1 00:00:00,000 --> 00:00:02,000 I'd like to introduce Bruce. 2 00:00:02,000 --> 00:00:04,000 Come on down. 3 00:00:04,000 --> 00:00:06,000 Oh, her, yeah. 4 00:00:06,000 --> 00:00:08,000 You need some water? 5 00:00:08,000 --> 00:00:10,000 Okay. 6 00:00:10,000 --> 00:00:20,000 Thank you. 7 00:00:20,000 --> 00:00:24,000 Thanks for having me. 8 00:00:24,000 --> 00:00:26,000 Thanks for coming. 9 00:00:26,000 --> 00:00:32,000 So he was worried because I landed this afternoon. 10 00:00:32,000 --> 00:00:34,000 He made him nervous. 11 00:00:34,000 --> 00:00:36,000 And I landed late. 12 00:00:36,000 --> 00:00:40,000 And I made him more nervous. 13 00:00:40,000 --> 00:00:42,000 So I have a question. 14 00:00:42,000 --> 00:00:46,000 Does the other conference have better giveaways than we do? 15 00:00:46,000 --> 00:00:48,000 Has anyone checked? 16 00:00:48,000 --> 00:00:52,000 I mean, it's like the conference of people doing surgery. 17 00:00:52,000 --> 00:00:56,000 They don't have food based. 18 00:00:56,000 --> 00:01:00,000 He, that'd be awkward, wouldn't it? 19 00:01:00,000 --> 00:01:02,000 I think you, regardless. 20 00:01:02,000 --> 00:01:06,000 They, they all did you, and you probably could get some, right? 21 00:01:06,000 --> 00:01:08,000 I had, I had donuts. 22 00:01:08,000 --> 00:01:10,000 I got a couple earlier. 23 00:01:10,000 --> 00:01:14,000 I bought book, flyers, really. 24 00:01:14,000 --> 00:01:16,000 It's book. I'm going to put them down there. 25 00:01:16,000 --> 00:01:18,000 I'll also there outside. 26 00:01:18,000 --> 00:01:22,000 So, hi. 27 00:01:22,000 --> 00:01:22,000 28 00:01:22,000 --> 00:01:26,000 So what I want to talk about is cyber war. 29 00:01:26,000 --> 00:01:30,000 Actually, the title of the talk is cyber war in the future of cyber conflict. 30 00:01:30,000 --> 00:01:34,000 And last June, I participated in debate on cyber wars. 31 00:01:34,000 --> 00:01:35,000 And actual debate. 32 00:01:35,000 --> 00:01:36,000 There were sides. 33 00:01:36,000 --> 00:01:37,000 There was winning. 34 00:01:37,000 --> 00:01:39,000 It was televised. 35 00:01:39,000 --> 00:01:41,000 It was. 36 00:01:41,000 --> 00:01:46,000 The proposition we were debating is the threat of cyber war has been grossly exaggerated. 37 00:01:46,000 --> 00:01:50,000 It's actually interesting proposition goes instead of debating policy 38 00:01:50,000 --> 00:01:52,000 where debating language. 39 00:01:52,000 --> 00:01:54,000 And, and I mean, that itself was interesting. 40 00:01:54,000 --> 00:01:58,000 And on, I was on the side of the Yeses of Endurocellic exaggerated. 41 00:01:58,000 --> 00:02:02,000 It was myself and Mark Rottenberg, who's the director of the electronic privacy 42 00:02:02,000 --> 00:02:03,000 information center. 43 00:02:03,000 --> 00:02:07,000 On the other side was Mike McConnell, former head of the NSA, currently works at 44 00:02:07,000 --> 00:02:08,000 Buzal and Hamilton. 45 00:02:08,000 --> 00:02:12,000 And Jonathan Zittrain, law professor at Harvard. 46 00:02:12,000 --> 00:02:14,000 I thought it would be easy. 47 00:02:14,000 --> 00:02:15,000 Right? 48 00:02:15,000 --> 00:02:17,000 I had this list of cyber war exaggerations. 49 00:02:17,000 --> 00:02:19,000 I mean, so I'd say here they are. 50 00:02:19,000 --> 00:02:20,000 Look, they gross exaggerations. 51 00:02:20,000 --> 00:02:21,000 We're done. 52 00:02:21,000 --> 00:02:23,000 In fact, we lost the debate. 53 00:02:23,000 --> 00:02:25,000 The voting was interesting. 54 00:02:25,000 --> 00:02:28,000 They, they pulled the audience to the beginning of the debate. 55 00:02:28,000 --> 00:02:29,000 And then pulled them at the end of the debate. 56 00:02:29,000 --> 00:02:32,000 And the side that changed the most minds won. 57 00:02:32,000 --> 00:02:33,000 So we lost. 58 00:02:33,000 --> 00:02:34,000 The end of the debate. 59 00:02:34,000 --> 00:02:41,000 More people were convinced that we're not exaggerating a cyber war risk than we are. 60 00:02:42,000 --> 00:02:47,000 And I've been thinking about that in the seven or eight months since that debate. 61 00:02:47,000 --> 00:02:51,000 And I've sort of come to understand what's going on. 62 00:02:51,000 --> 00:02:56,000 Why people don't think we're exaggerating the threat. 63 00:02:56,000 --> 00:02:58,000 My list of exaggerations was pretty complete. 64 00:02:58,000 --> 00:03:02,000 I had Mike McConnell himself saying, and it's at the Washington Post, the United 65 00:03:02,000 --> 00:03:06,000 States is fighting a cyber war today and we're losing. 66 00:03:06,000 --> 00:03:09,000 We had a US senator talk about cyber Katrina. 67 00:03:09,000 --> 00:03:13,000 I had quotes about cyber Pearl Harbor, cyber 911. 68 00:03:13,000 --> 00:03:16,000 My favorite cyber art begin. 69 00:03:16,000 --> 00:03:21,000 We had newspaper headlines about Cuba-waging cyber war. 70 00:03:21,000 --> 00:03:23,000 So the article from the Independent. 71 00:03:23,000 --> 00:03:26,000 Hackers declare cyber war on Australia. 72 00:03:26,000 --> 00:03:27,000 Cyber war is so easy. 73 00:03:27,000 --> 00:03:29,000 Even kids can do it. 74 00:03:29,000 --> 00:03:34,000 I'm at Iran who is a cyber screening advisor under President Bush said. 75 00:03:34,000 --> 00:03:35,000 This is actually a great quote. 76 00:03:35,000 --> 00:03:43,000 Cyber 911 has happened over the last 10 years, but it's happened slowly so we don't see it. 77 00:03:43,000 --> 00:03:46,000 I don't even know what that means. 78 00:03:46,000 --> 00:03:51,000 I learned from a newspaper headline that Germany attacks China for starting a cyber war. 79 00:03:51,000 --> 00:03:56,000 If it case you didn't know this, a cyber war right now, it would be Germany and China. 80 00:03:56,000 --> 00:04:00,000 Cyber would China declares war on Western search sites. 81 00:04:00,000 --> 00:04:04,000 You could declare war on companies now, not just countries. 82 00:04:04,000 --> 00:04:06,000 Wall Street Journal cyber blitz. 83 00:04:06,000 --> 00:04:07,000 That was a new one. 84 00:04:07,000 --> 00:04:10,000 It's US and Korea. 85 00:04:10,000 --> 00:04:13,000 It's really clear, we're exaggerating the threat. 86 00:04:13,000 --> 00:04:19,000 Let's look at some of the examples that we tend to use in talking about cyber war. 87 00:04:19,000 --> 00:04:21,000 The first one is Estonia. 88 00:04:21,000 --> 00:04:24,000 This was April of 2007. 89 00:04:24,000 --> 00:04:28,000 Estonia was the victim of a bunch of the dollar service attacks. 90 00:04:28,000 --> 00:04:33,000 The press talked about that as being unprecedented of a magnitude never seen before. 91 00:04:33,000 --> 00:04:34,000 That's all nonsense. 92 00:04:34,000 --> 00:04:37,000 It was pretty much a run of the mill large scale vanilla service attack. 93 00:04:37,000 --> 00:04:42,000 Nothing new, nothing interesting happened against a government. 94 00:04:42,000 --> 00:04:45,000 It's an odd example of a war. 95 00:04:45,000 --> 00:04:51,000 It's like if the enemy army invades your country, then they all run the line of front of you with the post office. 96 00:04:51,000 --> 00:04:53,000 Because that's a vanilla service attack is. 97 00:04:53,000 --> 00:04:56,000 You can't get to do your stuff. 98 00:04:56,000 --> 00:04:58,000 A Russia was blamed for it. 99 00:04:58,000 --> 00:05:00,000 They never admitted it. 100 00:05:00,000 --> 00:05:02,000 So we actually don't know who did it. 101 00:05:02,000 --> 00:05:17,000 The only person who was convicted of these cyber attacks was a 22 year old Russian man living in Talen, who was annoyed about us, a Russian statue being pulled down in Estonia. 102 00:05:17,000 --> 00:05:22,000 So maybe a cyber war is so easy, even kids can do it. 103 00:05:22,000 --> 00:05:26,000 October of 2007 in Syria. 104 00:05:26,000 --> 00:05:32,000 In that month, Israel launched an attack against a Syrian nuclear research center. 105 00:05:32,000 --> 00:05:34,000 They bombed it. 106 00:05:34,000 --> 00:05:35,000 This wasn't a cyber attack. 107 00:05:35,000 --> 00:05:38,000 They used planes and bombs. 108 00:05:38,000 --> 00:05:49,000 But as a precursor to the attack, they hacked into the Syrian radar and air defense systems in an effort to better conceal getting internet out. 109 00:05:49,000 --> 00:05:52,000 This is not confirmed, but it's pretty much widely believed. 110 00:05:53,000 --> 00:05:57,000 So an interesting example of a cyber component of a real attack. 111 00:05:57,000 --> 00:06:01,000 So keep this in mind and we talk about stuck-snip in a few minutes. 112 00:06:01,000 --> 00:06:03,000 This is a physical attack. 113 00:06:03,000 --> 00:06:10,000 It's a nuclear research center in Syria using planes with a cyber attack component to it. 114 00:06:10,000 --> 00:06:13,000 Also in 2000, those incidents in Brazil. 115 00:06:13,000 --> 00:06:17,000 This was used as a centerpiece for 60 minutes. 116 00:06:17,000 --> 00:06:23,000 This is the United States news television show on cyber war. 117 00:06:23,000 --> 00:06:29,000 And in that year, there were several blackouts in the country. 118 00:06:29,000 --> 00:06:32,000 That have been blamed on cyber attacks. 119 00:06:32,000 --> 00:06:35,000 They have been blamed on actually cyber extortionists. 120 00:06:35,000 --> 00:06:40,000 The story goes that somebody was able to break in or an organization of the break into the power plants. 121 00:06:40,000 --> 00:06:44,000 Demonstrated, they could shut power off and extorted money. 122 00:06:44,000 --> 00:06:47,000 We don't know if this is true, we don't know if they actually got money, we don't know. 123 00:06:47,000 --> 00:06:49,000 We don't know if we know very little. 124 00:06:49,000 --> 00:06:52,000 There's one news report I read that said it wasn't a cyber attack. 125 00:06:52,000 --> 00:06:56,000 It was so the insulators that caused the blackouts. 126 00:06:56,000 --> 00:07:01,000 You know, people who know stuff tend to think, yeah, there was a cyber thing going on. 127 00:07:01,000 --> 00:07:04,000 This has been used in example of cyber war. 128 00:07:04,000 --> 00:07:12,000 August of 08 in Georgia, similar to Estonia, there was some large scale vanilla service attacks. 129 00:07:12,000 --> 00:07:17,000 This time unlike Estonia, this precipitated actual land invasion. 130 00:07:17,000 --> 00:07:21,000 Like the Russians sent intrups and tanks into Estonia. 131 00:07:21,000 --> 00:07:24,000 Again, Russia was blamed for these cyber attacks. 132 00:07:24,000 --> 00:07:27,000 They've never admitted responsibility. 133 00:07:27,000 --> 00:07:33,000 And still, we don't know if this was a government-sponsored cyber attack, 134 00:07:33,000 --> 00:07:38,000 or if it was like Estonia, kids playing politics. 135 00:07:38,000 --> 00:07:44,000 And this is something we see relatively regularly that there's some kind of international tension. 136 00:07:44,000 --> 00:07:51,000 And independent hackers with a nationalistic streak want to get involved in this is what they do. 137 00:07:51,000 --> 00:08:00,000 So we don't know if those are the examples of cyber war or just cyber vigilanteism or something like that. 138 00:08:00,000 --> 00:08:04,000 So thinking about these examples, and we talked about them in the debate in June, 139 00:08:04,000 --> 00:08:16,000 the problem we have, and Jeff said this one introduced me, is that there's no good definition of war in cypress space. 140 00:08:16,000 --> 00:08:23,000 One of the reasons we can't determine if the risk has been grossly exaggerated is we don't know what the it is. 141 00:08:23,000 --> 00:08:25,000 We don't know when it starts. 142 00:08:25,000 --> 00:08:28,000 We don't know what it looks like when it's happening. 143 00:08:28,000 --> 00:08:31,000 We don't know how to tell when it's over. 144 00:08:31,000 --> 00:08:42,000 And it's not just newspaper headline writers or government officials, even security experts don't have good definitions of these things. 145 00:08:42,000 --> 00:08:47,000 And that makes the debate hard. 146 00:08:47,000 --> 00:08:52,000 But clearly we're not, we're not actually right now fighting a cyber war. 147 00:08:52,000 --> 00:09:00,000 And I clearly, the term is being used more rhetorically than actually. 