The Jordan Harbinger Show - 542: Nicole Perlroth | Who's Winning the Cyberweapons Arms Race?
Episode Date: August 3, 2021. Nicole Perlroth (@nicoleperlroth) is an award-winning cybersecurity journalist for The New York Times and bestselling author of This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. What We Discuss with Nicole Perlroth: The startlingly simple reasons why most nation-states now resort to using cyberwarfare tactics before conventional weaponry in acts of aggression -- to increasingly devastating effect. How industries are so interconnected that there's almost no way for a cyberattack to target one victim without endangering countless others on all sides of a conflict (which is why you may have Putin to blame if there's a Cadbury chocolate egg shortage next Easter). Why leaving the security of 85 percent of its critical infrastructure up to privatization makes the United States especially vulnerable to cyberwarfare attacks. The massive amount of intellectual property that's been lost to hackers -- from the formula for Coca-Cola to information that would allow China and other rival nations to catch up with the United States in the nuclear arms race. What Nicole believes the US should do to push back against these threats and the governments that perpetrate them -- and ensure that it's not inadvertently one of them. And much more... Full show notes and resources can be found here: jordanharbinger.com/542 Sign up for Six-Minute Networking -- our free networking and relationship development mini course -- at jordanharbinger.com/course! Like this show? Please leave us a review here -- even one sentence helps! Consider including your Twitter handle so we can thank you personally!
Transcript
Coming up next on the Jordan Harbinger Show.
Cyber war isn't targeted.
Cyber war can take all of us down at a few clicks, but we're not acting like that.
A lot of nations are engaged in developing these offensive capabilities,
but they don't understand that the collateral damage is usually their own citizens or their allies or businesses.
Welcome to the show. I'm Jordan Harbinger.
On the Jordan Harbinger Show, we decode the stories, secrets and skills of the world's most
fascinating people. We have in-depth conversations with people at the top of their game,
astronauts and entrepreneurs, spies, psychologists, even the occasional four-star general, drug
trafficker or former jihadi. Each episode turns our guest's wisdom into practical advice
that you can use to build a deeper understanding of how the world works and become a better
critical thinker. If you're new to the show or you're looking for a handy way to tell your friends
about it, we've got starter packs. These are collections of your favorite episodes organized by
topic that'll help new listeners get a taste of everything that we do here on the show.
Just visit jordanharbinger.com slash start to get started or to help somebody else get started with us.
Of course, I always appreciate that.
Now, today, when I was a kid, I used to love finding bugs in software.
I would be on a bulletin board system and I'd figure out that some little ASCII color coding thing
could crash the entire software, and I'd report the bug to the sysop, the system operator.
And I remember one time I did it and the sysop called the police,
and the police called my parents,
and they didn't really know what was going on,
but my parents thought I was going to get in trouble.
And, you know, that just made me have a vendetta against this guy.
Is it weird that I'm still mad about it?
But law enforcement never really dissuaded me from hacking or from anything else.
I later went to a hacker conference called DEF CON,
and I found out how easy it is to get into our power grid,
these SCADA systems that mess with air traffic control and water and power
using transponder hacking to trick aircraft. I mean, it really is just scary how quickly you can
mess things up if you are a bad actor. We regulate weapons and arms sales, and we work hard not to
allow the proliferation of nukes, but we do nothing to stop the spread of what are called zero-day
exploits and other hacks discovered in critical systems. My guest today, Nicole Perlroth,
literally wrote the book on cyber warfare. Today we'll talk about why this is so dangerous,
why we're not doing really anything about it, how it's being misused.
both in the United States and abroad. We'll talk about hackers who forge documents,
bribe people, hack computers both domestically and abroad for money,
white hat, black hat, and everything in between. We'll talk about massive attacks on Google
from China and how nation states are using cyber warfare before pretty much any other weaponry
these days. China has stolen enough IP from the Western world for the next decade,
including the formula for Coca-Cola, Benjamin Moore Paint, plans for the F-35,
and has stolen enough info to catch up with us in the nuclear arms race,
but that might not be all we have to worry about right now.
Today, we'll explore the cyber warfare going on these days, how we're being attacked
by our enemies on the regular, and how ready we are for the next catastrophic cyber attack
against the West and or the United States.
And if you're wondering how I manage to book all these great authors, thinkers, and
creators every single week, it's because of my network.
I'm teaching you how to build your network for free over at Jordan Harbinger.com slash
course.
And by the way, most of the guests on the show already subscribe to the course, come
join us. You'll be in smart company where you belong. Now, Nicole Perlroth. The U.S. is engaged in
large-scale cyber warfare, and it seems like our critical infrastructure is more or less, I won't say
undefended, but kind of undefended at the moment. How accurate would you say that statement is?
That's incredibly accurate. You know, the statistic everyone throws around, although no one's
ever actually furnished any proof that this is true, but it feels largely true, is that
85% of our critical infrastructure is owned by the private sector. And the government has no say
as of this moment over how secure or not secure it is. We leave it to every company to basically
fend for themselves. And now you're seeing ransomware attacks that are taking out pipelines
and the food supply that just come down to a lack of two-factor authentication and bad password
management. That's all it takes.
For people who don't know two-factor authentication is like when I'm trying to log into my bank
and it goes, hey, we just sent you a text, making sure that it's you. Please type in that four-digit,
six-digit code. And there are people that are in control of like oil pipelines, power grid
systems, water treatment plants that are like, eh, I don't want to deal with that. I'm just going
to use my, I've been using the same password for 20 years. Why change it now, right?
That's right. I mean, even the Colonial Pipeline, you have to give them a little more credit in
that it came down to some employee who'd come and gone. I don't even know how long they'd been gone,
still had an active account with access to their network, and that account just hadn't been
used for a long time and didn't have two-factor authentication turned on. So all it took was someone
getting his stolen password, seeing he worked at Colonial Pipeline, trying to get into the network,
and there being no obstacle to them doing so.
And because Colonial Pipeline's network administrators
weren't paying attention to some old employee's account,
they weren't paying attention to the attack
when they came in and started mucking around their systems
and then deploying ransomware
that held their data hostage in such a way
that they couldn't actually see where gas was going off the pipeline.
It's not like the ransomware hit the pipeline itself,
but they're a business and they couldn't charge customers
because their billing systems had been held hostage.
So they took the step of shutting down the pipeline.
So basically, because they had this old employee account
that didn't have two-factor authentication turned on,
an entire pipeline that supplies nearly half the jet fuel
and gas and diesel to the East Coast was held hostage.
And all it took was this old employee with a stolen password
that didn't have two-factor authentication turned on.
And that seems glaringly,
it's dangerous for that level of access to be sort of,
it's kind of like leaving a gun in a room.
You never go in and you go, well, we never go in there.
Well, okay, but your kids are playing in the house.
Yeah, but I mean, I'm just never, who would open that drawer?
Right.
And it's the same kind of thing, but we're thinking, oh, but nobody has, it's kind of a tricky drawer.
It's got, you know, there's a key lock.
Where's the key?
Oh, we leave it in the key chain with the house keys.
They're not going to open that drawer.
It's sort of the same thing, except for we would never think that that gun is secure,
but we think, oh, well, that employee's gone.
so no one's going to log into that account.
Well, okay, no one nefarious.
And I guess to their credit, sort of, Colonial Pipeline, the oil pipeline that was shut down
for those of you who don't know what we're talking about, they shut that down themselves
because they were worried about what might happen because the other elements of their system
were compromised.
And that's kind of a whole other discussion about, was that the best way to have your systems
connected like that?
And to their credit, they shut it down before somebody could do something really horrible.
but not all cyber attacks have ended with just a rush on gas that ended up being a big nothing
burger.
We saw a massive Ukrainian cyber attack by Russia.
So take us through that a little bit.
And also, why do this?
You know, what's the message to Ukraine from Russia here by doing this?
So the attack by Russia on Ukraine, and there have been several noteworthy attacks, one of the most famous
was when they actually turned the power off to a large size of Western Ukraine for a few hours.
