The Jordan Harbinger Show

542: Nicole Perlroth | Who's Winning the Cyberweapons Arms Race?

2021-08-03

Nicole Perlroth (@nicoleperlroth) is an award-winning cybersecurity journalist for The New York Times and bestselling author of This Is How They Tell Me the World Ends: The Cyberweapons Arms Race.

What We Discuss with Nicole Perlroth:
  • The startlingly simple reasons why most nation-states now resort to using cyberwarfare tactics before conventional weaponry in acts of aggression -- to increasingly devastating effect.
  • How industries are so interconnected that there's almost no way for a cyberattack to target one victim without endangering countless others on all sides of a conflict (which is why you may have Putin to blame if there's a Cadbury chocolate egg shortage next Easter).
  • Why leaving the security of 85 percent of its critical infrastructure up to privatization makes the United States especially vulnerable to cyberwarfare attacks.
  • The massive amount of intellectual property that's been lost to hackers -- from the formula for Coca-Cola to information that would allow China and other rival nations to catch up with the United States in the nuclear arms race.
  • What Nicole believes the US should do to push back against these threats and the governments that perpetrate them -- and ensure that it's not inadvertently one of them.
  • And much more...

Full show notes and resources can be found here: jordanharbinger.com/542

Sign up for Six-Minute Networking -- our free networking and relationship development mini course -- at jordanharbinger.com/course!

Like this show? Please leave us a review here -- even one sentence helps! Consider including your Twitter handle so we can thank you personally!

This is an unofficial transcript meant for reference. Accuracy is not guaranteed.
Coming up next on The Jordan Harbinger Show: Cyber war isn't targeted. Cyber war can take all of us down at a few clicks, but we're not acting like that. A lot of nations are engaged in developing these offensive capabilities that they don't understand, that the collateral damage is usually their own citizens or their allies or businesses. Welcome to the show, I'm Jordan Harbinger. On The Jordan Harbinger Show, we decode the stories, secrets, and skills of the world's most fascinating people. We have in-depth conversations with people at the top of their game: astronauts, entrepreneurs, spies, psychologists, even the occasional four-star general, drug trafficker, or former jihadi. Each episode turns our guests' wisdom into practical advice that you can use to build a deeper understanding of how the world works and become a better critical thinker. If you're new
to the show, or you're looking for a handy way to tell your friends about it, we've got starter packs. These are collections of your favorite episodes organized by topic, so new listeners get a taste of everything that we do here on the show. Just visit jordanharbinger.com/start to get started, or tell somebody else to get started with us. Of course, I always appreciate that. Today: when I was a kid, I used to love finding bugs in software. I'd be on a bulletin board system and figure out that some little ASCII character coding thing could crash the entire software, and I'd report the bug to, this is this- is democracy, and I remember one time I did it, and this is called the police, and the police called my parents, and they really know what was going on, but my parents thought I was gonna get in trouble, and you know, that just made me have a vendetta against this guy. Is it- but I'm still mad about it. But law enforcement never really dissuaded me from hacking or from anything else. Later, I went to a hacker conference called DEF CON, and I found out how easy it is to get into our power grid,
these SCADA systems, to mess with air traffic control and water and power, using transponder hacking to trick aircraft. I mean, it really is just scary how quickly you mess things up if you are a bad actor. We regulate weapons and arms sales, and we work hard not to allow the proliferation of nukes, but we do nothing to stop the spread of zero-day exploits and other hacks discovered in critical systems. My guest today, Nicole Perlroth, literally wrote the book on cyber warfare. We'll talk about why this is so dangerous, why we're not really doing anything about it, and how it's being misused, both in the United States and abroad. We'll talk about hackers who forge documents, bribe people, and hack computers, both ethically and abroad, for money: white hat, black hat, and everything in between. We'll talk about massive attacks on Google from China, and how nation-states are using cyber warfare before pretty much any other weaponry these days. China has stolen enough IP from the Western world for the next decade, including the formula for Coca-Cola, Benjamin
Moore paint, plans for the F-35, and enough info to catch up with us in the nuclear arms race, but that might We all we have to worry about right now. Today we'll explore the cyber warfare going on these days, how we are being attacked by our enemies on the regular, and how ready we are for the next catastrophic cyber attack against the West or the United States. And if you're wondering how we manage to book all these great authors, thinkers, and creators every single week, it's because of my network, and I'm teaching you how to build your network for free over at jordanharbinger.com/course. And by the way, most of the guests on the show already subscribe to the course. Come join us; you'll be in smart company, where you belong. Now, Nicole Perlroth. The US is engaged in large-scale cyber warfare, and it seems like our critical infrastructure is more or less, I won't say undefended, but kind of undefended at the moment. How accurate would you say that statement is? That's incredibly accurate. You know, this
statistic everyone throws around, although no one's ever actually furnished any proof that this is true, but it feels largely true, is that eighty-five percent of our critical infrastructure is owned by the private sector, and the government has no say, as of this moment, over how secure or not secure it is. We leave it to every company to basically fend for themselves, and now you're seeing ransomware attacks that are taking out pipelines and the food supply that just come down to a lack of two-factor authentication and bad password management. That's all it takes. For people who don't know, two-factor authentication is like when I'm trying to log into my bank and it goes, "Hey, we just sent you a text making sure that it's you, please type in that four-digit, six-digit code." And there are people in control of, like, oil pipelines, power grid systems, water treatment
plants that are like, "I don't want to deal with that. I'm just gonna use my... I've been using the same password for twenty years. Why change it now?" Right? That's right. And even with Colonial Pipeline, you have to give them a little more credit, in that it came down to some employee who had come and gone. I don't even know how long he had been gone. He still had an active account with access to their network, and that account had just not been used for a long time and didn't have two-factor authentication turned on. So all it took was someone getting a stolen password, seeing he worked at Colonial Pipeline, trying to get in the network, and there being no obstacle to them doing so. And because Colonial Pipeline's network administrators weren't paying attention to some old employee's account, they weren't paying attention to the attack when they came in and started walking around their systems and then deploying ransomware that held their data hostage in such a way that they couldn't
actually see where gas was going off the pipeline. It's not like the ransomware hit the pipeline itself, but their business, and they couldn't charge customers because their billing systems had been held hostage. So they took the step of shutting down their pipeline. So basically, because they had this old employee account that didn't have two-factor authentication turned on, an entire pipeline that supplies nearly half the jet fuel and gas and diesel to the East Coast was held hostage, and all it took was this old employee with the stolen password that didn't have two-factor authentication turned on. And that seems glaringly... it's dangerous for level of access to these sort of... it is kind of like leaving a gun in a room you never go in. "Well, we never go in there." OK, but your kid's playing in the house. "Yeah, but I mean, I'm just never... who would open that?" All right, it's the same kind of thing, but we're thinking, "Oh, well, nobody has..." there. It's kind of it he draws its got. "You know, there's a key lock." Where's the key? "We leave it in the key chain with the housekeeper. They're not going
to open that door." It's sort of the same thing, except we would never think that that gun is secure, but we think, "Oh, he's gone, so no one's gonna log into that account." Well, OK, no one nefarious... I guess, to their credit, Colonial Pipeline, the oil pipeline that was shut down, for those of you who don't know what we're talking about, they shut that down themselves because they were worried about what might happen because the other elements of their system were compromised. And that's kind of a whole other discussion about, was that the best way to have your systems connected like that? And to their credit, they shut it down before somebody could do something really horrible. But not all cyber attacks have ended with just a rush on gas that ended up being a big nothingburger. We saw a massive Ukrainian cyber attack by Russia, so take us through that a little bit, and also, why do this? You know, what's the message to Ukraine from Russia here by doing this? The attack by Russia on Ukraine... and there have been several noteworthy attacks. One
