The Jordan Harbinger Show - 542: Nicole Perlroth | Who's Winning the Cyberweapons Arms Race?

Episode Date: August 3, 2021

Nicole Perlroth (@nicoleperlroth) is an award-winning cybersecurity journalist for The New York Times and bestselling author of This Is How They Tell Me the World Ends: The Cyberweapons Arms Race.

What We Discuss with Nicole Perlroth:
The startlingly simple reasons why most nation-states now resort to using cyberwarfare tactics before conventional weaponry in acts of aggression -- to increasingly devastating effect.
How industries are so interconnected that there's almost no way for a cyberattack to target one victim without endangering countless others on all sides of a conflict (which is why you may have Putin to blame if there's a Cadbury chocolate egg shortage next Easter).
Why leaving the security of 85 percent of its critical infrastructure up to privatization makes the United States especially vulnerable to cyberwarfare attacks.
The massive amount of intellectual property that's been lost to hackers -- from the formula for Coca-Cola to information that would allow China and other rival nations to catch up with the United States in the nuclear arms race.
What Nicole believes the US should do to push back against these threats and the governments that perpetrate them -- and ensure that it's not inadvertently one of them.
And much more...

Full show notes and resources can be found here: jordanharbinger.com/542
Sign up for Six-Minute Networking -- our free networking and relationship development mini course -- at jordanharbinger.com/course!
Like this show? Please leave us a review here -- even one sentence helps! Consider including your Twitter handle so we can thank you personally!

Transcript
Starting point is 00:00:00 Coming up next on the Jordan Harbinger Show. Cyber war isn't targeted. Cyber war can take all of us down at a few clicks, but we're not acting like that. A lot of nations are engaged in developing these offensive capabilities, but they don't understand that the collateral damage is usually their own citizens or their allies or businesses. Welcome to the show. I'm Jordan Harbinger. On the Jordan Harbinger Show, we decode the stories, secrets and skills of the world's most fascinating people. We have in-depth conversations with people at the top of their game,
Starting point is 00:00:38 astronauts and entrepreneurs, spies, psychologists, even the occasional four-star general, drug trafficker or former jihadi. Each episode turns our guest's wisdom into practical advice that you can use to build a deeper understanding of how the world works and become a better critical thinker. If you're new to the show or you're looking for a handy way to tell your friends about it, we've got starter packs. These are collections of your favorite episodes organized by topic that'll help new listeners get a taste of everything that we do here on the show. Just visit jordanharbinger.com slash start to get started or to help somebody else get started with us. Of course, I always appreciate that.
Starting point is 00:01:13 Now, today, when I was a kid, I used to love finding bugs in software. I would be on a bulletin board system and I'd figure out that some little ASCII color coding thing could crash the entire software, and I'd report the bug to the sysop, the system operator. And I remember one time I did it and the sysop called the police, and the police called my parents, and they didn't really know what was going on, but my parents thought I was going to get in trouble. And, you know, that just made me have a vendetta against this guy.
Starting point is 00:01:42 Is it weird that I'm still mad about it? But law enforcement never really dissuaded me from hacking or from anything else. I later went to a hacker conference called DEF CON, and I found out how easy it is to get into our power grid, these SCADA systems that mess with air traffic control and water and power, using transponder hacking to trick aircraft. I mean, it really is just scary how quickly you can mess things up if you are a bad actor. We regulate weapons and arms sales, and we work hard not to allow the proliferation of nukes, but we do nothing to stop the spread of what are called zero-day
Starting point is 00:02:13 exploits and other hacks discovered in critical systems. My guest today, Nicole Perlroth, literally wrote the book on cyber warfare. Today we'll talk about why this is so dangerous, why we're not doing really anything about it, how it's being misused, both in the United States and abroad. We'll talk about hackers who forge documents, bribe people, hack computers both domestically and abroad for money, white hat, black hat, and everything in between. We'll talk about massive attacks on Google from China and how nation states are using cyber warfare before pretty much any other weaponry these days. China has stolen enough IP from the Western world for the next decade,
Starting point is 00:02:49 including the formula for Coca-Cola, Benjamin Moore paint, plans for the F-35, and has stolen enough info to catch up with us in the nuclear arms race, but that might not be all we have to worry about right now. Today, we'll explore the cyber warfare going on these days, how we're being attacked by our enemies on the regular, and how ready we are for the next catastrophic cyber attack against the West and or the United States. And if you're wondering how I manage to book all these great authors, thinkers, and creators every single week, it's because of my network.
Starting point is 00:03:18 I'm teaching you how to build your network for free over at jordanharbinger.com slash course. And by the way, most of the guests on the show already subscribe to the course, come join us. You'll be in smart company where you belong. Now, Nicole Perlroth. The U.S. is engaged in large-scale cyber warfare, and it seems like our critical infrastructure is more or less, I won't say undefended, but kind of undefended at the moment. How accurate would you say that statement is? That's incredibly accurate. You know, the statistic everyone throws around, although no one's ever actually furnished any proof that this is true, but it feels largely true, is that
Starting point is 00:03:56 85% of our critical infrastructure is owned by the private sector. And the government has no say as of this moment over how secure or not secure it is. We leave it to every company to basically fend for themselves. And now you're seeing ransomware attacks that are taking out pipelines and the food supply that just come down to a lack of two-factor authentication and bad password management. That's all it takes. For people who don't know, two-factor authentication is like when I'm trying to log into my bank and it goes, hey, we just sent you a text, making sure that it's you. Please type in that four-digit, six-digit code. And there are people that are in control of like oil pipelines, power grid
Starting point is 00:04:40 systems, water treatment plants that are like, eh, I don't want to deal with that. I'm just going to use my, I've been using the same password for 20 years. Why change it now, right? That's right. I mean, even Colonial Pipeline, you have to give them a little more credit in that it came down to some employee who'd come and gone. I don't even know how long they'd been gone, still had an active account with access to their network, and that account just hadn't been used for a long time and didn't have two-factor authentication turned on. So all it took was someone getting his stolen password, seeing he worked at Colonial Pipeline, trying to get into the network, and there being no obstacle to them doing so.