And then a year later came back and did the same thing to
their capital, Kiev for a couple hours. That was a big one. But the one you're referring to is the one
that security people call NotPetya. And it's a horrible name and it's worth just lingering on it
for a moment. The reason they called it NotPetya is because it looked like a huge ransomware attack
that looked like Petya ransomware. But it wasn't ransomware because there was no way for the victims to
pay a ransom and get access to their data back. It was actually,
just attack of destruction. So what happened was sometime around 2017 or earlier, Russia breached a
company that's basically like Ukraine's TurboTax. Actually, legally, most government agencies and banks
and large corporations in Ukraine are required to use this tax software. That tax software company is
run by mom and pop, just outside Kiev, who never thought that their little tax software
company could be used as a nation-state weapon. But that's what happened. Russia's preeminent hackers
from the GRU, their intelligence agency, came in, compromised the tax software company,
got into the software update so that when all of these Ukrainian companies downloaded the
latest, greatest version of this tax software, they weren't just downloading the tax
software. They were downloading a GRU backdoor. And once they were inside,
the GRU unleashed what was essentially a digital weapon of destruction. It looked like
ransomware, which is just code that holds your data hostage with encryption until you pay up,
only there was no way for the victims to pay. So all of a sudden, all of these Ukrainian government
agencies couldn't access anything on their network. They couldn't access email or anything else.
They had to hop on Facebook to communicate with the country to say, we're still standing. But it also hit
railways. People couldn't get tickets on trains. It hit the postal service. People are still not getting
pension checks that they were owed back in 2016, 2017. It held up the radiation monitoring systems at
Chernobyl, the old nuclear site. So suddenly, the people at Chernobyl couldn't see how much radiation
was leaking out of that blast site. But it also hit any company that did any business in Ukraine,
Even if they had a single employee working remotely from Ukraine, they were caught up in this attack.
So it hit FedEx. FedEx suffered $400 million in damage from this attack.
It hit Pfizer. It hit Merck. Merck's vaccine production systems were held up in this attack.
It actually had to go tap into the CDC's emergency supplies of vaccines that year.
It hit Cadbury Egg Chocolate factories in Tasmania. You name it.
Dear Lord, no.
Yeah.
And so it ended up being the most costly cyber attack known to man.
It was $10 billion in damages, although we think it might have been worse because a lot of
victims didn't even report their damages.
But it was really a prelude in some ways to a lot of the attacks we're seeing now.
You know, if we had been paying closer attention to how that attack happened in the United
States, we might have been a little bit more prepared for the SolarWinds attack that
we're still unwinding right now, where Russia, another Russian hacking group, this time less of a
destructive actor, thank God, broke into SolarWinds, which is a Texas company that provides
software to more than 400 of the Fortune 500 and to all of our preeminent federal agencies like
DHS and the Treasury and the Department of Justice and the Department of Energy in our nuclear labs,
got into their software update. And all of a sudden, most government agencies downloaded this
Russian backdoor. And we still don't know the extent of damages from that attack. We still don't
know just how deep the Russians are into our government systems. But they also got into some of our
electric utilities. We don't know what they plan to do with that access. So this is where we are now.
We are seeing attacks come in through the software supply chain. And for years, people have been
talking about this threat. But now suddenly they're asking the right questions, which is how do you
trust that any of the software you're using is secure and not a Russian Trojan horse.
Especially when you're updating. I mean, I update my apps all the time thinking, oh, I'm
on the latest version. I'm on the most secure version. But if there's some fake update that I
install, now I'm on the least secure version of that software that's ever been created.
And it might disable my ability to update to a patch. I mean, it's really hard to say. I assume
they did that. They went, well, okay, if they find out about this, we don't want it to then
check the server for the latest undo. We wanted to just not work anymore. And now you're in this
sort of zone where you're going, how do I manually update my TurboTax, my Ukrainian TurboTax?
Do I have to, okay, I have to delete it. Then I have to download the fresh version that's off
their website, which I've never been to, and find that, and then enter my code that I haven't
looked at in three years because I bought it ages ago. And you're doing that on hundreds of thousands
of computers or millions of computers at the same time. Right, right. And it's pervasive. It does
strike me as sort of like tragically comical that vaccine companies are reporting these losses,
shipping companies are reporting these losses. And then Cadbury's like, hey, and we can't get any
of those chocolate eggs out. Like, we're going to be way behind this Easter for these little eggs.
Just so nobody points the finger at blame Putin. Okay. Don't look at me. Right. And the only reason
I ever bring up Cadbury in my list of NotPetya victims, and I always bring it up, is just because
I want people to understand that we're so interconnected now that a targeted attack between
Russia and Ukraine doesn't even exist anymore because we're so connected that something,
you know, Russia decided to aim at Ukraine to basically take them offline ahead of their
independence day would actually, you know, cause disruption to a chocolate factory in Tasmania
is really the best visual you get when you try and understand that cyber war isn't targeted.
Cyber war can take all of us down at a few clicks, but we're not acting like
that. A lot of nations are engaged in developing these offensive capabilities, but they don't
understand that the collateral damage is usually their own citizens or their allies or businesses.
And what's really interesting from that attack is, you know, I mentioned some of the figures
of FedEx, $400 million. Merck, I think, at $600 million. When they tried to go get that many
back from their insurers because they had cyber insurance. Their insurers said, uh, uh, uh,
you know, we have this tiny little clause in your policy that's a war exemption clause. And it says
that if you are collateral damage in a war, we don't have to pay out. And in this case, you were
collateral damage in Russia's war on Ukraine. And so we're not going to pay you out. And those
lawsuits are ongoing. But American companies are on the hook for those damages.
That is crazy because, of course, it is war damage, but also it's like, well, when I signed that,
I thought you meant if there's a drone strike and it knocks out part of our headquarters,
you're not going to pay for that, not an actual cyber intrusion, which is the whole freaking
point of the insurance. So, and the insurance company's argument is, no, no, no, we're insuring
you for when a kid comes into your office and installs some spyware and knocks out 50 of your
computers and you have to replace them or you have to scrape that data. We're not paying you
when the GRU, the Russian military sort of hacker intelligence unit,
target something in your collateral damage.
And so now there's probably a whole different type of insurance industry out there
with much higher premiums that says,
oh, yeah, we'll insure you against that for $350 million or more on an annual basis,
depending on how big your company is.
You know, it's like this massive,
now you're paying as much for cyber insurance as you are for insurance
on all your FedEx delivery trucks at this point, right?
Because the damage is equal or greater.
Well, that's right. I mean, I and you live now in the wildfire zone, and my neighbors are getting notices that their insurer will no longer cover fire insurance on their properties anymore. And I think that's what's happening now with cyber insurance. Yeah, sure, they'll still cover Pfizer and Merck and FedEx, but their premiums are going to be astronomical. And there's going to be all sorts of fine print in there that says, you know, if you're a target of this kind of attack, we don't have to pay out.
And so this is something businesses are reckoning with. Now, the good news is that cyber insurance companies will say, okay, we'll underwrite you, but you need to have a much higher baseline of cybersecurity.
You need to have two-factor authentication installed. You need to be patching your systems. We need a clear idea of what's in your network and how well secured that software is. We need to know that you have strong password management or your employees are using password managers, all of that. And so,
some ways it's creating market incentives for these companies to raise the bar. But there's another thing
about that NotPetya attack, which I failed to mention, which is the reason it was so cataclysmic,
why it destroyed so much, is because it was sailing on a stolen weapon from the national security
agency. So just a few months before Russia launched that attack on Ukraine, someone, we still don't
know who they are, they called themselves the shadow brokers, had hacked the NSA and had started
dribbling the NSA's best kept code and hacking tools online. And one of the tools that they dumped
was some code that exploited a vulnerability in Microsoft Windows that allowed their malware or
code to spread automatically across a network. Instead of a hacker having to manually infect one
computer after another, the NSA's tool essentially allowed them to automate this attack.
So after that was dumped online, North Korea picked it up for a ransomware attack.
That was pretty bad, but fortunately the North Koreans had made some mistakes in their code
and someone was able to neutralize it pretty quickly.
And then Russia baked it into its NotPetya attack, which is why you saw their code
sail around the world the way it did and wreaked that much destruction on companies
including American companies.
And there's been no accountability for that.
And people don't even realize
that all of those damages
were enabled by an NSA digital hacking tool.
The NotPetya attack.
By the way, how do people name these things?
Like, WannaCry, Petya, NotPetya.
How do the names come up?
Okay.
It's a huge point of frustration for me.
If I run for president,
it's going to be like a single platform,
which is cut out the ridiculous names
for these attacks.
and for these nation-state groups because it's gone crazy.
Like, CrowdStrike is a security company, and they name Chinese attacks something panda,
Russia, something bear.
So you have all these names for these groups like fancy bear and berserk bear.
And every cybersecurity company's naming convention is different.
So anytime we call out these groups, it's like, Nobelium, aka so-and-so bear,
aka APT-2372.