of the most famous was when they actually turned power off to a large section of western Ukraine for a few hours, and then a year later, came back and did the same thing to their capital, Kiev, for a couple hours. That was a big one, but the one you're referring to is the one that security people call NotPetya, a horrible name, and it's worth just lingering on it for a moment. The reason they called it NotPetya is because it looked like a huge ransomware attack that looked like Petya ransomware, but it wasn't ransomware, because there was no way for the victims to pay a ransom and get access to their data back. It was actually just an attack of destruction. So what happened was, sometime around two thousand seventeen or earlier, Russia breached a company that's basically like Ukraine's TurboTax. Actually, legally, most government agencies and banks and large corporations in Ukraine are required to use this tax software. That tax
company is run by a mom and pop just outside Kiev who never thought that their little tax software company could be used as a nation-state weapon, but that's what happened. Russia's preeminent hackers, the GRU, their intelligence agency, came in, compromised the tax software company, got into the software update, so that when all of these Ukrainian companies downloaded the latest, greatest version of this tax software, they weren't just downloading the tax software, they were downloading a GRU backdoor. And once they were inside there, the GRU unleashed what was essentially a digital weapon of destruction. It looked like ransomware, which is just code that holds your data hostage with encryption until you pay up, only there was no way for the victims to pay. So all of a sudden
all of these Ukrainian government agencies couldn't access anything on their network that connects to email or anything else. They had to hop on Facebook to communicate with the country to say, "We're still standing." But it also hit railways. People couldn't get tickets on trains. It hit the postal service. People are still not getting pension checks that they were owed back in two thousand sixteen, two thousand seventeen. It held up the radiation monitoring systems at Chernobyl, the old nuclear site, so suddenly the people at Chernobyl couldn't monitor how much radiation was leaking out of that blast site. But it also hit any company that did any business in Ukraine. Even if they had a single employee working remotely from Ukraine, they were caught up in this attack. So it hit FedEx. FedEx
suffered four hundred million dollars in damage from this attack. It hit Pfizer. It hit Merck. Merck's vaccine production systems were held up in this attack. It actually had to go tap into the CDC's emergency supplies of vaccines that year. It hit Cadbury chocolate factories in Tasmania. You name it. Lord, no. Yeah. It ended up being the most costly cyber attack known to man. It was ten billion dollars in damages, although we think it might have been worse, because a lot of victims didn't even report their damages. But it was a prelude in some ways to a lot of the attacks we're seeing now. You know, if we had been paying closer attention to how that attack happened in the United States, we might have been a little bit more prepared for SolarWinds, that we're still unwinding right now, where Russia,
another Russian hacking group, this time less of a destructive actor, thank God, broke into SolarWinds, which is a Texas company that provides software to more than four hundred of the Fortune 500 and to all of our preeminent federal agencies, like DHS and the Treasury and the Department of Justice and the Department of Energy and our nuclear labs, got into their software update, and all of a sudden, most government agencies downloaded this Russian backdoor. And we still don't know the extent of damages from that attack. We still don't know just how deep the Russians are into our government systems, but they also got into some of our electric utilities. We don't know what they plan to do with that access. So this is where now we are seeing attacks come in through the software supply chain, and for years people have been about this threat, but now suddenly they're asking the right questions, which is, how do you trust that any of the software
you're using is secure and not a Russian Trojan horse? Especially your updates. I mean, I update my apps all the time, thinking I'm on the latest version, I'm on the most secure version, but if there's some fake update that I install, now I'm on the least secure version of that software that's ever been created, and it might disable my ability to update, to patch. I mean, it's really hard to say. I assume they did that. They went, "Well, OK, if they find out about this, we don't want it to then check the server for the latest. We want it to just not work anymore." And now you're in this sort of zone where you're going, "How do I manually update my Ukrainian TurboTax? Do I have to... OK, I have to delete it. Then I have to download the fresh version that's off their website I've never been to, and then enter my code that I haven't looked at in three years because I bought it ages ago." And you're doing that on hundreds of thousands of computers, or millions of computers, at the same time. Right, and it's pervasive. It does strike me as sort of, like, tragically comical that
vaccine companies are reporting these losses, shipping companies are reporting these losses, and then Cadbury's like, "Hey, we can't get any of those chocolate eggs out. We're really gonna be way behind this Easter for these little eggs." Kristen. Nobody points blame, right? Putin: "OK, don't look at me." Right. And the only reason I ever bring up Cadbury on my list of NotPetya victims, and I always bring it up, is just because I want people to understand that we're so interconnected now that a targeted attack between Russia and Ukraine doesn't even exist anymore, because we're so connected that something that Russia had decided to aim at Ukraine to basically take them offline ahead of their Independence Day would actually, you know, cause disruption to a chocolate factory in Tasmania. It's really the best visual you get when you want to understand that cyber war isn't targeted. Cyber war can take all of us down at a few clicks, but we're not acting like that.
A lot of nations are engaged in developing these offensive capabilities that they don't understand, that the collateral damage is usually their own citizens or allies or businesses. And what's really interesting from that attack is, you know, I mentioned some of the figures of damage: FedEx, four hundred million dollars; Merck, I think, at six hundred million dollars. When they tried to go get that money back from their insurers, because they had cyber insurance, their insurers said, "You know, we have this tiny little clause in your policy, the war exemption clause, and it says that if you're collateral damage in a war, we don't have to pay out. And in this case, you were collateral damage in Russia's war on Ukraine, and so we're not going to pay you out." And those lawsuits are ongoing, but American companies are on the hook for those damages. That is clear. See, because, of course it is a war damage, but also, it's... I will
sign that. I thought you meant if there's a drone strike and it knocks out part of our headquarters, you're not gonna pay for that. Not an actual cyber intrusion, which is the whole frickin' point of the insurance. So then the insurance company's argument is, "No, no, we're insuring you for when a kid comes in your office and installs some spyware, knocks out fifty of your computers, and you have to..." is that what you have just described that data? "We're not paying you when the GRU, that Russian military sort of hacker intelligence unit, targets something and you're collateral damage." And so now there's probably a whole different type of insurance industry out there with much higher premiums that says, "Oh yeah, we'll insure you against that, for three hundred fifty million dollars or more on an annual basis, depending on how big your company is." You know, it's like this massive Europe now you're paying as much for cyber insurance as you are for insuring all your FedEx delivery trucks at this point, right? Because the damage is equally rang or greater. Well, that's right. I mean, I live now in the wildfire zone, and my
neighbors are getting notices that their insurer will no longer cover fire insurance on their properties anymore, and I think that's what's happening now with cyber insurance. Your insurer either does not cover Pfizer and Merck and FedEx, or premiums are going to be astronomical, and there's gonna be all sorts of fine print in there that says, you know, if you're a target of this kind of attack, we don't have to pay out. And so this is something businesses are reckoning with now. The good news is that cyber insurance companies will say, "OK, we'll underwrite you, but you need to have a much higher baseline of cyber security. You need to have two-factor authentication installed. You need to be patching. We need a clear idea of what's in your network and how well secured that software is. We need to know that you have strong password management, that your employees are using password managers," all of that. And in some ways it's creating market incentives for these companies to raise the bar. But there's an
other thing about that NotPetya attack which I failed to mention, which is the reason that attack, why it destroyed so much, is because it was failing on a stolen weapon from the National Security Agency. So just a few months before Russia launched that attack on Ukraine, someone, we still don't know who they are, they call themselves the Shadow Brokers, had hacked the NSA and had been dribbling the NSA's best-kept code and hacking tools online. And one of the tools that they dumped was some code that exploited a vulnerability in Microsoft Windows that allowed their malware or code to spread automatically across a network, instead of having to manually infect one computer after another. The NSA's tool essentially allowed them to automate this attack. After that was dumped online, North Korea picked it up for
