers. What's up, girl? How you doing? Thank you. Adobe Aikita Profit Run Zero Drop Zone. The Yeti was out yesterday.
Um, please silence. Where are you guys going? You'll come back. Come back. Please silence your phones. Let's be respectful for our next speaker who's going to be equally awesome. Um, we will take questions at the end. This is a 30-minute talk as well, so you know the drill. Line up.
I believe those are all the housekeeping. You ready, sir? >> Ma'am, I am definitely ready. >> You are so ready. >> So ready. Good morning, Las Vegas. Woo. >> Okay, let's give it up for Give it up for our next speaker, Mr. It was me. I'm your next speaker. Um, very self-referential. Okay. So, uh others have done this. So, I am going to do this as well. The views expressed by me today do not represent those of my employer, the federal government, Clark County, or the state of Nevada. They represent my views. Uh if you hate what I have to say, you should tell me. But if you love it, you should tell Mr. Josh Corman that
you love it. Uh there will definitely be time for questions. So as you think of them, please jot them down and save them for the end. And I want to just start by saying this session is really I would call it a thought experiment. And the the question that we pose for you today is could you or how could you your family and your neighborhood support themselves survive without external help for 30 days? That is what the question is today. All right. Here is our agenda. Please look at it on the screen. I'm not going to read it to you because reading is boring and people don't like to be bored, especially in Las Vegas on a
Wednesday morning. Um, but this is this is where we're going. So, this is where I tell you what I'm going to tell you only. It's on the screen. You can read it. But this is this is what we're going to talk about today. And now I'm going to tell you what I'm going to tell you. Join with me, will you, as we start story time. Once upon a time, there was an old man who used to go to the ocean to do his writing. He had a habit of walking on the beach every morning before he began his work. Early one morning, he was walking along the shore after a big storm had passed and found the vast beach littered with
starfish as far as the eye could see, stretching in both directions. Off in the distance, the old man noticed a small girl approaching. As the girl walked, she paused every so often, and as she grew closer, the man could see she was occasionally bending down to pick up an object and throw it into the sea. The girl came closer still, and the old man called out, "Good morning. May I ask what it is that you are doing?" The young girl paused, looked up, and replied, "Throwing starfish into the ocean." "The tide has washed them up onto the beach, and they can't return to the sea by themselves," she replied. "When the sun gets high, they will die
unless I throw them back into the water." The old man replied, "But there must be tens of thousands of starfish on this beach. I'm afraid you won't really be able to make much of a difference." The girl bent down, picked up yet another starfish, and threw it as far as she could into the ocean. Then she turned, smiled, and said, "It made a difference to that one." So that is how we are starting our discussion this morning. Making a difference. Even a difference for one person is still a difference. So uh I showed you what we're going to talk about. I want to talk for a minute, just a brief minute about what we're not
going to talk about because sometimes sometimes it's useful to compare and contrast. We are not going to talk about this. We today we're going to talk about neighborhood and household resilience. We are not going to talk about full-on prepping. I if if you're a prepper, I do not mean to be offensive. Okay? This is not what this is. We're not talking about prepping. Um, I recently heard like yesterday about a person talking about prepping culture and he said that anyone with less than six months of supplies is not being serious. Well, we're not going to do that here. We're not talking We're not going to talk about ammo and guns and 1000 other things. We will take questions at the
end. So, >> photos. >> Oh, yeah. Yeah. Take take all the photos you want. especially of the slides. Uh most uh all of the slides were created by environmentally dangerous AI, just so we know. Uh so there's no copyright issues. Uh it's just AI destroying the environment that was used to create our slides today. Also, I didn't pay any actors or models um because the budget was low. Um so we're not going to talk about this. We're also not going to talk about this. We're not going to talk about billionaires who rather than spending a little tiny bit of their money to solve or address societal problems have decided to rather protect their own selves uh by
digging holes into the ground, spending multiple millions of dollars to protect themselves and their families. um without nary a care for anybody in this room. We're not going to talk about them. I would suggest that this is not the approach uh for long-term sustainability. Um this message brought to you by the Times of India uh August 3rd. So this is a very recent story. Feel free to read about it later uh at noon or after that. Okay. So let's but we want to talk about this. This is the thing that we want to talk about. The first step might seem the easiest. It might even seem silly, but many of us do not. We don't know our
neighbors. People move in and out all the time. Sometimes we are satisfied literally not knowing the person who's next to us or across the street or down the street or the apartment next to us or you know the the flat at the end of the hallway. I don't want to uh just propagate uh cultural stereotypes. So I'll just talk about me. me. I I'm not talking about you. I'm just talking about me. It might be hard for me to get out of my comfort zone to actually leave my house, walk across the street and talk to somebody else, leave my apartment, walk across the hallway and talk to somebody else. There is there is this typecast of, you know, nerds being
very insular and talking to their computers and not talking to humans. I'm sure that's not the case in this room. But for me, this can be a little bit of a challenge to break out of my shell. It's all right. The reason why it's important is that this is about humanity and being a good human. It's about helping others, not just yourself, and being able to bring uh comfort and relief. Our discussion today is really going to focus on low tech, yay, low tech and no tech approaches. It's going to be about breaking out of our comfort zone. And fundamentally, this is about being the Cavalry. Let us presume for a second that no one
is coming to help. No one is coming. So if no one is coming, who's going to do anything? Well, I can do something. You can do something. I am the Cavalry. You are the Cavalry. That is why we're here. All right. Uh another uh another statement. I do not know about you. I don't have any idea about you. I don't know where you live. I don't know your geography. I don't know your finances. I don't know if you're in a high density housing, low density, if you're out in the middle of nowhere, in the middle of 10 million people. I have no idea what it is that's going on with you. So, this this I let me put forth a
challenge for you to listen to my words. Think about what I'm saying and apply the lessons that are relevant that are germane and make sense to you in your situation. A lot of this is going to be a choose your own adventure really where I'm asking you to take the part the parts that I share that make sense to you and then do something with it. We're going to have a slide later that reviews all of our homework assignments because because this is an I Am The Cavalry presentation. There will be homework. You will be graded. Uh anything that's talked about in this presentation will be on the test. So that's all right. No, no
pressure. I just I want to set expectations. All right, let us dive in. Who are the people in your neighborhood? Who are the people that you meet each day? Who are the people as you're walking down the street? They are the people in your neighborhood. I searched for a long time for that clip from Mr. Rogers and I could not find it. The good people at Pennsylvania must be very, very well trained on their intellectual property protection because I could not find that song and it made me crazy. That's okay. But who are the people in your neighborhood? Maybe there is somebody in your neighborhood who could use a helping hand. Maybe you've got somebody who's elderly
in your neighborhood. Maybe there's somebody who's disabled, somebody who is hard of hearing, somebody who is mobility challenged, somebody who is language challenged, English is not their first language. It might not be their second or third or fourth. somebody who is transportation challenged. They do not have a vehicle for whatever reason uh which is unfortunately the case in many American cities. Public transportation is not an option because for reasons that I don't not understand uh investing in such things have not been deemed uh efficient. They might need oxygen. They might have other medical needs that you know what you cannot see because they are not externally presented. Here's another one. They might be single. They might be a
single parent. They might be a parent uh with a child or more than one child with special needs. These are the people in your neighborhood. How would you know? Well, you might know by talking to them and learning what is what is their situation being a human to those of you who are around. Now, this is not all bad news because there's also people some of the same people that I just mentioned that are also they know about construction. They are plumbers. They are trades people. They are electricians. They might be a physician. They might be a nurse. They might be a teacher. They might be able to fix cars. They might be a tinkerer.