You know, it's so frustrating.
But usually the way it goes with malware, ransomware, is that it's after some word in the code.
So the North Korea attack that I mentioned was called WannaCry because there was some little snippet of code in their ransomware that said something like W-N-A-C-R-Y, you know, something like that.
But really, it'd be great if we could get some central naming authority to avoid some of these ridiculous names in the confusion.
Yeah, I figured there was something to that with the code. The NotPetya attack, something like 80% of
Ukrainian computers had to be wiped clean because of this, right? So that's massive. And it sounds like
what we're worried about is not just how much damage that can cause, but the fact that that might
just be a dry run for something even larger. I mean, okay, you went after Ukraine, it went and
destroyed a bunch of data, $10 billion in damage. What happens now when you go after Canada and Mexico
and the United States and Germany, which you can easily do.
I mean, it's not like, I would imagine it's not a huge squad of people required to pull off an attack like this against a nation state. It's just they chose Ukraine because they knew they wouldn't have any consequences to pay as a result, most likely.
Yeah, well, it's pretty interesting. And I didn't really, I couldn't really wrap my head around this until I went to Ukraine and met with all the people who did forensics inside Ukraine on not just the NotPetya attack, but several of the attacks I mentioned leading up to it. You know, the attacks that took out the power. There were attacks
that were aimed at Ukrainian media companies.
For years, they had been shelling Ukraine with all of these different kinds of attacks.
But what was clear to the people who did forensics is that this was Russia really experimenting.
This was their petri dish.
This was them trying out one method here, one slightly different method there, basically like the scientific method of hacking.
And so their theory on the ground there is that NotPetya was designed to look like ransomware,
but there was no way for people to pay the ransom. And that really it was just a destructive tool.
It was a way for Russia to wipe the slate clean to erase any trace of everything they had done
before that so that, you know, no one would be wiser to the capabilities they do have.
And what they said was, we believe that we weren't the ultimate target. We believe that we were
spring training. We believe that you in the United States and the West are the entire,
target here. But when it comes your way, we should mention that it will be so much worse because
we are actually not that digitized here. You know, we still run our elections on pen and paper.
Our power systems are still pretty archaic. You know, NotPetya didn't take out the power across
the whole country. It didn't touch our nuclear plants. But when it comes for you, there's there is a
high likelihood that it will do a lot more than $10 billion in damage and it will take a lot
lot longer for you to get your systems up and running because you're so much more virtualized.
And by the way, you know, doesn't seem like you're that secure either. So it was a wake-up call,
but we're not really treating it like it's a wake-up call. We didn't change the fundamental ways
we do business after the NotPetya attack. Most Americans have never even heard of the NotPetya
attack. They wouldn't even need to do much to take down, to do billions of dollars in damage
in the United States. I mean, if you took down Amazon web hosting, which a lot of people think,
Amazon, you buy things there. That backbone of internet hosting, there goes almost all of the services
that you use. Or if you took a chunk out of, I mean, remember when Gmail's down for like a day and
people are like, what the hell? We can't do any business. What if you took down Outlook and Amazon,
or you just stopped airline traffic for a day or a week, like the Iceland volcano, except for the
United States? Right. And all you need to do, that's not even like kill people.
type of damage. That's just a massive, expensive inconvenience. Now you're talking about what happens
if they shut off the power in the South in July when it's 100 degrees outside and no one can turn
on air conditioning or a fan and the phone system doesn't work, right? Because the cell towers are down.
So you can't even call 911 if you're passing out or you're, you need an ambulance. Like that kind of
damage could be done by a few people relatively easily because a lot of those SCADA systems, I think,
they're called are from like the 90s, right, those power grid systems. And they all, I remember talking
with somebody who worked there a long time ago. And there are people that go, oh yeah, our systems are so
safe. They're buried underground. You have to go in this tunnel and the tunnels flooded half the time to
get there. Well, how do you control it? Oh, we hooked it up to a telephone line. I can log in from my
phone. Okay, so you did that and you never go down there for local access. You don't think anybody else can do
that. And it's really shocking because these guys who connect the system to the phone line,
it's like the young intern figured out how to do that. They didn't hire CrowdStrike to make
their systems accessible remotely. They just freaking plugged it into Zoom, basically. It's just
really, really pathetic a lot of the ways that these things have been made accessible.
Yeah, well, you know, we don't even really have to use hypotheticals because there was a situation
over the winter when Texas power went out.
Was it ERCOT?
Yes.
About the name of the company?
Yeah, yeah, that was it.
Yeah.
You know, they went out and everyone in cybersecurity said, oh, gosh, is this the attack we've been
waiting for?
Nope.
It was just due to an underinvestment in winterizing.
If they're making that level of or lack of investment in winterizing, what do you think
their cybersecurity posture is?
And look at what happened.
I mean, people were not, they didn't just lose power in the middle of this storm.
they lost access to their water because their pipes were frozen.
I mean, that's really what it would look like.
Only in this case, you know, Russia might not turn it back on.
They might make sure that the power stayed off.
The one I actually worry about the most is water because at least we've sort of wrapped our heads
around the threat to our power supplies.
But we haven't really wrapped our heads around the threat to the water supply.
And, you know, most of the water treatment facilities here,
in the United States, serve communities of less than 10,000 people, and they barely have an
IT guy on staff, let alone a cybersecurity expert. And just the day in my book came out, actually,
there was a hack on a water treatment facility in Oldsmar, Florida, just outside Tampa,
where hackers got in remotely into the water treatment facility because they'd been using
a decade-old version of Microsoft Windows that hadn't been patched in years.
and they didn't have two-factor authentication turned on,
and they hadn't even thought about this scenario,
but a hacker was able to get into their chemical controls
and up the level of lye, L-Y-E, in the water,
from something like 1,100 parts per million to 11,000 parts per million,
which is enough to send everyone to the hospital in the middle of COVID
when hospitals are already under strain.
And oh, by the way, they did it on the Friday ahead of Super Bowl weekend in Tampa.
So thank God some engineer was sitting at his computer,
and happen to watch his cursor move around and catch this thing in action.
But, you know, in most cases, there wouldn't have been an engineer sitting in front of their
computer watching that happen.
And, you know, it was just at a wedding last weekend.
And I right next to our hotel was this little water treatment facility.
And it was like, there is no way there is an IT guy sitting there on-prem watching to make
sure no one's mucking around with their chemical controls.
And I guarantee you there's a very easy way for someone to remote into their
system and up the level of caustic chemicals in the water. So the scenarios are endless and we keep
having these close calls, but we're still not changing the way we secure our critical infrastructure.
You're listening to the Jordan Harbinger Show with our guest Nicole Perlroth. We'll be right back.
When it's time to scale your business, it's time for Shopify. Get everything you need to grow the
way you want. Like all the way. Stack more sales with the best converting checkout on the
track your cha-chings from every channel, right in one spot, and turn real-time reporting into
big-time opportunities.
Take your business to a whole new level.
Switch to Shopify.
Start your free trial today.
Now back to Nicole Perlroth on the Jordan Harbinger Show.
I would imagine that that software that runs those plants, it's all the same stuff, it's all the same
version of the same stuff.
It all runs on Windows, like you said, and the Windows might not even be patched.
That sounds like they just got remote access to Windows, and then they use the software like you can do with a screen share on Zoom or any other remote software.
Imagine if somebody found out how to, I'm sure they already did, find out how to remotely access this software plain and simple, because they make these things easily accessible so that, hey, your IT guy, oh, he's a consultant, he lives offsite, hey, there's something weird going on with our software.
They give them a call. He logs in remotely and handles it. That is absolutely not secure.
There's, like you said, there's probably one guy there just to make sure pipes aren't exploding, and they're on their iPad watching Netflix, and they're just looking for giant spurts of water squirting out.
They're not sitting there going, oh, that seems like a chemical imbalance on system number seven.
Let me go look at that and inspect that.
They probably don't even have anybody qualified on site to even do that any given time.
So that is terrifying, especially because you can log in and do that to a thousand small town water systems, probably all at the same time.
or within a few hours before anybody figures out anything
and they can unplug the internet.
I mean, it's just the amount of damage is massive.
And then you have no idea who did it in the first place.
I mean, you can point fingers, but that's pretty much it.
I remember reading that in Ukraine,
Russia pushed a lot of the anti-vac stuff
that sounds very familiar here.
They tested that on the Ukrainian population,
said, hey, the MMR vaccine causes autism.
And then there was a massive measles outbreak
or something like that, right?