148 00:09:00,000 --> 00:09:05,000 And you know Americans have a very weird relationship with the word war. 149 00:09:05,000 --> 00:09:09,000 We hate using it when they're actual wars. 150 00:09:09,000 --> 00:09:13,000 We love using it when they're aren't wars. 151 00:09:13,000 --> 00:09:16,000 War in crime, war on drugs, war on terror, war on poverty. 152 00:09:16,000 --> 00:09:19,000 We love rhetorical wars. 153 00:09:19,000 --> 00:09:23,000 It makes us sound, I don't know, it's, it makes it sound big. 154 00:09:23,000 --> 00:09:27,000 But in this case, it's also damaging. 155 00:09:27,000 --> 00:09:36,000 Right, that the war rhetoric being overly broadly applied has actually some serious policy consequences. 156 00:09:36,000 --> 00:09:39,000 I'll talk about them later. 157 00:09:39,000 --> 00:09:44,000 So I think is going on and if there's one sentence that you're going to write down from this talk, this is it. 158 00:09:44,000 --> 00:09:47,000 So get ready. 159 00:09:47,000 --> 00:09:56,000 It's not that we're fighting a cyber war, but that we were increasingly seeing war-like tactics used in broader cyber conflicts. 160 00:09:56,000 --> 00:09:59,000 That's the problem. 161 00:09:59,000 --> 00:10:07,000 Right, it used to be there was a set of things we would call war that only nations were able to do. 162 00:10:07,000 --> 00:10:14,000 But in cyberspace, the capabilities are being diffused broadly through the population. 163 00:10:14,000 --> 00:10:21,000 So non-nations can now employ war-like tactics. 164 00:10:21,000 --> 00:10:24,000 It's like a bunch of criminals getting a tank. 165 00:10:25,000 --> 00:10:27,000 Now what do you do? 166 00:10:27,000 --> 00:10:35,000 Because tanks used to be the sole purview of governments of militaries. 167 00:10:35,000 --> 00:10:40,000 My technology is broadly spreading capability. 168 00:10:40,000 --> 00:10:49,000 So now that we have sort of a better definition that we're talking about these more broad cyber conflicts, let's look at some other examples. 169 00:10:49,000 --> 00:10:53,000 That's some of them fit into what people are calling cyber war and some don't. 170 00:10:53,000 --> 00:10:57,000 But they're all fit into these broad cyber conflict idea. 171 00:10:57,000 --> 00:10:59,000 So ghost net is a good example. 172 00:10:59,000 --> 00:11:08,000 Discovered in March of 09, this is a very large widespread well put together surveillance network. 173 00:11:08,000 --> 00:11:14,000 It was discovered when some security researchers were cleaning up the Dalilama's computers. 174 00:11:14,000 --> 00:11:24,000 And as they rolled up this network, they found it was targeting not only Dalilama, but political economic media targets in about 100 different countries. 175 00:11:24,000 --> 00:11:30,000 You looked at the list of targets that is basically a who's who of who China wants to spy on. 176 00:11:30,000 --> 00:11:36,000 So of course, China is believed to be the perpetrator of ghost net. 177 00:11:37,000 --> 00:11:41,000 It's embassies, it's foreign ministries, it's government offices. 178 00:11:41,000 --> 00:11:45,000 I was actually a really impressive surveillance network. 179 00:11:45,000 --> 00:11:47,000 China of course has never admitted anything. 180 00:11:47,000 --> 00:11:50,000 So we actually don't know. 181 00:11:50,000 --> 00:11:56,000 July of 09, there were attacks against South Korea and the United States. 182 00:11:56,000 --> 00:11:57,000 Now of course, you're new here. 183 00:11:57,000 --> 00:12:03,000 The victims being South Korea and the US, you merely think North Korea is the perpetrator. 184 00:12:03,000 --> 00:12:14,000 The tracing we were able to do showed that the attacks came from from either China or London or Florida. 185 00:12:14,000 --> 00:12:21,000 I mean, there were some US congressmen who wanted us to attack back, you know, 186 00:12:21,000 --> 00:12:23,000 Connecticut with real-life weapons. 187 00:12:23,000 --> 00:12:28,000 It would have been awkward if it was Florida. 188 00:12:29,000 --> 00:12:43,000 January of last year, Google announced they were the victim of a very organized cyber attack from China out to to steal email accounts from Chinese dissidents and others. 189 00:12:43,000 --> 00:12:46,000 They actually threatened to pull out of the country because of that. 190 00:12:46,000 --> 00:12:50,000 Again, China has never, never admitted to me. 191 00:12:50,000 --> 00:12:52,000 And this is a common theme we're have, right? 192 00:12:52,000 --> 00:12:54,000 You know, we don't know who does it. 193 00:12:54,000 --> 00:12:55,000 We don't know who does it again and again. 194 00:12:55,000 --> 00:12:57,000 And we don't know who does it. 195 00:12:57,000 --> 00:13:05,000 You know, more broadly, there have been attacks emitting from China against a wide variety of government and corporate sites. 196 00:13:05,000 --> 00:13:07,000 And this has been going on for years. 197 00:13:07,000 --> 00:13:15,000 If those who study this believe that it's not the Chinese government that is directing these attacks, 198 00:13:15,000 --> 00:13:22,000 but more that it's independent hackers in China who are tolerated by the government. 199 00:13:22,000 --> 00:13:25,000 So this is some tacit understanding in the hackers in the government that the government, 200 00:13:25,000 --> 00:13:28,000 that the government leave the hackers alone, the hackers find something cool. 201 00:13:28,000 --> 00:13:30,000 They pass it back to the government. 202 00:13:30,000 --> 00:13:34,000 So it's not government sanctions and government tolerated. 203 00:13:34,000 --> 00:13:40,000 In a sense, I think this is a little more unstabilizing because at least government show restraint. 204 00:13:40,000 --> 00:13:45,000 You know, independent actors might show less restraint. 205 00:13:45,000 --> 00:13:50,000 And that's been going on for years and still ongoing. 206 00:13:50,000 --> 00:13:55,000 More recent example, and we all know about stock net discovered in June of last year. 207 00:13:55,000 --> 00:14:09,000 Right, stock net is a very well designed, very well written, very well executed, very targeted worm, targeted against an Iranian nuclear enrichment facility, 208 00:14:09,000 --> 00:14:16,000 targeted against a specific centrifuge inside that Iranian nuclear refinement facility. 209 00:14:16,000 --> 00:14:19,000 Seems to have been effective. 210 00:14:19,000 --> 00:14:21,000 Again, we don't know for sure. 211 00:14:21,000 --> 00:14:26,000 Now, but you know, when it first appeared, there's a lot of speculation of what the target was. 212 00:14:26,000 --> 00:14:27,000 I was skeptical at first. 213 00:14:27,000 --> 00:14:34,000 I'm convinced now there's been some great investigative reporting about stock net in various magazines and newspapers. 214 00:14:34,000 --> 00:14:42,000 You know, once you believe the targets I ran, you immediately believe that the perpetrator is the US or Israel. 215 00:14:42,000 --> 00:14:49,000 And we now believe that it was both the US and Israel that that launch stock net against Iran. 216 00:14:49,000 --> 00:14:53,000 And you know, you can read about some of the design work and the testing work. 217 00:14:53,000 --> 00:14:56,000 They tested it on actual facilities. 218 00:14:56,000 --> 00:14:58,000 It really isn't impressive worm. 219 00:14:58,000 --> 00:15:03,000 You know, worth reading about, worth studying. 220 00:15:03,000 --> 00:15:09,000 You know, compare this as an Asian comparison to what the Israel did to Syria in 2007. 221 00:15:09,000 --> 00:15:14,000 But in the first case, they attacked nuclear power plant with airplanes. 222 00:15:14,000 --> 00:15:18,000 The second place they used USB sticks. 223 00:15:18,000 --> 00:15:22,000 Right? If one is an active war, the other one is two. 224 00:15:22,000 --> 00:15:25,000 And if one isn't, the other one isn't. 225 00:15:25,000 --> 00:15:27,000 It's certainly using bombs. 226 00:15:27,000 --> 00:15:30,000 I think had probably had more collateral damage. 227 00:15:30,000 --> 00:15:37,000 In terms of lives lost, using USB sticks had more collateral damage in terms of computers infected. 228 00:15:38,000 --> 00:15:49,000 So, you know, so we get out, see that a country might have a choice of tactic depending on what its aims are. 229 00:15:49,000 --> 00:15:57,000 Also, along the lines of politically motivated attacking, I think we should look at some of the things that happened in the last couple of United States elections. 230 00:15:57,000 --> 00:16:01,000 I mean, it might have happened elsewhere in the world, but I know United States is best. 231 00:16:01,000 --> 00:16:05,000 And we saw quite a bit of political hacking. 232 00:16:05,000 --> 00:16:12,000 Not by candidates, not by parties, but by individuals who supported candidates or parties. 233 00:16:12,000 --> 00:16:17,000 So we had candidates websites defaced in the Donald service attacks. 234 00:16:17,000 --> 00:16:27,000 We had, you know, three years ago, Sarah Palin's, if I suppose, candidates, her email hacked. 235 00:16:27,000 --> 00:16:34,000 Right? More recently, we've seen email hacks against climate change scientists. 236 00:16:34,000 --> 00:16:41,000 We, and this is all cyber attacks designed to change political landscape. 237 00:16:41,000 --> 00:16:44,000 And actually, with very high aims. 238 00:16:44,000 --> 00:16:53,000 November of this year in Burma, in what passes for elections in that country, they were a series of cyber attacks designed to disrupt the election. 239 00:16:53,000 --> 00:16:58,000 We don't know why, but they did happen. 240 00:17:05,000 --> 00:17:09,000 Should I add all the, you know, I'm not sure if it's, uh, think about WikiLeaks. 241 00:17:09,000 --> 00:17:19,000 And, you know, less WikiLeaks as, you know, as WikiLeaks and more, the idea of WikiLeaks, which, you know, could be any name of a website. 242 00:17:19,000 --> 00:17:23,000 In some ways, that's nothing new for any of us. 243 00:17:23,000 --> 00:17:30,000 You know, I'm actually to feel like the US State Department has finally learned what the music and movie industry learned 10 years ago. 244 00:17:30,000 --> 00:17:34,000 That bits are copyable. 245 00:17:35,000 --> 00:17:38,000 And, and, and didn't have the WikiLeaks, that didn't exist. 246 00:17:38,000 --> 00:17:40,000 And the guy could have put him up on a bit, aren't. 247 00:17:40,000 --> 00:17:45,000 Right? And once bits are copied and distributed, you can't get them back. 248 00:17:45,000 --> 00:17:52,000 So there are a lot of lessons here about the, the nature of secrecy in the information age. 249 00:17:52,000 --> 00:17:54,000 That's kind of different. 250 00:17:54,000 --> 00:18:03,000 But WikiLeaks as a phenomenon is definitely an organization that are using cyberspace to change politics. 251 00:18:03,000 --> 00:18:08,000 I mean, that using cybertax, just using publication. 252 00:18:08,000 --> 00:18:16,000 Right? And lastly, I think, as a really interesting example is, is anonymous versus HP Gary. 253 00:18:16,000 --> 00:18:29,000 Right? I mean, and, you know, so here we are, you know, going, you know, we've come from government versus government to a bunch of individuals versus a corporation. 254 00:18:29,000 --> 00:18:34,000 And, and anonymous did quite a number on HP Gary. It's really quite impressive. 255 00:18:34,000 --> 00:18:45,000 You know, that, that, that a, a small group of determined smart individuals can effectively take down a security company. 256 00:18:45,000 --> 00:18:50,000 Kind of a different world when that, when that's true. 257 00:18:50,000 --> 00:18:55,000 And also, probably we should add what's what happened in Egypt and some of the other Arab countries, 258 00:18:56,000 --> 00:19:00,000 where protest is using the, we're using the internet to communicate organized. 259 00:19:00,000 --> 00:19:03,000 And the government in response tried to shut the internet down. 260 00:19:03,000 --> 00:19:08,000 And so the interesting response, it didn't actually work. 261 00:19:08,000 --> 00:19:13,000 And it's only, it's, you can only do that if you have crappy internet infrastructure. 262 00:19:13,000 --> 00:19:19,000 Right? If there's just one telco in your country, and it's owned by the president's brother, 263 00:19:20,000 --> 00:19:26,000 it's kind of easy to, you know, to say, just to get you just turn that off for a day or two, please. 