Starting point is 00:05:22 And because Colonial Pipeline's network administrators weren't paying attention to some old employee's account, they weren't paying attention to the attack when they came in and started mucking around their systems and then deploying ransomware that held their data hostage in such a way that they couldn't actually see where gas was going off the pipeline. It's not like the ransomware hit the pipeline itself,
Starting point is 00:05:44 but they're a business and they couldn't charge customers because their billing systems had been held hostage. So they took the step of shutting down the pipeline. So basically, because they had this old employee account that didn't have two-factor authentication turned on, an entire pipeline that supplies nearly half the jet fuel and gas and diesel to the East Coast was held hostage. And all it took was this old employee with a stolen password
Starting point is 00:06:09 that didn't have two-factor authentication turned on. And that seems glaringly, it's dangerous for that level of access to be sort of, it's kind of like leaving a gun in a room. You never go in and you go, well, we never go in there. Well, okay, but your kids are playing in the house. Yeah, but I mean, I'm just never, who would open that drawer? Right.
Starting point is 00:06:26 And it's the same kind of thing, but we're thinking, oh, but nobody has, it's kind of a tricky drawer. It's got, you know, there's a key lock. Where's the key? Oh, we leave it in the key chain with the house keys. They're not going to open that drawer. It's sort of the same thing, except for we would never think that that gun is secure, but we think, oh, well, that employee's gone, so no one's going to log into that account.
Starting point is 00:06:47 Well, okay, no one nefarious. And I guess to their credit, sort of Colonial Pipeline, the oil pipeline that was shut down, for those of you who don't know what we're talking about, they shut that down themselves because they were worried about what might happen because the other elements of their system were compromised. And that's kind of a whole other discussion about, was that the best way to have your systems connected like that? And to their credit, they shut it down before somebody could do something really horrible.
Starting point is 00:07:12 But not all cyber attacks have ended with just a rush on gas that ended up being a big nothing burger. We saw a massive Ukrainian cyber attack by Russia. So take us through that a little bit. And also, why do this? You know, what's the message to Ukraine from Russia here by doing this? So the attack by Russia on Ukraine, and there have been several noteworthy attacks, one of the most famous was when they actually turned the power off to a large size
Starting point is 00:07:42 of Western Ukraine for a few hours. And then a year later came back and did the same thing to their capital, Kiev, for a couple hours. That was a big one. But the one you're referring to is the one that security people call NotPetya. And it's a horrible name and it's worth just lingering on it for a moment. The reason they called it NotPetya is because it looked like a huge ransomware attack that looked like Petya ransomware. But it wasn't ransomware because there was no way for the victims to pay a ransom and get access to their data back. It was actually just an attack of destruction. So what happened was sometime around 2017 or earlier, Russia breached a company that's basically like Ukraine's TurboTax. Actually, legally, most government agencies and banks
Starting point is 00:08:28 and large corporations in Ukraine are required to use this tax software. That tax software company is run by a mom and pop, just outside Kiev, who never thought that their little tax software company could be used as a nation-state weapon. But that's what happened. Russia's preeminent hackers from the GRU, their intelligence agency, came in, compromised the tax software company, got into the software update so that when all of these Ukrainian companies downloaded the latest, greatest version of this tax software, they weren't just downloading the tax software. They were downloading a GRU backdoor. And once they were inside, the GRU unleashed what was essentially a digital weapon of destruction. It looked like
Starting point is 00:09:18 ransomware, which is just code that holds your data hostage with encryption until you pay up, only there was no way for the victims to pay. So all of a sudden, all of these Ukrainian government agencies couldn't access anything on their network. They couldn't access email or anything else. They had to hop on Facebook to communicate with the country to say, we're still standing. But it also hit railways. People couldn't get tickets on trains. It hit the postal service. People are still not getting pension checks that they were owed back in 2016, 2017. It held up the radiation monitoring systems at Chernobyl, the old nuclear site. So suddenly, the people at Chernobyl couldn't see how much radiation was leaking out of that blast site. But it also hit any company that did any business in Ukraine,
Starting point is 00:10:09 Even if they had a single employee working remotely from Ukraine, they were caught up in this attack. So it hit FedEx. FedEx suffered $400 million in damage from this attack. It hit Pfizer. It hit Merck. Merck's vaccine production systems were held up in this attack. It actually had to go tap into the CDC's emergency supplies of vaccines that year. It hit Cadbury Egg Chocolate factories in Tasmania. You name it. Dear Lord, no. Yeah. And so it ended up being the most costly cyber attack known to man.
Starting point is 00:10:45 It was $10 billion in damages, although we think it might have been worse because a lot of victims didn't even report their damages. But it was really a prelude in some ways to a lot of the attacks we're seeing now. You know, if we had been paying closer attention to how that attack happened in the United States, we might have been a little bit more prepared for the SolarWinds attack that we're still unwinding right now, where Russia, another Russian hacking group, this time less of a destructive actor, thank God, broke into SolarWinds, which is a Texas company that provides software to more than 400 of the Fortune 500 and to all of our preeminent federal agencies like
Starting point is 00:11:27 DHS and the Treasury and the Department of Justice and the Department of Energy in our nuclear labs, got into their software update. And all of a sudden, most government agencies downloaded this Russian backdoor. And we still don't know the extent of damages from that attack. We still don't know just how deep the Russians are into our government systems. But they also got into some of our electric utilities. We don't know what they plan to do with that access. So this is where we are now. We are seeing attacks come in through the software supply chain. And for years, people have been talking about this threat. But now suddenly they're asking the right questions, which is how do you trust that any of the software you're using is secure and not a Russian Trojan horse.
Starting point is 00:12:14 Especially when you're updating. I mean, I update my apps all the time thinking, oh, I'm on the latest version. I'm on the most secure version. But if there's some fake update that I install, now I'm on the least secure version of that software that's ever been created. And it might disable my ability to update to a patch. I mean, it's really hard to say. I assume they did that. They went, well, okay, if they find out about this, we don't want it to then check the server for the latest undo. We want it to just not work anymore. And now you're in this sort of zone where you're going, how do I manually update my TurboTax, my Ukrainian TurboTax? Do I have to, okay, I have to delete it. Then I have to download the fresh version that's off
Starting point is 00:12:51 their website, which I've never been to, and find that, and then enter my code that I haven't looked at in three years because I bought it ages ago. And you're doing that on hundreds of thousands of computers or millions of computers at the same time. Right, right. And it's pervasive. It does strike me as sort of like tragically comical that vaccine companies are reporting these losses, shipping companies are reporting these losses. And then Cadbury's like, hey, and we can't get any of those chocolate eggs out. Like, we're going to be way behind this Easter for these little eggs. Just so nobody points the finger, blame Putin. Okay. Don't look at me. Right. And the only reason I ever bring up Cadbury in my list of NotPetya victims, and I always bring it up, is just because
Starting point is 00:13:32 I want people to understand that we're so interconnected now that a targeted attack between Russia and Ukraine doesn't even exist anymore because we're so connected that something, you know, Russia decided to aim at Ukraine to basically take them offline ahead of their independence day would actually, you know, cause disruption to a chocolate factory in Tasmania is really the best visual you get when you try and understand that cyber war isn't targeted. Cyber war can take all of us down at a few clicks, but we're not acting like that. A lot of nations are engaged in developing these offensive capabilities, but they don't understand that the collateral damage is usually their own citizens or their allies or businesses.