Am I close here?
Yes, you're close.
I mean, it was really disturbing. And again, I couldn't have wrapped my head around this until I actually went to Ukraine. But I met with officials at the embassy and I was there to talk about cyber threat, hacking threats. But they didn't even have time to think about cyber threats because they were so focused on Russian disinformation in Ukraine. And at that very moment, there was this crazy measles outbreak that had actually spread to Hasidic communities in New York because some of them do this pilgrimage to Ukraine every year.
But a lot of it, Ukraine has a disinformation minister, something we still don't have here in the United States,
but I met with them at the time. And he said, yes, they tracked a lot of it down to Facebook pages,
targeted at young Ukrainian mothers where Russian trolls were flooding the comment sections,
trying to legitimize the vaccination debate and seeding doubts among Ukrainian mothers that measles vaccines caused autism
or was some, you know, nation-state tool of control.
And so a lot of young mothers weren't getting vaccinated.
Meanwhile, back in Russia, the vaccination rates were nearing 100%, whereas in Ukraine,
they were dipping below 50.
It didn't even hit me at the time because this was 2019 that a year later, less than a
year later, we would have a global pandemic.
But sure enough, here we are in the middle of this global pandemic.
And the biggest threat right now is vaccine hesitancy.
And oh, yep, some white papers are just now coming up that are tracing a lot of disinformation
related to the Pfizer and Moderna vaccines to Russian troll networks.
And they're playing out on Facebook.
They're playing out on social media.
And this is where we are now.
That is, of course, terrifying because it affects the public health of the entire country.
And yeah, the joke is really on us because when you look at vaccination rates in Russia,
well, why are they so high?
Oh, they have an oppressive government.
Okay, but they're obviously not doing the same type of disinformation that they are over here.
I mean, and of course it's using our own sort of information freedom against us and that's a whole different probably podcast here.
But I want to go back to what you mentioned before, the Shadow Brokers hack and what this means, the gravity of it.
I don't think most people know what zero days are, why they're valuable.
Can you take us through that a little bit?
Because this is one of the main reasons that we're having so many of cyber attacks, correct?
You know, it is and it isn't. Just to back up, and I promise this is the most technical part of our conversation today. But what is a zero day? So a zero day is a flaw in software that the software maker is not aware of. And the day someone discovers it, that's day zero, or zero day. Because they've had zero days to fix it. And until they can fix it, everyone who uses that software is vulnerable to hacking. So just to take the most simple example, let's say
I'm a hacker and I find a flaw in your iPhone's iOS software.
And I can write a program to exploit it.
So that flaw is called a zero day.
The program to exploit it's called a zero day exploit.
And if I create a good program, I can use it to read your text messages,
track your location on your iPhone, access your phone calls, use your camera without your
knowledge, record all of your surround sound and conversations, your calendar
appointment. That's basically everything a spy agency could ever want or need. And so there is a market
where governments are not regulators, but governments are customers. The U.S. government is one of the
top customers in this space. And they will pay hackers to sell them those zero-day exploits. The going
rate for the zero-day exploit I just described in your iOS software is $2.5 million.
US government brokers will pay you $2.5 million to sell them that exploit with the condition
that you not tell anyone about it because the minute you tell someone or the minute Apple finds out
about it, they'll patch that underlying zero day, you'll get one of those annoying prompts on your phone
to update your software and suddenly that $2.5 million capability turns to mud. So there is a long
history here since the 90s of U.S. government agencies paying hackers,
both in the United States and abroad, to sell them these zero days and the code to exploit them
to add to their stockpiles. So I started writing this book about this because I was just fascinated
by the moral hazard and the security dilemma baked into that marketplace. We are all using
the same software today. Three decades ago when these programs started, this marketplace launched,
we were all using different software. China was using Huawei. We were using Oracle and
Cisco for the most part. Three decades later, Huawei's a glaring exception, but we're all using
the same technology. We're all using Android phones and iPhones and Windows, whether you know it or not,
you might not have a Windows PC, but it's in the power grid and your water systems and your pipelines.
And same for industrial systems, Siemens software, Schneider Electric Software, that's pretty much
the market leaders when it comes to industrial systems. So when the U.S. government finds a zero
day in that software and holds on to it and makes sure that it doesn't get fixed, it means that
most Americans in our critical infrastructure, more and more so, are left vulnerable.
So I was fascinated by this. I never in a million years imagined that the NSA's own stockpile
of zero-day exploits would get hacked by someone we still don't know who they are three, four
years later, dumped online so that our adversaries like North Korea and Russia would pick them up
and use them in these global destructive attacks. But that is precisely what happened.
Now, the zero day that was used by North Korea and Russia was called EternalBlue at the agency,
at the NSA. I do know from reporting that it was developed in-house. This is not something that
they secured off the market. But that marketplace is alive and well today. Actually, the going rate for
that iOS zero-day exploit I described earlier, you can actually get more these days if you sell it to a
broker based in Abu Dhabi called CrowdFense. They're offering $3 million or $3.5 million for that same one
that U.S. agencies will pay $2.5 million for. And in essence, what that market does is it closes
the capabilities gap. So three decades ago, the U.S. was still the top player in the space.
We were worried about Russia. We were worried about China, not so much because China matched our
capabilities; we were still sort of the top dog. No one's pulled off the same level of attack that the
United States and Israel pulled off several years ago. But they were just so prolific with their
attacks that we were worried about that. What the market has done is it's closed this capabilities
gap so that countries that have had very little in the way of offensive capabilities or
engineers with the skills to pull off these attacks can now tap into this market and buy things
off the shelf that years ago they would have had to develop in-house. And that's why I focus on the
zero-day market in the book. But, you know, that is advanced nation-state level cyber warfare.
Unfortunately, on the defensive side, a lot of the attacks we're seeing right now don't come in
through zero days. They come in through just the lack of basic cybersecurity hygiene. They come in
through stolen passwords and a lack of two-factor authentication.
80% of the ransomware attacks we're seeing right now come in through a combination of a stolen
password or a phishing email and a lack of two-factor authentication.
Although what's terrifying is that just last month, the Department of Homeland Security warned
that there is a new ransomware strain out there that does exploit zero days and does use zero
days. And that's very scary because those are almost impossible to stop until you figure out what
flaw they're using and how to patch it and get that patch rolled out to everyone and get everyone
to actually implement that patch because these days so many companies are too lazy to even run
their patches on time. What about backdoors deliberately programmed into software? I mean, we've heard
that, hey, don't use Huawei software. It's got a backdoor. Let's try to sniff the traffic coming from any of your
devices. You know, a lot of people say, oh, that's just BS. It's just non-competitive crap.
But I would assume that there are backdoors deliberately programmed into many devices.
I mean, why wouldn't there be? Especially when you're talking about like industrial,
supposedly secure networking devices. There's a big incentive for a company to accept a nice
$100 million plus dollar incentive or something like that to put something in there that's
never going to get misused. We're only using this for national security, right?
Yeah. And there's a long
history there. The most famous example was a Swiss company that offered encryption, and they were called
Crypto AG. And we learned later that they were getting paid off by the CIA and the NSA to put a backdoor
into that encryption software, because their encryption was used by countries that don't trust
American software, like Iran, Syria, North Korea, et cetera. And so the NSA, basically,
went to them and said, use this backdoor. Put this back door in your systems. You'll be doing
your country and ours, a giant patriotic favor. You know, we will cover your expenses. And that
was in essence the way that U.S. intelligence agencies were able to spy on some of Iran's most
sensitive systems for years before the Iranians discovered it and actually arrested one of
Crypto AG's employees who had no idea that his employer was doing this. That was a long time ago.
Now, the people I interviewed for my book wouldn't speak directly to any of these operations because
obviously they're incredibly highly classified. But what they would say is that in the U.S.
intelligence community, there is a five-tier, six-tier system. And at the bottom are nation
states that have basically zero hacking capability. We call them the script kiddies of nation states.
You know, they might be able to pull off some silly denial of service attack, although these days
they can tap into the market and buy some of their hacking capabilities off the shelf.
Then in between there are countries that have, you know, the talent to pull off these attacks.
They might not be able to pull off a sophisticated attack that would turn off the power somewhere,
but they could basically fill up their capabilities gap by tapping into the market.
And then at the top, there are countries that can hack into technology
and place a backdoor into the software supply chain and use that sort of Crypto
AG model to spy on their enemies. And at the very top is the tier six guys, the top dogs who can do that
all at scale. And they said that is where the United States is today. We are at a place where we can
plant backdoors into global technology so that we can spy on these systems at scale in real time.