They might be a ham radio operator. Very interesting. Uh I forget the the quote. Uh I am a multitude. All of us bring a lot to the table and we can find out what is going on by talking to each other by being actually part of a community.
What is going on in your neighborhood? I do not know. But you have an opportunity to understand what is happening in your neighborhood. What makes it special? What risks are present? Is your neighborhood at risk of wildfires? And uh after reading about wildfires in the boroughs of New York, for God's sake, um almost every neighborhood, frankly, today almost every neighborhood is at some risk of wildfire, which seems crazy to me. Uh, is your neighborhood on a floodplain? Is your neighborhood in or adjacent to evacuation routes for things like hurricanes? Maybe. Is your neighborhood uh specially situated as it relates to crime? Are there other environmental threats within your neighborhood? Do you know? If you do not know, or maybe you
think you know, here's some homework. Reach out to your local community and state officials for information on this question. What are the risks that are present in this neighborhood? Create a checklist of these risks. Prioritize the hazards that pose the highest risk. Can you reduce the risk to your family, your community, your your neighbors? What is the time horizon that you have to reduce these risks? Does your school have an emergency plan? Does your employer? Has the plan been tested? Because having a plan is one thing, but if that plan is not exercised, it may not be as valuable as if it was actually used or exercised. What is the one thing that you can do
that your neighbors can do working together to mitigate some of this risk? Your neighborhood. Now, let us talk about your household. Maybe your house looks like this. Maybe your house is an apartment. Maybe your house is something entirely different. I encourage you to think about these questions. 30 days. What would it take for you to be able to survive without external assistance for 30 days? I would like you to think about this one step at a time and not to be overwhelmed because it's very easy. I will tell you, you turn on the news. Oh my god, it is very easy to be overwhelmed. But here's the good news. You do not have to be overwhelmed.
You can take one step to help protect your household. You can take one or two steps this month to protect your household and then next month, guess what? You take a couple of steps. Do you solve everything in one day or or one week? No. Please don't do that. Because you will make yourself and your your significant others, maybe your children, maybe your neighbors. You'll make them all crazy if you try and do this in one day. So don't do this in one day. Don't do it in one week. Don't do it in one month. Give your make a project plan. Consider 18 months. In 18 months, I want to be here. Define what here is. I've got some ideas about what
here the definition of here is. And then you just take simple steps toward the objective. Dave, Dave, Dave, Dave, Dave, why are you why are you getting us all worked up and talking about this? Why are you doing this? Well, we've heard already over the last two and a half days about things like Taiwan 2027, but maybe it's not 2027. Maybe it's 20 2030. I don't know. Maybe having some household resilience would be really nice in the event of other hazards or events, maybe pandemics. That could never happen. I There's no way. There's no way we could ever have a pandemic. Or maybe there is. As you think about your household, please, and this is the goal, think
about your neighborhood because we we're we should be thinking about others as we think about ourselves. Think about your space storage limitations. Think about rotation um and etc. So, now we're going to get into the details. Where to start? the game. >> You start with some no regrets items. No regrets or no regrets. What? However you want to do this. Get yourself some plastic bins and start to collect the following items which might be very handy to have. Markers, pens, pencils, notebooks, index cards. Batteries. I would tell you batteries are awesome. Many of them can last for years if left unopened and stored properly. What are some other no regrets things? Uh toilet paper, paper
towels, disposable paper plates, uh disposable pl uh utensils, forks, knives, spoons, bleach, unscented bleach, liquid soap, liquid hand sanitizer, other cleaning supplies, Xacto knives, kitchen knives, can openers. I cannot tell you how important this is. Can openers, not just one, but more than one. We're thinking of our neighbors. Basic tools, a hammer, a saw, screwdrivers, a crescent wrench, a socket set, cash. Cash is good. Small bills, uh, not Fort Knox. Don't Don't go nuts with this, but you know what? Having a little bit of money in tens and 20s can be very helpful. Blank notebooks. Medicine uh medicine is very important for some of us. Medicine is critically important in the sense that we will die in some
number of days if we don't have medicine. So we should think about medicine, kids' stuff, hygiene products, tampons, pads, diapers, catheters, flashlights, flashlights with batteries, flashlights that are known to work. String, twine, fishing tape, gloves, PPE, eyedroppers, matches, waterproof is even better, toothbrushes, extra for your neighbors, toothpaste, floss, basic medical supplies, bandages, tourniquets, rubbing alcohol, topical antibiotics like Neosporin. As we're thinking about these no regrets items, also think where are your vital records? Insurance cards, passport, driver's license, birth, marriage certificates, social security card, pet ID, and pet vaccination records. Think about those. Now, this is a big one. Water. What do you do about the water? What do you need? An adult human generally needs one
gallon per day, unless you live in Las Vegas or Phoenix, Arizona, where you definitely need more than one gallon to live. So, where do you start? You can start the commercial route. You go to a a camping store and buy one of these big old blue things. You wash it out with dish soap and then you put tap water into it. Cool. You can buy commercial water. You know, it's fit for purpose. That's great. You can use 2 L soda containers. You clean them out. You you clean them out with with soap. And for the uh the the liters, you put in, let's see, uh you add a little bit of bleach or I'm sorry, a little bit of chlorine
um to like a drop per liter. So you can build reasonably a water supply that is low budget, very doable. There are options for water treatment if you can't get it ahead of time. Uh this includes boiling, chlorination, and distillation. There are options uh if you can deal if you're dealing with an untrusted water source. The best option I'm told is boiling. Uh, but there are other options including chlorinate chlorination and distillation. In addition, there are other options including LifeStraws and alternatives to LifeStraws. Because if you look at the LifeStraw very on on the very edge, probably every time you want a drink of water, you don't want to grab a LifeStraw, lay on your belly next to a
water source and drink because that that'll get old after about the first time you do it. So, there are other ways that you can approach this issue. Um, take a look at the commercial options that are available and make informed decisions about what makes sense for your budget. Shelf stable, low prep food. I am not recommending that you run out and you invest tens and thousands of dollars into MREs. That is not my suggestion. I am suggesting that you think about shelf-stable, low prep food that you can use. Salt-free crackers, whole grain cereals, peanut butter, canned tuna, other canned meat, canned food with high liquid content. Choose items that do not require refrigeration or special preparation. Consider the
special needs of the household, allergies, etc. Also, can openers, you think about your food and your water storage. You you want to store the stuff into a a cool, dry place. You want to store your food in containers that will resist local vermin because if they find it, they will help themselves and you'll have a bunch of nothing. So, um they don't care about your water, but they do care about your rice and your other food. So, uh, metal or glass containers for those objects is good. Uh, mice can eat through plastic, no problem. So, uh, keep that in mind. Rotate rotate your food. Rotate it. Rotate it. You can actually eat the oldest stuff and store
the newest stuff. Um, I'll mention to you, uh, we're not going to go into it, the list. These are the top 10 vegetables that you might consider growing within a victory garden because they're easy, they're low impact, and this is a thing you can start on now. Either your victory or community gardens. Okay, assignment time. This is your homework. You are leaving with homework and this is going to be on the test. What is going on in your neighborhood? What are the risks? What are the things that you can do to ameliorate the risks? What is your neighborhood risk profile? And who are your neighbors? Think about signing up for a Red Cross first aid class so that you can be a
part of the solution and not only being a part of the problem. Think about your supply reservoir. And think about your neighbors and think about your elderly neighbor next door to you who may not have the means or the information for their supply. I want to uh give you uh a URL where you can do more reading on your own uh if you trust me. If you don't trust me, don't don't look at this QR code. If you do trust me, go ahead and use this QR code. These are from the good people uh at Utah put together uh a a series a large long series of all kinds of videos most of which are helpful. Um but this
is for reading afterwards. Um and now we have a few minutes for questions. And that mic need to might need to be turned on because I think it's currently off and the on switch is at the bottom.