264 00:19:26,000 --> 00:19:35,000 You know, if you have a robust internet infrastructure with many companies and many access points, you just can't do that. 265 00:19:35,000 --> 00:19:42,000 But, you know, so we're so, so I happen to, we probably want to see the happen again this year. 266 00:19:43,000 --> 00:19:54,000 I was also two older examples. I want to talk about, and I was interviewed about about a month ago by a, by a Russian magazine about cyber war. 267 00:19:54,000 --> 00:20:00,000 And one of the things that are put are asked me is why is Russia considered the bad guy in this? 268 00:20:00,000 --> 00:20:05,000 Are they blame us for a stone? Are they blame us for a Georgia? Why are we the bad guy? 269 00:20:05,000 --> 00:20:15,000 You said that, that you're not, you, you've, you've forgotten. Russia was actually the first victim way back in 1982. 270 00:20:15,000 --> 00:20:28,000 The United States asserted malicious code in Canadian software that was sent to Russia to help control the trans-Siberian pipeline. 271 00:20:28,000 --> 00:20:37,000 The, the resultant explosion, I believe is still the largest non-nuclear explosion on our planet. 272 00:20:37,000 --> 00:20:46,000 And, and, you know, this was a cyber attack. How is it different than Stuxnet? Sounds like the same thing. 273 00:20:46,000 --> 00:20:49,000 Right, but it's 30 years previously. 274 00:20:49,000 --> 00:21:01,000 In 1991, and this story is also unconfirmed but widely believed. The United States inserted malicious code in printers that were being sent to Iraq. 275 00:21:01,000 --> 00:21:09,000 This is before the first Gulf War. And that malicious code effectively damaged the Iraqi air defense system. 276 00:21:09,000 --> 00:21:21,000 Making it easier for US and I think we know whatever coalition it was, the war planes to attack Iraq. This is in response to the invasion of Kuwait. 277 00:21:21,000 --> 00:21:33,000 So that's my list of stories. And when you think about them, I mean, the, the, the huge difference in, in not only perpetrators targets and tactics. 278 00:21:33,000 --> 00:21:42,000 You know, the, the, the spread of what could be considered cyber war, cyber conflict is suddenly very, very large. 279 00:21:42,000 --> 00:21:52,000 And. So think about response for a second. When you're attacked in cyber space. 280 00:21:52,000 --> 00:21:59,000 There's a variety of ways you can defend yourself as a variety of institutions you can call on for defense. 281 00:21:59,000 --> 00:22:02,000 You can call on the police. 282 00:22:02,000 --> 00:22:09,000 You can call on the military. You can call on whatever organization does counterterrorism. 283 00:22:09,000 --> 00:22:18,000 You can call on, you know, a set of products and services you've purchased. You can call on your corporate lawyers. 284 00:22:18,000 --> 00:22:26,000 And the particular legal regime, right, legal framework for any particular defense depends on two things. 285 00:22:26,000 --> 00:22:30,000 Who's attacking you and why? 286 00:22:30,000 --> 00:22:40,000 And in cyber space when you're attacked, the two things you don't know are who's attacking you and why? 287 00:22:40,000 --> 00:22:44,000 That makes defense difficult. 288 00:22:44,000 --> 00:22:54,000 Right, when a stony is the victim of a denial services hack, they don't know is it Russia or some guy in an apartment somewhere? 289 00:22:54,000 --> 00:23:00,000 It makes a difference. But you don't know. 290 00:23:00,000 --> 00:23:04,000 I mean, to think of all the different adversaries we talked about in our examples. 291 00:23:04,000 --> 00:23:06,000 We talked about hackers. 292 00:23:06,000 --> 00:23:12,000 We talked about criminals, financially motivated attackers. We talked about politically motivated attackers. 293 00:23:12,000 --> 00:23:16,000 We talked about spies. We didn't talk about we could imagine talking about terrorists. 294 00:23:16,000 --> 00:23:20,000 We talked about governments and militaries. 295 00:23:20,000 --> 00:23:30,000 Right, the perpetrators run the gamut from unsuitificated, sophisticated from poorly funded to well-funded to non-risk of risk of risk of risk of risk. 296 00:23:30,000 --> 00:23:36,000 And they're all using the same tactics. 297 00:23:36,000 --> 00:23:44,000 Right, you can't tell when you're at the receiving end. 298 00:23:44,000 --> 00:23:52,000 I mean, so think about the tactics. Right, we've seen data theft, 299 00:23:52,000 --> 00:23:56,000 Eves dropping, data manipulation, the Nile of service, sabotage. 300 00:23:56,000 --> 00:24:02,000 Right, these are all tools of all of those different attackers. 301 00:24:02,000 --> 00:24:06,000 By the differences in the motivation. 302 00:24:06,000 --> 00:24:10,000 A little, I think it was side note on sabotage. 303 00:24:10,000 --> 00:24:12,000 Especially sabotage against networks. 304 00:24:12,000 --> 00:24:18,000 And I think this is widely misunderstood in people who think about cyber war. 305 00:24:18,000 --> 00:24:24,000 In a war, destroying the enemy's communications network 306 00:24:24,000 --> 00:24:28,000 is the least good thing you can do with it. 307 00:24:28,000 --> 00:24:32,000 Right, the best thing you can do is control it. 308 00:24:32,000 --> 00:24:38,000 Selectively and leak messages. That's the best. You can really mess up doing that. 309 00:24:38,000 --> 00:24:43,000 If you can't do that, the second best thing is Eves dropping on it. 310 00:24:43,000 --> 00:24:48,000 Right, passively listening. That's very, very valuable. 311 00:24:48,000 --> 00:24:54,000 Only if you can't do that, the least good thing you can do is destroy it. 312 00:24:54,000 --> 00:24:59,000 Right, but it's definitely not your first choice. It's not even your second choice. 313 00:24:59,000 --> 00:25:02,000 Mr. Little, let's go a little side there. 314 00:25:03,000 --> 00:25:10,000 So a lot of these attacks are examples of what we've started to call 315 00:25:10,000 --> 00:25:14,000 the advanced persistent threat, APT. 316 00:25:14,000 --> 00:25:17,000 I generally hate buzzwords, they hate new buzzwords, 317 00:25:17,000 --> 00:25:20,000 but I'm coming around to this one. 318 00:25:20,000 --> 00:25:23,000 It's not new. 319 00:25:23,000 --> 00:25:30,000 It's the idea that the hackers, the enemy, the bad guy, who I went to call it, 320 00:25:30,000 --> 00:25:38,000 wants to get into you and they're going to use a variety of methods and techniques until they get in. 321 00:25:38,000 --> 00:25:41,000 Right, so it's sort of unlike the criminal threat. 322 00:25:41,000 --> 00:25:45,000 The criminal wants to make in the sub-100,000 credit card numbers, 323 00:25:45,000 --> 00:25:47,000 and it doesn't care where you get some front. 324 00:25:47,000 --> 00:25:53,000 So if you're going to defend yourself, you just have to be more secure than the other guy, and you're fine. 325 00:25:53,000 --> 00:25:57,000 Right, but if it's anonymous versus HP Gary, 326 00:25:58,000 --> 00:26:02,000 anonymous wants in to HP Gary, not anybody, 327 00:26:02,000 --> 00:26:06,000 and they're going to keep working until they do it. 328 00:26:06,000 --> 00:26:13,000 Right, this is a real threat, again, it's not new, but it's not a bad buzzword. 329 00:26:13,000 --> 00:26:19,000 And on the internet, the advantage goes to the attacker. 330 00:26:19,000 --> 00:26:23,000 I mean, not for all time, but certainly now. 331 00:26:23,000 --> 00:26:28,000 And if you don't think about history, let's say history of warfare, this bounce is back and forth. 332 00:26:28,000 --> 00:26:30,000 Sorry. 333 00:26:30,000 --> 00:26:35,000 Right, you know, just think about the US Civil War, the attacker had the advantage, 334 00:26:35,000 --> 00:26:38,000 because weapons were powerful and no one knew how to defend themselves, 335 00:26:38,000 --> 00:26:42,000 and people were lining up and rose like they did in old and times, 336 00:26:42,000 --> 00:26:45,000 and they'd just be shooting at each other and people would die. 337 00:26:45,000 --> 00:26:50,000 It wasn't until Napoleon figured out offensive tactics in the age of rifles, 338 00:26:50,000 --> 00:26:55,000 that the pension was sorry, the fender advantage before, 339 00:26:55,000 --> 00:26:58,000 and then Napoleon figured out the attacker advantage. 340 00:26:58,000 --> 00:27:01,000 Right, and that's stayed the same until weapons got better again. 341 00:27:01,000 --> 00:27:04,000 Got into World War I, and defenders had the advantage. 342 00:27:04,000 --> 00:27:07,000 Right, trench warfare, you were pretty safe unless you stuck your head up in charge, 343 00:27:07,000 --> 00:27:10,000 in which case you died. 344 00:27:10,000 --> 00:27:17,000 And I know really wasn't until World War II and Hitler who figured out how to use tanks 345 00:27:17,000 --> 00:27:23,000 and invented Blitz Creek warfare that we again saw, the attacker had the advantage. 346 00:27:23,000 --> 00:27:30,000 So you'd so ask technologies change, you know, that goes back and forth over the span of a couple of centuries. 347 00:27:30,000 --> 00:27:34,000 Right now on the internet, the attacker has the advantage. 348 00:27:34,000 --> 00:27:38,000 I mean, you know that if someone wanted to get in, they would get in. 349 00:27:38,000 --> 00:27:43,000 It might take a while, but, you know, nobody's perfectly secure. 350 00:27:43,000 --> 00:27:45,000 It's just a matter of time and effort. 351 00:27:45,000 --> 00:27:47,000 Right, that's the way it is. 352 00:27:47,000 --> 00:27:52,000 So this advanced persistent threat is real and it's effective, right? 353 00:27:52,000 --> 00:27:54,000 It's, you know, it's good to work. 354 00:27:54,000 --> 00:27:59,000 And how we deal with it is worth talking about. 355 00:27:59,000 --> 00:28:03,000 And I'm also defining, I mean, I'm defining politically motivated, 356 00:28:03,000 --> 00:28:07,000 having hacking, but I'm defining politically very broadly, right? 357 00:28:07,000 --> 00:28:12,000 It's nationalistic, it's ethical, it's religious. 358 00:28:12,000 --> 00:28:17,000 It, the, the targets could be governments, could be corporations. 359 00:28:17,000 --> 00:28:23,000 Right? We've seen politically motivated hacking against, again, against companies and 360 00:28:23,000 --> 00:28:29,000 politically charged industries, oil companies, pharmaceutical companies, Microsoft. 361 00:28:29,000 --> 00:28:33,000 Right, against institutions, against individuals. 362 00:28:33,000 --> 00:28:36,000 Right? These are cano all be targets. 363 00:28:43,000 --> 00:28:48,000 So now I want to talk about the politics of cyber war. 364 00:28:48,000 --> 00:28:50,000 The world is gearing up for cyber war. 365 00:28:50,000 --> 00:28:54,000 We make no mistake, you know, even as even as, you know, we go about our day, 366 00:28:54,000 --> 00:28:56,000 countries are preparing for cyber war. 367 00:28:56,000 --> 00:29:02,000 The US cyber command, as of sometime last year, became fully operational, 368 00:29:02,000 --> 00:29:04,000 whatever that actually means. 369 00:29:04,000 --> 00:29:10,000 The UK has talked a lot about this cyber capability, NATO. 370 00:29:11,000 --> 00:29:15,000 As talked about this, cyber capability, China makes a big deal in that 371 00:29:15,000 --> 00:29:19,000 doctrinal material about controlling cyber space and any broader 372 00:29:19,000 --> 00:29:22,000 conflict, other countries. 373 00:29:22,000 --> 00:29:25,000 I mean, this isn't the bad thing. 374 00:29:25,000 --> 00:29:29,000 Maybe war expands to fill all available theaters, 375 00:29:29,000 --> 00:29:33,000 land, sea, air, space, and now cyber space. 376 00:29:33,000 --> 00:29:37,000 And any future war will have a cyber space component, 377 00:29:37,000 --> 00:29:40,000 and it makes sense for countries to prepare for that. 378 00:29:40,000 --> 00:29:45,000 I mean, just as, you know, in US versus Iraq, we saw an air war 379 00:29:45,000 --> 00:29:48,000 preceding a ground war. 380 00:29:48,000 --> 00:29:52,000 You could easily see the next time the US invades somebody for a cyber war 381 00:29:52,000 --> 00:29:55,000 to precede an air war to precede a ground war. 382 00:29:55,000 --> 00:30:03,000 Right? You know, that's just, that's, that's a reasonable progression of, of attack of attacks. 