And I had the privilege, I guess you would call it, of having a small slice of access to the Snowden
documents, and it was very clear from some of the NSA and the GCHQ's documents that we were inside
two of the leading encryption chip makers in the world. They never named the actual manufacturer,
but they said basically we have full capability to spy on anyone who uses this particular
flavor of encryption chip. So we know that the United States and our closest allies in Five Eyes have
been doing this for a very long time, and we never stopped to think that maybe our enemies would be
doing the same to us. But that is in essence what the SolarWinds attack is, the one that we're
unwinding right now. You know, it's not them planting a backdoor physically into the hard drives or
the encryption chips. But they don't need to do that because they were able to get into this cloud
application used by so many U.S. government agencies and top cybersecurity companies and electric
utilities to do whatever they wanted. And the good news from that attack is that the actor was
the SVR, which is really a traditional espionage, Russian espionage group. They're not the same actor
that turned off the lights in Ukraine and launched the NotPetya attack. They're known for stealing
emails and strategy planning documents and that kind of thing. The bad news is we know the
SVR pretty well because they actually hacked the White House and the State Department between 2014
and 2015. And when I went and interviewed the guys who were brought on site to remediate and get the
Russians out of those systems. They said, we'd never seen anything like it. It was like hand-to-hand
digital combat. It's not as if we would see a Russian hacker inside the State Department's
network and they would scurry away. They would stay and fight to keep their access. At one point,
they even hacked investigators' tools, the RSA NetWitness tool that they used to find further
Russian backdoors and manipulated it so it wouldn't find their backdoors. So that's the adversary
inside our systems right now. And not only that, they were inside our systems
for nine months before a private company said, I think we have a problem here. So it's going to be
at least a year or more before we can stand up and confidently say we've eradicated Russian hackers
from nuclear labs, the Department of Homeland Security, the Treasury, the Justice Department. And that's a
real problem because, you know, maybe they don't pull off these destructive attacks. But we know that
there is a lot of coordination between a lot of Russian nation state hacking groups, and they could
just as easily pass that access off to a group that is known for pulling off some of these more
destructive attacks. Yeah, if they have nine months of mapping out our network infrastructure and
saying what works where and credentials and everything, they could just say, we're done with this,
we got the boot. But if you guys want to go in there and make a huge ass mess and detonate a cyber
bomb on a nuclear facility, here you go. Here's everything
we know. Some of it's a little outdated, but the rest of it is probably still intact, right?
We still know where all the facilities are. We still know what all the software they're using
is, with the exception of maybe SolarWinds, which has a patch now. But everything else, the computers
are still in the rooms they were in before. I mean, we're not rebuilding those systems from scratch.
We're just trying to secure them. And any IP they stole, of course, is already gone.
So that is quite arrogant of us to put a backdoor in hardware or software and then think,
no one else is ever going to find this, especially when they might even be in the
systems that we are using to plan the placement of those backdoors in the first place?
Yeah, and it really complicates the U.S. response. You know, every time I cover one of these attacks,
I post the story on Twitter, and, you know, 60% of the responses are, why don't we just go shut
off the lights in Russia already? You know, clearly they are not deterred from these attacks.
Time for us to flex some muscle and shut off the lights. Well, that really sounds good in theory.
But the problem that people don't realize is just how vulnerable we are. So yeah, you know,
how do you respond to SolarWinds when, number one, it's the same kind of attack the U.S.
government has been pulling off for years on adversary systems, on Huawei and Crypto AG and all sorts
of others that we don't even know about. Do we really want to take that kind of activity, that kind
of traditional espionage activity, and say, this is off the table? I don't think so because
we do it all the time. We've been doing it for decades. We've just been doing it better.
So it's harder for people to detect American stealthy supply chain attacks. But the other thing is,
you know, how do you respond to an attack aggressively when you yourself are so vulnerable?
And the language that I hear all the time is, we live in the glassiest of glass houses. So yeah,
we might have sharper stones than others, but our adversaries can just come back and say,
hey, they just blew up this pipeline. Or hey, they just
turned off our lights. We have the right to respond proportionally, which means we can come hold up
the Colonial Pipeline. Only in Russia, they have the luxury of basically outsourcing that kind of
activity to cyber criminals or ransomware groups and saying, we had nothing to do with this. We don't have
that luxury here. Any attack you see come out of the United States comes out of the NSA or cyber command
or another intelligence agency. We don't have the luxury of saying, hey, Northrop Grumman,
you go do this for us, or tapping the guy at Google on the shoulder at night and saying,
hey, you're going to come moonlight for us. So it's harder to hide these American attacks through
these layers of attribution and plausible deniability. And that makes escalation, you know,
that much more of a risk, particularly when we are so vulnerable. This is the Jordan Harbinger
show with our guest, Nicole Perlroth. We'll be right back.
Now for the rest of my conversation with Nicole Perlroth.
You mentioned before the script kiddie countries buying nation state capabilities.
I looked this up, this system called Pegasus, and I think was it Saudi Arabia who essentially
can send a text to like Jeff Bezos and they have full access to his phone and they did that
and they got some, I don't know, racy underwear photos of the guy that made it into the National
Enquirer, I think.
This is scary because I looked at Pegasus and I was like, well, how much does it cost?
I think a basic install is like 500 grand.
So you don't have to be Saudi Arabia and have a $2 billion cybersecurity program running
in your country.
You can just be a really rich a-hole who's like, look, I want to blackmail this world leader,
celebrity, whatever it is, because I'll make my five hundred grand back.
Are you kidding me?
I'm to make four or five million bucks off of this by threatening to release photos of
the first lady or so-and-so on media.
They're just going to pay this.
So a $500,000 investment to a cyber security company to give me access to somebody's phone or multiple people's phones unfettered.
It's like it's an obvious sort of good, in air quotes, investment if you're a criminal.
I'm sure they try and screen it, but like, are you really screening it?
Do you really look at the target or you just hand over the install and it's good for one or two phones?
I mean, I don't really know, but there's no way to detect it in the phone.
I checked, at least if you're a victim.
Maybe if you're working at the NSA, they can take a look at it.
But you can't find it.
You can't defend against it.
It just does what it does.
And it's like, we're really this helpless.
And this is a private company selling this.
It's not a hacker where you pay in Bitcoin.
You freaking wire them the money to Israel or whatever.
Yeah.
I don't know if the Jeff Bezos hack came down to Pegasus.
But certainly, you know, we know that the Saudis used Pegasus to spy on confidants of
Jamal Khashoggi.
And that's part of the reason they were able to track his communications
and find out he was going to go to the embassy that day
that he was picked up, tortured, and dismembered.
And yeah, I worry a lot about Pegasus.
You know, this is spyware for your phone
that's manufactured by this Israeli company called NSO Group.
And they've been selling it to the Saudis.
They've sold it to the United Arab Emirates.
They've used it on a lot of dissidents and journalists.
Mexico uses this.
We don't necessarily think of Mexico as an authoritarian government,
But a few years ago, I started getting calls from people who were reading my stories about Pegasus in Mexico.
And they said, I think I've been getting those same messages that, you know, the UAE was using to spy on dissidents' phones.
And all of these people started calling.
And they were nutritionists.
They were doctors.
They were consumer rights activists.
And it was like, why would these people have nation state level spyware on their phone?
Well, it took a couple months.
but, you know, I put them in touch with Citizen Lab, which was able to do the forensics
to find out that, yes, they did have Pegasus installed on their phones.
And what did they have in common?
They were all people who at one point or another had publicly advocated for a soda tax in Mexico
where Coca-Cola and Pepsi maintained some of the largest market share there.
A soda tax.
Yeah.
So here is someone clearly, you know, if NSO says it just sells to government, well, someone
in Mexico's government was clearly getting kickbacks from
someone in the soda or sugar industry and was using this nation-state spyware that's usually
reserved for terrorists and pedophiles and criminals according to NSO group.
That's what their technology is used for.
But here was someone using it to intimidate nutritionists from not advocating publicly
for a national soda tax.
So there is a lot of room for corruption and misuse of these tools.
So when I went back to NSO group and I said, hey, looks like someone's abusing your spyware
to spy on nutritionists and doctors in Mexico, what say you, they said, well, we'll investigate.
And I said, okay, so you'll investigate. Okay, so how do you know when your spyware is abused?