a ransomware attack that was pretty bad, but fortunately the North Koreans had made some mistakes in their code, and someone was able to neutralize it pretty quickly. And then Russia baked it into its NotPetya attack, which is why we saw their code sail around the world the way it did and wreak that much destruction on victims, including American companies. And there has been no accountability for that, and people don't even realize that all of those damages were enabled by an NSA digital hacking tool. The NotPetya attack, by the way, how do people name these things? Like WannaCry, Petya, NotPetya, how do the names come up? OK, it's a huge point of frustration for me. If I run for president, it's gonna be, like, a single platform, which is cut out the ridiculous names for these attacks and, furthermore, nation-state groups, because it's
crazy. Like, CrowdStrike is a security company, and they name Chinese attacks something Panda, Russia something Bear. So there's all these names for these groups, like Fancy Bear and Berserk Bear, and every cyber security company's naming convention is different, so any time we call out these groups at play no belly, I'm a.k.a. so-and-so Bear, a.k.a. a pity to three seven to enact. So it's frustrating. But usually the way it goes with malware, ransomware, is that it's after some word in the code. The North Korea attack that I mentioned was called WannaCry because there was some little snippet of code in their ransomware that said something like w and a three hour by in, something like that. But really, it'd be great if we could get some central naming authority to avoid some of these ridiculous names and the confusion. Yeah, I figured there was
something to do with the code. And the NotPetya attack, something like eighty percent of Ukrainian computers there had to be wiped clean because of this, right? So that's massive. It sounds like what we're worried about is not just how much time that can cause, but the fact that that might just be a dry run for something even larger. I mean, OK, you went after Ukraine, it went and destroyed a bunch of data, ten billion dollars in damage. What about now, when you go after Canada and Mexico and the United States and Germany, which you can easily do? I mean, it's not like... I would imagine it's not a huge squad of people required to pull off an attack like this against a nation-state. It's just they chose Ukraine as they knew they wouldn't have any consequences to pay as a result, most likely. Yeah, it was pretty interesting, and I couldn't really wrap my head around this until I went to Ukraine and met with all the people who did forensics inside Ukraine on not just the NotPetya attack but several of the attacks I mentioned leading up to it: the attacks that took out the power,
attacks that were aimed at Ukrainian media companies. For years they had been shelling Ukraine with all of these different kinds of attacks. But what was clear to the people who did forensics is that this was Russia really experimenting. This was their petri dish. It was them trying out one method here, one slightly different method there, basically like the scientific method of hacking. And so their theory on the ground there is that NotPetya, it was designed to look like ransomware, but there was no way for people to pay the ransom, and that really it was just destructive too. It was a way for Russia to wipe the slate clean, to erase any trace of everything they had done before that, so that, you know, no one would be wiser to the capabilities they do have. And what they said was, "We believe that we weren't the ultimate target. We believe that we were spring training. We believe
that you and the United States and the West are the end target here. But when it comes your way, we should mention that it will be so much worse, because we are actually not that digitized here. You know, we still run our elections on pen and paper. Our power systems are still pretty archaic. You know, NotPetya didn't take out the power across the whole country. It didn't touch our nuclear plants. But when it comes for you, there is a high likelihood that it will do a lot more than ten billion dollars in damage, and it will take a lot longer for you to get your systems up and running, because you're so much more virtualized. And by the way, you know, it doesn't seem like you're that secure either." So it was a wake-up call, but we're not really treating it like it's a wake-up call. We didn't change the fundamental ways we do business after the NotPetya attack. Most Americans have never even heard of the NotPetya attack.
They wouldn't even need to do much to take down, to do billions of dollars in damage in the United States. If you took down Amazon web hosting, which, a lot of people think, oh, Amazon, you buy things there, but that backbone internet hosting, there goes almost all of the services that you use. Or if you took a chunk out of our neighbours, Gmail's down for, like, a day and people are like, "What the hell? We can't do any business." What if you took down Outlook and Amazon, or you just stopped airline traffic for a day or a week, like that one volcano, except for the United States, right? That's all you need to do. That's not even, like, kill-people type of damage. That's just a massive, expensive inconvenience. And now you're talking about what happens if they shut off the power in the South in July, when it's a hundred degrees outside and no one can turn on air conditioning or a fan, and their let it get. The phone system doesn't
work, right, because the cell towers are down, so you can't even call 911 if you're passing out or you need an ambulance. Like, that kind of damage could be done by a few people relatively easily, because a lot of those SCADA systems, I think they're called, are from, like, the nineties, right? Those power grid systems. And they all... I remember talking with somebody who worked there a long time ago, and these people go, "Oh yeah, our systems are so safe. They're buried underground. You have to go in this tunnel, and the tunnel's flooded half the time, to get there." Well, how do you control it all? "We hooked it up to a telephone line. I can log in from my phone." OK, so you did that and you never go down there for local access. You don't think anybody else can do that? And it's really shocking, because these guys who connected the system to the phone line, it's like the young intern figured out how to do that. They didn't hire CrowdStrike to make their systems accessible remotely. They just friends, plug it into Zoom, basically. It's just really, really pathetic, a lot of the ways that these things have been made
accessible. Yeah. Well, you know, we don't even really have to use hypotheticals, because there is the situation over the winter when Texas's power went out. Was it ERCOT? Is that the name of the company? Yeah, that was it. Yeah. You know, they went out, and everyone in IT security said, "Oh gosh, is this the attack we've been waiting for?" Nope. It was just due to an underinvestment in winterizing. If they're making that level of lack of investment in winterizing, what do you think their cyber security posture is? And look at what happened. I mean, people didn't just lose power in the middle of the storm, they lost access to their water. Their pipes were frozen. I mean, that's really what it would look like, only in this case, Russia might not turn it back on. They might make sure that the power station... The one I actually worry about the most is water, because at least we have sort of wrapped our heads around the threat to our power supplies,
but we haven't really wrapped our heads around the threat to the water supply. And most of the water treatment facilities here in the United States serve communities of less than ten thousand people and barely have an IT guy on staff, let alone a cyber security expert. And just the day my book came out, actually, there was a hack on a water treatment facility in Oldsmar, Florida, just outside Tampa, where hackers got in remotely into the water treatment facility because they'd been using a decade-old version of Microsoft Windows that hadn't been patched in years, and they didn't have two-factor authentication turned on, and they hadn't even thought about this scenario. But a hacker was able to get into their chemical controls and up the level of lye, L-Y-E, in the water from something like eleven hundred parts per million to eleven thousand parts per million, which is enough
to send everyone to the hospital in the middle of COVID, when hospitals are already under strain. And oh, by the way, they did it on the Friday ahead of Super Bowl weekend in Tampa. So thank God an engineer was sitting at his computer and happened to watch his cursor move around and catch this thing in action. But, you know, in most cases they wouldn't have an engineer sitting in front of their computer watching that happen. And I was just at a wedding last weekend, and right next to our hotel was this little water treatment facility, and I was like, there is no way there is an IT guy now sitting there prime watching to make sure no one's mucking around with their chemical controls, and I guarantee you there's a very easy way for someone to remote into their system and up the level of caustic chemicals in the water. So the scenarios are endless, and we keep having these close calls, but we're still not changing the way we secure our critical infrastructure.
