2 hours 1 minute 34 seconds
Speaker 1
00:00
If one site is hacked, you can just unleash all hell.
Speaker 2
00:03
We have stumbled into this new era of mutually assured digital destruction.
Speaker 1
00:09
How far are people willing to go?
Speaker 2
00:11
You can capture their location, you can capture their contacts, record their telephone calls, record their camera without them knowing about it. Basically you can put an invisible ankle bracelet on someone without them knowing. You could sell that to a zero-day broker for $2 million.
Speaker 1
00:34
The following is a conversation with Nicole Perlroth, cybersecurity journalist and author of This Is How They Tell Me The World Ends: The Cyberweapons Arms Race. This is the Lex Fridman Podcast. To support it, please check out our sponsors in the description.
Speaker 1
00:50
And now, dear friends, here's Nicole Perlroth. You've interviewed hundreds of cybersecurity hackers, activists, dissidents, computer scientists, government officials, forensic investigators, and mercenaries. So let's talk about cybersecurity and cyber war. Start with the basics.
Speaker 1
01:10
What is a zero-day vulnerability? And then a zero-day exploit or attack?
Speaker 2
01:18
So at the most basic level, let's say I'm a hacker and I find a bug in your iPhone iOS software that no one else knows about, especially Apple. That's called a zero-day because the minute it's discovered, engineers have had zero days to fix it. If I can study that zero-day, I could potentially write a program to exploit it.
Speaker 2
01:45
And that program would be called a zero-day exploit. And for iOS, the dream is that you craft a zero-day exploit that can remotely exploit someone else's iPhone without them ever knowing about it. And you can capture their location, you can capture their contacts that record their telephone calls, record their camera without them knowing about it. Basically, you can put an invisible ankle bracelet on someone without them knowing.
Speaker 2
02:15
And you can see why that capability, that zero-day exploit would have immense value for a spy agency or a government that wants to monitor its critics or dissidents. And so there's a very lucrative market now for zero-day exploits.
Speaker 1
02:31
So you said a few things there. One is iOS. Why iOS?
Speaker 1
02:36
Which operating system? Which one is the sexier thing to try to get to, or the most impactful thing? And the other thing you mentioned is remote versus, like, having to actually come in physical contact with it. Is that the distinction?
Speaker 2
02:50
So iPhone exploits have just been a government's number one priority. Recently, actually, the price of an Android remote zero-day exploit, something that can get you into Android phones, is actually higher. The value of that is now higher on this underground market for zero-day exploits than an iPhone iOS exploit.
Speaker 2
03:15
So things are changing.
Speaker 1
03:16
So there's probably more Android devices, so that's why it's better. But on the iPhone side, if I, so I'm an Android person, because I'm a man of the people. But it seems like all the elites use iPhone, all the people at nice dinner parties.
Speaker 1
03:33
So is that the reason that like the more powerful people use iPhones, is that why?
Speaker 2
03:38
I don't think so. I actually, so it was about 2 years ago that the prices flipped. It used to be that if you could craft a remote, zero-click exploit for iOS, then that was about as good as it gets.
Speaker 2
03:55
You could sell that to a zero-day broker for $2 million. The caveat is you can never tell anyone about it because the minute you tell someone about it, Apple learns about it, they patch it, and that $2.5 million investment that that zero-day broker just made goes to dust. So a couple years ago, and don't quote me on the prices, but an Android zero-click remote exploit for the first time topped the iOS. And actually, a lot of people's read on that was that it might be a sign that Apple's security was falling and that it might actually be easier to find an iOS zero-day exploit than find an Android zero-day exploit.
Speaker 2
04:48
The other thing is market share. There are just more people around the world that use Android. And a lot of governments that are paying top dollar for zero-day exploits these days are deep-pocketed governments in the Gulf that want to use these exploits to monitor their own citizens, monitor their critics, and so it's not necessarily that they're trying to find elites, it's that they want to find out who these people are that are criticizing them or perhaps planning the next Arab Spring.
Speaker 1
05:21
So in your experience, are most of these attacks targeted to cover a large population, or are there attacks that are targeted towards specific individuals?
Speaker 2
05:31
So I think it's both. Some of the zero-day exploits that have fetched top dollar that I've heard of in my reporting in the United States were highly targeted.
Speaker 2
05:41
You know, there was a potential terrorist attack. They wanted to get into this person's phone. It had to be done in the next 24 hours.
Speaker 2
05:47
They approached hackers and said, we'll pay you X millions of dollars if you can do this. But then you look at when we've discovered iOS zero-day exploits in the wild, some of them have been targeting large populations like Uyghurs. So a couple years ago, there was a watering hole attack. Okay, what's a watering hole attack?
Speaker 2
06:12
There's a website. It was actually, it had information aimed at Uyghurs, and you could access it all over the world. And if you visited this website, it would drop an iOS zero-day exploit onto your phone. And so anyone that visited this website that was about Uyghurs, anywhere, I mean Uyghurs living abroad, basically the Uyghur diaspora, would have gotten infected with this zero-day exploit.
Speaker 2
06:44
So in that case, they were targeting huge swaths of this one population, or people interested in this one population, basically in real time.
Speaker 1
06:57
Who are these attackers? From the individual level to the group level, psychologically speaking, what's their motivation? Is it purely money?
Speaker 1
07:07
Is it the challenge? Are they malevolent? Is it power? These are big philosophical human questions, I guess.
Speaker 2
07:15
So these are the questions I set out to answer for my book. I wanted to know, are these people that are just after money? If they're just after money, how do they sleep at night, not knowing whether that zero-day exploit they just sold to a broker is being used to basically make someone's life a living hell.