Do you have any way of seeing how your technology is getting used? No. Okay, so how do you find out
when it's being abused? Well, journalists let us know. Okay, well, I'm one of the three journalists
who's written about this thing. So basically it'll take me, you know, a year to find out that your
spyware is on these nutritionists' iPhones. Then I'm going to do all this reporting. Then I'm going to call
you and then you're going to investigate. Okay, let's say you find out that yes, they were abusing it or
someone was abusing it. What do you do? They said, oh, well, we'll stop selling to them. Okay, but this is
hardware, right? You sell this hardware to these government agencies. How do you get it out of their
building? You know, how do you make sure you can't just go rip it out, right? They're not going to let you
in. Well, yeah, but we can starve them of features and software updates. So what, you know, it's clear that even
when there are clear cases of abuse, there's no kill switch for this spyware. These customers in
government agencies will just hold on to it for as long as they can. And we just see that same story
play out over and over and over and over again. And that's just with NSO Group, which is one of the more
expensive players in this space and one of the more sophisticated. But below them, there are hundreds of
other spyware companies that are selling to countries that have even poorer human rights records than the Saudis
and Mexico. And no one, there's no oversight over this market at all. That's insane. The idea that
it's going to take years to catch up and then they're going to go, well, that's it. We're not sending
you the update patch that has the ability to change the app icons or whatever, right? Like,
it still freaking works. My parents are still using, you know, older iPhones. They're like,
I don't need an update. Okay. So what? We just let them have spyware hacking hardware that
maybe in eight years is unusable because it's so outdated. And then what? Another agency says,
you know what, we fixed that problem. That was terrible. We can't, we fired that guy. He's gone.
We want the new stuff, though. Here's a check. Okay, fine, we believe you, because we want 45 million
dollars for the new shit. I mean, come on, let's be realistic here. It's insane. I also know that a lot
of these countries are getting hackers from overseas. You mentioned in the book that there's like
shady jobs where they kind of fly you out to, I don't know, I hate to name a country and then
they're innocent. Let's say Qatar. And they're like, you're going to be doing Infosec. Great. Oh,
by the way, it's all against dissidents and people that we don't like and we're probably
going to throw them in prison and they're going to die there. And then you're like, I, you know,
I'm going to head back to New York. That's going to be a no from me, dog. But a lot of people
stay and take the check, right? Yeah. And actually, you know, just to Qatar's credit,
they were actually the victim of NSO group.
That's why I didn't want to name them.
I picked the one like good guy country, or at least in that respect.
No, they're not really the good guys because we later learned that actually they were paying off FIFA officials to hold the World Cup and all the stuff.
And then suck it.
No, what happened was, yeah, what happened was there were these NSA analysts, operators who were starting to get job offers from contractors around the Beltway who say,
hey, we're going to pay you four times or at least double what you're getting at NSA and we're
going to give you all sorts of fun perks. Come join us. So they join them. They say, okay, we're going to
fly you over to our satellite office in Abu Dhabi and you're going to be doing the exact same work
you were doing at the NSA. We're going to make sure that you're spying on terrorists and you're
defending the UAE from cyber threats. Okay, it doesn't sound bad and you're getting $400,000 a year.
They fly over there. And at first, sure, they
are tracking terror cells and ISIS cells in the Middle East, and that's pretty much aligned with
what they were doing at the NSA. Well, then very quickly it became, hey, we think Qatar is actually
funding the Muslim Brotherhood. And we think they're actually buying off FIFA officials to host the
World Cup. Can you prove that? And these NSA guys are like, okay, well, this doesn't sound too far
afield from what I was doing earlier. So, okay, but I'll have to hack into Qatar's systems. Sure, go for it.
So they hack into Qatar systems.
And the story one of these former NSA guys told me was that, you know, here they are.
They're getting into Qatari royals' emails and tracking their flight itineraries and seeing who they're meeting with and all the kinds of things that you would need to do to see if they're funding the Muslim Brotherhood.
Well, at one point, Michelle Obama, who was then first lady, was planning a trip to Qatar to speak about her Let Girls Learn initiative.
and she's emailing personal notes to this Qatari sheikha,
and they're trading emails back and forth.
And the person who's reading them is an American,
former NSA hacker stationed in Abu Dhabi,
who's like, what the hell am I doing here?
And thank God he's one of the few to say,
what the hell am I doing here and left,
but a lot of them stayed.
And who knows what communications they've caught in their dragnet by now?
But that's the state of play now,
is that even former NSA hackers who were trained up on our taxpayer dollars are now overseas spying on Americans or whoever gets caught in their dragnet.
And it's just a great visual example of just how out of control this spyware market has become the market for hackers and their capabilities,
that a former NSA hacker would be sitting there reading Michelle Obama's emails from some villa outside Abu Dhabi.
That is shocking because it just shows you that once they get it, it's sort of like mission creep, right? I'm
sure they got it to track ISIS, and then they're like, whoa, whoa, this is pretty awesome. Yeah, why don't
we use this for some other thing? I mean, just to see if there's an issue. Yeah, we're not gonna do
anything. And then it's like, well, now we can look at everyone. It's kind of like you mentioned this in
the book: there's signals intelligence, there's human intelligence, and then there's, like, the joke,
the sort of parody, the love intelligence, where people are like, hey, I'm using this to track
terrorists, but they're like, what is my, whatever my ex-girlfriend is doing? Right. Like, what is she up to?
Right. I couldn't find her on Facebook. Let me just, oh, look, her credit score sucks. I wonder why that is.
Let me just take a, oh, look at this information. Wow, she got fired from this job. Yeah.
She's been up to no good. Yeah. You know, and you're just, and someone says, wait, you shouldn't be doing that.
But wait a minute. What is my ex-boyfriend up to? Right. So there's this mission creep thinking, like,
it's not going to be a big deal. And then it's like, dot, dot, dot, dot, you're spying on people that are supposed to have
secure communication, you're using this to go after a dissident to keep a regime in power that
maybe doesn't like criticism. And it's like, it's horrifying because it's, it really is dot,
dot, dot chopped up with a bone saw when it comes to this kind of thing. I don't mean to make light of that,
but that's how this goes. Yeah. And, you know, there was a story my colleagues at the Times did,
I think it was last week, although everything's starting to blur together in the pandemic,
about how the Saudi guys who dismembered Jamal Khashoggi received
paramilitary training in the United States. And that was a big shock, you know, that sent all these shockwaves
out. Well, the same thing has been happening digitally for a long time. We've been sending our best and
brightest over to Abu Dhabi and to Riyadh, and we're training up, you know, their nation state hackers
under the auspices of the war on terrorism requires that our allies in the Gulf and the Middle East
have these same capabilities without thinking that one day they might think, oh, well, we have these
capabilities and this person is saying some things on Twitter about us that we don't like,
we're going to turn these capabilities on them. And, you know, I tell that story at one point in
my book of Ahmed Mansoor, who we call the million dollar dissident because any kind of spyware on
the market has been found on this guy's phone. NSO Group's Pegasus, Hacking Team's tools, you know,
other European spyware companies, all of that spyware has been found on his phone. And what he said to me
was when I last interviewed him before he was locked up and thrown in solitary confinement,
was you might think you're just a voting rights activist, but one day you're going to find
that someone somewhere has labeled you a terrorist and they're justifying the use of all of these
tools on you and your family. And you might not think of yourself as a terrorist and every other
country might not think of yourself as a terrorist, but it doesn't matter. You know, at some point,
you're going to get locked up and thrown in solitary confinement. And so to me, people like Ahmed Mansoor are
really, the canary in the coal mine saying, we got to pay attention to this. We got to have rules
over who were training up, who were selling these tools to. I actually think the United States as, you know,
the government that sort of kicked off this market long ago and is still one of the biggest sponsors
of Zero Days in spyware technology,
I actually think it's time for us to use the power of our purse
to say we're not going to do business with any company
that sells its tools to oppressive governments.
And I think we need to rework our idea of what an oppressive government is.
It's not just Iran and North Korea.
It's the Saudis.
It's the Emirates.
It's the Qataris.
It's the Egyptians.
You know, we should not be training their intelligence
teams to do this level of cyber war and digital espionage. We just shouldn't. And maybe it's inevitable
they'll get those tools somewhere else. But, you know, we hold ourselves to a higher standard here.
We're just not meeting it and particularly not in this realm. We saw how the Shadow Brokers theft
of all those exploits led to ransomware attacks on British hospitals, all these different types of
businesses that had nothing to do with anything. They were just trying to extort money out of it.
I mean, it really is kind of like proliferation.