You're listening to The Jordan Harbinger Show with our guest Nicole Perlroth. We'll be right back. Now, Nicole Perlroth on The Jordan Harbinger Show. I'd imagine that that software that runs those plants, it's all the same stuff. It's all the same version of the same stuff. It all runs on Windows. Like you said, the Windows might not even be patched. That sounds like they got remote access to Windows, and then they used the software, like you can do with a screen share in Zoom or any other remote software. Imagine if somebody found out how, and I'm sure they already did find out how, to remotely access this software, plain and simple, because they make these easily accessible so that, yeah, the IT guy, oh, he's a consultant, he lives off-site. "Hey, there's something weird going on with our software." They give him a call, he logs in remotely and handles it. That is absolutely not secure. Like you said, there's probably one guy there just to make sure pipes aren't exploding, and they're on their iPad
watching Netflix, and they're just looking for giant spurts of water shooting out. They're not sitting there going, "Oh, that seems like a chemical imbalance on system number seven. Let me look at that and inspect that." They probably don't even have anybody qualified on-site to even do that at any given time. So that is terrifying, especially because you can log in and do that to a thousand small-town water systems, probably all at the same time, or within a few hours, before anybody figures anything out and they can unplug the internet. I mean, it's just, the amount of damage is massive, and then you have no idea what, or who did it in the first place, and you can point fingers, but that's pretty much it. I remember reading that in Ukraine, Russia pushed a lot of the anti-vax stuff that sounds
very familiar here. They tested that on the Ukrainian population, said, "Hey, the MMR vaccine causes autism," and then there was a massive measles outbreak or something like that, right? Am I close here? Yes, you're close. I mean, it was really disturbing, and again, I couldn't wrap my head around this until I actually went to Ukraine. But I met with officials at the embassy, and I was there to talk about cyber threats, hacking threats, but they didn't even have time to think about cyber threats because they were so focused on Russian disinformation campaigns in Ukraine. And at that very moment there was this raging measles outbreak that had actually spread to the Hasidic community in New York, because some of them do this pilgrimage to Ukraine every year. But a lot of that... Ukraine has a disinformation minister, ministers then, we shall still have here in the United States, but I met with him at the time, and he said, yes, they had tracked a lot of it down to Facebook pages
it at young ukrainian mothers, where you, russian trolls, were flooding the comments section trying to legitimize the vaccination debate and sitting down, among ukrainian mothers that measles vaccines caused autism, or was some nation state tool of control and so a lot of young mothers weren't getting vaccinated. Meanwhile, back in Russia, the vaccination rates were nearing a hundred percent, whereas in Ukraine we're dipping below fifty. It didn't even hit me at the time. This was to them, Nineteen that a year later or less than a year later, we would have a global pandemic that Sharon Here we are in the middle of this Bobby endemic in the biggest threat. Right now is vaccine hesitancy and oh yeah. Some white papers are just now coming up that our trade, seeing a lot of disinformation related to the fire and Madeira vaccines to russian troll networks. And they're playing out on Facebook, they're playing out on social media and
that is where we are now. That is, of course, terrifying as it affects the public health of the entire country, and yet the joke is really on us, because when you look at vaccination rates in Russia, well, why are they so, I already have an oppressive government. OK, but they're obviously not doing the same type of disinformation that they are over here. I mean, of course, it's using our own sort of information freedom against us, and that's a whole different, yeah, probably podcast here, but I want to go back to what you are before the Shadow Brokers hack and what this means, the gravity of it. I don't think most people know what zero days are, why they're valuable. You take us through that a little bit, because this is one of the main reasons that we're having so many cyber attacks, correct? You know, it isn't, it isn't just a back up, and I promise this is the most technical part of our conversation today, but what is a zero day? So a zero day is a flaw in software that the software maker is not aware of, and the day someone discovers that is day zero, or zero day.
Because they had zero days to fix it, and until they can fix that, everyone who uses that software is vulnerable to hacking. So just to take the most simple example, let's say I'm a hacker, and I find a flaw in your iOS software and I can write a program to exploit it. So that flaw is called a zero day, the program to exploit it is called a zero-day exploit, and if I create a good program, I can use it to read your text messages, your location on your iPhone, access your phone calls, use your camera without your knowledge, record all of your surround sound and conversations, your calendar appointments. That's basically everything a spy agency would ever want or need, and so there is a market where governments, not regulators, but governments, are customers. The U.S. government is one of the top customers in this space, and they will pay hackers to sell them those zero-day
exploits. The going rate for the zero-day exploit I just described in your iOS software is two point five million dollars. U.S. government brokers will pay two point five million dollars to sell them that exploit, with the condition that you not tell anyone about it, because the minute you tell someone, or the minute Apple finds out about it, they'll patch that underlying zero day, you'll get one of those annoying prompts on your phone to update your software, and suddenly that two point five million dollar capability turns to mud. So there is a long history here, since the nineties, of U.S. government agencies paying hackers, both in the United States and abroad, to sell them these zero days and the code to exploit them to add to their stockpiles. So I started writing this book about this because I was just fascinated by the moral hazard and the security dilemma baked into that marketplace. You know,
we are all using the same software today. Three decades ago, when these programs started, this marketplace launched, we were all using different software. China was using Huawei. We were using or a colony Cisco for the most part. Three decades there was always a glaring exception, but we're all using the same technology, we're all using Android phones and iPhones, Windows, whether you know it or not. You might not have a Windows PC, but it's in the power grid and your water systems and your pipelines, and same for industrial systems: Siemens software, Schneider Electric software, that's pretty much the market leaders when it comes to industrial systems. So when the U.S. government finds a zero day in that software and holds onto it and makes sure that it doesn't get fixed, it means that most Americans and our critical infrastructure, more so, are left vulnerable. So I was fascinated
by this. I never in a million years imagined that the NSA's own stockpile of zero-day exploits would get hacked by someone, we still do not know who they are three, four years later, and dumped online so that our adversaries, like North Korea and Russia, would pick them up and use them in these global destructive attacks. But that is precisely what happened. The zero day that was used by North Korea and Russia was called EternalBlue at the agency, at the NSA. I do know from reporting that it was developed in house. This is not something that they secured off of the market, but that marketplace is alive and well today. Actually, the going rate for that iOS zero-day exploit I described earlier, you can actually
get more these days if you sell it to a broker based in Abu Dhabi called Crowdfense. They're offering three million dollars or three point five million dollars for that same one that U.S. agencies will pay two point five million dollars for. And in essence, what that market does is it closes the capabilities gap. So three decades ago, the U.S., still the top player in the space. We were worried about Russia. We were worried about China, not so much because China matched our capabilities, we're still sort of the top dog. No one's pulled off the same level of attack that the United States and Israel pulled off several years ago, but they are just so prolific with their attacks that we are worried about that. What the market has done is it
closes this capabilities gap, so that countries that have had very little in the way of offensive capabilities or engineers with the skills to pull off these attacks can now tap into this market and buy things off the shelf that years ago they would have had to develop in house. And that's why I focus on the security market and the, but that, you know, that is advanced nation-state-level cyber warfare. Unfortunately, on the defensive side, a lot of the attacks we're seeing right now don't come in through zero days. They come in through just the lack of basic cybersecurity hygiene. They come in through stolen passwords and a lack of two-factor authentication. Eighty percent of the ransomware attacks we're seeing right now come in through a combination of a stolen password or a phishing email and a lack of two-factor authentication, although
terrifying is that just last month the Department of Homeland Security warned that there is a new ransomware strain out there that does exploit zero days, that does use zero days, and that's very scary, because those are almost impossible to stop until you figure out what flaw they're using and how to patch it and get that patch rolled out to everyone and get everyone to actually implement that patch, because these days so many companies are, are too lazy to even run their patches on time. What about backdoors deliberately programmed into software? I mean, we've heard that, hey, don't use Huawei software, it's got a backdoor, lets China sniff the traffic coming in from any of your devices. You know, a lot of people will say, oh, BS, it's just non-competitive crap, but I would assume that there are backdoors deliberately programmed into many devices. I mean, why wouldn't there be? Especially when you're talking about, like, industrial, supposedly secure networking devices, there's a big incentive for a
company to accept a nice million-plus-dollar incentive, or something like that, to put something in there that's never gonna get misused, we're only using this for national security, right? Yeah, and there's a long history there. You know, the most famous example was a Swiss company that offered encryption, and they were called Crypto AG, and we learned later that they were getting paid off by the CIA and the NSA to put a backdoor into that encryption software, because their encryption was used by countries that don't American software, like Iran, Syria, North Korea, etc. And so they basically went to them and said, use this backdoor, put this backdoor in your systems, will be doing in Europe Andrea and ours, a giant patriotic favor. We will cover your expenses. And that
was, in essence, the way that U.S. intelligence agencies were able to spy on some of Iran's most sensitive systems for years. The Iranians discovered it and actually arrested one of Crypto AG's employees, who had no idea that his employer was doing this. That was a long time ago. Now, the people I interviewed for my book wouldn't speak directly to any of these operations because, obviously, they are incredibly highly classified, but what they would say is, in the U.S. intelligence community, there is a five-tier, six-tier system, and at the bottom are nation-states that have basically
zero hacking capability, that we call the script kiddies of nation-states. You know, they might be able to pull off some silly denial-of-service attack, although these days they can tap into the market and buy some of their hacking capabilities off the shelf. And in between there are countries that have, you know, the talent to pull off these attacks. They might not be able to pull off a sophisticated attack that would turn off the power somewhere, but they can basically fill up their capabilities gap by tapping into the market. And at the top, there are countries that can hack into technology and place a backdoor into the software supply chain and use that sort of Crypto AG model to spy on their enemies, and at the very top is the tier-six guys, the top dogs, who can do that all at scale,
and they said that is where the United States is today. We are at a place where we can plant backdoors into global technology so that we can spy on these systems at scale in real time. And I had the privilege, I guess you could call it, of having a small slice of access to the Snowden documents, and it was very clear from some of the NSA and the GCHQ's documents that we were inside two of the leading encryption chip makers in the world. They never named the actual manufacturer, but these said that, basically, we have full capability to spy on anyone who uses this particular flavour of encryption chip. So we know that the United States and our closest allies in the Five Eyes have been doing this for a very long time, and we never stopped to think that maybe our enemies would be doing the same to us, but that is, in essence, what the SolarWinds attack is, the one
we're unwinding right now. You know, it's not them planting a backdoor physically into the hard drives or the encryption chips, but they don't need to do that, because they were able to get into this cloud application used by so many U.S. government agencies and top cybersecurity companies and electric utilities to do whatever they wanted. And the good news from that attack is that the actor was the SVR, which is the traditional espionage, Russian espionage group. They're not the same actor that turned off the lights in Ukraine and launched the NotPetya attack. They're known for stealing emails and strategy planning documents and that kind of thing. The bad news is we know the SVR pretty well, because they actually hacked the White House and the State Department between two thousand fourteen and two thousand fifteen, and when I went and interviewed the guys who were brought on site to remediate and get the Russians out of those systems, they said, we'd never seen anything like it. It was like hand-to-hand digital combat.
