00:00 Hi everyone, welcome to the a16z podcast. Today we're continuing our "taking the cyber out of cybersecurity" series with Herb Lin, who is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and is also at the Hoover Institution, which are both at Stanford. We have David Damato, chief security officer at Tanium, and a16z policy team partner Matt Spence, who among other things previously spent time at the White House working with the National Security Council. The hallway-style discussion ends up focusing on practical advice for changing the conversation about security in the boardroom as opposed to the Situation Room, and we begin with considering the term "cybersecurity". The very first voice you'll hear, really briefly, is David, followed by Herb Lin.

00:42 By the way, for a quick second, can I just say how annoying the term "cybersecurity" is? I feel like only policy people actually say "cyber", and people trying to get research, security vendors.

00:51 That's a good question actually: what is the alternative? This is like that word "synergy", where it's like a really useful word but everyone hates it. There's no better alternative. I guess just "security".

00:59 Let's start with the word "cybersecurity", okay, as one word, cybersecurity, no space in between them. It matters because the Oxford English Dictionary, which I regard as the authoritative source on the English language, has a term especially on cyber, because it's up to date; last year was an emoji. So they are pretty... Cybersecurity: those things that are taken to defend and protect a computer system or the information inside. Notice that it's a completely defensive orientation. If you put the space in between cyber and security, cyberspace security, you start thinking that now it's the security of cyberspace, of the cyber domain, which is a very different thing. If you think about the term "national security", nobody leaves the space out: two words, not one word, and if you start thinking about the security of the nation, that gives you a whole different perspective on it. It's all the things that you might want to think about in terms of what would make a nation more secure. And so depending on the context I'll use a space or not the space, but of course in giving talks you can't make that distinction.

02:10 You could actually do the air-quote thing and be like "cyberspace security". But I think, you know, conceptualizing it to me, cybersecurity in the same sense, that the "cyber" plays the same role as the word "national" plays in "national security", that puts a whole different spin on it. For me, a qualifier.

02:24 That's right, that has important implications both on the defensive and the proactive thinking around it. Historically, with the development of weapons technology there was a period where we were trying to make more and more powerful weapons, so we got bigger and bigger bombs and so on, but nobody uses nuclear...

02:43 Yes, there has been a trend away from weapons that have a very large boom to weapons that have a much smaller boom, and there's a sense in which cyber weapons can do something, would just do an annoyance to somebody, to something that might, you know, destroy the entire system or systems to which this computer is connected, and I can do anything in between.

03:05 Yeah, you're right, I mean these different gradations. I'm even seeing people use them as a form of expression. You've been doing something like doxing, right, or denial of service attacks against just a single company because they're annoyed, or even like a form of protest. Some people consider this like the modern equivalent of just spray painting on a wall, but you know it has enormous financial and other consequences. So it's kind of interesting actually to think about that, because you would never have done that with a nuclear weapon.
03:29 Obviously. Exactly, and so the tendency here is that cyber weapons are the... or weapons that are eminently usable for a variety of purposes, and one of the most interesting things of the past 10 years is that nations are starting to wake up to this. They're starting to see that these weapons are enormously usable. There's no legitimate use for private citizens to have nuclear weapons; this is a type of weapon which is held by states, who have the monopoly over the use of force. Cyber weapons are totally different. You know, we want, for a growing economy, people within our country to be great hackers, to come up with technological innovations, to have that power in their hands, and the same power that they have to create the innovation we want can be enormously destructive. And as the government worries about that, it's really hard, because you think about cyber as a threat on the one hand, but on the other hand it's part of an opportunity.

04:19 And isn't this part of the reason why some of the best and worst attacks come out of Russia, because you have a lot of code-savvy kids who are very competent but who don't have a lot of economic options, like to be in jobs?

04:31 Yeah, we've seen this particularly in a lot of financially motivated crimes that have been perpetrated, like ransomware, or even something like a lot of the bank heists that we've seen. One of the first cases I ever worked on back in 2010 was a bank that lost about ten million dollars overnight. It's a gang of criminals who were loosely affiliated with each other, who had a reasonable set of skills from their computer science degrees, from their experience and education in college, who had combined with some individuals with banking knowledge, and overnight were able to steal ten million dollars in a very sophisticated way. And again, not associated with a nation-state, not associated with a tremendous amount of resources.