Starting point is 00:14:21 And what's really interesting from that attack is, you know, I mentioned some of the figures of FedEx, $400 million. Merck, I think, at $600 million. When they tried to go get that money back from their insurers because they had cyber insurance, their insurers said, uh, uh, uh, you know, we have this tiny little clause in your policy that's a war exemption clause. And it says that if you are collateral damage in a war, we don't have to pay out. And in this case, you were collateral damage in Russia's war on Ukraine. And so we're not going to pay you out. And those lawsuits are ongoing. But American companies are on the hook for those damages. That is crazy because, of course, it is war damage, but also it's like, well, when I signed that,
Starting point is 00:15:03 I thought you meant if there's a drone strike and it knocks out part of our headquarters, you're not going to pay for that, not an actual cyber intrusion, which is the whole freaking point of the insurance. So, and the insurance company's argument is, no, no, no, we're insuring you for when a kid comes into your office and installs some spyware and knocks out 50 of your computers and you have to replace them or you have to scrape that data. We're not paying you when the GRU, the Russian military sort of hacker intelligence unit, targets something and you're collateral damage. And so now there's probably a whole different type of insurance industry out there
Starting point is 00:15:36 with much higher premiums that says, oh, yeah, we'll insure you against that for $350 million or more on an annual basis, depending on how big your company is. You know, it's like this massive, now you're paying as much for cyber insurance as you are for insurance on all your FedEx delivery trucks at this point, right? Because the damage is equal or greater. Well, that's right. I mean, you and I live now in the wildfire zone, and my neighbors are getting notices that their insurer will no longer cover fire insurance on their properties anymore. And I think that's what's happening now with cyber insurance. Yeah, sure, they'll still cover Pfizer and Merck and FedEx, but their premiums are going to be astronomical. And there's going to be all sorts of fine print in there that says, you know, if you're a target of this kind of attack, we don't have to pay out.
Starting point is 00:16:25 And so this is something businesses are reckoning with. Now, the good news is that cyber insurance companies will say, okay, we'll underwrite you, but you need to have a much higher baseline of cybersecurity. You need to have two-factor authentication installed. You need to be patching your systems. We need a clear idea of what's in your network and how well secured that software is. We need to know that you have strong password management or your employees are using password managers, all of that. And so, in some ways it's creating market incentives for these companies to raise the bar. But there's another thing about that NotPetya attack, which I failed to mention, which is the reason it was so cataclysmic, why it destroyed so much, is because it was sailing on a stolen weapon from the National Security Agency. So just a few months before Russia launched that attack on Ukraine, someone, we still don't know who they are, they called themselves the Shadow Brokers, had hacked the NSA and had started dribbling the NSA's best kept code and hacking tools online. And one of the tools that they dumped
Starting point is 00:17:36 was some code that exploited a vulnerability in Microsoft Windows that allowed their malware or code to spread automatically across a network. Instead of a hacker having to manually infect one computer after another, the NSA's tool essentially allowed them to automate this attack. So after that was dumped online, North Korea picked it up for a ransomware attack. That was pretty bad, but fortunately the North Koreans had made some mistakes in their code and someone was able to neutralize it pretty quickly. And then Russia baked it into its NotPetya attack, which is why you saw their code sail around the world the way it did and wreak that much destruction on companies
Starting point is 00:18:18 including American companies. And there's been no accountability for that. And people don't even realize that all of those damages were enabled by an NSA digital hacking tool. The NotPetya attack. By the way, how do people name these things? Like, WannaCry, Petya, NotPetya.
Starting point is 00:18:36 How do the names come up? Okay. It's a huge point of frustration for me. If I run for president, it's going to be like a single platform, which is cut out the ridiculous names for these attacks and for these nation-state groups because it's gone crazy.
Starting point is 00:18:51 Like, CrowdStrike is a security company, and they name Chinese attacks something Panda, Russia, something Bear. So you have all these names for these groups like Fancy Bear and Berserk Bear. And every cybersecurity company's naming convention is different. So anytime we call out these groups, it's like, Nobelium, aka so-and-so Bear, aka APT-2372. You know, it's so frustrating. But usually the way it goes with malware, ransomware, is that it's after some word in the code.
Starting point is 00:19:25 So the North Korea attack that I mentioned was called WannaCry because there was some little snippet of code in their ransomware that said something like W-N-A-C-R-Y, you know, something like that. But really, it'd be great if we could get some central naming authority to avoid some of these ridiculous names and the confusion. Yeah, I figured there was something to that with the code. The NotPetya attack, something like 80% of Ukrainian computers had to be wiped clean because of this, right? So that's massive. And it sounds like what we're worried about is not just how much damage that can cause, but the fact that that might just be a dry run for something even larger. I mean, okay, you went after Ukraine, it went and destroyed a bunch of data, $10 billion in damage. What happens now when you go after Canada and Mexico and the United States and Germany, which you can easily do.