383 00:30:03,000 --> 00:30:07,000 So, I mean, so countries think it would be sort of derelict in their duty as nation states, 384 00:30:07,000 --> 00:30:11,000 if they didn't have a cyber command. 385 00:30:11,000 --> 00:30:16,000 But there is, you know, in this broader cyber conflict, 386 00:30:16,000 --> 00:30:20,000 it's less clear where the defense should be. 387 00:30:20,000 --> 00:30:24,000 And there's a power struggle going on in countries over this. 388 00:30:24,000 --> 00:30:26,000 You know, I watched the United States. 389 00:30:26,000 --> 00:30:31,000 It was between the FBI and the DHS and the DOD. 390 00:30:31,000 --> 00:30:35,000 Over who controls national defense in cyberspace, 391 00:30:35,000 --> 00:30:41,000 and they were congressional hearings, and there was debate, and the DOD1. 392 00:30:41,000 --> 00:30:44,000 The FBI lost the HHS lost. 393 00:30:44,000 --> 00:30:50,000 And the US cyber command is co-located with the NSA at Fort Mead. 394 00:30:50,000 --> 00:30:57,000 The head of the US cyber command is the head of the NSA, so you kind of know who won here. 395 00:30:58,000 --> 00:31:03,000 Right? And this is a struggle for the power, for the budget, 396 00:31:03,000 --> 00:31:07,000 and the US, the DOD1. 397 00:31:07,000 --> 00:31:14,000 There's also a power struggle in government and, and corporations over who controls 398 00:31:14,000 --> 00:31:17,000 the security and critical infrastructure. 399 00:31:17,000 --> 00:31:22,000 Right now in the US, the corporations seem to have won so far. 400 00:31:22,000 --> 00:31:25,000 I don't know how long they could hold out. 401 00:31:25,000 --> 00:31:29,000 We'll talk a bit about more about that later. 402 00:31:29,000 --> 00:31:33,000 All right? There's the whole security versus privacy power struggle, 403 00:31:33,000 --> 00:31:36,000 which I, I, I, have long maintained is a red herring, 404 00:31:36,000 --> 00:31:40,000 that the real debate is liberty versus control. 405 00:31:40,000 --> 00:31:45,000 Right? And here's where the metaphors matter. 406 00:31:45,000 --> 00:31:51,000 Right? Here's where using the rule war rhetoric gets you in trouble. 407 00:31:51,000 --> 00:31:53,000 Right? Because to the police, 408 00:31:53,000 --> 00:31:57,000 we are all citizens to protect. 409 00:31:57,000 --> 00:32:03,000 To the military, we are a population to be subdued. 410 00:32:03,000 --> 00:32:09,000 Using the war metaphor reinforces the notion that we are helpless. 411 00:32:09,000 --> 00:32:11,000 Right? I mean, war doesn't think we deal with. 412 00:32:11,000 --> 00:32:14,000 We let the government deal with that. That's not our problem. 413 00:32:14,000 --> 00:32:17,000 We don't worry about it. We don't defend against it. 414 00:32:17,000 --> 00:32:21,000 Right? We just stand back and duck. 415 00:32:21,000 --> 00:32:25,000 Right? So if we use the war metaphor, we need others to protect us. 416 00:32:25,000 --> 00:32:33,000 We can't do it ourselves. And it just feeds our fears. 417 00:32:33,000 --> 00:32:39,000 And when you look at the different defense tactics being proposed in various countries 418 00:32:39,000 --> 00:32:46,000 to deal with the cyberwar threat, you see that the metaphor matters a lot. 419 00:32:46,000 --> 00:32:55,000 We just talked about the notion of military control over the internet backbone, 420 00:32:55,000 --> 00:33:04,000 over critical infrastructure like the power grid, over protocols and technologies. 421 00:33:04,000 --> 00:33:07,000 And I think about some of the wholesale surveillance we saw. 422 00:33:07,000 --> 00:33:11,000 I mean, certainly in the US, but the UK and other countries too. 423 00:33:11,000 --> 00:33:16,000 You know, while the year after December 11th, the NSA walked into the AT&T. 424 00:33:16,000 --> 00:33:21,000 The phone company's offices and said, hi, we want to eat, drop on everybody. 425 00:33:21,000 --> 00:33:24,000 And instead of the AT&T saying, you can't do that. 426 00:33:24,000 --> 00:33:29,000 That's illegal. AT&T said, sure, here, you use that closet over there. 427 00:33:29,000 --> 00:33:33,000 Just lock the door when you're done. 428 00:33:33,000 --> 00:33:40,000 Right? I mean, that's something you do in wartime, but not in peace time. 429 00:33:40,000 --> 00:33:45,000 I mean, just like during World War II, the president's United States said, 430 00:33:45,000 --> 00:33:51,000 the Chrysler stopped building cars, start building tanks, and Chrysler said yes, sir. 431 00:33:51,000 --> 00:33:55,000 Right? Because we were in nation at war. 432 00:33:55,000 --> 00:33:59,000 You never do that in peace time. 433 00:33:59,000 --> 00:34:03,000 Or some of the debates and ease-dropping facilitation. 434 00:34:03,000 --> 00:34:07,000 These debates are happening in many countries. I can talk mostly about the US. 435 00:34:07,000 --> 00:34:12,000 The United States, I think 2003, we passed a law called Calia. 436 00:34:12,000 --> 00:34:14,000 And I forget what it stands for. 437 00:34:14,000 --> 00:34:19,000 But it basically, it's a law that says the phone companies have to make phone calls, 438 00:34:19,000 --> 00:34:22,000 Eves drop, Eves drop, or friendly. 439 00:34:22,000 --> 00:34:27,000 So, throughout most of the history, the telephone industry, 440 00:34:27,000 --> 00:34:30,000 if the government, the police wanted to ease up on a phone call, 441 00:34:30,000 --> 00:34:34,000 they would drive to the phone switch, right? 442 00:34:34,000 --> 00:34:39,000 Open up the case, find the correct phone line, connect to it, 443 00:34:39,000 --> 00:34:44,000 and then, you know, with a recorder and a headset would listen. 444 00:34:44,000 --> 00:34:50,000 That work great, but with modern packets switch networks, you can't do that. 445 00:34:50,000 --> 00:34:56,000 Right? There isn't the same easy way to ease-drop this annoyed the FBI. 446 00:34:56,000 --> 00:35:02,000 They went to Congress and said, make the phone company, fix that. 447 00:35:02,000 --> 00:35:13,000 Fix that problem, varse. Congress passed a law, and now in the US, the phone switch manufacturers deliberately make their systems easy to ease-drop on. 448 00:35:13,000 --> 00:35:17,000 I think it's a massive and security they're adding, but that's the law is. 449 00:35:17,000 --> 00:35:29,000 So, last year, and last year, in this year, the FBI wants the, to extend that capability to all communication systems. 450 00:35:30,000 --> 00:35:36,000 Because more and less and less communication happens over the phone network, right? 451 00:35:36,000 --> 00:35:41,000 They're worried about Skype, basically. 452 00:35:41,000 --> 00:35:52,000 But the law is broad enough to apply to everything from Skype to email to the chat window and second life. 453 00:35:52,000 --> 00:35:59,000 Now, depending on the technology, making it even dropping friendly runs from easy to impossible. 454 00:35:59,000 --> 00:36:03,000 Maybe think about something like Gmail, that's easy. 455 00:36:03,000 --> 00:36:11,000 Right? Because the email exists in the clear-on Google servers, and the FBI can go to Google with appropriate papers and say, we want his email. 456 00:36:11,000 --> 00:36:19,000 And in fact, Google maintains an office to deal with those requests from the US and other countries. 457 00:36:19,000 --> 00:36:25,000 Right? To deal with requests from the government for the email of various people. 458 00:36:25,000 --> 00:36:34,000 They can do that now, no change required. Are you going again? They'll end the Skype where it's impossible for Skype to do that. 459 00:36:34,000 --> 00:36:44,000 Right? Your Skype call is encrypted on your machine, decrypted on the other end, and there's no place in the middle to ease-drop on. 460 00:36:44,000 --> 00:36:53,000 You can't redesign the system, you have to rip it down and build a new, less secure one in order to make that work. 461 00:36:53,000 --> 00:36:57,000 Other systems of somewhere in the middle. 462 00:36:57,000 --> 00:37:01,000 So this is not a law yet, this is still being debated. 463 00:37:01,000 --> 00:37:08,000 There is a bill, and as these things meandle through it may or may not happen. 464 00:37:08,000 --> 00:37:15,000 I've been broader debates in a lot of countries about blackberries. 465 00:37:15,000 --> 00:37:22,000 Last year, I was one of the most recently, the governments of Saudi Arabia and the United Arab Emirates set the blackberry. 466 00:37:22,000 --> 00:37:27,000 We can't use drop on this, and this is annoying us. Fix that. 467 00:37:27,000 --> 00:37:32,000 Blackberries said we can't possibly fix that, and they gave a whole bunch of reasons. 468 00:37:32,000 --> 00:37:38,000 The government of Saudi Arabia and the UAE said bullshit, it did it for Russia and China. 469 00:37:38,000 --> 00:37:40,000 India said, hey, you should do it for us too. 470 00:37:40,000 --> 00:37:46,000 And what what RIM is doing is they're, they're basically they're moving their servers around. 471 00:37:46,000 --> 00:37:54,000 The countries are less worried about corporate blackberry users and more about individual blackberry users. 472 00:37:55,000 --> 00:37:59,000 And blackberry traffic is encrypted from the handset to the first server. 473 00:37:59,000 --> 00:38:03,000 So what RIM is doing is they put a server in Saudi Arabia. 474 00:38:03,000 --> 00:38:06,000 So now the government will use drop on their stuff. 475 00:38:06,000 --> 00:38:10,000 You know they've done this for the US as well. 476 00:38:10,000 --> 00:38:22,000 Right, so here again, countries are asking technology firms to deliberately redesign their systems to make each dropping easier. 477 00:38:22,000 --> 00:38:25,000 Another tactic is the data retention laws. 478 00:38:25,000 --> 00:38:41,000 We had was the one in Germany now and they're being talked about many places forcing ISPs to save internet data on their customers that can be used to facilitate surveillance. 479 00:38:41,000 --> 00:38:49,000 Right, for what somebody's just see one year, somebody's see two years depends on the country depends on the law on the bill. 480 00:38:49,000 --> 00:38:55,000 And we have with seeing debates in the United States is debate right now on the internet on the internet kill switch. 481 00:38:55,000 --> 00:38:59,000 Right, should there be an ability, I mean, it sounds crazy when I talk about it. 482 00:38:59,000 --> 00:39:04,000 Should we design in the ability to shut the internet off? 483 00:39:04,000 --> 00:39:07,000 I mean, you know, this is the definition of dumb. 484 00:39:07,000 --> 00:39:15,000 And I don't know, you know, it's hard to tell exactly how the, the law makers are opposed wanted to work. 485 00:39:15,000 --> 00:39:22,000 I think the idea of vision is a big red button in the president's desk says, you know, stop internet now and you can press it and then it goes away. 486 00:39:22,000 --> 00:39:30,000 Or maybe as to call somebody and say, you know, press the button max. I don't know. 487 00:39:30,000 --> 00:39:38,000 Right, but you know, sort of I think a very dangerous thing, but certainly talked about and when we're seeing done in some countries either wholly or selectively. 488 00:39:38,000 --> 00:39:45,000 Sometimes they want to be able to shut off a country like you know, stop internet traffic from from this country or from that IP address. 489 00:39:45,000 --> 00:39:53,000 I mean, some of it's stuff we we sort of do normally with a political spin, some of it stuff we couldn't imagine doing. 490 00:39:53,000 --> 00:40:00,000 But we're also seeing proposals for, uh, at internet attribution laws. 491 00:40:00,000 --> 00:40:04,000 The idea is that anonymity on the internet is bad. 492 00:40:05,000 --> 00:40:13,000 And you saw this in a lot of the examples I gave about these cyber conflicts and cyber wars. We don't know who did it. We don't know who did it. We don't know. We constantly don't know who did it. 493 00:40:13,000 --> 00:40:18,000 So people say, well, I got a great idea. Let's make sure we know who did it. 494 00:40:18,000 --> 00:40:29,000 Right, but of course, you know, we, anyone here knows this is impossible. It's never going to work, but you are seeing these calls to end and an entity on the internet. 