Speaker 2
07:38
And what I found was there's kind of this long, sordid history to this question. You know, it started out in the 80s and 90s when hackers were just finding holes and bugs in software for curiosity's sake, really as a hobby. And some of them would go to the tech companies like Microsoft or Sun Microsystems at the time, or Oracle. And they'd say, hey, I just found this zero-day in your software and I can use it to break into NASA.
Speaker 2
08:08
And the general response at the time wasn't, thank you so much for pointing out this flaw in our software, we'll get it fixed as soon as possible. It was, don't ever poke around our software ever again, or we'll stick our general counsel on you. And that was really sort of the common thread for years. And so hackers who set out to do the right thing were basically told to shut up and stop doing what you're doing.
Speaker 2
08:40
And what happened next was they basically started trading this information online. Now, when you go back and interview people from those early days, they all tell a very similar story, which is they're curious, they're tinkerers. You know, they remind me of like the kid down the block that was constantly poking around the hood of his dad's car. You know, they just couldn't help themselves.
Speaker 2
09:06
They wanted to figure out how a system is designed and how they could potentially exploit it for some other purpose. It doesn't have to be good or bad. But they were basically kind of beat down for so long by these big tech companies that they started just silently trading them with other hackers. And that's how you got these really heated debates in the 90s about disclosure.
Speaker 2
09:35
Should you just dump these things online? Because any script kiddie can pick them up and use it for all kinds of mischief. But, you know, don't you want to just stick a middle finger to all these companies that are basically threatening you all the time. So there was this really interesting dynamic at play.
Speaker 2
09:53
And what I learned in the course of doing my book was that government agencies and their contractors sort of tapped into that frustration and that resentment. And they started quietly reaching out to hackers on these forums. And they said, hey, you know that zero-day you just dropped online, could you come up with something custom for me? And I'll pay you six figures for it, so long as you shut up and never tell anyone that I paid you for this.
Speaker 2
10:24
And that's what happened. So throughout the 90s, there was a bunch of boutique contractors that started reaching out to hackers on these forums and saying, hey, I'll pay you six figures for that bug you were trying to get Microsoft to fix for free. And sort of so began, or so catalyzed, this market where governments and their intermediaries started reaching out to these hackers and buying their bugs for free. And in those early days, I think a lot of it was just for quiet counterintelligence, traditional espionage.
Speaker 2
11:00
But as we started baking the software, Windows software, Schneider Electric, Siemens industrial software, into our nuclear plants and our factories and our power grid and our petrochemical facilities and our pipelines, those same zero-days came to be just as valuable for sabotage and war planning.
Speaker 1
11:24
Does the fact that the market sprang up and you can now make a lot of money change the nature of the attackers that came to the table? Or grow the number of attackers? I mean, what is, I guess, you told the psychology of the hackers in the 90s, what is the culture today?
Speaker 1
11:42
And where is it heading?
Speaker 2
11:44
So I think there are people who will tell you they would never sell a zero-day to a zero-day broker or a government. One, because they don't know how it's going to get used when they throw it over the fence. You know, most of these get rolled into classified programs and you don't know how they get used.
Speaker 2
12:01
If you sell it to a zero-day broker, you don't even know which nation state might use it. Or potentially which criminal group might use it if you sell it on the dark web. The other thing that they say is that they wanna be able to sleep at night. And they'd lose a lot of sleep if they found out their zero-day was being used to make a dissident's life a living hell.
Speaker 2
12:25
But there are a lot of people, good people, who also say, No, this is not my problem. This is the technology company's problem. If they weren't writing new bugs into their software every day, then there wouldn't be a market. You know, then there wouldn't be a problem.
Speaker 2
12:42
But they continue to write bugs into their software all the time, and they continue to profit off that software. So why shouldn't I profit off my labor too? And one of the things that has happened, which is I think a positive development over the last 10 years, are bug bounty programs. You know, companies like Google and Facebook and then Microsoft and finally Apple, which resisted it for a really long time, have said, okay, we are gonna shift our perspective about hackers, we're no longer going to treat them as the enemy here.
Speaker 2
13:18
We're going to start paying them for what is essentially free quality assurance. And we're going to pay them good money in some cases, you know, six figures in some cases. We're never going to be able to bid against a zero-day broker who sells to government agencies. But we can reward them and hopefully get to that bug earlier, where we can neutralize it so that they don't have to spend another year developing the zero-day exploit, and in that way we can keep our software more secure.
Speaker 2
13:48
But every week I get messages from some hacker that says, I tried to see this zero-day exploit that was just found in the wild, being used by this nation state. I tried to tell Microsoft about this 2 years ago and they were gonna pay me peanuts, so it never got fixed. You know, there are all sorts of those stories that can continue on. And, you know, I think just generally, hackers are not very good at diplomacy.
Speaker 2
14:19
You know, they tend to be a pretty snipey, technical crowd, and very philosophical in my experience. But, you know, diplomacy is not their strong suit.
Speaker 1
14:31
Well, there almost has to be a broker between companies and hackers where you can translate effectively, just like you have a zero-day broker between governments and hackers. Yeah. Because you have to speak their language.
Speaker 2
14:43
Yeah, and there have been some of those companies who've risen up to meet that demand. And HackerOne is one of them, Bugcrowd is another, Synack has an interesting model. So that's a company that you pay for a private bug bounty program, essentially.
Speaker 2
14:59
So you pay this company, they tap hackers all over the world to come hack your software, hack your system. And then they'll quietly tell you what they found. And I think that's a really positive development. And actually the Department of Defense hired all three of those companies I just mentioned to help secure their systems.