05:06 You have to be a major power to be able to operate like a nuclear weapon, have a facility, the infrastructure involved, and with code you can be anybody.

05:14 But the other thing that strikes me is a big difference between, for example, nuclear and cyber, which is a big deal, is that you need the materials: you need to enrich uranium and plutonium to build a nuclear weapon. Cyber weapons are basically knowledge.

05:31 It's even worse: the knowledge has already been formulated into tools, weapons they can then use. It's a noticeable mashable weapon, crazy.

05:40 But the fundamental point there is that it's bits, not atoms. And yet the effect, however, can be atoms. Absolutely, because we want to connect the atoms, right, but governments are oriented towards control of atoms; you know, that's what border controls are about, and so it's really hard.

05:56 I did probably about a hundred and ten investigations over the past decade.

06:00 And briefly, who were you, that you were doing these investigations?

06:01 So I started off my career as what's called a penetration tester, which is when someone paid me to break into systems. I'll be honest with you, I was not very good, but within about a week or less, I think my best was about two hours, we were able to break into some of the most secure locations in the world, physically and based on technology.

06:19 Not to minimize the seriousness of that, but one of my absolute favorite movies of all time is Sneakers. Their job is to be like the penetration testers, and they actually get, like, enlisted by the NSA to break into someone, and it actually turned out not to be the NSA. But anyway, they did way cooler stuff than I did.

06:34 I get into all these investigations, right, and so we did all these break-ins, right, now I realize how easy it was, and we switched over eventually about six years ago when I started doing investigations, because it was much more difficult to actually find an attacker and trace it back than it was to actually break in. So I went sort of to the opposite side, since I had that knowledge of methodology, and what I found over time is not much has really changed since, because we continue to focus on the things that are sexy, right; it's these things like hygiene that are the issue. The basic solutions are things like better security for IoT devices, network segmentation, preventing things being accessible from the Internet. These are not complex topics, and that's what I've tended to see over time: you get into these boardrooms and the topics are overly complex, like security is a very... Board members are very high level; they're simply really interested in things that are in the news. So if you look at things like China and Russia, that don't impact most organizations, they want to know who's attacking and where they're from, what they're doing, and to be honest with you that's not something that's typically helpful; it's a distraction from the real conversation.
07:35 It's interesting you say that, because attribution is hard at a certain point. Like, you can have all these people claim one thing or another, and then other people will actually have theories about what happened; by the end of the day there's politics in the attribution, the act of attribution itself. It almost matters to focus, to your point, on, like, trying to prevent and solve and address.

07:48 And for most organizations the attribution doesn't matter. For the government it absolutely matters, but as a corporation what will you be able to do? You're not going to be able to hack back that country.

07:59 The reason why attribution matters in the Situation Room is: is Russia trying to influence United States elections, you know, is this an act of war? Like, the questions that happen in the Situation Room need to be these big questions about how cyber relates to our... When you're in the boardroom, maybe the first question you'd be asking is: have you trained your employees on how to address the most common cyber threats?

08:21 So if something's really hard to use, people aren't gonna use it. You know, this is how it is; you know, most people look at the cyber training video like I do the airline safety video when you board your flight, and you're like, well, I fly a thousand miles a year, I know there's an airbag, I know there are windows, you just ignore it.

08:35 Recently we heard about an attack on the domain name system infrastructure against the company called Dyn. What was newsworthy about it was that it was a large distributed denial of service attack that was largely caused by compromised Internet of Things devices, specifically a component within them that had malware.

08:56 That's right, there was malware that had been used to infect millions, literally, of IoT devices, and the botmaster put them all together to create a DDoS attack on Dyn.

09:07 Wait, the botmaster, is that a real thing? It's a comic book hero, right, he wears a cape and a black hat.

09:14 But no, it's the party that's responsible for the botnet, and may not even be a single individual. But anyway, what was newsworthy about it was that it caused a bunch of consumer-facing websites that relied on this infrastructure to be inaccessible to you and me, and what's interesting about it is that we've been predicting this; we've known that this was possible for a very long time.