495 00:40:29,000 --> 00:40:38,000 And if we just did that, we would be able to know who the bad guys are. We just arrest them, wouldn't that be easy. If it were only true. 496 00:40:38,000 --> 00:40:45,000 But you know, changed in these debates is the notion that we are at war. 497 00:40:45,000 --> 00:40:56,000 And a lot of these measures, you know, might make sense in wartime, but they really do make us less safe in peacetime. 498 00:40:56,000 --> 00:41:06,000 So depending on the rhetoric you use and the rhetoric, the government accepts, you get a different solution space. 499 00:41:06,000 --> 00:41:11,000 Right, a different set of options become politically viable. 500 00:41:11,000 --> 00:41:18,000 And this is debate. The warmongers are winning. 501 00:41:19,000 --> 00:41:38,000 So let's talk a bit about the future of the cyber conflicts. I mean, certainly we need to be prepared for war. As I said earlier, you know, cyber command is essential that you that with that country's do need a cyber command because any war will include a cyber space components. 502 00:41:38,000 --> 00:41:45,000 And also critical is the debate on who secures critical infrastructure. 503 00:41:45,000 --> 00:41:52,000 At what point, you know, what can the market do and what does government have to do? 504 00:41:52,000 --> 00:42:05,000 And when you deal with common defense, you very regularly get market failures. This is why even libertarians agree that you need a common defense, a military police. 505 00:42:05,000 --> 00:42:13,000 So think of it, you know, they simplistic examples. So imagine a chemical company, they own a plant. It's near some population center. 506 00:42:13,000 --> 00:42:18,000 And if it explodes a bunch of bunch of people die. Right. So there's, there's a big risk there. 507 00:42:18,000 --> 00:42:28,000 The chemical company will secure that plant up to the value of it to the chemical company. 508 00:42:28,000 --> 00:42:38,000 At best, they'll secure it up to the value of the chemical company, right? Because there's no greater loss than going out of business. 509 00:42:38,000 --> 00:42:50,000 Any residual risk needs to be secured by a public institution because there's no way for the market to get there. 510 00:42:51,000 --> 00:42:58,000 Right. There isn't any mechanism to do that without government intervention. 511 00:42:58,000 --> 00:43:03,000 Now, you know, and these sort of market failures are everywhere in security. 512 00:43:03,000 --> 00:43:10,000 And depending on your politics, you might pick regulation or subsidy or government take over. I actually don't care. 513 00:43:10,000 --> 00:43:17,000 Right. That's politics. But from a security perspective, you need some government to handle that. 514 00:43:17,000 --> 00:43:24,000 And there are critical infrastructure risks that are beyond the scope of the companies that own that critical infrastructure. 515 00:43:24,000 --> 00:43:31,000 That's very clear. And the debate on how to secure these, I think, is an important one to have. 516 00:43:31,000 --> 00:43:38,000 We need discussion on the characteristics of cyber war. 517 00:43:38,000 --> 00:43:43,000 There's not a lot of thinking about what cyber war looks like. 518 00:43:43,000 --> 00:43:46,000 There's a fundamental asymmetry in cyber war. 519 00:43:46,000 --> 00:43:52,000 At some countries are naturally secure and some are naturally vulnerable. 520 00:43:52,000 --> 00:43:56,000 I think about North Korea versus the United States. 521 00:43:56,000 --> 00:43:59,000 I know if Korea has what 10 computers. 522 00:43:59,000 --> 00:44:06,000 It's really hard to attack them in cyberspace because they don't have much cyberspace. 523 00:44:06,000 --> 00:44:13,000 Compare that to the US, which relies very heavily in critical ways on cyberspace. 524 00:44:13,000 --> 00:44:20,000 The US is naturally vulnerable in cyberspace, simply because how they use it. 525 00:44:20,000 --> 00:44:28,000 And again, this isn't new. I mean, there are countries that because of their, their mountainous terrain are naturally safer against the land war, 526 00:44:28,000 --> 00:44:35,000 or because of, you know, their seaboders are naturally safer against an ocean war. 527 00:44:35,000 --> 00:44:39,000 And you know, the countries that are more vulnerable in land are on seaboders in the air. 528 00:44:39,000 --> 00:44:45,000 I mean, we already know that terrain gives countries advantages and disadvantages in different theaters. 529 00:44:45,000 --> 00:44:48,000 Cyberspace is no different. 530 00:44:48,000 --> 00:44:51,000 So there are asymmetries that are worth thinking about. 531 00:44:51,000 --> 00:44:54,000 There's the fundamental asymmetry of attack versus defense. 532 00:44:54,000 --> 00:44:58,000 That is much easier to attack than defend. 533 00:44:58,000 --> 00:45:03,000 In a lot of ways, it's similar to nuclear war. 534 00:45:03,000 --> 00:45:07,000 Right, where where the attack was everything in defense was nothing. 535 00:45:07,000 --> 00:45:09,000 That you couldn't defend. 536 00:45:09,000 --> 00:45:20,000 You know, there's whole set of doctrine based on that fact that there was no such thing as defense who was all attack. 537 00:45:20,000 --> 00:45:24,000 Deal the fact that weapons don't come with a return address. 538 00:45:24,000 --> 00:45:30,000 Right, when Israel attack Syria, the Syrians can look up, see what was painted on the back of the airplanes and say, 539 00:45:30,000 --> 00:45:33,000 oh, yeah, Israel did it. 540 00:45:33,000 --> 00:45:40,000 When I ran was attacked by Israel via Stuxnet, I ran couldn't look up anything. 541 00:45:40,000 --> 00:45:43,000 Right, they couldn't know who did it. 542 00:45:43,000 --> 00:45:48,000 Now perhaps Israel told them in some diplomatic back channel, hey, that's us, ha ha. 543 00:45:48,000 --> 00:45:51,000 Maybe they didn't. 544 00:45:51,000 --> 00:45:56,000 I mean, they could have written something in the worm that said, you know, this is Israel, ha ha. 545 00:45:56,000 --> 00:46:00,000 But, you know, of course anybody could do that, right? It's really easy to smooth that. 546 00:46:00,000 --> 00:46:08,000 You know, cyber weapons don't have the same attribution that regular weapons have. 547 00:46:08,000 --> 00:46:09,000 This is this is a problem. 548 00:46:09,000 --> 00:46:14,000 It rules of warfare state that your weapons need to be attributed, right? 549 00:46:14,000 --> 00:46:16,000 Your soldiers wear uniforms. 550 00:46:16,000 --> 00:46:20,000 Your tanks are painted, your colors. 551 00:46:20,000 --> 00:46:23,000 And this is not just so, you know, maybe it's a couple of reasons for this. 552 00:46:23,000 --> 00:46:26,000 I mean, it's an old doctrine. 553 00:46:26,000 --> 00:46:29,000 It helps prevent friendly fire, right? 554 00:46:29,000 --> 00:46:32,000 You know who is on your sides, you don't shoot them. 555 00:46:32,000 --> 00:46:44,000 It also lets the enemy know who's military and who's civilian, because wars are fought between militaries. 556 00:46:44,000 --> 00:46:50,000 And someone not uniform is a non-combatant, where someone in you form is a combatant. 557 00:46:50,000 --> 00:46:51,000 They're sort of different rules. 558 00:46:51,000 --> 00:46:56,000 This is one that raises why guerilla wars are so hard for countries. 559 00:46:56,000 --> 00:47:00,000 Because in the guerilla wars, there's no difference between combatants and non-combatants. 560 00:47:00,000 --> 00:47:01,000 It all blurs. 561 00:47:01,000 --> 00:47:04,000 And we're terrible at that. 562 00:47:04,000 --> 00:47:06,000 We don't know what to do. 563 00:47:06,000 --> 00:47:14,000 We're better off at, we're much better at fighting armies that act like armies. 564 00:47:14,000 --> 00:47:19,000 I think we need to start talking about cyber war treaties. 565 00:47:19,000 --> 00:47:22,000 There's actually an interesting book. 566 00:47:22,000 --> 00:47:25,000 It's called Cyber War, which written by Richard Clark. 567 00:47:25,000 --> 00:47:30,000 He was another cyber security adviser under President Bush. 568 00:47:30,000 --> 00:47:33,000 The first half of the, it's a tough book to talk about. 569 00:47:33,000 --> 00:47:35,000 The first half of the book is terrible. 570 00:47:35,000 --> 00:47:38,000 It's just cyber warring, hype and exaggeration. 571 00:47:38,000 --> 00:47:40,000 Don't read it. 572 00:47:40,000 --> 00:47:43,000 The second half of the book talks about treaties and things to do. 573 00:47:43,000 --> 00:47:45,000 It's great read it. 574 00:47:45,000 --> 00:47:48,000 It's a hard book to review. 575 00:47:48,000 --> 00:47:53,000 He spends a lot of time on cyber war treaties. 576 00:47:53,000 --> 00:48:00,000 How they might look, how they are similar and different to nuclear treaties, what international 577 00:48:00,000 --> 00:48:08,000 organizations might negotiate these treaties, how they might look, how they might work. 578 00:48:08,000 --> 00:48:13,000 There are examples of things you might consider under international treaties. 579 00:48:13,000 --> 00:48:15,000 No first use of cyber weapons. 580 00:48:15,000 --> 00:48:17,000 That sounds like a good one. 581 00:48:17,000 --> 00:48:20,000 A minimization of collateral damage. 582 00:48:20,000 --> 00:48:23,000 Could be something you'd want in a treaty. 583 00:48:23,000 --> 00:48:27,000 No, I haven't no attacks against civilian targets in infrastructure. 584 00:48:27,000 --> 00:48:29,000 I think that's a good idea. 585 00:48:29,000 --> 00:48:35,000 Or even better, no unnamed weapons. 586 00:48:35,000 --> 00:48:39,000 Weapons need to self-destruct the ed at the end of a conflict. 587 00:48:39,000 --> 00:48:40,000 It's a good idea. 588 00:48:40,000 --> 00:48:42,000 Stucks that actually will self-destruct. 589 00:48:42,000 --> 00:48:43,000 It's a good idea. 590 00:48:43,000 --> 00:48:44,000 It's a good idea. 591 00:48:44,000 --> 00:48:46,000 It's a good idea. 592 00:48:46,000 --> 00:48:48,000 It's a good idea. 593 00:48:48,000 --> 00:48:50,000 It's a good idea. 594 00:48:50,000 --> 00:48:52,000 It's a good idea. 595 00:48:52,000 --> 00:48:53,000 It's a good idea. 596 00:48:53,000 --> 00:48:54,000 It's a good idea. 597 00:48:54,000 --> 00:48:56,000 It's a good idea. 598 00:48:56,000 --> 00:48:57,000 It's a good idea. 599 00:48:57,000 --> 00:48:58,000 It's a good idea. 600 00:48:58,000 --> 00:48:59,000 It's a good idea. 601 00:48:59,000 --> 00:49:00,000 It's a good idea. 602 00:49:00,000 --> 00:49:01,000 It's a good idea. 603 00:49:01,000 --> 00:49:02,000 It's a good idea. 604 00:49:02,000 --> 00:49:03,000 It's a good idea. 605 00:49:03,000 --> 00:49:04,000 It's a good idea. 606 00:49:04,000 --> 00:49:05,000 It's a good idea. 607 00:49:05,000 --> 00:49:06,000 It's a good idea. 608 00:49:06,000 --> 00:49:07,000 It's a good idea. 609 00:49:07,000 --> 00:49:08,000 It's a good idea. 610 00:49:08,000 --> 00:49:09,000 It's a good idea. 611 00:49:09,000 --> 00:49:10,000 It's a good idea. 612 00:49:10,000 --> 00:49:11,000 It's a good idea. 613 00:49:11,000 --> 00:49:12,000 It's a good idea. 614 00:49:12,000 --> 00:49:13,000 It's a good idea. 615 00:49:13,000 --> 00:49:14,000 It's a good idea. 616 00:49:14,000 --> 00:49:15,000 It's a good idea. 617 00:49:15,000 --> 00:49:17,000 It's a good idea. 618 00:49:17,000 --> 00:49:19,000 It's a good idea. 619 00:49:19,000 --> 00:49:20,000 It's a good idea. 620 00:49:20,000 --> 00:49:21,000 It's a good idea. 621 00:49:21,000 --> 00:49:22,000 It's a good idea. 622 00:49:22,000 --> 00:49:23,000 It's a good idea. 623 00:49:23,000 --> 00:49:24,000 It's a good idea. 624 00:49:24,000 --> 00:49:25,000 It's a good idea. 625 00:49:25,000 --> 00:49:26,000 It's a good idea. 626 00:49:26,000 --> 00:49:27,000 It's a good idea. 627 00:49:27,000 --> 00:49:28,000 It's a good idea. 628 00:49:28,000 --> 00:49:29,000 It's a good idea. 629 00:49:29,000 --> 00:49:30,000 It's a good idea. 630 00:49:30,000 --> 00:49:31,000 It's a good idea. 631 00:49:31,000 --> 00:49:32,000 It's a good idea. 632 00:49:32,000 --> 00:49:33,000 It's a good idea. 633 00:49:33,000 --> 00:49:34,000 It's a good idea. 634 00:49:34,000 --> 00:49:35,000 It's a good idea. 635 00:49:35,000 --> 