Well, I feel better. Just had trouble with that. >> Um, so my question has to do with the reality of people with lower incomes being able to do this. >> Yes. >> Uh, I'm a community college teacher. I when I talk about uh disaster recovery from a computer sense, I'm like how many of you are ready for this? And of course when students are dealing with housing uncertainty and all those other challenges, the idea of oh and be ready for 30 days, you know, like so how do we address that that inequality where people are just trying to survive and we want you to be able to be on your own for 30 days? It
>> it's a great question. I I think the answer probably needs to happen within a community to think about our neighbors who maybe they're unhoused, etc. I like I don't have all the answers, but that's we have to work with our communities to start to drive toward answers to deal with with the have nots. >> Okay, this was for a tall person. Okay. Hey, so I have an answer to that. Uh, first I'll say I was an emergency manager, so I won't I don't mean to offend any of my other emergency managers, but the focus on gathering stuff instead of doing stuff is the thing that alienates the people who don't have. They have more than they think, but we have to
reframe that message. And we did that in my community. But what and I'm not I can talk about that later, but here's some things to help you cheat on your homework that Dave just gave you. Uh, if you Google for a a program called Map Your Neighborhood, that was created in my state, Washington. It's no longer supported, but the info is good. So, if you don't know how to have conversations with your neighbors, it tells you how to sit down and have the conversation with your neighbors, focusing on not the gathering of things, but on the inventorying of skills and the inventorying of needs of your community, your neighborhood, as it were. The other thing I'll throw out there is community
emergency response teams. Lots of communities have those. They give you basic disaster skills. Uh and every state and nearly every county in the country has what's called a hazard mitigation plan which lists all the bad that can happen in your community. So find those because >> oh >> mic dropped itself but it survived. Anyway, that's how to help you with your homework that Dave gave you. There you go. >> Thank you. >> Thank you. >> Thank you. Big round of applause for our previous speaker. [Applause] >> So, next up, Mr. Josh is gonna bring us home. Josh, >> thank you. All right, give yourself a round of applause for most of two and a half days of content.
All right, so I'm going to try uh the schedule is wrong. We don't want to make you late for upstairs, so the hacker tracker kept changing our time block. Theoretically, I have an hour. I'm not going to take an hour. I'm going to try to get our exposition and discussion and synthesis of the two and a half days of amazing content to give you 15 minutes to get upstairs. So, I'll be happily talk to anybody beyond that, but we're going to try to keep this shorter than is advertised. Okay. So, I'm Josh Corman. I founded I am the Cavalry in this track. Uh we launched 12 years ago on August 1st. How many of you were here for the opening on
Monday morning? Some of people were traveling. Okay. For those who were not here, I'm going to quickly play the two two-minute videos that we did during the first year pilot of Undisruptible 27. Undisruptible 27 is very similar to the Cavalry, but it's a funded project initially one-year pilot from July to July from Craig Newmark of Craigslist at the Institute for Security and Technology, a uh a 501(c)(3) nonprofit educational institution bridging Silicon Valley to national security things. So, I have been designing and driving the pilot to see if there's any there there. And the good news is there is. We just got sec Well, we'll get into some of the details, but we secured a lot of funding. So, if you
saw the opening, we talked about the hypothesis and theory of change for the one-year pilot, and I'm going to give a tiny amount of refresher in case you missed it, but most of this is going to be doing two things. explaining what the the next two years of funded work is going to look like and the role that you can play in that small, medium or large and uh try to synthesize the incredible insights we unearthed across our great speakers on Monday, Tuesday and today. So, let me jump to the videos in case you're wondering why the hell are we talking about 2027 so much? So, here is video one. How many of you have been to
a hospital in the last 12 months? How many you think you might need a hospital in the next 12 months? Okay. Okay. Here we go. First one. Picture a hospital. Picture your hospital. When was the last time you were there? Was it to welcome a baby into the world or to say goodbye to a loved one? No one wants to need a hospital, but when we do, we depend on timely access to care when and where we need it. Irrespective of cause, delayed and degraded care for time-sensitive conditions can affect worsened outcomes and even loss of life. A five-minute longer ambulance ride has a significant impact on 30-day mortality rates. Time is brain where even an hour or few could
determine if you walk again, if you talk again, if you even survive. Now, picture your hospital. What if that hospital was not available to you? If your hospital was disrupted, where would you go instead? Is it across town, more than an hour away? What if they are also down? The chance is not as remote as you'd hope. Hospitals have become a top target of ransomware, cyber attacks that technologies in the vital path of care delivery. Worse, your hospital doesn't even need to be the one attacked to endanger you or your family. We've seen a 10-fold decrease in favorable outcomes for heart patients merely due to excess strains of a ransomware affected region. Now, back to your hospital, back to your
family. You and your family deserve better. If we want timely access to patient care and more resilience in the face of accidents and adversaries, we're going to need to advocate for ourselves. Now, as we head into an era of hybrid conflict with threats to water and power, these disruptions stand to get a lot worse, but we'll talk about that in another video. Okay, so some of you have seen that once, some of you seen that two or three times now. If you were lucky enough to see Christian Dameff yesterday, some of those studies were peer-reviewed studies by him and his team at UCSD and elsewhere. Um, these are drafts. These were drafts done with our limited pilot
budget to see can we use creative arts and storytelling to meet people where they are, use their love language, avoid cyber jargon, and try to communicate that these are not merely HIPAA violations. These are public safety human life consequences. Now, did you see how many uh raised your hand I think from Grace's talk uh saw that the St. Paul, Minnesota has been ransomed last week, right? I don't know what the current state of that is, if it's back up yet. Uh, how many of you seen a news telecast from a big hospital saying, "We've been ransomed and they they give their press statement." Okay. What they'll typically say is something like, "In an abundance of caution, in
accordance with industry best practices, we have chosen to shut down operations to contain the breach to protect your privacy." So, I hate this statement and it is the muscle memory reflexive statement. And the reason I hate this statement is the horses have left the barn for your data. The access necessary to encrypt that data and ransom you was sufficient to make a copy and exfiltrate it and they often do. Moreover, most of you have lost your intellectual I mean your healthcare data plural times and you don't get a new history. So I'm not indifferent to privacy. But what we did on top of that spilled milk is we self-inflicted a denial of patient care or minutes or hours or difference
between life and death. And depending on how long you self-imposed that denial of service, your cash flow could run out and you could close your hospital forever, which has happened a thousand times of the 7,000 hospitals we had in 2015. And I think Christian showed a a graphic of 700 at extreme risk of financial instability to close in the next 12 months. that's independent of cyber but accelerated by cyber. Okay. So, some people, this is where you, you know, audience participation with hands and and comments is encouraged as we round this out. Some people told me this video is too scary, too much FUD. Some Congress people we talked to on both sides of the aisle
said it's not scary enough. Uh some people said, "Who's this for?" Right? And we're going to have lots of stakeholders. So that was a really effective one for medical professionals because then at the end of it we get to say HIPAA kills people. So if I had to describe what's the summary of this it's that irrespective of cause there's a time space risk for a denial of patient care and a location and if you don't know your next proximal alternative care if it's not reasonably close to you uh we are advocating for the wrong things. It's not about your HIPAA, it's about your life. Right? That's in peace time. Can I play the second one, which is Who thinks this is