Speaker 2
15:21
Now, I think they're still a little timid in terms of letting those hackers into the really sensitive high side classified stuff, but you know, baby steps.
Speaker 1
15:33
Just to understand what you were saying, you think it's impossible for companies to financially compete with the zero-day brokers with governments? So like, the defense can't outpay the hackers?
Speaker 2
15:47
It's interesting, you know, they shouldn't outpay them. Because what would happen if they started offering $2.5 million at Apple for any zero-day exploit that governments would pay that much for, is their own engineers would say, why the hell am I working, you know, for less than that and doing my 9 to 5 every day? So you would create a perverse incentive.
Speaker 2
16:14
And I didn't think about that until I started this research and I realized, okay, yeah, that makes sense. You don't want to incentivize offense so much that it's to your own detriment. And so I think what they have though, what the companies have on government agencies is if they pay you, you get to talk about it. You know, you get the street cred.
Speaker 2
16:38
You get to brag about the fact you just found that $2.5 million iOS zero-day that no one else did. And if you sell it to a broker, you never get to talk about it. And I think that really does eat at people.
Speaker 1
16:52
Can I ask you a big philosophical question about human nature here? So if you have, in what you've seen, if a human being has a zero-day, they found a zero-day vulnerability that can hack into, I don't know, what's the worst thing you can hack into? Something that could launch nuclear weapons.
Speaker 1
17:15
Which percentage of the people in the world that have the skill would not share that with anyone, with any bad party? I guess how many people are completely devoid of ethical concerns in your sense? So my belief is all the ultra-competent people or very, very high percentage of ultra-competent people are also ethical people. That's been my experience, but then again, my experience is narrow.
Speaker 1
17:46
What's your experience been like?
Speaker 2
17:48
So this was another question I wanted to answer. You know, who are these people who would sell a zero-day exploit that would neutralize a Schneider Electric safety lock at a petrochemical plant? Basically the last thing you would need to neutralize before you trigger some kind of explosion.
Speaker 2
18:07
Who would sell that? And I got my answer. Well, the answer was different. A lot of people said, I would never even look there because I don't even want to know. I don't even want to have that capability.
Speaker 2
18:23
I don't even want to have to make that decision about whether I'm going to profit off of that knowledge. I went down to Argentina, and this whole kind of moral calculus I had in my head was completely flipped around. So just to back up for a moment, Argentina actually is a real hacker's paradise. People grew up in Argentina and, you know, I went down there, I guess I was there around 2015, 2016, but you still couldn't get an iPhone.
Speaker 2
18:56
You know, they didn't have Amazon Prime, you couldn't get access to any of the apps we all take for granted. To get those things in Argentina as a kid, you have to find a way to hack them. And the whole culture is really like a hacker culture.
Speaker 2
19:12
They say like, it's really like a MacGyver culture. You have to figure out how to break into something with wire and tape. And that means that there are a lot of really good hackers in Argentina who specialize in developing zero-day exploits. And I went down to this Argentina conference called Echo Party, and I asked the organizer, okay, can you introduce me to someone who's selling zero-day exploits to governments?
Speaker 2
19:42
And he was like, just throw a stone. Throw a stone anywhere and you're gonna hit someone. And all over this conference, you saw these guys who were clearly from these Gulf states who only spoke Arabic. You know, what are they doing at a young hacking conference in Buenos Aires?
Speaker 2
20:01
And so I went out to lunch with kind of this godfather of the hacking scene there, and I asked this really dumb question, and I'm still embarrassed about how I phrased it. But I said, "So, you know, will these guys only sell these zero-day exploits to good Western governments?" And he said, "Nicole, last time I checked, the United States wasn't a good Western government. You know, the last country that bombed another country into oblivion wasn't China or Iran. It was the United States."
Speaker 2
20:33
So if we're gonna go by your whole moral calculus, you know, just know that we have a very different calculus down here, and we'd actually rather sell to Iran or Russia or China, maybe, than the United States. And that just blew me away. Like, wow. He's like, we'll just sell to whoever brings us the biggest bag of cash. Have you checked into our inflation situation recently?
Speaker 2
20:58
So I had some of those reality checks along the way. We tend to think of things as, is this moral, you know, is this ethical, especially as journalists.
Speaker 2
21:08
You know, we kind of sit on our high horse sometimes and write about a lot of things that seem to push the moral bounds. But in this market, which is essentially an underground market, the one rule is like Fight Club. No one talks about Fight Club.
Speaker 2
21:24
First rule of the zero-day market: nobody talks about the zero-day market, on both sides, because the hacker doesn't want to lose their $2.5 million bounty, and governments roll these into classified programs and they don't want anyone to know what they have. So no one talks about this thing. And when you're operating in the dark like that, it's really easy to put aside your morals sometimes.
Speaker 1
21:48
Can I, as a small tangent, ask you, by way of advice, you must have done some incredible interviews. And you've also spoken about how seriously you take protecting your sources. If you were to give me advice for interviewing when you're recording on mic with a video camera, how is it possible to get into this world?
Speaker 1
22:12
Like, is it basically impossible? So you've spoken with a few people, what is it, like the godfather of cyber war, cybersecurity, so people that are already out. And they still have to be pretty brave to speak publicly. But is it virtually impossible to really talk to anybody who's a current hacker?
Speaker 1
22:34
You're always like 10, 20 years behind?
Speaker 2
22:37
It's a good question, and this is why I'm a print journalist. But, you know, a lot, when I've seen people do it, it's always the guy who's behind the shadows, whose voice has been altered. You know, when they've gotten someone on camera, that's usually how they do it.