00:49:36,000 It's a good idea. 636 00:49:36,000 --> 00:49:37,000 It's a good idea. 637 00:49:37,000 --> 00:49:38,000 It's a good idea. 638 00:49:38,000 --> 00:49:39,000 It's a good idea. 639 00:49:39,000 --> 00:49:40,000 It's a good idea. 640 00:49:40,000 --> 00:49:41,000 It's a good idea. 641 00:49:41,000 --> 00:49:42,000 It's a good idea. 642 00:49:42,000 --> 00:49:43,000 It's a good idea. 643 00:49:43,000 --> 00:49:44,000 It's a good idea. 644 00:49:44,000 --> 00:49:45,000 It's a good idea. 645 00:49:45,000 --> 00:49:46,000 It's a good idea. 646 00:49:46,000 --> 00:49:48,000 It's a good idea. 647 00:49:48,000 --> 00:49:49,000 It's a good idea. 648 00:49:49,000 --> 00:49:50,000 It's a good idea. 649 00:49:50,000 --> 00:49:51,000 It's a good idea. 650 00:49:51,000 --> 00:49:52,000 It's a good idea. 651 00:49:52,000 --> 00:49:53,000 It's a good idea. 652 00:49:53,000 --> 00:49:54,000 It's a good idea. 653 00:49:54,000 --> 00:49:55,000 It's a good idea. 654 00:49:55,000 --> 00:49:56,000 It's a good idea. 655 00:49:56,000 --> 00:49:57,000 It's a good idea. 656 00:49:57,000 --> 00:49:58,000 It's a good idea. 657 00:49:58,000 --> 00:49:59,000 It's a good idea. 658 00:49:59,000 --> 00:50:00,000 It's a good idea. 659 00:50:00,000 --> 00:50:01,000 It's a good idea. 660 00:50:01,000 --> 00:50:02,000 It's a good idea. 661 00:50:02,000 --> 00:50:03,000 It's a good idea. 662 00:50:03,000 --> 00:50:04,000 It's a good idea. 663 00:50:04,000 --> 00:50:05,000 It's a good idea. 664 00:50:05,000 --> 00:50:06,000 It's a good idea. 665 00:50:06,000 --> 00:50:07,000 It's a good idea. 666 00:50:07,000 --> 00:50:08,000 It's a good idea. 667 00:50:08,000 --> 00:50:09,000 It's a good idea. 668 00:50:09,000 --> 00:50:10,000 It's a good idea. 669 00:50:10,000 --> 00:50:11,000 It's a good idea. 670 00:50:11,000 --> 00:50:12,000 It's a good idea. 671 00:50:12,000 --> 00:50:13,000 It's a good idea. 672 00:50:13,000 --> 00:50:14,000 It's a good idea. 673 00:50:14,000 --> 00:50:15,000 It's a good idea. 674 00:50:15,000 --> 00:50:16,000 It's a good idea. 675 00:50:16,000 --> 00:50:17,000 It's a good idea. 676 00:50:17,000 --> 00:50:18,000 It's a good idea. 677 00:50:18,000 --> 00:50:19,000 It's a good idea. 678 00:50:19,000 --> 00:50:20,000 It's a good idea. 679 00:50:20,000 --> 00:50:21,000 It's a good idea. 680 00:50:21,000 --> 00:50:22,000 It's a good idea. 681 00:50:22,000 --> 00:50:23,000 It's a good idea. 682 00:50:23,000 --> 00:50:24,000 It's a good idea. 683 00:50:24,000 --> 00:50:25,000 It's a good idea. 684 00:50:25,000 --> 00:50:26,000 It's a good idea. 685 00:50:26,000 --> 00:50:27,000 It's a good idea. 686 00:50:27,000 --> 00:50:28,000 It's a good idea. 687 00:50:28,000 --> 00:50:29,000 It's a good idea. 688 00:50:29,000 --> 00:50:30,000 It's a good idea. 689 00:50:30,000 --> 00:50:31,000 It's a good idea. 690 00:50:31,000 --> 00:50:32,000 It's a good idea. 691 00:50:32,000 --> 00:50:33,000 It's a good idea. 692 00:50:33,000 --> 00:50:34,000 It's a good idea. 693 00:50:34,000 --> 00:50:35,000 It's a good idea. 694 00:50:35,000 --> 00:50:36,000 It's a good idea. 695 00:50:36,000 --> 00:50:40,000 We are right now in the early years of a cyberwar arms race. 696 00:50:40,000 --> 00:50:45,000 I don't think that's good for anybody. 697 00:50:45,000 --> 00:50:50,000 And remember, it fuels an arms race as ignorance. 698 00:50:50,000 --> 00:50:53,000 I don't know what you're doing. 699 00:50:53,000 --> 00:50:57,000 I assume the worst and respond accordingly. 700 00:50:57,000 --> 00:50:59,000 You don't know what I'm doing. 701 00:50:59,000 --> 00:51:03,000 You have to assume the worst and respond accordingly. 702 00:51:03,000 --> 00:51:10,000 And then that keeps going until we have a lot of 10,000 nuclear warheads each. 703 00:51:10,000 --> 00:51:17,000 So anything that dampens, the cyberwar arms race is a good thing. 704 00:51:17,000 --> 00:51:23,600 Even something as simple as a hotline between different cyber commands, especially if we're 705 00:51:23,600 --> 00:51:25,600 sorry to see non-nation state actors. 706 00:51:25,600 --> 00:51:30,600 It'd be great if the US cyber command called the Russian cyber commands say, hey, is that you? 707 00:51:30,600 --> 00:51:31,600 And Russian can say, no, that's not us. 708 00:51:31,600 --> 00:51:32,600 I don't know what is either. 709 00:51:32,600 --> 00:51:34,600 And they have a little conversation. 710 00:51:34,600 --> 00:51:41,200 But that sounds like it could be valuable in dealing with the non-nation state actors that 711 00:51:41,200 --> 00:51:49,400 are going to definitely going to start popping up with these cyberwar capabilities. 712 00:51:49,400 --> 00:51:54,600 We also need to decide what an offensive action is in cyber space. 713 00:51:54,600 --> 00:51:57,600 And there's a gamut of actions, right? 714 00:51:57,600 --> 00:51:59,600 So from benign to definitely offensive, right? 715 00:51:59,600 --> 00:52:00,600 There's defending yourself. 716 00:52:00,600 --> 00:52:02,600 I mean, we know that's okay. 717 00:52:02,600 --> 00:52:06,600 Eves dropping, you know, a little offensive, but it's been happening for a century. 718 00:52:06,600 --> 00:52:08,200 This is not going to stop. 719 00:52:08,200 --> 00:52:11,200 So that's certainly allowed in peace time. 720 00:52:11,200 --> 00:52:12,600 Building up attack capabilities. 721 00:52:12,600 --> 00:52:15,600 You know, I guess building weapons is okay. 722 00:52:15,600 --> 00:52:19,600 Getting across in the line is something called preparing the battlefield. 723 00:52:19,600 --> 00:52:26,080 And this is a doctrine by which you can go into a potential enemies terrain and not do 724 00:52:26,080 --> 00:52:32,080 offensive things, but prepare for doing offensive things, right? 725 00:52:32,080 --> 00:52:37,680 Reconnaissance occasionally leaving caches of supplies under the doctrine of preparing 726 00:52:37,680 --> 00:52:40,280 the battlefield. 727 00:52:40,280 --> 00:52:44,880 We pretty much know that both the US and China have been infiltrating each other's networks 728 00:52:44,880 --> 00:52:47,880 and leaving logic bombs. 729 00:52:47,880 --> 00:52:52,480 Not detonating them, but leaving them there. 730 00:52:52,480 --> 00:52:56,880 This feels bad to me. 731 00:52:56,880 --> 00:53:01,760 If you were told that some other country, you know, walked into your capital city and buried 732 00:53:01,760 --> 00:53:05,880 some bombs places, you'd be annoyed, right? 733 00:53:05,880 --> 00:53:07,680 You'd say, that's not okay. 734 00:53:07,680 --> 00:53:09,200 You can't do that. 735 00:53:09,200 --> 00:53:11,400 We are doing that in cyberspace. 736 00:53:11,400 --> 00:53:13,000 There's risks here. 737 00:53:13,000 --> 00:53:14,000 Right? 738 00:53:14,000 --> 00:53:16,480 There's risk something goes off on it unintentionally. 739 00:53:16,480 --> 00:53:20,120 There's risks things go out of hand. 740 00:53:20,120 --> 00:53:24,560 Not only is it bad policy, I think it's dangerous policy. 741 00:53:24,560 --> 00:53:29,120 Then over here in our benign to offensive actions are things like stockstead, which are definitely 742 00:53:29,120 --> 00:53:38,880 offensive, which certainly by any reasonable definition would be considered an act of war. 743 00:53:38,880 --> 00:53:44,440 We decide where the line is, then what's an offensive action. 744 00:53:44,440 --> 00:53:48,720 And also we need to decide what the rules of engagement are in cyberspace. 745 00:53:48,720 --> 00:53:53,040 And without all those treaties, we need to decide what's allowed and what isn't. 746 00:53:53,040 --> 00:53:55,760 What's fair in the war and what isn't. 747 00:53:55,760 --> 00:53:57,960 We don't actually know. 748 00:53:57,960 --> 00:54:00,480 We don't have these definitions. 749 00:54:00,480 --> 00:54:04,880 We also need to decide at what level in the command structure should these assures as 750 00:54:04,880 --> 00:54:05,880 me made? 751 00:54:05,880 --> 00:54:11,880 I mean, right now in the United States, it was Seymour Hershey's written about this extensively, 752 00:54:11,880 --> 00:54:16,360 that cyber war decisions like preparing the battlefield, leaving logic bombs, are being 753 00:54:16,360 --> 00:54:20,320 made at far too low level in the command structure. 754 00:54:20,320 --> 00:54:25,200 Then in fact, these things are internationally dangerous enough that they should be made 755 00:54:25,200 --> 00:54:30,240 by the US president not by some bird kernel. 756 00:54:30,240 --> 00:54:35,000 And that is destabilizing to have these decisions being made at a low level. 757 00:54:35,000 --> 00:54:39,160 Certainly, I think we need conversations about this internationally. 758 00:54:39,160 --> 00:54:43,240 So we know what the level is as it is being made. 759 00:54:43,280 --> 00:54:46,000 We need to understand cyber mercenaries. 760 00:54:46,000 --> 00:54:49,120 My mercenary is just to be really popular with armies. 761 00:54:49,120 --> 00:54:53,160 They kind of without a vote in the beginning of the last century. 762 00:54:53,160 --> 00:54:56,280 But in cyberspace, they're coming back. 763 00:54:56,280 --> 00:55:02,240 And whether it's true recruitment of mercenaries or false flag recruitment, a lot of these 764 00:55:02,240 --> 00:55:10,880 cyber weapon capabilities are being contracted out. 765 00:55:10,880 --> 00:55:15,640 And we really need to figure out how deal with non-state actors. 766 00:55:15,640 --> 00:55:19,960 And the gamut from kids playing politics to terrorists. 767 00:55:19,960 --> 00:55:25,160 This is only going to get worse as more of these capabilities get further diffused in the 768 00:55:25,160 --> 00:55:30,960 population, as things get easier. 769 00:55:30,960 --> 00:55:35,960 Right, we need to think about defense and I think it's a discussion about resilience. 770 00:55:36,880 --> 00:55:41,880 That we need resilience in cyberspace. 771 00:55:41,880 --> 00:55:44,720 And mostly, I think we need to stop feeding our fears. 772 00:55:44,720 --> 00:55:48,000 Right, there are risks here, but they're not new, they're not unprecedented. 773 00:55:48,000 --> 00:55:51,400 The things we've dealt with before, the things we can deal with. 774 00:55:51,400 --> 00:55:56,360 And we need a lot of adult conversation about it. 775 00:55:56,360 --> 00:55:57,640 So that's my talk. 776 00:55:57,640 --> 00:55:59,120 I'm happy to take questions. 777 00:55:59,120 --> 00:56:07,280 You can't leave yet, you might as well ask questions. 778 00:56:07,280 --> 00:56:10,960 The food's not ready. 779 00:56:10,960 --> 00:56:24,040 So I'm going to start, yes. 780 00:56:24,040 --> 00:56:25,040 We'll be cyber terrorism. 781 00:56:25,040 --> 00:56:29,920 I mean, right now, I think it's largely a medium-ith. 782 00:56:29,920 --> 00:56:37,200 Because my terrorists want to kill people and you just annoy people. 783 00:56:37,200 --> 00:56:41,400 You can imagine, I always think the story I think of has been ladden in this cave, and 784 00:56:41,400 --> 00:56:45,240 as associate says, I know the next attack against the Great American Satan, we're going 785 00:56:45,240 --> 00:56:46,560 to take down their email. 786 00:56:46,560 --> 00:56:48,760 It belongs going to slap the guy. 787 00:56:48,760 --> 00:56:49,760 No. 788 00:56:50,760 --> 00:56:52,960 If I can get my email, that's a holiday. 789 00:56:52,960 --> 00:56:55,880 I'm not terrorized. 790 00:56:55,880 --> 00:56:57,400 I'm annoyed and inconvenienced. 791 00:56:57,400 --> 00:56:59,000 Maybe I'm happy. 792 00:56:59,000 --> 00:57:02,600 Yeah, I mean, we know this because occasionally, these things have maximum. 793 00:57:02,600 --> 00:57:06,760 A bunch of years ago, a US communication satellite was down for a while because of a bad 794 00:57:06,760 --> 00:57:07,960 software upgrade. 795 00:57:07,960 --> 00:57:10,520 Nobody was terrorized. 796 00:57:10,520 --> 00:57:13,520 So, well, certainly there's a potential cyber terrorism. 797 00:57:13,520 --> 00:57:15,320 And it probably will be more in the future. 798 00:57:15,320 --> 00:57:17,120 I think right now it's a medium-ith. 799 00:57:17,120 --> 00:57:23,200 But yes, in terms of the broader cyber conflicts, it's something you have to think 800 00:57:23,200 --> 00:57:24,200 about. 