It's not as if we would see a Russian hacker inside the State Department network and they would scurry away. They would stay and fight to keep their access. At one point, they even hacked investigators' tools, the RSA NetWitness tool that they used to find the Russian backdoors, and manipulated it so it won't find their backdoors. So that's the adversary inside systems right now, and not only that, they were inside our systems for nine months before a private company said, I think we have a problem here. So it's going to be at least a year or more before we can stand up and confidently say we've eradicated Russian hackers from nuclear labs, the Department of Homeland Security, the Treasury, the Justice Department, and that's a real problem, because, you know, maybe they don't pull off these destructive attacks, but we know that there is a lot of coordination between a lot of Russian nation-state hacking groups, and they could just as easily pass that access off to a group that is known for pulling off
some of these more destructive attacks. Yes, they have nine months of mapping out our network infrastructure and seeing what works where, and credentials and everything. They could just say, we're done with this, we got the boot. If you guys want to go in there and make a huge-ass mess and detonate a cyber bomb on a nuclear facility, here you go, here's everything we know. Some of it's a little outdated, but the rest of it is probably still intact, right? We still know where the facilities are, we still know what all the software they're using is, with the exception of maybe the SolarWinds has a patch now, but everything else, the computers are still in the rooms they were in before. I mean, we're not rebuilding those systems from scratch, we're just trying to secure them, and any IP they stole, of course, has already gone. So that is quite arrogant, to put a backdoor in hardware or software and then think no one else is ever going to find this, especially when
they might even be in the systems that we are using to plan the placement of those backdoors in the first place. Yeah, and it really complicates the U.S. response. Now, every time I cover one of these attacks, I post the story on Twitter, and you know, sixty percent of the responses are, why don't we just go shut off the lights in Russia already? I mean, clearly they are not deterred from these attacks. Time for us to flex a muscle and shut off the lights. Well, that sounds good in theory, but the big problem is that, what people don't realize, is just how vulnerable we are. So yeah, you know, how do you respond to SolarWinds when, number one, it's the same kind of attack the U.S. government has been pulling off for years on adversary systems, on Huawei and on Crypto AG and also
others that we don't even know about. Two, do we really want to take that kind of activity, that kind of traditional espionage activity, and say this is off the table? I don't think so, because we do it all the time. We've been doing it for decades. We've just been doing it better, so it's harder for people to detect American stealthy supply chain attacks. But the other thing is, how do you respond to an attack aggressively when you yourself are so vulnerable? And the language that I hear all the time is, we live in the glassiest of glass houses. So yeah, we might have sharper stones than others, but our adversaries can just come back and say, hey, they just blew up this pipeline, or hey, they just turned off our lights, we have the right to respond proportionally, which means we can come hold up Colonial Pipeline. Only in Russia, they have the luxury of basically outsourcing that kind of activity to cybercriminals, ransomware groups, and so
we have nothing to do with this. We don't have that luxury here. Any attack you see come out of the United States comes out of the NSA or Cyber Command or another intelligence agency. We don't have the luxury of saying, hey, Northrop Grumman, you go do this for us, or tapping the guy at Google on the shoulder at night and saying, hey, you're gonna come moonlight for us. So it's harder to hide these American attacks through these layers of attribution and plausible deniability, and that makes escalation that much more of a risk, particularly when we are so vulnerable. This is The Jordan Harbinger Show with our guest Nicole Perlroth. We'll be right back. Thank you so much for supporting the show. Your support of our advertisers keeps us going. For all the links and promo codes that you hear on the show, those are all in one place: go to jordanharbinger.com/deals, that's where everything is, no need to write anything down. Please consider supporting those who support us. Don't forget, we've got worksheets
for many episodes of the show. If you want some of the drills and exercises maintain always talked about during the show, all in one easy place, the link to the worksheets is in the show notes at jordanharbinger.com/podcast. Now for the rest of my conversation with Nicole Perlroth. from before these script-kiddie countries buying nation-state capabilities. I looked at this, this system called Pegasus, and I think Saudi Arabia, who essentially sent a text to Jeff Bezos, and they have full access to his phone, and I did that and they got some Antonov racy underwear photos of the guy that made it into the National Enquirer. I think this is because I looked at Pegasus and I was like, my, how much does it cost? And a basic install is five hundred grand. So you don't have to be Saudi Arabia and have a two-billion-dollar cybersecurity program running in your country. You can just be a really rich a-hole who's like, look, I want to blackmail this world leader,
celebrity, whatever it is, because I'll make my phone a grand back. Are you getting them to make forty-five million bucks off of this by threatening to release photos of the first you're so and so on. Media that are just gonna pay this so far thousand? Our investment to have a cybersecurity company get me access to somebody's phone or multiple people's phones, unfettered. It's like, it's an obvious sort of good, in air quotes, investment if you're a criminal record, tryin' screen it, but like, are you really screening it? Do you really look at the target, or do you just hand over the installer? It's good for one or two phones. I mean, I don't really know, but there's no way to detect it in the phone, I checked, at least if you're a victim. Maybe if you're working at the NSA they can take a look at it, but you can't find it. You can't defend against it. It does what it does, and it's like, we're really this helpless? And this is private companies selling this. It's not a hacker where you pay in Bitcoin, you frickin' wire them the money to Israel or whatever. Yeah, I don't know if the Jeff Bezos hack came down to Pegasus,
but certainly, you know, we know that the Saudis used Pegasus to spy on confidants of Jamal Khashoggi, and that's part of the reason they were able to track his communications and find out he was going to go to the embassy that day that he was picked up, tortured and dismembered. And yeah, I worry a lot about Pegasus. So this is spyware for your phone that's manufactured by this Israeli company called NSO Group, and they're selling it to the Saudis. They've sold it to the United Arab Emirates, who've used it on a lot of dissidents and journalists. Mexico uses this. We don't necessarily think of Mexico as an authoritarian government, but a few years ago I started getting calls from people who were reading my stories about Pegasus in Mexico, and they said, I think I've been getting those same messages that, you know, the U.S., using to spy on dissidents' phones. And all of these people were calling, and
they were nutritionists, they were doctors, they were consumer rights activists, and it was like, why would these people have nation-state-level spyware on their phones? Well, it took a couple months, but I put them in touch with Citizen Lab, which was able to do the forensics to find out that, yes, they did have Pegasus installed on their phones. And what did they have in common? They were all people who, at one point or another, had publicly advocated for a soda tax in Mexico, where Coca-Cola and Pepsi maintain some of the largest market share. A soda tax? Yeah. So here is someone, clearly, you know, NSO says it just sells to governments. Well, someone in Mexico's government was clearly getting kickbacks from someone in the soda, sugar industry and was using this nation-state spyware that's usually reserved for terrorists and pedophiles and criminals, according to NSO Group, that's what their technology is used for, but here was someone using it to intimidate nutritionists from not advocating publicly for a national soda tax.