Speaker 2
22:56
You know, very, very few people talk in this space. And there's actually a pretty well-known case study in why you don't talk publicly in this space and you don't get photographed, and that's the Grugq. So, you know, the Grugq is or was this zero-day broker, a South African guy who lives in Thailand. And right when I was starting on this subject at the New York Times, he'd given an interview to Forbes and he talked about being a zero-day broker. And he even posed next to this giant duffel bag filled with cash, ostensibly.
Speaker 2
23:31
And later he would say he was speaking off the record, he didn't understand the rules of the game. But what I heard from people who did business with him was that the minute that that story came out, he became PNG'd. No one did business with him. You know, his business plummeted by at least half.
Speaker 2
23:49
No one wants to do business with anyone who's gonna get on camera and talk about how they're selling zero-days to governments. It puts you in danger. And I did hear that he got some visits from some security folks. And it's another thing for these people to consider.
Speaker 2
24:06
If they have those zero-day exploits at their disposal, they become a huge target for nation states all over the world. You know, talk about having perfect OPSEC. You know, you better have some perfect OPSEC if people know that you have access to those zero-day exploits.
Speaker 1
24:27
Which sucks because, I mean, transparency here would be really powerful for educating the world and also inspiring other engineers to do good. It just feels like when you're operating in shadows, it doesn't help us move in the positive direction in terms of like getting more people on the defense side versus on the attack side. But of course, what can you do?
Speaker 1
24:51
I mean, the best you can possibly do is have great journalists, just like you did, interview and write books about it and integrate the information you get while hiding the sources.
Speaker 2
25:02
Yeah, and I think what HackerOne has told me was, okay, let's just put away the people that are finding and developing zero-day exploits all day long, let's put that aside. What about the however many millions of programmers all over the world who've never even heard of a zero-day exploit? Why not tap into them and say, hey, we'll start paying you if you can find a bug in United Airlines software or in Schneider Electric or in Ford or Tesla.
Speaker 2
25:37
And I think that is a really smart approach. Let's go find this untapped army of programmers to neutralize these bugs before the people who will continue to sell these to governments can find them and exploit them.
Speaker 1
25:50
Okay, I have to ask you about this. From a personal side, funny enough, after we agreed to talk, I've, for the first time in my life, been a victim of a cyber attack. So this is ransomware, it's called Deadbolt.
Speaker 1
26:08
People can look it up. I have a QNAP device for basically kind of coldish storage. So it's about 60 terabytes with 50 terabytes of data on it in RAID 5, and apparently about 4 to 5,000 QNAP devices were hacked and taken over with this ransomware. And what the ransomware does there is it goes file by file, almost all the files on the QNAP storage device, and encrypts them.
Speaker 1
26:40
And then there's this very eloquently and politely written page that pops up. You know, it describes what happened. All your files have been encrypted. This includes, but is not limited to, photos, documents, and spreadsheets.
Speaker 1
26:53
Why me? This is, a lot of people commented about how friendly and eloquent this is. And I have to commend them. It is, and it's pretty user-friendly.
Speaker 1
27:05
Why me? This is not a personal attack. You have been targeted because of the inadequate security provided by your vendor, QNAP. What now?
Speaker 1
27:16
You can make a payment of exactly 0.03 Bitcoin, which is about $1,000, to the following address. Once the payment has been made, we'll follow up with a transaction to the same address, blah, blah, blah, they give you instructions of what happens next, and they'll give you a decryption key that you can then use. And then there's another message for QNAP that says, all your affected customers have been targeted using a zero-day vulnerability in your product. We offer you 2 options to mitigate this and future damage.
Speaker 1
27:48
One, make a Bitcoin payment of 5 Bitcoin to the following address, and that will reveal to QNAP, I'm summarizing things here, what the actual vulnerability is. Or you can make a Bitcoin payment of 50 Bitcoin to get a master decryption key for all your customers. 50 Bitcoin is about $1.8 million. Okay.
Speaker 1
28:11
So first of all, on a personal level, this one hurt for me. There's, I mean, I learned a lot because I wasn't, for the most part, backing up much of that data because I thought I can afford to lose that data. It's not like horrible. I mean, I think you've spoken about the crown jewels, like making sure there's things you really protect.
Speaker 1
28:38
And I have, I'm very conscious security wise on the crown jewels, but there's a bunch of stuff, like personal videos, they're not, like I don't have anything creepy, but just like fun things I did that because they were very large or 4K or something like that, I kept them on there thinking RAID 5 will protect it. You know, just I lost a bunch of stuff, including raw footage from interviews and all that kind of stuff. So it's painful, and I'm sure there's a lot of painful stuff like that for the 4 to 5,000 people that use QNAP. And there's a lot of interesting ethical questions here.
Speaker 1
29:18
Do you pay them? Does QNAP pay them? Do the individuals pay them? Especially when you don't know if it's going to work or not.
Speaker 1
29:28
Do you wait? So QNAP said that please don't pay them. We're working very hard day and night to solve this. It's so philosophically interesting to me because I also project onto them thinking, what is their motivation?
Speaker 1
29:48
Because the way they phrased it on purpose, perhaps, but I'm not sure if that actually reflects their real motivation, is maybe they're trying to help themselves sleep at night. Basically saying this is not about you, this is about the company, or the vulnerability, it's just like you mentioned, this is the justification they have. But they're hurting real people. They hurt me, but I'm sure there's a few others that are really hurt.