801 00:57:24,200 --> 00:57:33,840 I think it's different, but yeah. 802 00:57:33,840 --> 00:57:39,040 Sure, I mean, yeah, I mean, it makes a great movie. 803 00:57:39,040 --> 00:57:41,040 So think about 9-11. 804 00:57:41,040 --> 00:57:45,280 I don't know, I actually actually have an example of this because when the Trintower's 805 00:57:45,280 --> 00:57:50,560 collapse, they collapsed on one of the New York City's biggest phone switches. 806 00:57:50,560 --> 00:57:54,520 So you can imagine a cyber attack that would take down the phone network as a precursor 807 00:57:54,520 --> 00:57:55,520 or something else. 808 00:57:55,520 --> 00:58:00,400 And whenever, and thinks about 9-11, no one says, oh my god, and then with the phone network 809 00:58:00,400 --> 00:58:01,400 dropped, right? 810 00:58:01,400 --> 00:58:05,800 It doesn't even make the radar of atrocities. 811 00:58:05,800 --> 00:58:08,400 So I just don't see it as terror. 812 00:58:08,400 --> 00:58:10,840 I mean, yeah, we can invent all these complicated stories. 813 00:58:10,840 --> 00:58:14,960 But honestly, they're going to drive a truck bomb into a building because that's what 814 00:58:15,000 --> 00:58:15,960 works. 815 00:58:15,960 --> 00:58:21,400 So you drop the emergency phone network, too. 816 00:58:21,400 --> 00:58:24,720 It's in the noise. 817 00:58:24,720 --> 00:58:25,720 But that'll change, right? 818 00:58:25,720 --> 00:58:29,920 This is a matter of time before someone can do real damage in a cyber space. 819 00:58:29,920 --> 00:58:33,400 So have the conversation now as valuable. 820 00:58:33,400 --> 00:58:37,000 There's a question over there. 821 00:58:37,000 --> 00:58:38,000 Sorry? 822 00:58:38,000 --> 00:58:41,320 Well, we see that. 823 00:58:41,360 --> 00:58:43,760 So right, we see it in Japan. 824 00:58:43,760 --> 00:58:45,400 We saw attack-in-stereactors. 825 00:58:45,400 --> 00:58:48,200 2003 and the United States. 826 00:58:48,200 --> 00:58:52,640 There was a large blackout in the Northeast Quadrant and the Southeast Quadrant of Canada. 827 00:58:52,640 --> 00:58:53,640 These things happen. 828 00:58:53,640 --> 00:58:55,640 The taxidermit structures happen all the time. 829 00:58:55,640 --> 00:58:57,920 They're not common, but they're regular. 830 00:58:57,920 --> 00:59:02,280 And again, they're not really terror. 831 00:59:02,280 --> 00:59:07,040 I mean, what's happening to me right now is crossing into terror. 832 00:59:07,040 --> 00:59:10,920 But it is such a large-scale attack that you couldn't possibly do that. 833 00:59:10,920 --> 00:59:13,640 You know, humans, humans couldn't have done that. 834 00:59:13,640 --> 00:59:20,360 You know, it was just such a powerful force that that caused all that damage. 835 00:59:20,360 --> 00:59:25,200 But you know, when you think about even a taxidermit structure, they happen regularly 836 00:59:25,200 --> 00:59:26,600 by accident. 837 00:59:26,600 --> 00:59:28,440 So we know how to deal with them. 838 00:59:28,440 --> 00:59:32,000 We know their effects and people just aren't terrorized. 839 00:59:32,000 --> 00:59:36,720 I mean, the blackout in the US was really annoying. 840 00:59:36,720 --> 00:59:38,560 That's as far as a gap. 841 00:59:38,560 --> 00:59:40,000 And yes, they would cost money. 842 00:59:40,000 --> 00:59:42,720 And yes, some people died. 843 00:59:42,720 --> 00:59:44,280 This is what happens. 844 00:59:44,280 --> 00:59:45,360 Now I live in Minneapolis. 845 00:59:45,360 --> 00:59:49,480 We had a bridge collapse several years ago. 846 00:59:49,480 --> 00:59:50,520 You know, people died. 847 00:59:50,520 --> 00:59:54,080 You could imagine the terrorist blowing up that bridge. 848 00:59:54,080 --> 00:59:59,760 You know, the terror is much where our reaction and the thing itself. 849 00:59:59,760 --> 01:00:00:00,600 Which I think is interesting. 850 01:00:01,600 --> 01:00:05,520 As a hand, I see a hand way back there. 851 01:00:05,520 --> 01:00:06,800 But I'm not going to be able to hear you. 852 01:00:06,800 --> 01:00:07,520 This is the problem. 853 01:00:07,520 --> 01:00:09,520 A question about this. 854 01:00:09,520 --> 01:00:10,520 Oh, wow. 855 01:00:10,520 --> 01:00:15,160 I've just been able to read all of my things for a while. 856 01:00:15,160 --> 01:00:32,440 I mean, really, this is a talk about everything but crime. 857 01:00:32,440 --> 01:00:38,080 You think about this is really a talk about non-financialy-motivated attacks. 858 01:00:38,080 --> 01:00:39,800 You add financial in. 859 01:00:39,800 --> 01:00:42,480 And again, it's the same tactics, the same defenses. 860 01:00:42,480 --> 01:00:45,080 A lot of what I'm saying applies. 861 01:00:45,080 --> 01:00:50,200 And most of what governments have been dealing with in cyberspace are financially 862 01:00:50,200 --> 01:00:56,320 motivated attacks and ranging from loan criminals to very organized crime. 863 01:00:56,320 --> 01:01:00,840 And there are the same issues, the same problems, the same international issues. 864 01:01:00,840 --> 01:01:07,640 And I think definitely pretty much everything I said applies, although you tend to get 865 01:01:07,640 --> 01:01:13,240 attackers that are easier to deflect. 866 01:01:13,240 --> 01:01:16,800 Because I want to rob a bank, I don't care which bank. 867 01:01:16,800 --> 01:01:21,360 We're politically motivated attackers tend to be more focused. 868 01:01:21,360 --> 01:01:26,320 And I think that's an important difference that we've largely ignored as we've built 869 01:01:26,320 --> 01:01:28,240 security and structures against crime. 870 01:01:28,240 --> 01:01:34,600 But I think there is the whole spectrum when you look at financially motivated attackers. 871 01:01:34,600 --> 01:01:40,160 You know, politically motivated attackers are closer to the hackers of old. 872 01:01:40,200 --> 01:01:44,480 Who are doing it for, you know, bragging rights or to see if they could. 873 01:01:44,480 --> 01:01:50,240 I mean, it's much closer to that with the normal financial incentives, 874 01:01:50,240 --> 01:01:56,280 tend not to work because the attackers aren't influenced by them in the same way you'd expect. 875 01:02:00,280 --> 01:02:01,920 See a hand over there and then over there. 876 01:02:01,920 --> 01:02:02,920 So you first. 877 01:02:02,920 --> 01:02:12,360 It's definitely true as a lot of psychological experiments that bear that out. 878 01:02:12,360 --> 01:02:18,480 It's no no, we'll logical reason. 879 01:02:18,480 --> 01:02:19,840 But we fear. 880 01:02:19,840 --> 01:02:24,840 You know, I think it's definitely true. 881 01:02:24,840 --> 01:02:29,360 It's definitely true as a lot of psychological experiments that bear that out. 882 01:02:29,400 --> 01:02:31,560 It's no no, we'll logical reason. 883 01:02:31,560 --> 01:02:36,320 But we fear a tax from humans much more than natural attacks, 100% true. 884 01:02:36,320 --> 01:02:38,080 And animals are actually in the middle. 885 01:02:38,080 --> 01:02:46,400 Like bear attacks are half a scary as people and then they're more scary than natural disasters. 886 01:02:46,400 --> 01:02:51,480 Although, you know, tsunami in Japan means you really think Gamera and you know, 887 01:02:51,480 --> 01:02:54,520 who knows what's going on there, right? 888 01:02:54,520 --> 01:02:56,000 Just hand over here. 889 01:02:59,440 --> 01:03:03,440 Not just attacking, but at least one of physical attacks. 890 01:03:03,440 --> 01:03:05,440 And let's just have that in some space. 891 01:03:05,440 --> 01:03:10,280 And the difference in the data or the value of the people can come up. 892 01:03:10,280 --> 01:03:15,280 So going back to the beginning of the police, the crowd reports. 893 01:03:15,280 --> 01:03:17,120 Yeah, this is a real problem. 894 01:03:17,120 --> 01:03:19,760 And then it's not the end. 895 01:03:19,760 --> 01:03:24,160 It's actually also something because people aren't come to this software. 896 01:03:24,160 --> 01:03:25,360 Take it first. 897 01:03:25,360 --> 01:03:26,720 So why is it not here? 898 01:03:26,720 --> 01:03:27,680 It's quite linear. 899 01:03:28,240 --> 01:03:29,600 And it's actually it's more general than that. 900 01:03:29,600 --> 01:03:34,160 That that threats you can't see are scary and threats you can see. 901 01:03:34,160 --> 01:03:35,440 And it's not just cyberspace. 902 01:03:35,440 --> 01:03:40,160 It's like, you know, threats in the air, radiation because you can't see it is scarier. 903 01:03:40,160 --> 01:03:46,000 I mean, the great psychological studies on what people fear and not being able to see the threat 904 01:03:46,000 --> 01:03:47,280 makes it scarier. 905 01:03:47,280 --> 01:03:51,120 So yes, cyberspace threats are scary because it goes through their unknown, 906 01:03:51,120 --> 01:03:55,360 right, their science fiction, they're, you can't understand them. 907 01:03:55,440 --> 01:03:58,640 Whereas, you know, a lion you can see, that's a lion. 908 01:03:58,640 --> 01:03:59,280 I'm scared of it. 909 01:03:59,280 --> 01:04:01,440 Where you know what it is. 910 01:04:01,440 --> 01:04:03,520 Cyberspace threats are more nebulous. 911 01:04:03,520 --> 01:04:06,560 I think that's that's certainly that's definitely true. 912 01:04:06,560 --> 01:04:09,040 But it boogie men's a good example, right? 913 01:04:09,040 --> 01:04:13,520 You know, because we don't know we tend to fill in. 914 01:04:13,520 --> 01:04:18,400 And especially with, you know, some of the media hype, it's easy to to exaggerate. 915 01:04:20,400 --> 01:04:23,040 You know, the hackers can take down the internet. 916 01:04:23,040 --> 01:04:23,840 Great exaggeration. 917 01:04:26,320 --> 01:04:28,480 See a hand way back there. 918 01:04:29,440 --> 01:04:31,520 You must also be a loud speaker. 919 01:04:31,760 --> 01:04:32,640 Oh, yeah. 920 01:04:32,640 --> 01:04:34,640 So, I'm really looking at these issues. 921 01:04:34,640 --> 01:04:39,680 I think that, I think that, I don't know what it's like to take down the internet. 922 01:04:39,680 --> 01:04:41,040 Do you have a problem with that? 923 01:04:41,040 --> 01:04:43,280 Because take it all out of the internet. 924 01:04:43,280 --> 01:04:45,680 So, the information that makes it difficult, right? 925 01:04:45,680 --> 01:04:46,640 There's a reason. 926 01:04:46,640 --> 01:04:50,640 And so, they would have a much more time to send me a little more information. 927 01:04:50,640 --> 01:04:54,640 And they will take the people to the internet. 928 01:04:54,640 --> 01:04:55,440 I think that's true. 929 01:04:55,440 --> 01:04:56,640 I certainly think that. 930 01:04:56,640 --> 01:05:00,000 And if you build in a kill switch, I mean, as soon as you build a, 931 01:05:00,960 --> 01:05:03,520 a deliberate capability to shut down the internet, 932 01:05:03,520 --> 01:05:06,080 you invite the bad guys to use a capability. 933 01:05:06,960 --> 01:05:09,440 I mean, it's probably, you know, if we build that, 934 01:05:09,440 --> 01:05:12,640 it's in sort of an assumption by lawmakers who propose this, 935 01:05:12,640 --> 01:05:14,960 that only the good guys can push the button. 936 01:05:16,000 --> 01:05:17,760 I don't know why they assume that. 937 01:05:19,120 --> 01:05:19,360 Right? 938 01:05:19,360 --> 01:05:20,720 Because you got a button there, 939 01:05:21,360 --> 01:05:24,000 or it takes a spoofing a good guy and you push the button. 940 01:05:24,000 --> 01:05:26,400 And so, it sort of makes the bad guys job easier. 941 01:05:27,360 --> 01:05:30,080 So, yes, I'm definitely not a fan of an air kill switch. 942 01:05:30,080 --> 01:05:32,240 I think it should be a negative internet kill switch. 943 01:05:33,440 --> 01:05:34,400 So, hand there first. 944 01:05:34,400 --> 01:05:59,520 It's gotten less terrifying, but the careful way the careful way it doesn't say how electricity works, 945 01:06:00,080 --> 01:06:01,600 or how car works. 946 01:06:02,000 --> 01:06:06,640 They know how it works, and they know how the interface works. 947 01:06:06,640 --> 01:06:11,040 They just know that behind the scenes is a lot going on that they don't quite get. 948 01:06:11,920 --> 01:06:18,320 So, I might know how a car works even though an open the engine looks completely far into me. 949 01:06:18,960 --> 01:06:22,160 Or I know that I could, how the lights which work in my house, 950 01:06:22,160 --> 01:06:24,000 even though I don't know nothing about power generation. 