Once these bad actors get it, they're like, well, I don't care if a bunch of people in Britain die.
I mean, who gives a crap?
I want $4 million.
You know, I don't care.
You're not dealing with necessarily rational actors that are thinking at the sort of nation state level.
You're dealing with somebody who is the equivalent of me but grew up in rural Ukraine or a small town in Ukraine.
And they're like, so I never have to work again.
They'll figure out the hell thing.
I just want to put this into play.
And then it gets out of hand, especially when you get multiple
players involved. North Korea's been hacking cryptocurrency exchanges to get money off so they can,
I assume, so they can buy weapons and keep working on nukes and things like that. I mean,
they don't have any scruples about selling weapons, chemical weapons to Syria, for example,
if they can get money, they don't care at all. So having these weapons in these different hands
is really horrible. But I guess that leads to sort of my final question here was, what would you say
is the timeline for just a massive cyber attack against the United States? Not Sony against Sony, you know,
stealing movies or whatever Fortune 500 companies, but against our grid, our critical infrastructure,
where do you think it'll come from? And when do you think it might come? I mean, you've got to
have an idea, right? So this is the question I used to ask everyone when I first started covering
cybersecurity. I'd ask everyone, I said, so how long until we have this cyber-induced,
kinetic, cataclysmic attack that costs us lives? And 10 years ago, everyone had the
same answer, almost ludicrously. So they always said 18 to 24 months, Nicole, we're going to see this
in 18 to 24 months. And, you know, it was just far enough that if it didn't happen, I might not
hold them to the prediction. And if it was, it was just close enough to add urgency. Okay. So now we're 10
years later. We haven't had that big one. Why? Why do you think that is? Well, I think a couple
of reasons. But, you know, for one, I think that we've sort of set up this very fuzzy,
ill-conceived form of mutually assured digital destruction.
You know, Russia is very clearly in our power grid.
We've caught them with their fingers on the switches.
They've breached Wolf Creek, which is a nuclear plant in Kansas.
They reported that a couple years ago.
And so the United States, a couple years ago,
we broke the story that Cyber Command had been hacking into the Russian grid as a show of force.
You know, to say, you turn off the lights here, you do anything to our nuclear plants,
we'll do the exact same to you. You better watch it. So maybe that's held. Maybe that has deterred Russia
proper, the GRU from turning off the lights here, okay? But they're not missing the capabilities or the
access. They have all the ingredients to pull this off. So I think maybe mutually assured digital
destruction has kept them from doing so. So what I worry about now, though, is something much more
akin to the Colonial Pipeline attack. I think that that actually laid out a new playbook. I think
that, you know, here was a cyber criminal group, we think, based in Russia, that hit the IT system
at Colonial Pipeline. So Colonial Pipeline, you know, without billing, shut down the pipeline
itself. You know, I got my hands on a classified DOE assessment that said we could have only
afforded two more days or three more days of downtime from the pipeline being offline before chemical
factories ground to a halt because they couldn't get diesel or mass transit stopped. You know,
really ground the economy to a halt.
And so I think the playbook that was exposed there was Russia proper doesn't need to come bomb a pipeline here,
or use digital means to cause some kind of explosion on the Colonial Pipeline.
They can just encourage their cybercriminals to come after the companies that run our food supply,
our water supply, our pipelines.
They don't even necessarily need to hit the operation system itself.
They can just hold up the IT systems.
And then all of a sudden, we're running out of gas and jet fuel and diesel, and we can't trust our water supply, and we can't get meat ahead of the July 4th holiday.
Like, all of those things just happened.
No Cadbury eggs anymore?
Yeah.
No Cadbury eggs anymore before Easter.
You know, all of those things just happened.
It's just that we think they were Russia enabled, potentially encouraged, but not directed.
But I think the new playbook is that if we respond aggressively to any one of these attacks, I think the Russian
response would be: go to town, guys. You know, here is a list of the most sensitive targets that we
already have access to. Hit them, hit them hard, but do it in a way that gives us a level of plausible
deniability, but has the exact same downstream effects. And every single week, we get closer and closer
to that. You know, we haven't seen those ransomware attacks play out in any kind of coordinated way,
but we're getting closer. And so, you know, as long as there's a new playbook there, you know,
mutually assured digital destruction doesn't work. Because how do you respond when it's a private
cybercriminal group in Russia or in Romania or Ukraine doing it? You know, I don't know. And I think some of
the interesting discussions inside the administration right now are we invaded Afghanistan because
they were harboring the Taliban. At what point do we go after a nation state because they're harboring
this kind of cybercriminal that's causing this much destruction here? The problem is that, you know, we can
go after them, whatever that means, take them offline, turn off the grid, you know, et cetera, et cetera.
But we still have to reckon with the fact that we're so vulnerable.
We haven't even bothered to turn on two-factor authentication.
And Russia can say, well, they hit us.
We're just going to go hit them.
And then you get into this cycle of escalation.
And that's what I worry about is the cycle of escalation.
And I think we're getting dangerously close to that.
And I would say within the next five years, I'll be safe.
I'm not going to say 24 to 48 months.
But we're getting close enough that I think we're going to see a cyber attack within the next four years even
that causes substantial loss of life. And we have not adjusted our threat calculus around that possibility.
And we've not even adjusted the levers we would need to get to the place where we need to be in terms of our cyber defense.
Anytime we've tried to regulate that companies meet a basic standard of cybersecurity,
lobbyists have pushed it down and kicked it down. And so we're left in this very fuzzy place where we can
recommend best practices for the private sector and they'll take it or leave it. And so one of the
pieces, small pieces of good news, I would say, in the last couple of months is President Biden signed
a cyber executive order and in it was a paragraph aimed at federal contractors that said,
you guys can self-certify, we'll come up with a set of guidelines. You can self-certify that you
meet those guidelines that you have two-factor authentication, that you're using updated software,
you have password managers, et cetera, et cetera. But if we catch you lying to us, you know, if you get
caught up in a ransomware attack that came in because you didn't update your software, you're banned
from ever doing business with the federal government again, which in Colonial Pipeline's case,
because their pipeline butts up against all sorts of federal systems, would have made them commercially
unviable. So that's a powerful stick to get companies to really raise the bar when it comes to
cybersecurity. So I don't know if it's going to work, but it's a clever way of working around our
existing political landscape. And I hope at least, you know, it helps raise the bar along with
some of the cyber insurance issues that we talked about earlier. Hopefully it doesn't just encourage
the companies to hide shit and lie about it. Right. I mean, that's another option. I can, like,
oh, yeah, oops, we didn't do that. Don't tell anyone. Yeah. Well, the thing is, though,
is that another piece of that executive order is, they said, we're going to create a national
transportation safety board for cyber. Just like when a plane crashes and we do a forensics
investigation of their black box, we're going to do that for major cyber incidents. So that's good.
So it's going to get harder to hide. The other piece of good news is that ransomware attacks
are really hard to hide because for years, for decades even, companies have been burying their
Chinese IP theft and some of these, you know, Russian probes. But ransomware is different. Not only are they
holding company systems hostage and taking them offline, they're actually doing this double
extortion scheme recently where they're dumping some of their data online and extorting them twice,
saying, you know, well, pay us once to give you access to your data back, pay us twice so we delete
the data we already stole and we'll stop leaking it out online. So that's made it really hard
for these companies to hide these attacks. Just today, I saw a major coal company is now hit with
ransomware. And the only reason I knew that is because their data started showing up on the Russian
REvil group's Happy Blog, is what they call it. And so, you know, it's getting harder to hide.
And so in some ways, as sad as it is to say, ransomware is a blessing in disguise because finally
Americans are seeing the extent of our digital vulnerability. And finally, we're asking these
questions that most of us who have been paying attention have been asking for the last decade,
which is, why aren't we more secure? You know, why are we not meeting this base level of cybersecurity?
Why don't we know what's in our government systems and in our software that touches our networks?
Why don't we know where that software is made?
Why aren't we securing it?
Where are the grants to make sure state and local agencies that run elections can actually be convinced
that they have any level of cybersecurity?
So, you know, in some ways it's good news, but we're in for a lot of short-term pain, I think,
over the next couple of years until some of those policies play out.
Nicole, thank you very much.
Fascinating topic, a little bit scary.
But I think we all kind of need to be,
we need to have our head on the swivel
for this sort of thing
because there are probably a lot of people out there
who are using the same password they use
for their Gmail or their Wi-Fi network
on their SCADA command and control system
for the power grid company that they work for.