Speaker 2
30:14
And the zero-day factor is a big one. They are, QNAP right now is trying to figure out what the hell is wrong with their system that would let this in. And even if they pay, if they still don't know where the zero-day is, what's to say that they won't just hit them again and hit you again.
Speaker 2
30:34
So that really complicates things. And that is a huge advancement for ransomware. It's really only been, I think, in the last 18 months that we've ever really seen ransomware exploit 0 days to pull these off. Usually 80% of them, I think the data shows 80% of them come down to a lack of two-factor authentication.
Speaker 2
30:57
You know, so when someone gets hit by a ransomware attack, they don't have two-factor authentication on, you know, their employees were using stupid passwords. Like, you can mitigate that in the future. This one, they don't know, they probably don't know.
Speaker 1
31:11
Yeah, and it was, I guess it's zero-click because I didn't have to do anything. The only thing, well, here's the thing. I did the basics, I put it behind a firewall.
Speaker 1
31:26
I followed instructions. But like, I wasn't, I didn't really pay attention. So maybe there's like, maybe there's a misconfiguration of some sort that's easy to make. It's difficult, we have a personal NAS.
Speaker 1
31:39
So I'm not willing to sort of say that I did everything I possibly could. But I did a lot of reasonable stuff and they still hit it with zero clicks. I didn't have to do anything.
Speaker 2
31:52
Yeah, well, it's like a zero-day and it's a supply chain attack. You know, you're getting hit from your supplier. You're getting hit because of your vendor.
Speaker 2
32:01
And it's also a new thing for ransomware groups to go to the individuals to pressure them to pay. There was this really interesting case, I think it was in Norway, where there was a mental health clinic that got hit. And the cyber criminals were going to the patients themselves to say pay this or we're going to release your psychiatric records. I mean, talk about hell.
Speaker 2
32:28
In terms of whether to pay, that is on the cheaper end of the spectrum.
Speaker 1
32:33
From the individual or from the company? Both.
Speaker 2
32:36
We've seen, for instance, there was an Apple supplier in Taiwan. They got hit and the ransom demand was 50 million. I'm surprised it's only 1.8 million.
Speaker 2
32:49
I'm sure it's gonna go up. And it's hard, you know, there's obviously governments and maybe in this case the company are gonna tell you, we recommend you don't pay, or please don't pay. But the reality on the ground is that some businesses can't operate, some countries can't function. I mean, the underreported storyline of Colonial Pipeline was, after the company got hit and took the preemptive step of shutting down the pipeline because their billing systems were frozen, they couldn't charge customers downstream, my colleague David Sanger and I got our hands on a classified assessment that said that as a country, we could have only afforded 2 to 3 more days of Colonial Pipeline being down.
Speaker 2
33:40
And it was really interesting. I thought it was the gas and the jet fuel, but it wasn't. We were sort of prepared for that. It was the diesel.
Speaker 2
33:48
Without the diesel, the refineries couldn't function, and it would have totally screwed up the economy. And so there was almost this, like, national security economic impetus for them to pay this ransom. And the other one I always think about is Baltimore. You know, when the city of Baltimore got hit, I think the initial ransom demand was something around 76,000.
Speaker 2
34:13
It may have even started smaller than that. And Baltimore stood its ground and didn't pay, but ultimately the cost to remediate was $18 million. It's a lot for the city of Baltimore. That's money that could have gone to public school education and roads and public health.
Speaker 2
34:32
And instead it just went to rebuilding these systems from scratch. And so a lot of residents in Baltimore were like, why the hell didn't you pay the $76,000? So it's not obvious. It's easy to say don't pay, because why you're funding their R&D for the next go round.
Speaker 2
34:52
But it's too often, it's too complicated.
Speaker 1
34:56
So on the individual level, just like the way I feel personally from this attack, have you talked to people that were kind of victims in the same way I was, but maybe in more dramatic ways or so on, you know, in the same way that violence hurts people? Yeah. How much does this hurt people in your sense and the way you researched it?
Speaker 2
35:16
The worst ransomware attack I've covered on a personal level was an attack on a hospital in Vermont. And you think of this as like, okay, it's hitting their IT networks. They should still be able to treat patients.
Speaker 2
35:34
But it turns out that cancer patients couldn't get their chemo anymore, because the protocol of who gets what is very complicated, and without it, nurses and doctors couldn't access it. So they were turning chemo patients away, cancer patients away. One nurse told us, I don't know why people aren't screaming about this, that the only thing I've seen that even compares to what we're seeing at this hospital right now was when I worked in the burn unit after the Boston Marathon bombing. You know, they really put it in these super dramatic terms.
Speaker 2
36:11
And last year, there was a report in the Wall Street Journal where they attributed an infant death to a ransomware attack because a mom came in and whatever device they were using to monitor the fetus wasn't working because of the ransomware attack. And so they attributed this infant death to the ransomware attack. Now on a bigger scale but less personal, when there was the NotPetya attack, so this was an attack by Russia on Ukraine that came at them through a supplier, a tax software company in that case, that didn't just hit any government agency or business in Ukraine that used this tax software. It actually hit any business all over the world that had even a single employee working remotely in Ukraine.
Speaker 2
37:07
So it hit Maersk, the shipping company, but hit Pfizer, hit FedEx, but the one I will never forget is Merck. It paralyzed Merck's factories. I mean, it really created an existential crisis for the company. Merck had to tap into the CDC's emergency supplies of the Gardasil vaccine that year because their whole vaccine production line had been paralyzed in that attack.
Speaker 2
37:32
Imagine if that was gonna happen right now to Pfizer or Moderna or Johnson & Johnson. You know, imagine. I mean, that would really create a global cyber terrorist attack, essentially.