951 01:06:25,200 --> 01:06:28,160 So, what technology does is it hides complexity, 952 01:06:28,320 --> 01:06:31,280 and people get used to and carval with their metaphors. 953 01:06:32,080 --> 01:06:34,080 But when those metaphors get ripped open, 954 01:06:34,640 --> 01:06:38,800 that people realize how ignorant they actually are, 955 01:06:38,800 --> 01:06:39,840 and then they get more scared. 956 01:06:40,560 --> 01:06:46,000 So, you know, there's a veil that's a convenient veil that allows people to be comfortable. 957 01:06:46,720 --> 01:06:48,080 And that's sort of the way it works. 958 01:06:48,400 --> 01:06:50,720 So, a hand was this way, so I'm then you. 959 01:06:50,720 --> 01:06:51,360 Sorry, you're. 960 01:06:58,240 --> 01:07:06,080 You know, I don't, I just read an article like last week that said in the US credit card fraud, 961 01:07:06,080 --> 01:07:10,080 that is as lowest point in 10 years, which surprised me, 962 01:07:10,960 --> 01:07:13,520 because I had always believed it was increasing. 963 01:07:15,200 --> 01:07:18,320 So, I have to say right now, I don't know. 964 01:07:19,440 --> 01:07:21,600 I don't think there's a lot of hype, 965 01:07:21,600 --> 01:07:26,720 they think there's anti-hype, because these are desperately wants you to believe it's safe. 966 01:07:27,600 --> 01:07:29,760 The merchants want you to believe it's safe. 967 01:07:29,760 --> 01:07:33,840 Nobody except maybe, you know, the security companies want to hype it. 968 01:07:34,800 --> 01:07:37,120 So, there's a lot of pressure to keep the hype down. 969 01:07:39,840 --> 01:07:44,400 But I have to say that actually don't know whether it's increasing degrees. 970 01:07:44,400 --> 01:07:48,080 And my guess is increasing because it's actually quite profitable, but maybe I'm wrong. 971 01:07:50,560 --> 01:07:51,840 So, I have your down here. 972 01:07:53,120 --> 01:07:54,640 He doesn't have the shout. 973 01:07:57,360 --> 01:08:02,320 I don't think it would be like me to actually have everyone go to IPv6. 974 01:08:04,320 --> 01:08:07,840 The question is, you can just put in a kill switch in IPv6. 975 01:08:08,960 --> 01:08:13,520 I'm not saying that you can't as a switch as a telco, 976 01:08:13,520 --> 01:08:15,920 as a company, shut off parts of the net. 977 01:08:15,920 --> 01:08:19,040 And I refuse to get traffic from this set of IP addresses, 978 01:08:19,600 --> 01:08:22,000 or for these protocols, or for this day. 979 01:08:22,000 --> 01:08:23,360 I mean, you can do that. 980 01:08:23,360 --> 01:08:27,280 But the question is, should countries be allowed to do it, 981 01:08:27,840 --> 01:08:29,920 should third parties be able to do it? 982 01:08:30,480 --> 01:08:32,640 So, it's not the phone company saying, 983 01:08:32,960 --> 01:08:34,560 this traffic danger is I'm going to shut it down. 984 01:08:34,560 --> 01:08:36,480 It's someone else telling the phone company, 985 01:08:36,480 --> 01:08:37,840 hey, you have to do that. 986 01:08:38,320 --> 01:08:40,560 And that's where I think the danger is. 987 01:08:41,200 --> 01:08:44,800 But yes, as a receiver of an in a traffic, 988 01:08:44,800 --> 01:08:47,280 you can block pieces of it, right? 989 01:08:47,280 --> 01:08:49,200 You can block it all, that's fine. 990 01:08:50,160 --> 01:08:53,680 And wouldn't you think that politicians, for example, 991 01:08:53,680 --> 01:08:57,440 know how easy it is, would demand a new week? 992 01:08:57,840 --> 01:09:00,240 Well, you know, some are demanding in some aren't. 993 01:09:00,640 --> 01:09:02,080 But we'll see how it goes, right? 994 01:09:02,880 --> 01:09:06,240 And right now in the US, and I just heard this, 995 01:09:06,240 --> 01:09:09,200 that the bill, manning in a kill switch has been rewritten 996 01:09:09,200 --> 01:09:10,560 to prohibiting the internet kill switch. 997 01:09:11,600 --> 01:09:14,720 Because they just put a big not operator in front of the law, and we're done. 998 01:09:14,720 --> 01:09:16,880 I mean, I don't know, I don't know how this works. 999 01:09:17,680 --> 01:09:22,080 So, it's a lot of things can happen as we go through legislative processes. 1000 01:09:22,080 --> 01:09:23,120 It's the moral. 1001 01:09:23,760 --> 01:09:25,200 So a hand back there, yes. 1002 01:09:31,440 --> 01:09:34,080 Well, I mean, we know about how to defend against all the surface of the tax. 1003 01:09:34,080 --> 01:09:36,880 I mean, there are companies that that's sell no surface protection. 1004 01:09:36,880 --> 01:09:38,640 I mean, we know how this works. 1005 01:09:39,680 --> 01:09:42,240 You need a bigger pipe than the attacker, and you can survive. 1006 01:09:43,280 --> 01:09:44,880 This is how we defend. 1007 01:09:44,960 --> 01:09:46,000 So there's nothing new here. 1008 01:09:48,000 --> 01:09:49,680 We just have to defend ourselves. 1009 01:09:51,200 --> 01:09:55,040 And in the worst case, you know, you'll lose and you get shut down for a little while. 1010 01:09:55,040 --> 01:09:55,920 Like, that's happened, too. 1011 01:09:57,040 --> 01:10:00,640 I mean, you know, and countries companies survive. 1012 01:10:01,040 --> 01:10:02,560 Right, Amazon's been a victim's scene. 1013 01:10:02,560 --> 01:10:04,080 It's been a victim. They're all, okay. 1014 01:10:05,200 --> 01:10:07,360 You lose some revenue, but maybe maybe not. 1015 01:10:08,480 --> 01:10:10,480 No, we seem to have learned from a lot of these now, 1016 01:10:10,480 --> 01:10:15,040 service attacks that that the revenue tends not to be lost, but displaced. 1017 01:10:16,400 --> 01:10:20,560 That if you get it, someone can't get to the Amazon website. 1018 01:10:20,560 --> 01:10:24,320 They're more likely to buy their book tomorrow than to go to a competitors website. 1019 01:10:25,280 --> 01:10:28,160 I mean, some business is lost, but less than you'd think. 1020 01:10:31,200 --> 01:10:33,280 So a hand closer to the front. 1021 01:10:33,280 --> 01:10:34,080 There it is. 1022 01:10:41,120 --> 01:10:44,080 The questions have we underestimated the anonymity, 1023 01:10:44,080 --> 01:10:44,560 feasting the internet? 1024 01:10:44,560 --> 01:10:49,120 We probably have, I should actually believe we undervaluate that anonymity 1025 01:10:49,120 --> 01:10:53,280 internet is incredibly valuable and something that's good for sight and civilization. 1026 01:10:53,280 --> 01:10:58,160 Something we should we should cherish and keep and a lot of people think it has no value. 1027 01:10:58,720 --> 01:11:05,200 I mean, yes, it course it has problems, but anonymity is is important to a free society. 1028 01:11:05,760 --> 01:11:07,840 So I'm a, I'm a big fan of it in anonymity. 1029 01:11:07,840 --> 01:11:12,960 But it actually doesn't matter because you cannot build an internet system without anonymity. 1030 01:11:15,360 --> 01:11:22,400 Any, any, any not anonymous system, somebody can build in an anonymous overlay, 1031 01:11:23,520 --> 01:11:24,960 just by being an aggregator. 1032 01:11:26,640 --> 01:11:30,400 Right? So so you can't make anonymity go away from the internet. You just can't. 1033 01:11:30,400 --> 01:11:32,720 So, so in sense, it's a non-issue. 1034 01:11:32,720 --> 01:11:34,720 I mean, you can try, but you won't be able to. 1035 01:11:35,680 --> 01:11:37,520 Hand over there. 1036 01:11:43,520 --> 01:11:48,800 Because questions about whether any company prescibers will we now know that HPHB Gary did, right? 1037 01:11:48,800 --> 01:11:51,760 We know that they built and sold cyber weapons. 1038 01:11:52,960 --> 01:11:56,320 Since I, like I had never heard of the company before this all happened, 1039 01:11:57,200 --> 01:12:02,960 my guess is this more than one out there that are right now building and selling cyber weapons. 1040 01:12:03,520 --> 01:12:05,840 But it sounds like a fun job, right? 1041 01:12:08,880 --> 01:12:12,880 So, but no, you know, companies are not public about doing this. 1042 01:12:14,400 --> 01:12:18,560 Right, HPHB Gary didn't like the fact that we now know that they built and sold cyber weapons. 1043 01:12:19,520 --> 01:12:21,200 It wasn't on their website. 1044 01:12:23,600 --> 01:12:25,600 Did they never shop in cart function? 1045 01:12:25,600 --> 01:12:29,920 We now they might. So, so no, we, we, we don't have proof, but 1046 01:12:30,640 --> 01:12:33,440 almost certainly if there's one this more than one. 1047 01:12:49,440 --> 01:12:50,640 Right, and that might change, right? 1048 01:12:50,640 --> 01:12:53,600 And companies might say, yes, we're in the cyber weapons business. 1049 01:12:53,600 --> 01:12:57,120 I mean, but right now it's so new and so shadowy, nobody's talking about it. 1050 01:12:57,440 --> 01:12:59,840 But sure that could change. 1051 01:12:59,840 --> 01:13:02,640 And you can imagine, you know, grommon aerospace wherever, whoever, 1052 01:13:02,640 --> 01:13:05,040 if I forget who owns who these days, who's a real company, 1053 01:13:05,040 --> 01:13:07,200 can say, yes, we, we, we know, we make cyber weapons. 1054 01:13:07,200 --> 01:13:12,000 We, we sell them to, you know, eight of the eight of the NATO countries and, and, you know, 1055 01:13:12,000 --> 01:13:14,960 we get high satisfaction marks and buy your cyber weapons from us, right? 1056 01:13:14,960 --> 01:13:18,320 I mean, sure, you can see this happening. 1057 01:13:22,640 --> 01:13:24,720 It's a hand over there. I mean, you're my last question. 1058 01:13:27,120 --> 01:13:39,120 Mm-hmm. 1059 01:13:39,120 --> 01:13:41,120 Mm-hmm. 1060 01:13:43,120 --> 01:13:48,880 Uh, actually none. I mean, and countries, I mean, we've been doing, and the NSA is doing internet 1061 01:13:48,880 --> 01:13:52,480 espionage since there wasn't internet. They're not going to stop and there's no reason why they 1062 01:13:52,480 --> 01:13:54,000 should. 1063 01:13:54,000 --> 01:13:58,080 I mean, internet isn't different. It's just another place. So I'm, I'm not saying, 1064 01:13:58,080 --> 01:14:02,320 this should be no astronaut internet. That'd be ridiculous. And of course, there will be. 1065 01:14:04,560 --> 01:14:08,240 All right, so I think we're almost done. Jeff promised he'd be back. 1066 01:14:08,240 --> 01:14:13,680 He had to run out for a conference call. He's not. So I, I'm going to pretend. I know what's going on. 1067 01:14:13,680 --> 01:14:17,280 But at first, I want to, I want to tell you, this is what an vaguely an announcement. 1068 01:14:17,280 --> 01:14:20,640 Uh, I'm writing a new book. This is it. This is the only copy you can't have it. 1069 01:14:20,640 --> 01:14:23,760 Uh, uh, uh, uh, uh, uh, I mentioned 1070 01:14:23,840 --> 01:14:29,440 on my blog about a month ago. And it's, it's called the dishonest minority. And it's about the sort 1071 01:14:29,440 --> 01:14:37,280 of fundamental role of security in human civilization. And why, why security exists and what it does. 1072 01:14:37,920 --> 01:14:41,680 And if life is good, it'll be out in the fall. If life is less good, it'll be out in the spring. 1073 01:14:41,680 --> 01:14:48,400 If life sucks, it'll be out next fall. And so if you notice my blog posts and my newsletters 1074 01:14:48,480 --> 01:14:53,680 becoming smaller in the next few months, that's why. So I mean, if people are interested in this, 1075 01:14:53,680 --> 01:14:59,680 I'd love to talk a little bit about it. I'm also looking for uh, critical readers of a first draft. 1076 01:14:59,680 --> 01:15:05,200 Uh, uncritical readers are not useful to me. Those are easy to get. But anyways, some people 1077 01:15:05,200 --> 01:15:09,760 might be willing to read it and really make substantive comments. I mean, you know, please, please talk to me. 1078 01:15:09,760 --> 01:15:14,880 And, and so I believe what's going to happen now is those two people are going to come in. 1079 01:15:15,840 --> 01:15:22,080 And they're going to tell me if there's like a reception out there. There is, which means beer, 1080 01:15:24,080 --> 01:15:32,640 beer, food, right out there. And if it isn't good, go to the surgery people and steal their food. 1081 01:15:32,640 --> 01:15:33,680 Thanks.