09:38 Honestly, I think most people woke up and are like, what the hell just happened? It's certainly not surprising to any technical person; there had been other smaller IoT-based attacks on stuff, but yet it got all this attention, and people said, hey, you know.

09:52 It woke people up seven years ago when Stuxnet hit the news. Stuxnet was the alleged American and Israeli cyberattack against the nuclear facilities, enrichment facilities, in Iran. My friend Kim Zetter wrote the definitive book on Stuxnet, and that was, by the way, the first case ever that we know of, at least the way I heard it, where computer malware had a physical consequence, because it took down a nuclear facility.

10:17 It did have physical consequences. It was certainly not by any means the first time. I'll tell you a very embarrassing story. The first time I was interviewed about Stuxnet, the person said, "And what do you think the impact of Stuxnet is gonna be?" And my answer was nothing, there was gonna be no impact on it at all, because every computer person knew that it was possible and this was nothing new. I was totally wrong about that, because what it did was it woke states up, policymakers up, to the possibility that this was a possible, feasible thing to do. It may have been the first documented instance of a large-scale attack on something physical that people noticed, but certainly there have been people who have caused physical damage by computers before.

11:02 And lately we've been seeing more of the DDoS attacks in the news, and about the smaller gradations in the annoyance cases: you see a ton of DDoS attacks when they're, like, personal vendettas, against, like, a disgruntled employee leaving a company or something. It could be anything.

11:17 The specialists usually differentiate between three different attributes that you want to defend.
11:23 Ironically the acronym is CIA, right: confidentiality, integrity and availability. A DDoS attack is an attack on availability; that means that your system is no longer available to do the things it's supposed to do for the people who are supposed to be able to use them. Violation of confidentiality means I steal your... I steal your credit card numbers; you still have the credit card in your hand. It's not like a dollar bill; I take a dollar bill from you, you don't have it anymore.

11:50 These, like, identity hacks.

11:51 That's right, there are hacks of information, and since information can be duplicated perfectly without your ever knowing it, I can have the information and you can have the information, and you won't know it until I use this somehow, in some way that's bad for you. And attacks on, compromises of, integrity are changing the data or the program, or deleting it, or somebody somehow affecting the actual bits that are there. Attacks on integrity mean that you've actually changed the data or zeroed it out or something like that. Malware can be used to do any one of those things or all of them; it's the generic tool, it's the computer program, loosely speaking, that will create compromises in any of those attributes.

12:32 And integrity tends to be one of the most devastating attacks, because you typically don't know what's happened.

12:38 The best example that I have of integrity versus confidentiality... yeah, this little, I'm having a little bit of a hard time just... physician. You go to a physician; your medical records are in a computer. Would it be more concerning to you to have your records published on the Internet, or to have somebody screw around with the data inside to change your blood type, or you get the wrong drug as a result? The difference is, on the one hand you're embarrassed, on the other hand you can be dead.

13:03 I think the theme here too is we're very reactionary, so it takes certain types of breaches to wake us up to a possibility we all knew about. If you walk through the timeline, you go back and start with Google in 2010, when they're the first company to come out and actually talk about Chinese state-sponsored actors. This is something the government and a lot of people knew about at the time, and it's the first commercial organization that actually came out and said it and made people aware, and we need to take note of that.

13:26 I mean, there's a phrase historians always use; it says we're always fighting the last war. What does that mean? It means that you look back and, like, let's prevent the next Pearl Harbor. Well, the next Pearl Harbor doesn't look like what happened. It's a new set of threats, it's coming from an enemy you're not expecting, from some direction you don't even think about, and so rather than trying to win what calls yesterday's war, let's think about the new threats.

13:49 You know, I want to pause for a moment, because it's actually really interesting what you said about the last war, because we're so oriented as human beings on what we already know. We're very bad at seeing the consequences of things that we built that are complex systems, that evolve with behaviors that we cannot predict. And I'm even thinking of things like Facebook, where you think you're just friending people and it's social and you're seeing cats, and then actually that becomes a whole new paradigm for all this data that's powering deep learning. So in a way the very thing you're describing begs the question of what the appropriate response is. Like, do you just only know the appropriate response based on your current toolkit? Like, what happens?