Speaker 1
37:47
And that's almost unintentional.
Speaker 2
37:49
I thought for a long time, I always labeled it as collateral damage.
Speaker 1
37:53
Collateral damage, yeah.
Speaker 2
37:54
But actually just today, there was a really impressive threat researcher at Cisco, which has this threat intelligence division called Talos, who said, stop calling it collateral damage. They could see who was gonna get hit before they deployed that malware. It wasn't collateral damage, it was intentional.
Speaker 2
38:19
They meant to hit any business that did business with Ukraine. It was to send a message to them too. So I don't know if that's accurate. I always thought of it as sort of the sloppy collateral damage, but it definitely made me think.
Speaker 1
38:34
So how much of this between states is going to be a part of war? These kinds of attacks on Ukraine, between Russia and US, Russia and China, China and US. Let's look at China and US.
Speaker 1
38:53
Do you think China and US are going to escalate something that would be called a war purely in the space of cyber?
Speaker 2
39:04
I believe any geopolitical conflict from now on is guaranteed to have some cyber element to it. The Department of Justice recently declassified a report that said China's been hacking into our pipelines, and it's not for intellectual property theft. It's to get a foothold so that if things escalate in Taiwan, for example, they are where they need to be to shut our pipelines down. And we just got a little glimpse of what that looked like with Colonial Pipeline and the panic buying and the jet fuel shortages, and that assessment
Speaker 2
39:42
I just mentioned about the diesel. So they're there, you know, they've got in there. Anytime I read a report about new aggression from fighter jets, Chinese fighter jets in Taiwan, or what's happening right now with Russia's buildup on the Ukraine border, or India, Pakistan, I'm always looking at it through a cyber lens and it really bothers me that other people aren't, because there is no way that these governments and these nation states are not going to use their access to gain some advantage in those conflicts. And I am now in a position where I'm an advisor to the Cybersecurity and Infrastructure Security Agency at DHS. So I'm not saying anything classified here, but I just think that it's really important to understand just generally what the collateral damage could be for American businesses and critical infrastructure in any of these escalated conflicts around the world. Because just generally our adversaries have learned that they might never be able to match us in terms of our traditional military spending on traditional weapons and fighter jets.
Speaker 2
41:08
But we have a very soft underbelly when it comes to cyber. 80% or more of America's critical infrastructure, so pipelines, power grid, nuclear plants, water systems, is owned and operated by the private sector. And for the most part, there is nothing out there legislating that those companies share the fact they've been breached. They don't even have to tell the government they've been hit.
Speaker 2
41:38
There's nothing mandating that they even meet a bare minimum standard of cybersecurity. And that's it. So even when there are these attacks, most of the time we don't even know about it. So that is, you know, if you were going to design a system to be as blind and vulnerable as possible, that's pretty good.
Speaker 2
42:00
That's what it looks like is what we have here in the United States. And everyone here is just operating like, let's just keep hooking up everything for convenience. You know, software eats the world. Let's just keep going for cost, for convenience sake, just because we can.
Speaker 2
42:20
And when you study these issues and you study these attacks and you study the advancement and the uptick in frequency and the lower barrier to entry that we see every single year, you realize just how dumb software eats world is. And no 1 has ever stopped to pause and think, should we be hooking up these systems to the internet? They've just been saying, can we? Let's do it.
Speaker 2
42:51
And that's a real problem. And this, and just in the last year, you know, we've seen a record number of zero-day attacks. I think there were 80 last year, which is probably more than double what it was in 2019. A lot of those were nation states.
Speaker 2
43:06
We live in a world with a lot of geopolitical hot points right now. And where those geopolitical hot points are are places where countries have been investing heavily in offensive cyber tools.
Speaker 1
43:21
If you're a nation state, the goal would be to maximize the footprint of zero-days, like super secret zero-days that nobody's aware of. That whenever war is initiated, the huge negative effects of shutting down infrastructure or any kind of zero-day is the chaos it creates. So if you just, there's a certain threshold when you create the chaos, the markets plummet, just everything goes to hell.
Speaker 1
43:50
So there's-
Speaker 2
43:51
It's not just zero-days. We make it so easy for threat actors. I mean, we're not using two-factor authentication.
Speaker 2
44:00
We're not patching. There was the Shellshock vulnerability that was discovered a couple years ago. It's still being exploited because so many people haven't fixed it. So, the zero-days are really the sexy stuff.
Speaker 2
44:16
And what really drew me to the zero-day market was the moral calculus we talked about. Particularly from the US government's point of view, how do they justify leaving these systems so vulnerable when we use them here, and we're baking more of our critical infrastructure with this vulnerable software. You know, it's not like we're using one set of technology and Russia's using another and China's using this. We're all using the same technology.
Speaker 2
44:45
So when you find a zero-day in Windows, you're not just leaving it open so you can spy on Russia or implant yourself in the Russian grid, you're leaving Americans vulnerable too. But zero-days are like, that is the secret sauce. That's the superpower. And I always say like every country now, with the exception of Antarctica, someone added the Vatican to my list, is trying to find offensive hacking tools and zero-days to make them work.
Speaker 2
45:17
And those that don't have the skills now have this market that they can tap into where, you know, $2.5 million, that's chump change for a lot of these nation states. It's a hell of a lot less than trying to build the next fighter jet. But yeah, the goal is chaos. I mean, why did Russia turn off the lights twice in Ukraine?
Speaker 2
45:39
I think part of it is chaos. I think part of it is to sow the seeds of doubt in their current government. Your government can't even keep your lights on. Why are you sticking with them?