Starting point is 00:20:16 I mean, it's not like, I would imagine it's not a huge squad of people required to pull off an attack like this against a nation state. It's just they chose Ukraine because they knew they wouldn't have any consequences to pay as a result, most likely. Yeah, well, it's pretty interesting. And I didn't really, I couldn't really wrap my head around this until I went to Ukraine and met with all the people who did forensics inside Ukraine on not just the NotPetya attack, but several of the attacks I mentioned leading up to it. You know, the attacks that took out the power. There were attacks that were aimed at Ukrainian media companies. For years, they had been shelling Ukraine with all of these different kinds of attacks. But what was clear to the people who did forensics is that this was Russia really experimenting. This was their petri dish. This was them trying out one method here, one slightly different method there, basically like the scientific method of hacking. And so their theory on the ground there is that NotPetya was designed to look like ransomware,
Starting point is 00:21:15 but there was no way for people to pay the ransom. And that really it was just a destructive tool. It was a way for Russia to wipe the slate clean to erase any trace of everything they had done before that so that, you know, no one would be wiser to the capabilities they do have. And what they said was, we believe that we weren't the ultimate target. We believe that we were spring training. We believe that you in the United States and the West are the entire target here. But when it comes your way, we should mention that it will be so much worse because we are actually not that digitized here. You know, we still run our elections on pen and paper. Our power systems are still pretty archaic. You know, NotPetya didn't take out the power across
Starting point is 00:22:04 the whole country. It didn't touch our nuclear plants. But when it comes for you, there is a high likelihood that it will do a lot more than $10 billion in damage and it will take a lot longer for you to get your systems up and running because you're so much more virtualized. And by the way, you know, it doesn't seem like you're that secure either. So it was a wake-up call, but we're not really treating it like it's a wake-up call. We didn't change the fundamental ways we do business after the NotPetya attack. Most Americans have never even heard of the NotPetya attack. They wouldn't even need to do much to take down, to do billions of dollars in damage in the United States. I mean, if you took down Amazon web hosting, which a lot of people think,
Starting point is 00:22:45 Amazon, you buy things there. That backbone of internet hosting, there goes almost all of the services that you use. Or if you took a chunk out of, I mean, remember when Gmail's down for like a day and people are like, what the hell? We can't do any business. What if you took down Outlook and Amazon, or you just stopped airline traffic for a day or a week, like the Iceland volcano, except for the United States? Right. And all you need to do, that's not even like kill-people type of damage. That's just a massive, expensive inconvenience. Now you're talking about what happens if they shut off the power in the South in July when it's 100 degrees outside and no one can turn on air conditioning or a fan and the phone system doesn't work, right? Because the cell towers are down.
Starting point is 00:23:35 So you can't even call 911 if you're passing out or you're, you need an ambulance. Like that kind of damage could be done by a few people relatively easily because a lot of those SCADA systems, I think, they're called are from like the 90s, right, those power grid systems. And they all, I remember talking with somebody who worked there a long time ago. And there are people that go, oh yeah, our systems are so safe. They're buried underground. You have to go in this tunnel and the tunnels flooded half the time to get there. Well, how do you control it? Oh, we hooked it up to a telephone line. I can log in from my phone. Okay, so you did that and you never go down there for local access. You don't think anybody else can do that. And it's really shocking because these guys who connect the system to the phone line,
Starting point is 00:24:16 it's like the young intern figured out how to do that. They didn't hire CrowdStrike to make their systems accessible remotely. They just freaking plugged it into Zoom, basically. It's just really, really pathetic a lot of the ways that these things have been made accessible. Yeah, well, you know, we don't even really have to use hypotheticals because there was a situation over the winter when Texas power went out. Was it ERCOT? Yes. About the name of the company?
Starting point is 00:24:44 Yeah, yeah, that was it. Yeah. You know, they went out and everyone in cybersecurity said, oh, gosh, is this the attack we've been waiting for? Nope. It was just due to an underinvestment in winterizing. If they're making that level of or lack of investment in winterizing, what do you think their cybersecurity posture is?
Starting point is 00:25:04 And look at what happened. I mean, people were not, they didn't just lose power in the middle of this storm, they lost access to their water because their pipes were frozen. I mean, that's really what it would look like. Only in this case, you know, Russia might not turn it back on. They might make sure that the power stayed off. The one I actually worry about the most is water because at least we've sort of wrapped our heads around the threat to our power supplies.
Starting point is 00:25:30 But we haven't really wrapped our heads around the threat to the water supply. And, you know, most of the water treatment facilities here in the United States serve communities of less than 10,000 people, and they barely have an IT guy on staff, let alone a cybersecurity expert. And just the day my book came out, actually, there was a hack on a water treatment facility in Oldsmar, Florida, just outside Tampa, where hackers got in remotely into the water treatment facility because they'd been using a decade-old version of Microsoft Windows that hadn't been patched in years, and they didn't have two-factor authentication turned on,
Starting point is 00:26:12 and they hadn't even thought about this scenario, but a hacker was able to get into their chemical controls and up the level of lye, L-Y-E, in the water, from something like 1,100 parts per million to 11,000 parts per million, which is enough to send everyone to the hospital in the middle of COVID when hospitals are already under strain. And oh, by the way, they did it on the Friday ahead of Super Bowl weekend in Tampa. So thank God some engineer was sitting at his computer,
Starting point is 00:26:38 and happened to watch his cursor move around and catch this thing in action. But, you know, in most cases, there wouldn't have been an engineer sitting in front of their computer watching that happen. And, you know, I was just at a wedding last weekend. And right next to our hotel was this little water treatment facility. And it was like, there is no way there is an IT guy sitting there on-prem watching to make sure no one's mucking around with their chemical controls. And I guarantee you there's a very easy way for someone to remote into their
Starting point is 00:27:08 system and up the level of caustic chemicals in the water. So the scenarios are endless and we keep having these close calls, but we're still not changing the way we secure our critical infrastructure. You're listening to the Jordan Harbinger Show with our guest Nicole Perlroth. We'll be right back. When it's time to scale your business, it's time for Shopify. Get everything you need to grow the way you want. Like all the way. Stack more sales with the best converting checkout, track your cha-chings from every channel, right in one spot, and turn real-time reporting into big-time opportunities. Take your business to a whole new level.
Starting point is 00:27:52 Switch to Shopify. Start your free trial today. Now back to Nicole Perlroth on the Jordan Harbinger Show. I would imagine that that software that runs those plants, it's all the same stuff, it's all the same version of the same stuff. It all runs on Windows, like you said, the Windows might not even be patched. That sounds like they just got remote access to Windows, and then they use the software like you can do with a screen share on Zoom or any other remote software. Imagine if somebody found out how to, I'm sure they already did, find out how to remotely access this software plain and simple, because they make these things easily accessible so that, hey, your IT guy, oh, he's a consultant, he lives offsite, hey, there's something weird going on with our software.