too scary? It's okay. You're not going to hurt my feelings. Nobody thinks it's too scary. We hate FUD. I hate FUD. >> It's not. It's not. >> So, some people think it should be more scary. Now, here's my attitude on this, and I said it last year. I want to say it once more because I don't know if you were all here. We have to walk a really like the edge of a knife. We have to be forthright when there's a hurricane coming. FEMA and national security and public safety people do not say, "Well, the person in panhandle, Florida can't do anything to stop the hurricane. Let's not bother telling them, right? It is scary. It's
going to do harm." You can't just like infantilize them and leave them out of the equation. They're a stakeholder in the in in harm's way. So, what do you do? I think the more consequential something is, the more forthright we have to be. You cannot exaggerate it and you cannot downplay it. You got to be honest. Tell them what you know. Tell them what you don't know. Answer questions. Yeah. >> I did not get the thing that I didn't get from the first video. >> I'm getting there. >> That was you should have a backup plan. But we should all have backup plans for everything. If my clos >> Yeah. The other thing is we don't
believe any single video is going to work. The original thought was we're probably going to have three videos, two minutes or less each, per stakeholder type, and they may not have the same nouns and verbs. So, the types of stakeholders we're looking at is owners and operators of water or power or hospitals. local leadership like a city planner, town selectman, uh CIO for the city, helpful hackers. How do we help the helpers be helpful like you? Uh ultimately, everyday Americans, but not yet. Way too premature for that, even though we're running out of time. And probably some state level emergency management type people and public policy people. So, we're gonna have maybe two dozen, three dozen of these things, and
they're going to have to be attenuated to the risk appetite, and they might have to start like boiling the frog. Less scary, a little bit scarier, and then much uh more motivating. But let me play video number two, which is was the first one we started with. So, that was a peacetime truth that you are already suffering from severely diminished patient care right now just due to the state of healthcare and uh latestage capitalism. But here we go. Ready? >> We are too dependent on undependable technology. The systems that we rely on every day for everything from water to food to power and emergency medical care are subject to escalating harms by accidents, bad actors, and nation state
adversaries. These attacks could quickly move from disruption to destruction. For example, an intentional water hammer that abruptly stops or reverses water flow, sending a shock wave through the system. Attacks on our water systems would be devastating, not just for lack of access at home. No water means no coffee, no toilets, no laundry. No water also means no hydrants to put out fires. No water means no healthcare. The hospital can't run without clean water. No water means no sterilization, no surgery scrubbing, no laboratories, and eventually no access to life-saving care. Our dependence on connected tech has grown faster than our ability to secure it. And there is evidence that foreign actors are already weaponizing these vulnerabilities. But who would
actually do this? In public hearings, Congress and US government cyber security leaders have warned the public of Volt Typhoon, an ongoing campaign of successful attacks on US water facilities led by a People's Republic of China state sponsored cyber actor. But China is not the only aggressor. We've seen cyber attacks on our water systems from Russia and Iran. These attacks pose a broad and unrelenting risk to critical water infrastructure and could escalate to large-scale destructive attacks on our water systems as early as 2027. The good news is we have time to make changes. We must strive to make our lifeline basic human needs undisruptible and where we cannot ensure that our communities are more resilient under
fire. This means divesting our reliance on connected technology, better securing our existing systems where we cannot disconnect and ensuring analog solutions are in place when those systems fail. If this sounds overwhelming, remember if you can't afford to protect it, you can't afford to connect it. Undisruptible 27 will prioritize the safety, security, and resilience of three lifeline basic human needs, especially at the local level. >> Okay, that's video number two. This is this is what our theory of change was hinting at for the first year. We have to blow up and start over our theory of change. But I'll get to that in a minute. Uh any hot takes, reactions to what you just saw? Like like it, don't
like it, more this, less of that. You in the back? And I'll repeat it for the camera.
>> Yeah.
Okay. A couple things uh to repeat that for the camera um and people who couldn't hear. Um like the water focus especially given what happened in LA. Um, water was a big problem both for putting out fires, although mostly that's not how we put out fires, but uh, and people who needed water. Um, I knew that water would be a weak link in the chain. It is absolutely the weakest link in the chain, but we've come to realize, and I'm going to show a little bit more how we've changed our theory of change. This video was made mostly by building trust and empathy, meeting water engineers where they are partly like people like who Dean Ford who presented
here the last two years and attended the the third year before it. You saw yesterday with Andrew and Ginger like we really tried to meet them on their turf, have them teach us what's the worst that could happen. I didn't know what a water hammer is, but now I do. And it's not the only thing they're concerned about. It's just one that around which we can tell a really compelling story. It's just a property of physics that can happen with the access that Volt Typhoon already has could do significant damage for water mains and the like and would be motivating and if there's reasonable mitigations to that particular storyline and maybe others similar to it, then we
can say something scary combined with something actionable and tangible and realistic, not cyber up, but engineer down some consequences are really common sense and familiar things. So this was not for you per se. This was for the water engineers, but we're going to have to make permutations of flavors. This Blake. >> Yeah. So, uh, one key element that we need to remove from this video is, uh, time to prepare. That has not been shown to be linked with a preparedness activity. >> But to build on what you're talking about is the ability to prepare. Like we we're showing the risk and then let's go to that solution-oriented approach where we're talking about like okay let's
let's talk about some solutions like the Idaho National Labs with a consequence informed engineering or other stuff like that that'll help our water utilities they see the risk you're explaining honestly the the explanation of the risk is incredibly strong the next part is okay what what's next what do I do now and then you don't have time to prepare. We got to just remove that entirely. Not not to scare the bejesus out of these people, but like that allows Oh, well, I can do that mañana. Yeah, there's there's a lot of changes we had to make. So, when we did this, it was on the cheap with initially some pro bono work. We eventually signed a
statement of work with them with the the table scraps we had left from year one. We did just get a big surge of support from Craig for the next two years, which I'm going to talk about in right after this question. Go ahead. I just wanted to follow up on my my comments on the previous one. The thing that I felt was missing was exactly the first thing I saw in the second one. Watch was >> we and it's the first thing you say here. We're too dependent on undependable things. So that's >> Yeah. So I mean if you can remember what he said the first time and the second time the reason we we started with this
this second video and what we found is no one found it personal and um the attention span is too low to say everything in one video although we're about to try uh but it's not going to work I don't think so what we ended up doing is saying okay what's something that I can relate to whether it's just normal ransomware or just normal the hospital closed because we ran out of money that's cute. We already have 7,000 to 6,000 and then ransom's making it worse. Well, what if water disruptions could just be the knockout blow? And what if it's not just yours, you'll get ransomed, you can drive an hour away. What if an hour away is down because of
the same water hammer or something else? Okay, so this is going to get very nasty very quick if it happens. And we have bipartisan agreement on that. We have White House agreement on that. We have Department of Defense agreement on that. Somebody outed sort of outed maybe suggesting that he saw some DoD slides that took stuff from ours. So no one's disagreeing that Xi Jinping has said he wants his the PLA the army to take be ready to take Taiwan as early as 2027. What we're debating is is it will will it be 2027 28 29 30 mid30s. No one's debating he said he's going to do it. No one's debating that. He said and