So there is a lot of room for corruption and misuse of these tools. So when I went back to NSO Group and I said, hey, looks like someone's abusing your spyware to spy on nutritionists and doctors in Mexico, what say you? They said, well, we'll investigate. And I said, hey, so you'll investigate, okay. So how do you know when your spyware is abused? Do you have any way of seeing how your technology's getting used? No. OK, how do you find out when it's being abused? Well, journalists let us know. OK, I'm one of the three journalists who's written about this thing, so basically it'll take me, you know, a year to find out that your spyware's on these nutritionists' iPhones, then I'm gonna do all this reporting, they're going to call you, and then you're gonna investigate. OK, let's say you find out that, yes, they were abusing, someone was abusing it. What do you do? Oh, we'll stop selling to them. OK, but this is hardware, right? You, you sell this hardware to these government agencies. How do you get it out of their building?
You know, how do you make sure, you can't just go rip it out, right? They're not gonna let you in. Well, yeah, but we can starve them of features and software updates. You know, it's clear that, even when there are clear cases of abuse, there's no kill switch for the spyware. These customers and government agencies will just hold on to it for as long as they can, and we just see that same song and dance play out over and over and over and over again, and not just with NSO Group, which is one of the more expensive players in this space and one of the more sophisticated ones. Below them, there are hundreds of other spyware companies that are selling to countries that have even poorer human rights records than the Saudis and Mexico, and no one, there's no oversight over this market at all. That's insane. The idea that it's gonna take years to catch up, and then they're gonna go, well, that's it, we're not sending you the update patch that has the ability to change the app icons or whatever. I'm like, it still frickin' works. My parents
are still using, you know, older iPhones, like, I don't need an update. Okay, so what? We just let them have spyware hacking hardware that maybe in eight years is unusable because it's, it's so dated, then one another. Since he says, you know what, we fixed that problem. That was terrible. We, we fired that guy, he's gone. We want the new stuff, though, here's a check. Ah, fine, we believe you, because we want for five million dollars for the new shit. I mean, come on. Let's be realistic here, it's insane. I also know that a lot of these countries are getting hackers from overseas. You mentioned in the book that there are, like, shady jobs where they kind of fly in, I don't know, I don't hate it. A country, and then they're innocent. Let's Qatar, and they're like, gonna be doing infosec, great. Oh, by the way, it's all against dissidents and people that we don't like, we're probably gonna throw them in prison and they're gonna die there. And they're like, you know, I'm gonna head back to New York, that's going to be a no from me, dog. But a lot of people stay and take the check, right? Yeah.
Finally, now, just to Qatar's credit, they were actually the victim of an eye so So that's why I don't want a name. I screwed, I think one like the good guy. Can we at least in that, rather not there. Really. The good guy, OK. They're, we later learned that actually they were paying off FIFA officials to hold the World Cup in all this famine. Second, what happened was we'll have been whereas there are these NSA analysts, operators, who start to get job offers from contractors around the Beltway who say, hey, we're gonna pay four times, or at least double, what you're getting at NSA, and we're gonna give you all sorts of fun perks, come join us. So they join them. They say, OK, we're gonna fly you out to our satellite office in Abu Dhabi, and you'll be doing the exact same work you were doing at the NSA. You're gonna make sure that you're spying
on terrorists and you're defending the UAE from cyber threats. Okay, it doesn't sound bad, you're getting four hundred thousand dollars a year. They fly over there, and at first, sure, they are tracking terror cells and ISIS cells in the Middle East, and that's pretty much like what they were doing at the NSA. Well, then very quickly it became, we think Qatar is actually funding the Muslim Brotherhood, and we think they're actually buying off FIFA to host the World Cup. Can you prove that? And these NSA guys were like, OK, well, this doesn't sound too far afield from what I was doing earlier, so OK, but I'll have to hack into Qatar's systems. Sure, go for it. So they hack into Qatar's systems, and the story one of these former NSA guys told me was that, you know, here they are, they're getting into Qatari royals' emails and tracking flight itineraries and seeing who they're meeting with, all the kinds of things that you would need to do to see if they're funding the Muslim Brotherhood, and at one point,
Michelle Obama, who was then First Lady, was planning a trip to Qatar to speak about her Let Girls Learn initiative, and she's emailing personal notes to this Qatari sheikha, and they're trading emails back and forth, when the person who's reading them is an American former NSA hacker stationed in Abu Dhabi, who's like, what the hell am I doing here? And God, he is one of the few to say, what the hell am I doing here, and left. But a lot of them stayed, and who knows what communications they've caught in their dragnet by now? But that's the state of play now, is that even former NSA hackers who were trained up on our taxpayer dollars are now over. You, spying on Americans or whoever gets caught in their dragnet. And it's just a great visual example of just how out of control this spyware market has become, the market for hackers and their capabilities,
that a former NSA hacker happened to be sitting there reading Michelle Obama's emails from some villa outside Abu Dhabi. That is, fucking, because it just shows you that once they get it, it's sort of mission creep, right? I'm sure they got it to track ISIS, and now they're like, whoa, this is pretty awesome. Why don't we use this for this and that, I mean, just to see if there is an issue, we're not gonna do anything. And then it's like, well, now we can look at everyone. It's kind of like, you mentioned this in the book, there's signals intelligence, there's human intelligence, and then there's, like, the joke, the parody, love intelligence, where people are like, hey, I'm using this to track terrorists, but they're like, what is my, whatever, my ex-girlfriend doing, right? Like, what is she up to? I couldn't find her on Facebook. Let me just look, her credit sucks, I wonder why that is. Let me just take a look at this information. Wow, she got fired from this job, she's been up to no good. You know, and you're just, then someone says, we should be doing that, but wait a minute, what is my ex-boyfriend up to, right? So there's this mission creep. You think
it's not going to be a big deal, and then it's like, dot dot dot, you're spying on people that are supposed to have your communication, you're using this to go after a dissident to keep a regime in power that maybe doesn't like her Rosamond. It's like, it's horrifying, because it's, it really is dot dot dot chopped up with a bone saw when it comes to this kind of thing, and I'm gonna make light of that, but that's how this goes. Yeah, and you know, there was a story, my colleagues at the Times said, I think it was last week, everything's sort of blurred together in the pandemic, about how the Saudi guy who dismembered Jamal Khashoggi received paramilitary training in the United States, and that was a big shock and it sent shockwaves out. Well, the same thing has been happening digitally for a long time. We've been sending our best and brightest over to Abu Dhabi and to and were training, you know, their nation state there's under the auspices of the war on terrorism,
wires that our allies in the Gulf, in the Middle East, have these same capabilities, without thinking that one day they might think, oh well, we have these capabilities, and this person is saying something on Twitter about us that we don't like, we're gonna turn these capabilities on them. And I tell that story at one point in my book of Ahmed Mansoor, who we call the million-dollar dissident because any kind of spyware on the market has been found on this guy's phone: NSO Group's Pegasus, Hacking Team's tool, another European spyware company's, all that spyware has been found on his phone. And what he said to me always, when I last interviewed him before he was locked up and thrown in solitary confinement, was, you might think you're just a voting rights activist, but one day you're gonna find that someone somewhere has labelled you a terrorist and they're justifying the use of all of these tools
on you and your family, and you might not think of yourself as a terrorist, and every other country may not think of yourself as a terrorist, but it doesn't matter. You know, at some point, you're gonna get locked up and thrown in solitary confinement. And so to me, Ahmed Mansoor is really the canary in the coal mine, saying, we've got to pay attention to this. We've got to have rules over who we're training up, who we're selling these tools to. I actually think the United States, as, you know, the government that sort of kicked off this market long ago and is still one of the biggest sponsors of zero days and spyware technology, I actually think it's time for us to use the power of our purse to say we're not going to do business with any company that sells its tools to oppressive governments, and I think we need to rework our idea of what an oppressive government is. It's not just Iran and North Korea. It's the Saudis,
it's the Emiratis, it's the Qataris, it's the Egyptians. You know, we should not be training their intelligence teams to do this level of cyber war and digital espionage. We just shouldn't. And maybe it's inevitable they'll get those tools somewhere else, you know, we hold ourselves to a higher standard here. We're just not meeting it globally, not in this realm. We saw how the Shadow Brokers theft of all those exploits led to ransomware attacks on British hospitals, all these different types of businesses that had nothing to do with any. They are trying to extort money out of Emily. It really is kind of like proliferation. Once these bad actors get it, they're like, I don't care, a bunch of people in Britain die, who gives a crap, I want four million dollars. You know, I don't care. You're not dealing with Joey, rational actors that are thinking at the sort of nation-state level. You're dealing with somebody who is the equivalent of me, but grew up in rural Ukraine, or, or a small town in Ukraine, and they're like, so I never
have to work again, they'll figure out the whole thing, I just want to put this into play. And then it gets out of hand, especially when you get multiple players involved. North Korea's been hacking cryptocurrency exchanges to get money also they can assume so they can buy weapons and keep working on nukes and things like that. I mean, they don't have any scruples about selling weapons, chemical weapons, to Syria, for example. If they can get money, they don't care at all. So having these weapons in these different hands is really horrible. But I guess that leads to, sort of, my final question here, which was: what would you say is the timeline for just a massive cyber attack against the United States? Not against Sony, you know, stealing movies or whatever, Fortune five hundred companies, but against our grid, our critical infrastructure? Where do you think it'll come from, and when do you think it might come? I mean, you gotta have an idea, right? So this is the question I'd ask everyone when I first started cybersecurity. I'd ask everyone, I said, so how long until we have this cyber-induced kinetic cataclysmic attack that costs lives?