Speaker 2
45:52
Come over here and we'll keep your lights on at least. There's like a little bit of that.
Speaker 1
45:58
Nuclear weapons seems to have helped prevent nuclear war. Is it possible that we have so many vulnerabilities and so many attack vectors on each other that it will kind of achieve the same kind of equilibrium like mutually assured destruction? That's 1 hopeful solution to this.
Speaker 1
46:20
Do you have any hope for this particular solution?
Speaker 2
46:23
You know, nuclear analogies always tend to fall apart when it comes to cyber, mainly because you don't need fissile material. You know, you just need a laptop and the skills and you're in the game. So it's a really low barrier to entry.
Speaker 2
46:38
The other thing is attribution's harder. And we've seen countries muck around with attribution. We've seen, you know, nation states piggyback on other countries' spy operations and just sit there and siphon out whatever they're getting. We learned some of that from the Snowden documents.
Speaker 2
46:56
We've seen Russia hack into Iran's command and control attack servers. We've seen them hit a Saudi petrochemical plant where they did neutralize the safety locks at the plant and everyone assumed that it was Iran given Iran had been targeting Saudi oil companies forever. But nope, it turned out that it was a graduate research institute outside Moscow. So you see countries kind of playing around with attribution.
Speaker 2
47:21
Why? I think because they think, okay, if I do this, like how am I gonna cover up that it came from me because I don't wanna risk the response. So people are sort of dancing around this. It's just in a very different way.
Speaker 2
47:34
And, you know, at the Times, I'd covered the Chinese hacks of infrastructure companies like pipelines. I'd covered the Russian probes of nuclear plants. I'd covered the Russian attacks on the Ukraine grid. And then in 2018, my colleague David Sanger and I covered the fact that US Cyber Command had been hacking into the Russian grid and making a pretty loud show of it.
Speaker 2
48:02
And when we went to the National Security Council, because that's what journalists do before they publish a story, they give the other side a chance to respond, I assumed we would be in for that really awkward, painful conversation where they would say, you will have blood on your hands if you publish this story. And instead, they gave us the opposite answer. They said, we have no problem with you publishing this story. Why?
Speaker 2
48:27
Well, they didn't say it out loud, but it was pretty obvious they wanted Russia to know that we're hacking into their power grid too, and they better think twice before they do to us what they had done to Ukraine. So, yeah, you know, we have stumbled into this new era of mutually assured digital destruction. I think another sort of quasi-norm we've stumbled into is proportional responses. You know, there's this idea that if you get hit, you're allowed to respond proportionally at a time and place of your choosing.
Speaker 2
49:05
You know, that is how the language always goes. That's what Obama said after North Korea hit Sony. We will respond at a time and place of our choosing. But no one really knows what that response looks like.
Speaker 2
49:20
And so what you see a lot of the time are just these like, just short of war attacks. Russia turned off the power in Ukraine, but it wasn't like it stayed off for a week. It stayed off for a number of hours. NotPetya hit those companies pretty hard, but no one died.
Speaker 2
49:41
And the question is, what's gonna happen when someone dies? And can a nation state masquerade as a cyber criminal group, as a ransomware group? And that's what really complicates coming to some sort of digital Geneva Convention. Like, there's been a push from Brad Smith at Microsoft.
Speaker 2
50:00
We need a digital Geneva Convention. And on its face, it sounds like a no-brainer. Yeah. Why wouldn't we all agree to stop hacking into each other's civilian hospital systems, elections, power grid, pipelines?
Speaker 2
50:15
But when you talk to people in the West, officials in the West, they'll say, we would never, we'd love to agree to it, but we'd never do it when you're dealing with Xi or Putin or Kim Jong-un. Because a lot of times, they outsource these operations to cyber criminals. In China, we see a lot of these attacks come from this loose satellite network of private citizens that work at the behest of the Ministry of State Security. So, how do you come to some sort of state to state agreement when you're dealing with transnational actors and cyber criminals, where it's really hard to pin down whether that person was acting alone or whether they were acting at the behest of the MSS or the FSB.
Speaker 2
51:06
And a couple of years ago, I can't remember if it was before or after NotPetya, but Putin said, hackers are like artists who wake up in the morning in a good mood and start painting. In other words, I have no say over what they do or don't do. So how do you come to some kind of norm when that's how he's talking about these issues and he's just decimated Merck and Pfizer and another however many thousand companies?
Speaker 1
51:34
That is the fundamental difference between nuclear weapons and cyber attacks, is the attribution, or one of the fundamental differences. If you could fix one thing in the world in terms of cybersecurity that would make the world a better place, what would you fix?
Speaker 1
51:50
So you're not allowed to fix like authoritarian regimes and you can't. Right. You have to keep that, you have to keep human nature as it is. In terms of on the security side, technologically speaking, you mentioned there's no regulation on companies, United States, what if you could just fix with the snap of a finger, what would you fix?
Speaker 2
52:15
Two-factor authentication, multifactor authentication. It's ridiculous how many of these attacks come in because someone didn't turn on multi-factor authentication. I mean Colonial Pipeline, okay, they took down the biggest conduit for gas, jet fuel, and diesel to the east coast of the United States of America.
Speaker 2
52:38
How? Because they forgot to deactivate an old employee account whose password had been traded on the dark web and they'd never turned on two-factor authentication. This water treatment facility outside Florida was hacked last year. How did it happen?