or they said uh if the US interferes they will retaliate and one of the retaliation prepositioning is Volt Typhoon. You probably heard Salt Typhoon more which is espionage and spycraft and considered fair play for spycraft. An army putting digital remote detonation charges in civilian infrastructure like water is outrageous. So have they hit the button yet? And the one thing I'm going to change in that video for sure is they have not had successful attacks. They have had successful compromises. They the attack would involve a consequence. So I don't like the sword of Damocles over every one of our water facilities heads. I don't like it and you shouldn't like it either. And we should not persist at the
appetite of our adversaries. And by the way, they said if you interfere with Taiwan, we're going to bring chaos. The other part is we have to interfere. Um, so I'm going to go fast through a couple slides and then we'll get some more discussion. Okay, it's not going to be easy and there's not and tone challenges. We might have to make a super scary version and a less scary version and we're going to have to figure that out. But I want your help. This is an invitation to get in the Slack and help. Okay, I've been saying some variation of this since we launched the Cavalry 12 years ago. Uh but it's really about overdependence
on undependable things and we should rightsize how much dependence we are to how dependable it is and to consequences and that's not what we do. We put 15 gallons of in a 5 pound sack. Uh in normal engineering we would never do this. You know you have to rate the bridge for the the load that's going to go across the bridge. You're going to rate the skyscraper how many floors it has maximum occupancy. Like we we have not we've thrown caution to the wind on our digital infrastructure. It needs to look a lot more reliable like steel and concrete. So I'm going to this is a slightly modified version of an internal doc I gave to
tell uh the think tank what we did. So in the pilot year, some success factors were empathy, empathy, empathy, which is the heart of the cavalry from day one. You know, coming out of the grief of my mother's death, I realized my woundedness was not a liability. It was enabling authentic human connection I had never encountered before. So we had to find a way to build empathy muscles. It's not like you have it or you don't have it. It's a muscle and we were puny weaklings on empathy. So now we're like big strong empathy people in this room. Okay. Uh and it's that muscle gets stronger with effort. Um we had to make stakeholder specific love languages.
This is more about storytelling than anything else. We we had always in the Cavalry said be patiently impatient. The real challenge this time is it might be urgent and a year and a half left for what we know, but the person we're talking to heard it for the very first time today. So you you got to have a way to get them on board before you overwhelm them. So it's a lot by feel. I'm not going to read every single thing on here, but we had like an hour conversation on just this slide alone. Um I've kept some deliberate imperfection. One of those bullets there I will touch on. people that feel like they've contributed to something.
Not only is it expensive to get re-edits every single time, so I'm going to batch them, but it's also the more people we hear, the more nuance we get, the better the story gets, the better the script gets, but also like someone says, "I helped with that video." Right? You get a shared sense of ownership. If we tried to make it too polished, it may look like a a sales presentation. Well, you actually like the rough cut. Like if you've ever heard Craig Newmark speak, he doesn't like super polished things. He doesn't like big words. He doesn't like policy speak. He doesn't like white papers. He wants how do you talk to everyday Americans in a way they
understand and will act upon. So we've been trying to keep this a deliberately rough-edged. Okay. We launched here uh last year in the Cavalry track. Wired article did a launch uh piece that was very effective for opening doors. We basically said, "I'm worried about more disruptions, larger disruptions, longer disruptions, more life-saving disruptions uh from accidents like CrowdStrike's that had just happened a couple months earlier or adversaries that want money, but what if it gets already unsustainable for my neighbors? What if it gets to weapons of war, which it will as early as 2027?" The pilot couldn't chase everything. So let's say not just are these four lifeline basic human needs more important than banking or other stuff or
IT or Angry Birds, they are uh the things that keep us from being Lord of the Flies, but they're also highly interdependent. So the pilot said, "Let's look at the interdependence between water and emergency care." So back to Maslow's, it's just the bottom, the stuff that keeps us being Lord of the Flies. I'm not worried about continuity of the economy for this project. There's plenty of people that care more about contin. I'm not worried about force mobilization, which is a fancy word for can we get our tanks to the country we need to fight in. Uh you someone else needs to be. I'm not doing that. And it's an interesting when we overlap which uh national critical
functions both of us need and it's nonzero. But we said, let's do these specifically in the first year, water, wastewater, emergency care, and then if we got more funding, we weave in power and food supply. Hence why you heard some talks on all four of these domains over the last two days. And the staged idea is because this is heavy and disruptive and confusing and scary and no one wants to be the villain in the story. Everyone wants to be the hero in their own story. We're giving each stakeholder group upstream couple months of engagement to go through their five stages of grief and get their footing and realize I can do something about this. So, I'm going to
go to the owners and op I went to the owners and operators first like the water engineers before I go to city hall. When they go to city hall and they freak out, they're going to call in water. They're going to call in power. They're going to call in the hospital and you know what? They're going to get good answers, competent, confidence-building answers because we gave someone a chance to win. And I'm just going to do the same thing after that to go to everyday Americans. And like I said the other day, Bryson does not want me to go to everyday Americans. Some of my friends have good reasons why they don't want me to go to everyday
Americans. And maybe I don't have to, but I'm pretty sure I'm going to have to. But I'm willing to not do so if we can solve it without them. Um, so it becomes a forcing function that when I give five questions you should ask at town hall, the people at town hall know what those questions are, have good answers for them. So let's give everyone a chance to orient and succeed. That last grow is you. We want to help the helpers be helpful. One of the cool things we learned is the highest consequence failure is a water hammer, for example. And this is something that and especially in the nation's aging pipes that are way past their expiration
date. Uh the 24 inch main I think is that one maybe 36 but they can get as big as 48. It's a lot of force and water. You don't always get to pick the time and place of where the burst happens. There may be more than one burst on more than one pressure zone. Think of this like a circuit and you might have circuit breakers. So I had to learn a lot about this and we learned it because of the empathy. Back to the point about hospitals that Ry was making, an individual hospital going out could hurt you and your family, but you might have one that you can drive to, but not when everybody's water, no
water, no hospital. If you didn't get the stickers, hold up the stickers. We have no water, no hospitals, no kidding stickers. And we have the water hammer sticker so that you can remember how to spell this thing and how to get involved. So, if you want to fight a water hammer, do you add cyber shields up? >> No. Uh maybe, but probably not in the next 12 to 18 months. The time to prep for that was a long time ago. So um thanks to the great work from Idaho National Labs, raise your hand. Did anybody see Ginger and Andrew yesterday? Uh Monday in their talk here. Amazing, right? Did anybody go to their free 4-hour training on how to do
cyber-informed engineering? I like to call it consequence informed engineering. Uh free applied to water. Anybody go to that? I heard some people over the moon yesterday at the bar. They loved it. We got to do we're gonna do a lot more of those together over the next 12 to 14 months. The idea is don't engineer, don't add cyber engineer down consequences. You're going to be hacked. You're going to be compromised. The punch will be thrown. Can you take the punch? Not can you restore and recover. Everybody says resilience is well you're going to get knocked down. How quickly can you restore and recover? When you when it's a ventilator and the patient dies, there's no restore and recovery. I