14:20 There's a lot of companies that are now doing advanced threat modeling, and they're doing something called red teaming, where they're bringing in individuals and then simulating attacks and practicing their response, and they're actually running through a real attack. They're constantly running simulated attacks, and the defenders are practicing their response, and they're looking at the results to see how they're improving over time.

14:40 But isn't the very point that we can't always predict? They're basically getting the operational machinery in place to be able to know how to respond, but you don't actually know a lot of these threats...

14:47 No, I think actually they're not unpredictable; a lot of them are following the same trend. An attack isn't made up of one action; it's usually made up of multiple actions, and so what you may see is one different action in that attack and probably ten or twelve of the steps that you've seen in previous attacks. So in most cases you're looking to detect those things that are not new in the organization, are not new during the attack, and I think that's a reasonable... understand your network better than anyone.

15:11 Few people realize it. It's kind of like, you know, know thyself.

15:16 First know yourself, of course, is the classic thing, the Sun Tzu, and there are very few organizations that really understand their environment.

15:22 There's a really great quote by Rob Joyce, who actually headed up the NSA TAO, which is the arm in the NSA that plans and carries out hacking attacks against foreign nations, and this was at the Enigma conference in San Francisco last year. One of the things he said in his talk was that most organizations don't really understand their own organization, their environment, and in many cases attackers understand the environment much better than the defenders do.

15:44 It's so counterintuitive. How is that possible, even?

15:48 Well, you know, I think it goes back to how distracted a lot of security leadership is. So I'll give you a great example: I was talking to a chief security officer the other day, and they were talking about how to protect mobile phones. Meanwhile, when I asked them how many systems they had in their organization, how many endpoints they had, computers and servers and things like that, they had no idea. So that's pretty common.

16:05 You ask how is it that the attackers know the system better than the defenders. The attackers know it because they have to get the details right; that's a must for them to succeed, and you never see the attackers who don't get the details right, because they're never in your system. It's only the guys who are in your system that have gotten the details right.

16:23 Yeah, the other thing to do is they know human behavior. You know, systems are very different, systems are very complex, but humans are humans: they get frustrated, they get impatient, they take shortcuts, they get annoyed.
16:35 Yeah, when I was at PARC we had a special group dedicated to it; it was called usable security, for that very reason, because the fundamental break point in any system will always be the human: the error that, you know, the psychology of a person and the details related to that.

16:49 I'd say the other challenge is that, as an attacker, I can keep trying my attack as many times as I want, so every time you catch me I simply restart my attack, because there is no accountability; there's nothing to lose and everything to gain.

16:59 Exactly. Okay, so just to switch gears then: you've talked a ton about hygiene and some of the basic stuff that needs to be done, but how do we need to then think about what happens in the boardroom?

17:07 There's just this tremendous gulf between what's happening in the Situation Room and what's happening, needs to happen, in the boardrooms. If you're in a situation room, the members of the president's national cabinet look around the table and look at each other, wonder who is attacking us: is it Russia, is it Iran, is it North Korea? How do we find that out, and how do we make sure that we're knowing where it's coming from?

17:27 Obviously, okay, so the attribution matters in the Situation Room because you then know who to go after.

17:31 Obviously. I mean, part of the attribution is how do you deter other states from acting against us, how do you respond to them when they've done it, and how do you talk to the American people about what's happened. These are like the sexy, high-level cyber issues, you know, the ones that you read about in the newspaper.

17:45 Yeah, the boardroom issues are very different. You know, the boardroom issues are how do you have the basic hygiene to stop yourself from being attacked. The equivalent basic advice from a doctor would be, you know, eat less, sleep more, drink less, and don't... The cyber conversations that often happen in the Situation Room are more of the fad diet; you know, they're dealing with the most advanced threats to companies right now, and those frankly aren't the major threats that most companies need to deal with.

18:10 Is there sort of a boardroom 101 for what people should do with this information?

18:13 There should be, and the challenge right now is there's no standardized way to report information to the board. So if you look at when I report financial information on my 10-K or 10-Q, I'm reporting financial metrics in a similar way, so that if I'm a board member on multiple boards I can interpret that data and make sense of it. Each board is getting a different set of data, and that's not always complete, and so one of the things that probably needs to happen in the near future is to define a set standard that ensures that boards are first educated on what cybersecurity is. So they have to be knowledgeable about it, just like they have to know about financials, right? You wouldn't expect a board member to join and have no understanding of financial information, so I think that's incredibly important. You have to link it back to the impact on the organization to make it relevant to the board member, so they actually understand: there's a risk, but what's my impact, what's the cost?