and ten years ago everyone had the same answer, almost ludicrously. They always said: eighteen to twenty-four months, Nicole, we're going to see this in eighteen to twenty-four months. And you know, it was just far enough that if it didn't happen, I might not hold them to the prediction, and it was just close enough to add urgency. Okay, so now we're ten years later, we haven't had that big one. Why? Why do you think that is? Well, I think a couple reasons, but you know, for one, I think that we sort of set up this very fuzzy, ill-conceived form of mutually assured digital destruction. Russia is very clearly in our power grid. We've caught them with their fingers on the switches. They breached Wolf Creek, which is a nuclear plant in Kansas. They reported that a couple years ago, and so the United States. Couple years ago we broke the story that Cyber Command had been hacking into the Russian grid as a show of force. You know, to say: you turn off the lights here, you do anything to our nuclear plant,
we'll do the exact same to you, you better watch out. So maybe that's how, maybe that has deterred Russia proper, the GRU, from turning off the lights here. OK, but they're not missing the capabilities of the act. They have all the ingredients to pull this off. So I think maybe mutually assured digital destruction has kept them from doing so. So what I worry about now, though, is something much more akin to the Colonial Pipeline attack. I think that actually laid out a new playbook. I think that, you know, here was a cybercriminal group, we think based in Russia, that hit the IT system at Colonial Pipeline, so Colonial Pipeline, you know, without billing, down the pipeline itself. May I got my hands on a classified DOE assessment that said we could have only afforded two more days or three more days' downtime from the pipeline being offline before chemical factories ground to a halt because they can't get diesel, or mass transit star
You know, really ground the economy to a halt. And so I think the playbook that was exposed there was: Russia probably doesn't need to come bomb a pipeline here, or use digital means to cause some kind of explosion on the Colonial Pipeline. They can just encourage their cybercriminals to come after the companies that run our food supply, our water supply, our pipelines. They don't even necessarily need to hit the operation system itself. They can just hold up the IT systems, and then all of a sudden we're running out of gas and jet fuel and diesel, and we can't trust our water supply, and we can't get meat ahead of the July Fourth holiday. Like, all of those things just happened. No Cadbury eggs anymore. Yeah.
No Cadbury eggs anymore before Easter. Now, all of those things are happening, is that we think they were Russia-enabled, potentially encouraged, but not directed. But I think the new playbook is that Russia says, if we respond aggressively to any one of these attacks, I think the Russian response would be: go to town, guys. Here is a list of them. under the targets that we already have access to. Hit 'em, hit 'em hard, but do it in a way that gives us a level of plausible deniability but has the exact same downstream effects. And every single week we got closer and closer to that end. We haven't seen those ransomware attacks play in any kind of coordinated way, but we're getting closer and, you know, as long as there is a new playbook there, no, mutually assured digital destruction doesn't work, because how do you respond when it's a private cybercriminal group in Russia, in Romania or Ukraine, doing it? You know, I don't know. And I think some of the interesting discussions in
the administration right now are: we invaded Afghanistan because they were harbouring the Taliban. At what point do we go after a nation state because they're harbouring this kind of cybercriminal that's causing this much destruction here? The problem is that we can go after that, whatever that means, take them offline, turn off the grid, etc., etc. But we stopped running. fact that we're so vulnerable, we haven't even bothered to turn on two-factor authentication, and Russia can say what they had ass. We're just gonna go hit them, and then you get into the cycle of escalation. And that's what I worry about, is the cycle of escalation, and I think we're getting dangerously close to that. And I would say, within the next five years, I'll be safe. I'm not going to say twenty-four to forty-eight months, but we're getting close enough that I think we're going to see a cyber attack within the next four years, an event that causes substantial loss of life, and we have not adjusted
our threat calculus around that possibility, and we have not even adjusted the levers we would need to get to the place where we need to be in terms of our cyber defence. Any time we try to regulate that companies need a basic standard of cyber security, lobbyists have pushed it down and kicked it down, and so we're left in this very fuzzy place where we can recommend best practices for the private sector and they'll take it or leave it. And though, one of the pieces, small pieces
of good news, I would say, in the last couple months is President Biden signed a cyber executive order, and in it was a paragraph aimed at federal contractors that said: you guys can self, sort of, we'll come up with a set of guidelines. You can self-certify that you meet those guidelines, that you have two-factor authentication, that you're using updated software, your password managers, etc., etc. But if we catch you lying to us, you know, if you get caught up in a ransomware attack that came in, because you can update your software, you're banned from ever doing business with the federal government again. Which, in Colonial Pipeline's case, because their pipeline butts up against all sorts of federal systems, would have made them commercially unviable. Sets a powerful Staten who to get companies to really raise the bar when it comes to cyber security. So I don't know if it'll work, but it's a clever way of working around our existing political landscape, and I hope at least, you know, it raises the bar. Along with some of the cyber insurance issues that we talked about earlier, hopefully, doesn't
encourage the companies to hide shit and lie about it. You hurry, I mean us another option. I can I go. We owe oaks, we didn't do that, don't tell anyone. Yeah! Well, that's the thing, though, is that another piece of that executive order is they said we're gonna create a National Transportation Safety Board for cyber, just like when a plane crashes and we do a forensic investigation of their black box. We're gonna do that for major cyber incidents. That's good, that's gonna get harder to hide. The other piece of good news is that ransomware attacks are really hard to hide, because for years, for decades even, companies have been burying their Chinese IP theft, right, and some of these Russian probes. But ransomware's different. Not only are they holding company systems hostage and taking them offline, they're actually doing this double extortion scheme recently, where they dump some of their data online and extort them twice, saying: you will pay us once to give you access to your data back, pay us twice to
delete the data we already stole, and we'll stop leaking it out online. So that made it really hard for these companies to hide this attack. Just today saw a major call company is now hit with ransomware, and the only reason we know that is because their data started showing up on the Russian REvil group's Happy Blog, is what they call it. And so it's getting harder to hide, and so in some ways, as sad as that is to say, ransomware is a blessing in disguise, because finally Americans are seeing the extent of our digital vulnerability, and finally we're asking these questions that most of us who have been paying attention had been asking for the last decade, which is: Why aren't we more secure? Why are we not meeting this base level of cyber security? Why don't we know what's in our government systems and in our software that touches our networks? Why don't we know where that software is made wire? We secure
Where were the grants to make sure state and local agencies that run elections can actually be convinced that they have any level of cyber security? So, you know, in sum it is good news, but we're in for a lot of short-term pain, I think, over the next couple years, until some of those policies play out. Now, thank you very much. Fascinating topic, little bit scary, but I think we all kind of need to be. We need to have our head on a swivel for this sort of thing, because there are probably people out there who are using the same password they used for their Gmail or their Wi-Fi network on their SCADA command and control system for the power grid company that they work for. And, like, you're the weak link if you are doing that kind of thing, right? You are the reason people might die because the chapter on their work on in the mill July, because you're too lazy to change your password or you keep it on a sticky note on your desktop or it's your birthday. Ramey. We see things that these are just two examples. We see real things like that and now blogging realise not only can cost their company,