Speaker 2
52:53
They were using Windows XP from like a decade ago that can't even get patches if you want it to, and they didn't have two-factor authentication. Time and time again, if they just switched on two-factor authentication, some of these attacks wouldn't have been possible. Now, if I could snap my fingers, that's the thing I would do right now. But of course, you know, this is a cat and mouse game, and then the attacker's on to the next thing.
Speaker 2
53:17
But I think right now that is like bar none, that is just, that is the easiest, simplest way to deflect the most attacks. And, you know, the name of the game right now isn't perfect security. Perfect security is impossible. They will always find a way in.
Speaker 2
53:34
The name of the game right now is make yourself a little bit harder to attack than your competitor or than anyone else out there so that they just give up and move along. And maybe if you are a target for an advanced nation state or the SVR, you're gonna get hacked no matter what. But you can make cyber criminal groups, deadbolt is it, you can make their jobs a lot harder simply by doing the bare basics. And the other thing is stop reusing your passwords.
Speaker 2
54:05
But if I only get 1, then two-factor authentication.
Speaker 1
54:07
So what is two-factor authentication? Factor 1 is what, logging in with a password? And factor 2 is like, have another device or another channel through which you can confirm, yeah, that's me.
Speaker 2
54:19
Yes, usually this happens through some kind of text. You get your one-time code from Bank of America or from Google. The better way to do it is spend $20 buying yourself a FIDO key on Amazon.
Speaker 2
54:34
That's a hardware device. And if you don't have that hardware device with you, then you're not gonna get in. And the whole goal is, I mean, basically, my first half of my decade at the Times was spent covering like the cop beat. It's like Home Depot got breached, News at 11, you know, Target, Neiman Marcus, like who wasn't hacked over the course of those 5 years?
Speaker 2
54:58
And a lot of those companies that got hacked, what did hackers take? They took the credentials, they took the passwords, they can make a pretty penny selling them on the dark web, and people reuse their passwords. So you get one from, you know, God knows who, I don't know, LastPass,
Speaker 1
55:16
the
Speaker 2
55:16
worst case example actually LastPass,
Speaker 1
55:19
but
Speaker 2
55:19
you get 1 and then you go test it on their email account and you go test it on their brokerage account and you test it on their cold storage account.
Speaker 1
55:28
You know,
Speaker 2
55:28
that's how it works. But if you have multi-factor authentication, then they can't get in because they might have your password, but they don't have your phone, they don't have your FIDO key, you know, and so you keep them out. And, you know, I get a lot of alerts that tell me someone is trying to get into your Instagram account or your Twitter account or your email account.
Speaker 2
55:52
And I don't worry because I use multi-factor authentication. They can try all day. Okay, I worry a little bit, but you know, it's the simplest thing to do and we don't even do it.
Speaker 1
56:04
Well, there's an interface aspect to it, because it's pretty annoying if it's implemented poorly. Yeah, true. So actually, bad implementation of two-factor authentication, not just bad, but just something that adds friction is a security vulnerability, I guess, because it's really annoying.
Speaker 1
56:23
Like I think MIT for a while had two-factor authentication. It was really annoying. The number of times it pings you, it asks to re-authenticate across multiple subdomains. It just feels like a pain.
Speaker 1
56:42
I don't know what the right balance is there.
Speaker 2
56:44
Yeah, it feels like friction in our frictionless society. It feels like friction, it's annoying. That's security's biggest problem, it's annoying.
Speaker 2
56:54
You know, we need the Steve Jobs of security to come along and we need to make it painless. And actually, you know, on that point, Apple has probably done more for security than anyone else simply by introducing biometric authentication, first with the fingerprint and then with Face ID. It's not perfect, but if you think just 8 years ago, everyone was running around with either no passcode, an optional passcode, or a four-digit passcode on their phone that anyone, you know, think of what you can get when you get someone's iPhone, if you steal someone's iPhone. And you know, props to them for introducing the fingerprint and Face ID.
Speaker 2
57:33
And again, it wasn't perfect, but it was a huge step forward. Now it's time to make another huge step forward. I wanna see the password die. I mean, it's gotten us as far as it was ever gonna get us.
Speaker 2
57:46
And I hope whatever we come up with next is not gonna be annoying, is gonna be seamless.
Speaker 1
57:52
When I was at Google, that's what we worked on is, and there's a lot of ways to call this active authentication, passive authentication. So basically use biometric data, not just like a fingerprint, but everything from your body to identify who you are, like movement patterns. So it basically create a lot of layers of protection where it's very difficult to fake, including like face unlock, checking that it's your actual face, like the liveness tests.
Speaker 1
58:22
So like from video, so unlocking it with video, voice, the way you move the phone, the way you take it out of the pocket, that kind of thing. All of those factors. It's a really hard problem though. And ultimately, it's very difficult to beat the password in terms of security.
Speaker 2
58:43
Well, there's a company that I actually will call out and that's Abnormal Security. So they work on email attacks. And it was started by a couple guys who were doing, I think, ad tech at Twitter.
Speaker 2
58:59
So, you know, ad technology now, like it's a joke how much they know about us. You always hear the conspiracy theories that you saw someone's shoes and next thing you know, it's on your phone. It's amazing what they know about you. And they're basically taking that and they're applying it to attacks.
Speaker 2
59:19
So they're saying, okay, you know, if you're, this is what your email patterns are. It might be different for you and me because we're emailing strangers all the time. But for most people, their email patterns are pretty predictable. And if something strays from that pattern, that's abnormal.
Speaker 2
59:38
And they'll block it, they'll investigate it. And that's great. Let's start using that kind of targeted ad technology to protect people. And yeah, I mean, it's not gonna get us away from the password and using multi-factor authentication, but you know, the technology is out there.