don't have resurrection powers. Right? If there's a burst water main, the restore and recovery is replace a water main, which could be a couple days or a week if it's the only one in the city or the town or the county, but when they're everywhere, good luck being first or second in line to get all those repaired. So, the notion that we could just recover quickly from a backup, test your backups, no. When it comes to OT/ICS and this kind of stuff, it's prevent or absorb. It's not recover. So we talked about engineering consequences. Circuit breaker in your house is what allows a spike of power to not burn down the walls. We can make similar things and we
talked to engineers about if this is the worst case, are there available familiar solutions? And the answer was an analog pressure sensor on the pressure zone of the hospital that knows it's never supposed to be above X psi. If it sees it goes above that, we'll have a physical wire go to the pump and shut it off. not through the hackable, you know, uh, ICS and SCADA systems, but just a physical kill switch. And yes, it's a temporary denial of service, but it's not an explosion of a water main on the pressure zone for the hospital. Can't do it everywhere, maybe, but it was like $2,000, $10,000. You have to do some planning and testing and maintenance for
sure. I'm not trying to trivialize that, but there is an available countermeasure for that thing. There's other scenarios our adversaries could do that that wouldn't work for, but that's why we're trying to teach CIE. We talked about ways to do this at RSA. You saw some that Monday if you were able. Grace Mena talked about volunteering and one of the ways a lot of us I'm helping to advise this thing. It's called the Cyber Resilience Corps, C-O-R-P-S, not C-O-R-E. It's getting its legs. It's probably not going to be to its full intended fighting force by 2027. And if you get on there you're going to see most of these ways to volunteer are not
consequence-informed engineering or cyber-informed engineering. are mostly privacy things, website hardening things, but this group can and should put out a shingle for how to help on water or power or or whatnot. So, and we are we're already in communication of setting up our intake. In fact, I hired someone started Monday while I was here um that's going to be managing most of the community intake and actions. We did Critical Effect with Bryson Bort. Bryson Bort had a a conference called Hack the Capitol. Sounded like we were attacking the capital, it was going to be its eighth one. And because people hated the name but love the ICST content in DC, I said let's merge and join
forces undisruptables, time-sensitive focus and mission on target-rich cyber poor owners and operators of water, power, access, emergency care, food supply, and give homework to all the speakers that we want ways to buy down risk in 12 to 18 months. no more navel-gazing, no more 10-year cycles, like what can we do now? So, we invited way more owners and operators and got a ton of water content and many of the speakers here were also there. One of the things we announced there uh through Craig Newmark, um it's a little blurry is he liked the mission, he liked the pilot's results, we needed to change our theory of change, but he committed $3.2 million over the next two years for a very
specific plan of action under a new theory of change that I'm about to outline. So, we didn't want to build a bridge to nowhere, but now that we have gas in the tank and a refined theory of change, it's time to go. So, what is that going to look like? Notice food's not on there. It's not that we don't care about it. There's things in the center of the bullseye and there's things that are going to be adjacent to the bullseye. But we think teaching people the muscles of CIE and multistakeholder planning will radiate outwards. Some of the pictures I'm going to show you were given to me this morning. So I haven't even really stitched together the
narrative, but that's okay. So what do we got here? I have a hospital at the top. Let me try to make this a little brighter. There's a hospital at the top. The center of our bullseye for the next path forward is the highest consequence failure is going to be a denial of patient care for one of our 6,000 communities. So that is the center bullseye. How do we make sure none of our nation's hospitals go down? In order to do that, we think the weakest link is likely the water. So we're going to convene water owners and operators, probably a water hammer. It's also power and it's also gonna involve both that town hall or municipal leadership and
probably Blake type people, emergency management, uh incident command center people, uh public health officials. So we have a a five stakeholder cell that we need to make sure that we inform, influence, inspire. Initially the theory of change was we had an information gap. No one had heard of this. If we just tell them, they'll be they'll go fix it. Nope. Uh we also have a motivation gap and an enablement empowerment gap that the new theory of change will bridge. Don't read this all. You don't need to memorize this all. But after like back and forth and back and forth and back and forth across the cyber civil defense network and Craig, it kept getting more and more confusing
to people. So, I just did this run-on sentence that finally got us somewhere to a new place where I said, "We can prevent losses of American lives by getting on the ground with a dozen hospital communities, helping them blunt the worst punches China can throw at their water, plus run regional exercises and demonstrations with these stakeholders, record and amplify their voices and stories to their peers, and then ensure these strategies can scale nationally within available time and resources." dot dot dot. And if you saw Grace's talk, dot dot dot, and then create more awareness and demand for many of your other funded activities. I actually don't want most people to avail themselves of the Cyber Resilience Corps
offerings yet if they're in these lifeline critical infrastructures. Before we go into cyber, I want to make sure we can take a punch. And then I want to hand them to initiatives like Defcon Franklin which are also doing water that can help with initial crawl, walk, run on cyber mitigations to maybe make it less likely to be hit maybe but probably not against the PLA probably not in the 12 next 12 to 18 months. PLA is the People's Liberation Army. So so the bottom line is real world action to help hospitals and the water systems that they depend upon to protect their communities. And then we're going to show what works so others can follow. We believe the best ambassadors for
change will look and talk and dress like their peers. So, it's not going to be me or somebody in Washington. It's going to be somebody wearing flannel and Carhartts talking at their conferences to their peers about this is what we learned. This is the feel, felt, found before, during, and after. We tried this stuff. It worked. You can too. Okay. And again, storytelling and meeting people where they are. So, there were four five aspects to this. We're going to work directly with communities, a dozen. We talk talk about that visually in a second. We need to capture and share their stories in various methods. We need to anticipate scaling risks. When I ran this COVID task force, we
weren't supposed to do non-cyber stuff initially, but we were really good at cross-sector cascading failure type things. So when we knew that the initial batch of Pfizer vaccine needed ultra cold refrigeration and there were only so many ultra cold refrigerators in the country then we had to find alternative platform like dry ice and dry ice is normally abundant but it's a byproduct of gasoline enrichment which no one was driving. So we didn't have any of that. So we had to get really really creative about even if we have this pressure sensor artor that's 2,000 bucks what if there's not enough parts? What if there's not enough technicians to install it? So we want to innovate
narrowly with these pilots and then replicate widely and that may require pretty interesting cross-sector supply chain analysis and mitigations which my team had a great experience doing and I just recruited someone who left CISA to help me as one of my hires. Okay. Um running hands-on cascading failures. Sometimes you got to blow up. Uh, if anybody ever seen the Aurora attack at Idaho National Labs, the diesel generator. Okay. Unfortunately, got eclipsed by the Google Aurora espionage campaigns from China that everyone complains to. Uh, I don't know if you know this, but that that Aurora attack at Idaho National Labs was the inspiration for a uh, Democratic congressman from Rhode Island named Jim Langevin to get to found
the cyber caliphate with bipartisan sense, not cyber caliphate, the cyber caucus. Uh, sorry, Jim. Uh, you might recall Jim and Will Hurd were the first congressman to come to to Hacker Summer Camp uh at Defcon 25. Bo and I brought the two of them as a delegation from DC to Defcon uh to build trust and build work. But Jim started the cyber caucus in the House, then was driving force on the bipartisan Cyberspace Solarium Commission, which passed most of the positive cyber we've seen. And the wind beneath his wings in a lot of ways was Nick Leiserson, the one of two congressional staffers with a computer science degree back when I went on the hill in 2014.