two hundred million dollars, but it could kill people here, and I think that's something we need to be aware of. Yeah, anyhow, it's a little bit like the pandemic, and that is another sort of piece of good news, in that people are thinking along these lines. But, like you saw in the pandemic, governments can only play so much of a role. A lot of it came down to what businesses were doing, how they were able to continue to run their operations, the development of a vaccine, and then a lot of it just came down to us wearing masks and social distancing. And there's the added similarity that a lot of people, because they can't see the pandemic, didn't believe it exists, and same in cyber. You know, a lot of it comes down to personal responsibility. A lot of these attacks come through an employee's stolen password or them forgetting to turn on two-factor authentication or to update their software, whatever it is. So until people realise that they have accountability, that they have an individual responsibility to protect their businesses, their homes, but also
a government agencies, to a certain extent, we're not gonna get anywhere. Thank you very much. Now, I've got some thoughts on this, but before we get into that, here's what you should check out next on The Jordan Harbinger Show. It is not an optional lifestyle luxury. Sleep is a non-negotiable biological necessity. Sleep is a life support system. It is Mother Nature's best effort yet at immortality, and the decimation of sleep throughout industrialized nations is now having a catastrophic impact on our health, our wellness, as well as the safety and the education of children. It is a silent sleep loss epidemic, and I would contend that it is fast becoming the greatest public health challenge that we now face in the twenty-first century. The evidence is very that when we delay school start times, academic grades increase, behavioral problems decrease, truancy rates decrease, psychological and psychiatric issues decrease. But what we also found, which
didn't expect in this, is that the life expectancy of students increased. So if our goal as educators truly is to educate and not risk lives in the process, then we are failing our children in the most spectacular manner with this incessant model of early school start times. And by the way, seven thirty a.m. for a teenager is the equivalent
for an adult waking up at four thirty or three thirty in the morning. If you're trying to survive or regularly getting five hours of sleep or less, you have a sixty-five percent risk of dying at any moment in time. When you wake up the next day, you have a revised mind-wide web of associations, a new associative network, a rebooted iOS that's capable of divining remarkable insights into previously impenetrable problems. And it is the reason that you will never be told to stay awake on a problem. Instead, you're told to sleep on a problem. For more on sleep, including why we dream and how we can increase the quality of our sleep, check out episode number one twenty-six with Dr. Matthew Walker here on The Jordan Harbinger Show. Talked about this a lot here on the show. I did an episode with Chris Hadnagy on social engineering. We did
for twenty eight with Jenny Radcliffe. There are so many things going on in the cyber warfare landscape. Y'all probably heard of Stuxnet, where a computer virus totally messed up Iran's nuclear centrifuges. That was a horse. I could do a whole show on this. It was just an amazing, amazing cyber weapon. Of course, now the United States is even more vulnerable to these same tools and we're totally unprepared, as you can tell from the conversation here. There are certain major cyber warfare groups from the United States and otherwise that say things like what Snowden leaked about the United States, especially the saying what they could do, was low level, and there is so much more. Imagine what they mean by that, if the Edward Snowden leaks were low level compared to what we can actually do in this domain. Knowledge is hope, that's being used where it needs to be used and not just against United States citizens. I won't say not being used at all against our citizens, because I think we're beyond that level of naivete, right? Hopefully it's just not entirely focused on
violating our privacy and our civil rights. Of course, now, post-Stuxnet, Iran has come after us. They're going after our grid, our power, our water, and just the damage, the potential damage of this is terrifying, about. So what do we need to do? We need to become more cyber literate, so you don't give up our passwords, because that is still the common vector for attack. Unbelievable. Freaking unbelievable. We need tax credits for more secure software so that companies don't look at it as just an unnecessary cost centre that may never return. We need to invest in cybersecurity both in the government and not leave it up to private companies who can't afford to do it and don't have the resources. We may need a digital Geneva Convention. But again, let's focus on the legal aspects of this after we focus on keeping the barbarians away from the gate. Ha. We also need rules for contractors not to teach foreign governments that might use them against Americans, although that's kind of maybe robot, disingenuous, considering where all this garbage is coming from in the first place, am I right? Everyone who's not American, what do you think?
No sharing of zero days and hacker knowledge with oppressive regimes. You'd think this would be an obvious one, but if we've got totalitarian, authoritarian regimes bidding against this, we need to make it illegal for companies to sell weapons to them, just like it is for them to sell nukes and bombs and other weapons to them. These cyber weapons are just as dangerous, if not more so. Last but not least, keep an eye on your own backyard, make sure you are aware of the phishing and, for God's sake, get the spyware off your computer. Outside this one day, and I said, the sailor show before, one day we interviewed, let's say, a political operative, and after the show his assistant, who was a total moron, left the computer on and left Skype on, this is when we're using Skype, and I came back to say files later on after I've gotten a drink or possibly even a meal, and I realized I'm still looking at this guy's bedroom, and in he walks, drops his pants and rolls up a fat assed joint.
Now, I deleted that footage, because I knew deep down that I wasn't just. I just wasn't strong efforts. come to temptation and then my kids asking me about those Google results in ten years, when I ended up selling that video to the National Enquirer or, you know, whoever else would pay for it. Realize what I'm telling you this, and I thought I had a connection to today's show, but now I think I'm just going through a cathartic experience here. Thanks so much for this, and thanks so much to Nicole Perlroth for coming on the show. Her book is called This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Links to have stifled, the website in the show notes. Please use our website links if you buy the books from the guests on the show. It does help support us. It all adds up. Worksheets for the episode in the show notes, transcripts in the show notes. There's a video of this interview going up on our YouTube channel at jordanharbinger.com/youtube. We also have a brand new clips channel with cuts that don't make it to the show or highlights from the interviews that you can't see anywhere else. jordanharbinger.com/clips is where you can find that. I'm
@JordanHarbinger on Twitter, Instagram, or just hit me on LinkedIn. I'm teaching you how to connect with amazing people, all the same software, those tiny habits that I use, in other words, teaching you to dig the well before you're thirsty. That's in our Six-Minute Networking course, which is free. jordanharbinger.com/course is where you'll find it. Most of the guests on the show subscribe to the course. Come join, you'll be in smart company where you belong. The show is created in association with PodcastOne. My team is Jen Harbinger, Jase Sanderson, Robert Fogarty, Millie Ocampo, Ian Baird, Josh Ballard and Gabriel Mizrahi. Remember, we rise by lifting others. The fee for the show is that you share it with friends when you find something useful or interesting. If you know somebody who's interested in cyber warfare, hacking, definitely share this episode. I hope you find something great in every episode. Please do share the show with those you care about. In the meantime, do your best to apply what you hear on the show, so you can live what you listen, and we'll see you next time.
Transcript generated on 2022-03-06.