Starting point is 00:28:37 They give them a call. He logs in remotely and handles it. That is absolutely not secure. There's, like you said, there's probably one guy there just to make sure pipes aren't exploding, and they're on their iPad watching Netflix, and they're just looking for giant spurts of water squirting out. They're not sitting there going, oh, that seems like a chemical imbalance on system number seven. Let me go look at that and inspect that. They probably don't even have anybody qualified on site to even do that at any given time. So that is terrifying, especially because you can log in and do that to a thousand small town water systems, probably all at the same time, or within a few hours before anybody figures out anything and they can unplug the internet.
Starting point is 00:29:18 I mean, it's just the amount of damage is massive. And then you have no idea who did it in the first place. I mean, you can point fingers, but that's pretty much it. I remember reading that in Ukraine, Russia pushed a lot of the anti-vac stuff that sounds very familiar here. They tested that on the Ukrainian population, said, hey, the MMR vaccine causes autism.
Starting point is 00:29:36 And then there was a massive measles outbreak or something like that, right? Am I close here? Yes, you're close. I mean, it was really disturbing. And again, I couldn't have wrapped my head around this until I actually went to Ukraine. But I met with officials at the embassy and I was there to talk about cyber threat, hacking threats. But they didn't even have time to think about cyber threats because they were so focused on Russian disinformation in Ukraine. And at that very moment, there was this crazy measles outbreak that had actually spread to Hasidic communities in New York because some of them do this pilgrimage to Ukraine every year. But a lot of it, Ukraine has a disinformation minister, something we don't still have here in the United States, but I met with them at the time. And he said, yes, they tracked a lot of it down to Facebook pages, targeted at young Ukrainian mothers where Russian trolls were flooding the comment sections,
Starting point is 00:30:31 trying to legitimize the vaccination debate and seeding doubts among Ukrainian mothers that measles vaccines caused autism or was some, you know, nation-state tool of control. And so a lot of young mothers weren't getting vaccinated. Meanwhile, back in Russia, the vaccination rates were nearing 100%, whereas in Ukraine, they were dipping below 50. It didn't even hit me at the time because this was 2019 that a year later, less than a year later, we would have a global pandemic. But sure enough, here we are in the middle of this global pandemic.
Starting point is 00:31:06 And the biggest threat right now is vaccine hesitancy. And oh, yep, some white papers are just now coming up that are tracing a lot of disinformation related to the Pfizer and Moderna vaccines to Russian troll networks. And they're playing out on Facebook. They're playing out on social media. And this is where we are now. That is, of course, terrifying because it affects the public health of the entire country. And yeah, the joke is really on us because when you look at vaccination rates in Russia,
Starting point is 00:31:34 well, why are they so high? Oh, they have an oppressive government. Okay, but they're obviously not doing the same type of disinformation that they are over here. I mean, and of course it's using our own sort of information freedom against us and that's a whole different probably podcast here. But I want to go back to what you mentioned before, the Shadow Brokers hack and what this means, the gravity of it. I don't think most people know what zero days are, why they're valuable. Can you take us through that a little bit? Because this is one of the main reasons that we're having so many cyber attacks, correct?
Starting point is 00:32:04 You know, it is and it isn't. Just to back up, and I promise this is the most technical part of our conversation today. But what is a zero day? So a zero day is a flaw in software that the software maker is not aware of. And the day someone discovers it, that's day zero, or zero day. Because they've had zero days to fix it. And until they can fix it, everyone who uses that software is vulnerable to hacking. So just to take the most simple example, let's say I'm a hacker and I find a flaw in your iPhone's iOS software. And I can write a program to exploit it. So that flaw is called a zero day. The program to exploit it is called a zero day exploit. And if I create a good program, I can use it to read your text messages, track your location on your iPhone, access your phone calls, use your camera without your knowledge, record all of your surround sound and conversations, your calendar
Starting point is 00:33:01 appointments. That's basically everything a spy agency could ever want or need. And so there is a market where governments are not regulators, but governments are customers. The U.S. government is one of the top customers in this space. And they will pay hackers to sell them those zero-day exploits. The going rate for the zero-day exploit I just described in your iOS software is $2.5 million. US government brokers will pay you $2.5 million to sell them that exploit with the condition that you not tell anyone about it because the minute you tell someone or the minute Apple finds out about it, they'll patch that underlying zero day, you'll get one of those annoying prompts on your phone to update your software and suddenly that $2.5 million capability turns to mud. So there is a long
Starting point is 00:33:51 history here since the 90s of U.S. government agencies paying hackers, both in the United States and abroad, to sell them these zero days and the code to exploit them to add to their stockpiles. So I started writing this book about this because I was just fascinated by the moral hazard and the security dilemma baked into that marketplace. We are all using the same software today. Three decades ago when these programs started, this marketplace launched, we were all using different software. China was using Huawei. We were using Oracle and Cisco for the most part. Three decades later, Huawei's a glaring exception, but we're all using the same technology. We're all using Android phones and iPhones and Windows, whether you know it or not,
Starting point is 00:34:38 you might not have a Windows PC, but it's in the power grid and your water systems and your pipelines. And same for industrial systems, Siemens software, Schneider Electric software, those are pretty much the market leaders when it comes to industrial systems. So when the U.S. government finds a zero day in that software and holds on to it and makes sure that it doesn't get fixed, it means that most Americans and our critical infrastructure, more and more so, are left vulnerable. So I was fascinated by this. I never in a million years imagined that the NSA's own stockpile of zero-day exploits would get hacked by someone we still don't know who they are three, four years later, dumped online so that our adversaries like North Korea and Russia would pick them up
Starting point is 00:35:28 and use them in these global destructive attacks. But that is precisely what happened. Now, the zero day that was used by North Korea and Russia was called EternalBlue at the agency, at the NSA. I do know from reporting that it was developed in-house. This is not something that they secured off the market. But that marketplace is alive and well today. Actually, the going rate for that iOS zero-day exploit I described earlier, you can actually get more these days if you sell it to a broker based in Abu Dhabi called CrowdFense. They're offering $3 million or $3.5 million for that same one that U.S. agencies will pay $2.5 million for. And in essence, what that market does is it closes the capabilities gap. So three decades ago, the U.S. was still the top player in the space.
Starting point is 00:36:15 We were worried about Russia. We were worried about China, not so much because China matched our capabilities, we were still sort of the top dog. No one's pulled off the same level of attack that the United States and Israel pulled off several years ago. But they were just so prolific with their attacks that we were worried about that. What the market has done is it's closed this capabilities gap so that countries that have had very little in the way of offensive capabilities or engineers with the skills to pull off these attacks can now tap into this market and buy things off the shelf that years ago they would have had to develop in-house. And that's why I focus on the zero-day market in the book. But, you know, that is advanced nation-state level cyber warfare.