The other one you've met before was Jessica Wilkerson who ended up at the FDA eventually. They had been a force of nature standing up things including the office of national cyber director where Nick was the first hire and now Nick works on undisruptible. So we're really happy to have Nick as well. But one of the things we have to do is show people that a failure in the water can cause this problem, can cause that problem. And that might mean going to a military base or a national lab or something like Plum Island and blowing some stuff up. And storytelling sometimes includes media. So we'll talk about media in a minute and Congress. And then we want to build
on-ramps to all the great cyber core event, you know, cyber civilian uh uh cyber civil defense network and the Cyber Resilience Corps volunteers because they do need cyber as well. We just have to live to fight another day and avail ourselves of that. So we pitched some metrics of what are we going to do in the first several months and one of them that you've already tasted is that the training the trainer workshops for consequence-informed engineering which is really called cyber-informed engineering. Like I said, I'm deliberately blurring those lines and Ginger has given me some dispensation to do so. Okay, so the changing theory of change in my last couple minutes here and remember I could
talk all the way up till the um keynote, but none of us should miss Casey's keynote. It's got a lot of heart um pun intended, but theory time, theory time, theory time if you know heavy spoilers. We thought we had an information gap, but we also have a motivation enablement gap. And I didn't want to get on the ground with 12 communities for a couple weeks at a time with a pretty a big expensive entourage, but we're going to have to do it because we want to remove every single excuse. We want your senator or your congressman to have nominated your town, for example, and put pressure that, oh, we better do something to look good for the
so- and so or whatever. And then we want to pay for if we have to some of those small engineering mitigations as we create recipes and playbooks and document them capture the stories before during and after not just the facts but the feelings and the belief structures and then we're going to replicate those. So we have to pull the thread on all three. So that's innovate narrowly. So what do I mean by that? Let's take the water example because I've really bound to water in the pilot. 151,000 water plants across these United States. 50,000 of them service homes. 6,000 of them touch and support hospitals. And I'm picking 12 of those. And I need your help nominating them
because we need to cast a wide enough net to not miss any edge cases. So, see these little tiny specks? They'll probably be more visible if I share the deck. These are 6,000 hospital communities. Um, I'd like to say they're blue, but they're more likely not blue right now. Almost none of them have only 650 of those 151,000 are part of the ISAC. We have a 0.4% participation in the ISAC. None of them have mandatory cyber controls like NERC and FERC for power. I don't know how many of them serve a hospital, but probably a much smaller number than 650. So, this is if this is the current idea, we want to pick 12 of them. I have three picked
already. Might not tell you what they are. We're going to nominate them. We're going to pick some red and blue states. We're going to pick maybe at most two cities at most. It's mostly going to be urban, suburban, rural, and unique environments. That could be topography is unique like a flood zone. It could be strategically important like this water, this river goes to supply these things at these points. It could be a near a port. a major port for the US. But we have to pick 12 that surface anything we've overlooked as best as possible. And if we are lean, maybe we'll do more. And if people want to make more cities, maybe they can add more fuel.
We thought the information gap was the only thing. So you can fix that with education. But we have a motivation gap and an enablement empowerment. So the assess is when we get on the ground with those stakeholders. We're going to experiment and fuzz this and co-create. I could give them a solution. and I'd rather we make one together. So, there's buy-in, participation, ownership. We might be educated by Andrew's new book on CIE for water. Uh we might come up with new recipes because those aren't practical in some of these edge cases. We're going to capture those stories as many ways as we can. interviews, film, uh long form podcasts, um short social media things, um 60 Minutes-style
exposés, and then we have to once we have things that work replicate in probably the next 9 to 12 months after we've gotten what we think is diminishing returns on those. If we use those beach heads of these 12, we can then replicate to the other six thou of the 6,000 hospital towns. And then someone's going to say, "Well, I'm not a hospital town, but we have dialysis centers or we have a data center or we're the we make 40% of the country's supply of medical oxygen. We need it too for oxygen." I agree. Uh you heard yesterday the really uncomfortable talk uh about AI data centers might be more important. I talked to someone who
did an international exercise And I said, "Did you guys restore the data centers first or the hospitals first?" And they said, "The data centers." And I said, "Okay, do you restore the data centers or the this first?" Like hospitals were not in the first four answers. So I would like to think we're going to keep our citizens alive. So far, none of the exercises I've seen have have prioritized hospitals. And if you don't like that answer, we have to do something to change that answer. They might be right, which is what I'm wrestling with from the amazing provocation we got yesterday on stage first talk. Go watch it. But we really entangled. So the time to
have these conversations is now. But I'm going to go to those 6,000 hospitals. And then I want if you ever saw the per plus commercials cuz I'm really freaking old. I told two friends and they told two friends and they told two friends. So maybe instead of a top- down regulatory push or government push from a very politically divided country, each individual community that wants their h their themselves safe starts and innovates and then we use things like the National Governor's Association and Nasio and Nachio and Blakes's conferences to give people not just problems but problems with effective proven solutions and testimonials. Okay, so this is the heart of the team. This is the minimum viable team. We're
going to make as many of them as we can. Uh we want to go from really prone to at least safer for the 6,000 hospitals. There's a couple reasons for that. The replicate widely. Um when we did the Cisco task force, we only had six months to fix some of these target rich cyber pore. Um we had 66 ball bearings we called them, but they were small unguarded weak links in the vaccine supply chains that had three IT people, zero security people. you could sneeze on one of them and you'd have a lot of dead Americans because they were the sole source manufacturer of something required for seven of the vaccine candidates. So we did practical things like get your
off showdan. Um just fix the kevs, do a nightly scan for free from SISA, just fix the kevs. Kev was not published prior to this effort. What are the bad practices? Screw best practices. What are the bad practices? So that's why even before we do those, we're doing the consequence informed engineering or cyber informed engineering. As we get these stories, everybody's got a podcast, right? So I'm I'm sort of kidding and I'm sort of not. We might want long form empathy building harmonization of terms with water operators with hospital leaderships and nurses like Dena from yesterday. We might want to capture these slice them up and as we get a really good story of what is a water hammer after all. Then
we make the animated explainer that comes out of those long form conversations. And if you want to listen to one bit, you do. One segment, you do. All of it you do. Um but we're going to capture those stories. We're going to animate the things that matter. Um, with a dozen communities of really motivated ambassadors, guess what we have on a silver platter? A segment for something like a 60 Minutes or a Night Line or whatever. So, when we do want to go to every Americans, we can bring something super scary and super manageable. Part of the reason to do that is we also want to have readily available witnesses for Congress. Not that they're going to
do a lot to help, but they can convene and help us amplify with a bully pulpit. And there's a stretch goal. I'm not a sports ball person, but I I've heard that once in a while, maybe I used to play sometimes is really easy to catch pot fly and people don't catch it. They stumble. They hesitate or they crash into each other. You know, maybe the confidence and the brazeness of our adversaries to throw this punch could be, oh, maybe they could take the punch. Maybe we don't throw the punch. or maybe our boss, we want to throw the punch, but our boss won't let us throw a punch. So, you know, maybe we maybe if we're