18:58 Quantifying, exactly: how does it impact my business, and how are we trying to mitigate that?

19:03 How do you measure something like reputation, though? That's a really tricky one; there's no financial, quantifiable number for reputational loss.

19:10 That's right, it's sort of finger in the air, and a lot of the insurance companies really struggle with this as well when they insure.

19:15 But that's not a cyber... I mean, Johnson & Johnson had to deal with that when they had the contaminated Tylenol incident way, way back.

19:22 In the Sony case, would you say that there is sort of a reputation...

19:26 Of course, of course there is, but what I was saying is that it's not new to cyber.

19:28 Ah, you just have reputational risks all the time.

19:32 That's right, no matter whatever stupid thing you do damages your brand.

19:36 I would actually argue something slightly different, though, because there's something intangible and dangerous and more subtle and pervasive involving cyber: trust is a shaky thing. When you have, like, a specific actor, a person you can pinpoint, see, that guy's the one who gave our secrets away, you feel okay that you have a scapegoat. When your scapegoat is this nebulous, faceless attacker, that makes reputation management very difficult, I would argue.

19:59 Yeah. So the other thing I would add to reporting to board members is there's two things that are important. One is the metric should communicate risk. A lot of the metrics I see are things like the number of attacks. Hey, I don't know what that means, and two, I don't know what the risk of that is, right? What is an attack, what is an event? The other component is, can I measure that over time? Board members don't want to pick up a packet and then see a metric that is different from quarter to quarter.

20:23 In financials you...

20:25 Exactly, so we want to see trends, so then we can ask questions on odd trends. We want to see, are we improving or are we not improving, and then be able to ask questions in those areas. So I think that's incredibly important and something I don't see a lot of.

20:34 There's one other aspect of this which I want to raise. It's not necessarily a board issue; it could be a senior executive leadership issue, but the problem is the following: that we are asking our computers to do more and more; we want more and more functionality. The only way to do that is to have your systems become more and more complex. Complexity, as everyone knows in the security business, is the enemy of security, and so what we're really trying to do is we're trying to make information technology do things, and we don't know whether or not we can do them securely, let alone where they come from.

21:13 The very definition of complexity is you don't know the source, the cause, anything.

21:17 That's right, and so it may be that in the future, and I think we're actually there now, we're sort of at a tipping point, that we need to find a way of having a disciplined conversation about whether the security risks are too much, to say no, we're not going to go down that path, and we're not going to ask them to do the functionality that we're asking them, and we're gonna scale back our expectations. The security people have to be in the room when they're trying to think of a new offering and so on; they have to be involved from the start. They can't be given the security as a "here's what we want to do, now go make it secure". That can't be the way it goes.

21:54 And you have all these other companies now coming to the arena that weren't technology companies, you know, manufacturing refrigerators or ties or cars, and now they have to be responsible for security. So it's actually really new for them, right, and in many cases a lot of these companies don't even have security measures, right.

22:09 And you can't outsource it. You would never joke and say, I'm not a numbers guy so I don't really know, you know, sort of, like, what our debt load is.

22:15 We're all security, and security... This is interesting, because it's following the arc of evolution of tech. You know, we always say, like, you can't silo the Internet division, back in the day when there was an Internet, like you can't silo the chief technology officer, you can't silo technology; now you're saying you just can't silo security. It has to have a seat at the table.

22:31 And maybe returning to your first question is why is cybersecurity the wrong term: because security is not just about what we consider cyber. It's not about your laptop, it's not about your mobile phone; you know, it's about, increasingly, your patient health records, it's about everything you use every day, it's about things that you touch that you want for convenience, and suddenly that all becomes a security threat. So it's not this narrow thing, it's everything we're doing, and that's why we should be worried that we're not doing enough.

22:53 Everything related to information, and anything that touches information, which is everything.

22:58 Well, clearly we're living in the future, as you said. Thank you for joining the a16z podcast, guys.

23:01 Thank you.