And like, you are the weak link
if you are doing that kind of thing, right?
You are the reason people might die
because they can't turn on their aircon
in the middle of July because you're too lazy
to change your password.
Or you keep it on a sticky note on your desktop
or it's your birthday.
Yeah.
Right.
I mean, we see things like that.
These aren't just silly examples.
We see real things like that.
And now people are going to realize not only can it cost their company $200 million,
but it could kill people.
Yeah.
And I think that's something we need to be aware of.
Yeah.
And, you know, it's a little bit like the pandemic.
And that is another sort of piece of good news, in that people are thinking along these
lines.
But like, you know, solving the pandemic, governments can only play so much of a role.
A lot of it came down to what businesses were doing, how they were able to continue to run
their operations, the development of a vaccine. And then a lot of it just came down to us wearing masks
and social distancing. And there's the added, you know, similarity that a lot of people, because
they couldn't see the pandemic, didn't believe it exists. And same in cyber. You know, a lot of it comes
down to personal responsibility. A lot of these attacks come through an employee's stolen password or
them forgetting to turn on two-factor authentication or to update their software, whatever it is. So until
we help people realize that they have accountability, that they have an individual responsibility
to protect their businesses, their homes, but also, you know, government agencies to a certain
extent. We're not going to get anywhere. Thank you very much. Now, I've got some thoughts on
this episode, but before we get into that, here's what you should check out next on the Jordan
Harbinger Show. Sleep is not an optional lifestyle luxury. Sleep is a non-negotiable biological
necessity, sleep is a life support system. It is mother nature's best effort yet at immortality.
And the decimation of sleep throughout industrialized nations is now having a catastrophic impact
on our health, our wellness, as well as the safety in the education of our children. It is a silent
sleep loss epidemic, and I would contend that it is fast becoming the greatest public health challenge
that we now face in the 21st century. The evidence is very clear that when we delay school start
times, academic grades increase, behavioral problems decrease, truancy rates decrease,
psychological and psychiatric issues decrease. But what we also found which we didn't expect in
those studies is the life expectancy of students increased. So if our goal as educators truly is to
educate and not risk lives in the process, then we are failing our children in the most spectacular
manner with this incessant model of early school start times. And by the way, 7:30 a.m.
for a teenager is the equivalent for an adult waking up at 4:30 or 3:30 in the morning. If you're
trying to survive or regularly getting five hours of sleep or less, you have a 65% risk of dying at any
moment in time. When you wake up the next day, you have a revised mind-wide web of associations.
A new associative network, a rebooted iOS that is capable of defining remarkable insights
into previously impenetrable problems,
and it is the reason that you have never been told to stay awake on a problem.
Instead, you're told to sleep on a problem.
For more on sleep, including why we dream
and how we can increase the quality of our sleep,
check out episode number 126 with Dr. Matthew Walker
here on the Jordan Harbinger Show.
You know, we've talked about this a lot here on the show.
I did an episode with Chris Hadnagy on social engineering.
We did episode 428 with Jenny Radcliffe.
There are so many things going on in the cyber warfare landscape.
Y'all have probably heard of Stuxnet where a computer virus totally messed up Iran's nuclear
centrifuges. That was a whole show. I could do a whole show on this. It was just an amazing,
amazing cyber weapon. Of course, now the United States is even more vulnerable to these same tools
and we're totally unprepared, as you can tell from the conversation here. There are certain
major cyber warfare groups from the United States and otherwise that say things like, what's
Snowden leaked about the United States, especially the NSA and what they could do, was low level,
and there is so much more. Imagine what they mean by that if the Edward Snowden leaks were low level
compared to what we can actually do in the cyber domain. Now, let's just hope that's being used
where it needs to be used and not just against United States citizens. I won't say not being used
at all against U.S. citizens because I think we're beyond that level of naivete, right? Hopefully,
it's just not entirely focused on violating our privacy and our civil rights.
Of course, now post-Stuxnet Iran is coming after us.
They're going after our grid, our power, our water.
And just the damage, the potential damage of this is terrifying to think about.
So what do we need to do?
We need to become more cyber literate so we don't give up our passwords because that is still
the most common vector for attack.
Unbelievable.
Un-freaking-believable.
We need tax credits for more secure software so that companies don't look at it
as just an unnecessary cost center that may never return.
We need to invest in cybersecurity both in the government
and not leave it up to private companies
who can't afford to do it and don't have the resources.
We may need a digital Geneva convention,
but again, let's focus on the legal aspects of this
after we focus on keeping the barbarians away from the gate, huh?
We also need rules for contractors
not to teach foreign governments
that might use them against Americans,
although that's kind of maybe a little bit disingenuous
considering where all this garbage is coming from in the first place,
Am I right? Everyone who's not American? What do you think? Also, no sharing of zero-days and hacker knowledge
with oppressive regimes. You'd think this would be an obvious one. But if we've got totalitarian,
authoritarian regimes bidding against this, we need to make it illegal for companies to sell weapons to
them just like it is for them to sell nukes and bombs and other weapons to them. These cyber weapons
are just as dangerous, if not more so. Last but not least, keep an eye on your own backyard.
Make sure you're aware of the phishing. And for God's sake, get the spyware
off your computer. I'll tell you this. One day, and I've said this on the show before,
one day we interviewed, let's just say, a political operative. And after the show, his assistant,
who was a total moron, left the computer on and left Skype on. This is when we were using Skype.
And I came back to save the files later on after I'd gotten a drink or possibly even a meal.
And I realized, I'm still looking at this guy's bedroom. And in he walks, drops his pants,
and rolls up a fat-ass joint. And now I deleted that footage, because I,
I knew deep down that I just wasn't strong enough.
I would succumb to temptation, and then my kids would be asking me about those Google results
in 10 years when I ended up selling that video to the National Enquirer, or, you know,
whoever else would pay for it.
I don't realize why I'm telling you this, and I thought I had a connection to today's show,
but now I think I'm just going through cathartic experience here.
Thanks so much for listening, and thanks so much to Nicole Perlroth for coming on the show.
Her book is called This Is How They Tell Me the World Ends: The Cyberweapons Arms Race.
Links to her stuff will be on the website in the show notes.
Please use our website links if you buy the books from the guests on the show. It does help
support us. It all adds up. Worksheets for the episode are in the show notes. Transcripts in the show notes.
There's a video of this interview going up on our YouTube channel at jordanharbinger.com/youtube.
We also have a brand new Clips channel with cuts that don't make it to the show
or just highlights from the interviews that you can't see anywhere else. jordanharbinger.com/clips
is where you can find that. I'm at Jordan Harbinger on Twitter, Instagram,
or just hit me on LinkedIn. I'm teaching you how to connect with amazing people, all the same software,
systems, tiny habits that I use. In other words, teaching you to dig the well before you get thirsty.
That's in our six-minute networking course, which is free.
jordanharbinger.com/course is where you'll find it.
Most of the guests on the show, subscribe to the course. Come join us. You'll be in smart company
where you belong. This show is created in association with Podcast One. My team is Jen Harbinger,
Jay Sanderson, Robert Fogarty, Millie Ocampo, Ian Baird, Josh Ballard, and Gabriel Mizrahi.
Remember, we rise by lifting others. The fee for the show is that you share it with friends
when you find something useful or interesting.
If you know somebody who's interested in cyber, cyber warfare, hacking, definitely.
Share this episode with them, please.
I hope you find something great in every episode.
Please do share the show with those you care about.
In the meantime, do your best to apply what you hear on the show
so you can live what you listen, and we'll see you next time.
This episode is sponsored in part by Something You Should Know podcast.
Finding a new great podcast shouldn't be this hard, so let me save you some time.
If you like the Jordan Harbinger show, you'll probably like Something You Should Know
with Mike Carruthers.
It's one of those shows that makes you smarter in a practical, useful way.
Same curiosity vibe we go for here, just in a fast-focused format.
Mike brings on top experts and asks the exact questions that you'd want to ask,
and the topics are all over the place in the best way.
Recently, they've covered things like why we care so much what other people think,
the benefits of laughter, why sports fans get so invested,
and what makes people like you or not.
The through line is always the same.
Smart ideas you can actually use in real life.
Something You Should Know has been featured in Apple's Shows We Love,
and it's got thousands of five-star reviews
because it's consistently interesting.
So if you want another show that scratches
that "I want to understand
how people in the world really work"
itch, search for Something You Should Know
wherever you get your podcasts.
Look for the bright yellow light bulb
and start listening.
You can thank me later.