Starting point is 00:36:59 Unfortunately, on the defensive side, a lot of the attacks we're seeing right now don't come in through zero days. They come in through just the lack of basic cybersecurity hygiene. They come in through stolen passwords and a lack of two-factor authentication. 80% of the ransomware attacks we're seeing right now come in through a combination of a stolen password or a phishing email and a lack of two-factor authentication. Although what's terrifying is that just last month, the Department of Homeland Security warned that there is a new ransomware strain out there that does exploit zero days and does use zero days. And that's very scary because those are almost impossible to stop until you figure out what
Starting point is 00:37:45 flaw they're using and how to patch it and get that patch rolled out to everyone and get everyone to actually implement that patch because these days so many companies are too lazy to even run their patches on time. What about backdoors deliberately programmed into software? I mean, we've heard that, hey, don't use Huawei software. It's got a backdoor. Let's try to sniff the traffic coming from any of your devices. You know, a lot of people say, oh, that's just BS. It's just non-competitive crap. But I would assume that there are backdoors deliberately programmed into many devices. I mean, why wouldn't there be? Especially when you're talking about like industrial, supposedly secure networking devices. There's a big incentive for a company to accept a nice
Starting point is 00:38:27 $100 million plus dollar incentive or something like that to put something in there that's never going to get misused. We're only using this for national security, right? Yeah. And there's a long history there. The most famous example was a Swiss company that offered encryption, and they were called Crypto AG. And we learned later that they were getting paid off by the CIA and the NSA to put a backdoor into that encryption software, because their encryption was used by countries that don't trust American software, like Iran, Syria, North Korea, et cetera. And so the NSA, basically, went to them and said, use this backdoor. Put this backdoor in your systems. You'll be doing
Starting point is 00:39:12 your country and ours a giant patriotic favor. You know, we will cover your expenses. And that was in essence the way that U.S. intelligence agencies were able to spy on some of Iran's most sensitive systems for years before the Iranians discovered it and actually arrested one of Crypto AG's employees who had no idea that his employer was doing this. That was a long time ago. Now, the people I interviewed for my book wouldn't speak directly to any of these operations because obviously they're incredibly highly classified. But what they would say is that in the U.S. intelligence community, there is a five-tier, six-tier system. And at the bottom are nation states that have basically zero hacking capability. We call them the script kiddies of nation states.
Starting point is 00:40:01 You know, they might be able to pull off some silly denial of service attack, although these days they can tap into the market and buy some of their hacking capabilities off the shelf. Then in between there are countries that have, you know, the talent to pull off these attacks. They might not be able to pull off a sophisticated attack that would turn off the power somewhere, but they could basically fill up their capabilities gap by tapping into the market. And then at the top, there are countries that can hack into technology and place a backdoor into the software supply chain and use that sort of Crypto AG model to spy on their enemies. And at the very top is the tier six guys, the top dogs who can do that
Starting point is 00:40:43 all at scale. And they said that is where the United States is today. We are at a place where we can plant backdoors into global technology so that we can spy on these systems at scale in real time. And I had the privilege, I guess you would call it, of having a small slice of access to the Snowden documents, and it was very clear from some of the NSA and the GCHQ's documents that we were inside two of the leading encryption chip makers in the world. They never named the actual manufacturer, but they said basically we have full capability to spy on anyone who uses this particular flavor of encryption chip. So we know that the United States and our closest allies in Five Eyes have been doing this for a very long time, and we never stopped to think that maybe our enemies would be
Starting point is 00:41:32 doing the same to us. But that is in essence what the SolarWinds attack is, the one that we're unwinding right now. You know, it's not them planting a backdoor physically into the hard drives or the encryption chips. But they don't need to do that because they were able to get into this cloud application used by so many U.S. government agencies and top cybersecurity companies and electric utilities to do whatever they wanted. And the good news from that attack is that the actor was the SVR, which is really a traditional espionage, Russian espionage group. They're not the same actor that turned off the lights in Ukraine and launched the NotPetya attack. They're known for stealing emails and strategy planning documents and that kind of thing. The bad news is we know the
Starting point is 00:42:16 SVR pretty well because they actually hacked the White House and the State Department between 2014 and 2015. And when I went and interviewed the guys who were brought on site to remediate and get the Russians out of those systems, they said, we'd never seen anything like it. It was like hand-to-hand digital combat. It's not as if we would see a Russian hacker inside the State Department's network and they would scurry away. They would stay and fight to keep their access. At one point, they even hacked investigators' tools, the RSA NetWitness tool that they used to find further Russian backdoors, and manipulated it so it wouldn't find their backdoors. So that's the adversary inside our systems right now. And not only that, they were inside our systems
Starting point is 00:42:58 for nine months before a private company said, I think we have a problem here. So it's going to be at least a year or more before we can stand up and confidently say we've eradicated Russian hackers from nuclear labs, the Department of Homeland Security, the Treasury, the Justice Department. And that's a real problem because, you know, maybe they don't pull off these destructive attacks. But we know that there is a lot of coordination between a lot of Russian nation state hacking groups, and they could just as easily pass that access off to a group that is known for pulling off some of these more destructive attacks. Yeah, if they have nine months of mapping out our network infrastructure and saying what works where and credentials and everything, they could just say, we're done with this,
Starting point is 00:43:43 we got the boot. But if you guys want to go in there and make a huge ass mess and detonate a cyber bomb on a nuclear facility, here you go. Here's everything. We know some of it's a little outdated, but the rest of it is probably still intact, right? We still know where all the facilities are. We still know what all the software they're using is, with the exception of maybe the SolarWinds has a patch now. But everything else, the computers are still in the rooms they were in before. I mean, we're not rebuilding those systems from scratch. We're just trying to secure them. And any IP they stole, of course, is already gone. So that is quite arrogant of us to put a backdoor in hardware or software and then think,
Starting point is 00:44:20 no one else is ever going to find this, especially when they might even be in the systems that we are using to plan the placement of those backdoors in the first place? Yeah, and it really complicates the U.S. response. You know, every time I cover one of these attacks, I post the story on Twitter, and, you know, 60% of the responses are, why don't we just go shut off the lights in Russia already? You know, clearly they are not deterred from these attacks. Time for us to flex some muscle and shut off the lights. Well, that really sounds good in theory. But the problem that people don't realize is just how vulnerable we are. So yeah, you know, how do you respond to SolarWinds when number one, it's the same kind of attack the U.S.