really really lucky, we can also cause some hesitation. I'm at two minutes left. So, the one thing I'll do in a rapid fire, maybe I'll take a few more minutes, but um let's go through what we talked about in this track just to remind people. And if you didn't see them, great news is we recorded them. So, here we go. We opened up with what is the undisruptible concern and what and asking you to be comfortably uncomfortable. We even had a guest appearance from Bryson to talk about the doctrinal philosophy of how China specifically conducts all unrestrained warfare and what they hope to accomplish with something like Bolt Typhoon, which is both a deterrent to
keep us out of Taiwan, which we won't. It's to undermine public support for our intervention because if we're all starving for water and food and Lord of the Flies, it we may not support continued intervention. And it's also to delay, degrade the mobilization of tanks and war fighting equipment, which this would absolutely do. So, we set the table. Then, we had a two-hour water block. Unfortunately, Dean could not come as a water engineer. He was dealing with an actual water crisis. But luckily, we had resilience and tolerance and had incredible presentations from um Idaho National Labs, Ginger and Andrew previewing his book and also both of them previewing their 4hour free training over next door that many of you
were able to take. Uh and you will have additional chances in the future to take. In the afternoon block, we talked to Blake and Scott about ICS, not industrial control systems, but incident command systems, NIMS, the national incident management system, and maybe ways to look at uh bidirectionally learning from each other. But what I really wanted you to take away from that is if you want to help right of boom, you have to learn at least those two courses they talked about. You have to learn their language. You need to snap into their crisis management. All crisis management is local and you will be ignored if you're not prepped and certified or credentialed prior. So if
you want to be doing that, start the process now. And we'll have much more from him and his other and others later. We had an EMT and emergency 911 folks give us a presentation on cascading failures. And then we ended the day with me, in my opinion too short. Uh I left me wanting I loved it, but it left me wanting more. But an overview of Meshtastic and LoRa and other alternative communication technologies you could use if the phones go out from Salt Typhoon, if the landlines go out, which they almost likely certainly will. So what are ways that you can now play with cheap technology to have non-zero comms with each other and with maybe the water plant and the hospital
you wish to help? Yesterday we started with the power block with a really uncomfortable if this was the 101 on how screwed we are. They took it to level 800 and I still have to digest a lot of what I felt and then process during that. But they're basically saying, don't just look at the 10 pounds of in a five pound sack we have now because we're rapidly building AI data centers with massive power demands, massive water demands, and economic prioritization above and beyond our own concern of these cohorts. They don't even need to be attacked to cause denial of patient care just from how dynamic and chaotic the load and unloads can be. So, watch that. We then
had an amazing two-hour block on healthcare. We also had uh Joe Slowik talked about ransomware was the canary in the coal mine to show us some of how disruption can happen from a nation state but at a wider scale. We had a two-hour block on healthcare with Dr. Christian Dameff who helped start uh CyberMed Summit. He's been coming to DEF CON since he was a teenager. Uh nurse Dena Carlile who was one of the victims of Ascension Health Multi-State Outage and McLaren Health and wrote a demand letter on how nurses need to be trained and how you have to adjust nurse to patient ratios to keep patients safe under fire and Beau Woods from day one of
the Cavalry. Um always worth watching, but I was really excited to see two things from Christian that we had not heard before. One is um his cyber crash cart way to assist a single down hospital. You can see how amazing that could be, but also we're not going to be able to do it to all 6,000 concurrently. So, great idea that we might need to hyperscale faster. And he also looked at their ability to notice the impact of the CrowdStrike outage on at least a third of the nation's hospitals. They were able to study in great detail. So, please watch that if you haven't. We then did hackers kind of like to eat
with a different Andrew uh and we were able to tell it uh over the inner tubes and um Curtis from the Bio-ISAC. The Bio-ISAC is not the Food ISAC. They kind of catch the things dropped by both. Um and he both showed some of the national security cascading failures for the nation's water food supply, but also uh much like David's talk this morning, some thoughts on your own food resilience at home. And then today we started with how can you volunteer? Oh no, we added uh at the end of the day we had end of life devices should not lead to end of life for humans and we took some people that are looking generically
at IoT policy, end of life support contracts uh and things like that. But then we asked them to say, can we look at obsolete end of life unpatchable devices in water and power and hospitals and maybe use that as a crucible to finally get some of those policies across the finish line much like the Cavalry did to get the PATCH Act passed in a law for medical devices to have minimum cyber security hygiene even though almost nothing else does. So, we went really narrow on a life safety thing that can now be replicated uh to other life safety things and we're hoping that that stimulated some conversation. And then this morning, Grace graced us with her presence on
volunteerism both through cyber civil defense, Cyber Resilience Corps, things like I Am The Cavalry and undisruptible and we are in fact asking you to volunteer in some way, shape or form. It's like fight club. You choose your own level of involvement, but there are many levels to this and now we have a community manager to help us do it. David, give you some preview of here are the people in your neighborhood and what you can do. And I'm trying to bring it home that these are hard. They're uncomfortable. We have little time. We might get a bonus year or two, but we're going to have to learn storytelling, empathy, pick these 12 cities. The first three
are going to be messed up. We're going to make tons of mistakes, but please nominate something in your state or where you grew up and why. Uh because we're going to go really quickly into the selection process, like maybe as early as the next two, three weeks. So, this is your invitation to join the Slack. Uh, because no hospital, no water, no hospitals, no kidding. Here's the sticker for the water hammer. We're going to make more stickers. This is just this batch for this time. We do know we're going to need introductions and help for things like the National Government Association, State EMS, and CERT is not computer emergency response. It's community emergency response. They
wear a green hat. The CLTC communities, different universities already have a footprint. Those will give longer, deeper trainings to fewer people, but that could be one of the arrows in our quiver. We're going to do some demonstrations and exercises. And we also know the insurance industry has to play a role. So, I've been helping CyberAcuView, which is a consortium of the top 20 underwriters of insurance. We probably need to do a concerted effort on specific bad edges, bad edge devices that we know are already implicated in Volt Typhoon. So, if your community is using them, we probably need to replace them with something better. Uh, secure by design, secure by default. And I'd like to think this
project can nicely add secure by demand because nothing done today to make a better device is going to get there in time for now. But what we can do is make these water plants beg their current suppliers to do something to ameliorate their legacy risk. So there might be a nice opportunity to team secure by design and secure by default to do secure by demand. Liability has been on the table and not existing. But this could be the thing that finally gives us software liability after 354 years of not doing so after the the 25 machine. And just like operation warps, we may see an oper named operation and people in this room might be called to serve to
make sure the national security public safety needs are there. This barcode, which no one should ever do QR codes, right? Um, we'll get you to the undisruptible 27 site where you can get in Slack and that's currently the intake for our volunteer platform for how you can say what you're willing and able to do and where you're willing and able to do it for how long you're willing and able to do it into the Cyber Resilience Corps platform. It's hammer time folks because we are overdependent on undependable things and the wolves are at the door. They're in the house so the cavalry is not coming. I thank you for your time for the last two and a
half days. I hope that you go upstairs to be inspired by Casey. I hope you had a wonderful BSides Las Vegas. I hope you enjoyed the 12th year of I Am The Cavalry and you can go back and look at the entire back catalog if you like. And I hope that you consider being one of our teammates in this noble fight.
I will talk until even all the way upstairs but you are released but I will definitely take questions and feedback until we walk upstairs and maybe walk together. Bye-bye. >> Are the videos available? >> My videos the two. Yeah, they're available >> uh on the website is one of them or if not both of them and they will be there next week if I have to. Okay. >> Thanks.