Starting point is 00:45:03 government has been pulling off for years on adversary systems, on Huawei and Crypto AG and all sorts of others that we don't even know about. Do we really want to take that kind of activity, that kind of traditional espionage activity, and say, this is off the table? I don't think so because we do it all the time. We've been doing it for decades. We've just been doing it better. So it's harder for people to detect American stealthy supply chain attacks. But the other thing is, you know, how do you respond to an attack aggressively when you yourself are so vulnerable? And the language that I hear all the time is, we live in the glassiest of glass houses. So yeah, we might have sharper stones than others, but our adversaries can just come back and say,
Starting point is 00:45:47 hey, they just blew up this pipeline. Or hey, they just turned off our lights. We have the right to respond proportionally, which means we can come hold up the Colonial Pipeline. Only in Russia, they have the luxury of basically outsourcing that kind of activity to cyber criminals or ransomware groups and saying, we had nothing to do with this. We don't have that luxury here. Any attack you see come out of the United States comes out of the NSA or Cyber Command or another intelligence agency. We don't have the luxury of saying, hey, Northrop Grumman, you go do this for us, or tapping the guy at Google on the shoulder at night and saying, hey, you're going to come moonlight for us. So it's harder to hide these American attacks through
Starting point is 00:46:27 these layers of attribution and plausible deniability. And that makes escalation, you know, that much more of a risk, particularly when we are so vulnerable. This is the Jordan Harbinger show with our guest, Nicole Perlroth. We'll be right back. Thank you so much for supporting the show. Your support of our advertisers keeps us going. For all the links and all those promo codes that you hear on the show, those are all in one place. Go to Jordan Harbinger.com slash deals. That's where everything is. No need to write anything down. Please consider supporting those who support us. Don't forget, we've got worksheets for many episodes of the show. If you want some of the drills and exercises and main takeaways talked about during the show,
Starting point is 00:47:07 they're all in one easy place. The link to the worksheets is in the show notes at Jordan Harbinger.com slash podcast. Now for the rest of my conversation with Nicole Perlroth. You mentioned before the script kiddie countries buying nation state capabilities. I looked this up, this system called Pegasus, and I think was it Saudi Arabia who essentially can send a text to like Jeff Bezos and they have full access to his phone and they did that and they got some, I don't know, racy underwear photos of the guy that made it into the National Enquirer, I think. This is scary because I looked at Pegasus and I was like, well, how much does it cost?
Starting point is 00:47:44 I think a basic install is like 500 grand. So you don't have to be Saudi Arabia and have a $2 billion cybersecurity program running in your country. You can just be a really rich a-hole who's like, look, I want to blackmail this world leader, celebrity, whatever it is, because I'll make my five hundred grand back. Are you kidding me? I'm going to make four or five million bucks off of this by threatening to release photos of the first lady or so-and-so on media.
Starting point is 00:48:12 They're just going to pay this. So a $500,000 investment to a cyber security company to give me access to somebody's phone or multiple people's phones unfettered. It's like it's an obvious sort of good, in air quotes, investment if you're a criminal. I'm sure they try and screen it, but like, are you really screening it? Do you really look at the target or you just hand over the install and it's good for one or two phones? I mean, I don't really know, but there's no way to detect it in the phone. I checked, at least if you're a victim. Maybe if you're working at the NSA, they can take a look at it.
Starting point is 00:48:44 But you can't find it. You can't defend against it. It just does what it does. And it's like, we're really this helpless. And this is a private company selling this. It's not a hacker where you pay in Bitcoin. You freaking wire them the money to Israel or whatever. Yeah.
Starting point is 00:48:57 I don't know if the Jeff Bezos hack came down to Pegasus. But certainly, you know, we know that the Saudis used Pegasus to spy on confidants of Jamal Khashoggi. And that's part of the reason they were able to track his communications and find out he was going to go to the embassy that day that he was picked up, tortured, and dismembered. And yeah, I worry a lot about Pegasus. You know, this is spyware for your phone
Starting point is 00:49:22 that's manufactured by this Israeli company called NSO Group. And they've been selling it to the Saudis. They've sold it to the United Arab Emirates. They've used it on a lot of dissidents and journalists. Mexico uses this. We don't necessarily think of Mexico as an authoritarian government, but a few years ago, I started getting calls from people who were reading my stories about Pegasus in Mexico. And they said, I think I've been getting those same messages that, you know, the UAE was using to spy on dissidents' phones.
Starting point is 00:49:55 And all of these people started calling. And they were nutritionists. They were doctors. They were consumer rights activists. And it was like, why would these people have nation state level spyware on their phone? Well, it took a couple months, but, you know, I put them in touch with Citizen Lab, which was able to do the forensics to find out that, yes, they did have Pegasus installed on their phones.
Starting point is 00:50:17 And what did they have in common? They were all people who at one point or another had publicly advocated for a soda tax in Mexico where Coca-Cola and Pepsi maintained some of the largest market share there. A soda tax. Yeah. So here is someone clearly, you know, if NSO says it just sells to government, well, someone in Mexico's government was clearly getting kickbacks from someone in the soda or sugar industry and was using this nation-state spyware that's usually
Starting point is 00:50:43 reserved for terrorists and pedophiles and criminals according to NSO Group. That's what their technology is used for. But here was someone using it to intimidate nutritionists from advocating publicly for a national soda tax. So there is a lot of room for corruption and misuse of these tools. So when I went back to NSO Group and I said, hey, looks like someone's abusing your spyware to spy on nutritionists and doctors in Mexico, what say you, they said, well, we'll investigate. And I said, okay, so you'll investigate. Okay, so how do you know when your spyware is abused?
Starting point is 00:51:19 Do you have any way of seeing how your technology is getting used? No. Okay, so how do you find out when it's being abused? Well, journalists let us know. Okay, well, I'm one of the three journalists who's written about this thing. So basically it'll take me, you know, a year to find out that your spyware is on these nutritionists' iPhones. Then I'm going to do all this reporting. Then I'm going to call you and then you're going to investigate. Okay, let's say you find out that yes, they were abusing it or someone was abusing it. What do you do? They said, oh, well, we'll stop selling to them. Okay, but this is hardware, right? You sell this hardware to these government agencies. How do you get it out of their building? You know, how do you make sure you can't just go rip it out, right? They're not going to let you
Starting point is 00:51:59 in. Well, yeah, but we can starve them of features and software updates. So what, you know, it's clear that even when there are clear cases of abuse, there's no kill switch for this spyware. These customers in government agencies will just hold on to it for as long as they can. And we just see that same story play out over and over and over and over again. And that's just with NSO Group, which is one of the more expensive players in this space and one of the more sophisticated. But below them, there are hundreds of other spyware companies that are selling to countries that have even poorer human rights records than the Saudis and Mexico. And no one, there's no oversight over this market at all. That's insane. The idea that it's going to take years to catch up and then they're going to go, well, that's it. We're not sending
Starting point is 00:52:46 you the update patch that has the ability to change the app icons or whatever, right? Like, it still freaking works. My parents are still using, you know, older iPhones. They're like, I don't need an update. Okay. So what? We just let them have spyware hacking hardware that maybe in eight years is unusable because it's so outdated, and then what, another agency says, you know what, we fixed that problem, that was terrible, we fired that guy, he's gone, we want the new stuff though, here's a check. Okay, fine, we believe you because we want 45 million dollars for the new shit. I mean, come on, let's be realistic here. It's insane. I also know that a lot of these countries are getting hackers from overseas. You mentioned in the book that there's like
Starting point is 00:53:29 shady jobs where they kind of fly you out to, I don't know, I hate to name a country and then they're innocent. Let's say Qatar. And they're like, you're going to be doing Infosec. Great. Oh, by the way, it's all against dissidents and people that we don't like and we're probably going to throw them in prison and they're going to die there. And then you're like, I, you know, I'm going to head back to New York. That's going to be a no from me, dog. But a lot of people stay and take the check, right? Yeah. And actually, you know, just to Qatar's credit, they were actually the victim of NSO group. That's why I didn't want to name them.
Starting point is 00:54:00 I picked the one like good guy country, or at least in that respect. No, they're not really the good guys because we later learned that actually they were paying off FIFA officials to hold the World Cup and all the stuff. And then suck it. No, what happened was, yeah, what happened was there were these NSA analysts, operators who were starting to get job offers from contractors around the Beltway who say, hey, we're going to pay you four times or at least double what you're getting at NSA and we're going to give you all sorts of fun perks. Come join us. So they join them. They say, okay, we're going to fly you over to our satellite office in Abu Dhabi and you're going to be doing the exact same work you were doing at the NSA. We're going to make sure that you're spying on terrorists and you're
Starting point is 00:54:44 defending the UAE from cyber threats. Okay, it doesn't sound bad and you're getting $400,000 a year. They fly over there. And at first, sure, they're tracking terror cells and ISIS cells in the Middle East, and that's pretty much aligned with what they were doing at the NSA. Well, then very quickly it became, hey, we think Qatar is actually funding the Muslim Brotherhood. And we think they're actually buying off FIFA officials to host the World Cup. Can you prove that? And these NSA guys are like, okay, well, this doesn't sound too far afield from what I was doing earlier. So, okay, but I'll have to hack into Qatar's systems. Sure, go for it. So they hack into Qatar's systems.
Starting point is 00:55:22 And the story one of these former NSA guys told me was that, you know, here they are. They're getting into Qatari royals' emails and tracking their flight itineraries and seeing who they're meeting with and all the kinds of things that you would need to do to see if they're funding the Muslim Brotherhood. Well, at one point, Michelle Obama, who was then first lady, was planning a trip to Qatar to speak about her Let Girls Learn initiative, and she's emailing personal notes to this Qatari sheikha, and they're trading emails back and forth. And the person who's reading them is an American, former NSA hacker stationed in Abu Dhabi, who's like, what the hell am I doing here?
Starting point is 00:56:02 And thank God he's one of the few to say, what the hell am I doing here and left, but a lot of them stayed. And who knows what communications they've caught in their dragnet by now? But that's the state of play now, is that even former NSA hackers who were trained up on our taxpayer dollars are now overseas spying on Americans or whoever gets caught in their dragnet. And it's just a great visual example of just how out of control this spyware market has become the market for hackers and their capabilities, that a former NSA hacker would be sitting there reading Michelle Obama's emails from some villa outside Abu Dhabi.
Starting point is 00:56:43 That is shocking because it just shows you that once they get it, it's sort of like mission creep, right? I'm sure they got it to track ISIS and then they're like, whoa, whoa, this is pretty awesome. Yeah. Why don't we use this for some other thing? I mean, just to see if there's an issue. Yeah, we're not gonna do anything. And then it's like, well, now we can look at everyone. It's kind of like, you mentioned this in the book, there's signals intelligence, there's human intelligence, and then there's like the joke, the sort of parody, the love intelligence, where people are like, hey, I'm using this to track terrorists, but they're like, what is my, whatever my ex-girlfriend is doing? Right. Like, what is she up to? Right. I couldn't find her on Facebook. Let me just, oh, look, her credit score sucks. I wonder why that is.
Starting point is 00:57:23 Let me just take a, oh, look at this information. Wow, she got fired from this job. Yeah. She's been up to no good. Yeah. You know, and you're just, and someone says, wait, you shouldn't be doing that. But wait a minute. What is my ex-boyfriend up to? Right. So there's this mission creep thinking, like, it's not going to be a big deal. And then it's like, dot, dot, dot, dot, you're spying on people that are supposed to have secure communication, you're using this to go after a dissident to keep a regime in power that maybe doesn't like criticism. And it's like, it's horrifying because it's, it really is dot, dot, dot chopped up with a bone saw when it comes to this kind of thing. I don't mean to make light of that, but that's how this goes. Yeah. And, you know, there was a story my colleagues at the Times did,
Starting point is 00:58:02 I think it was last week, although everything's starting to blur together in the pandemic, about how the Saudi guys who dismembered Jamal Khashoggi received paramilitary training in the United States. And that was a big shock, you know, that sent all these shockwaves out. Well, the same thing has been happening digitally for a long time. We've been sending our best and brightest over to Abu Dhabi and to Riyadh, and we're training up, you know, their nation state hackers under the auspices of the war on terrorism requires that our allies in the Gulf and the Middle East have these same capabilities without thinking that one day they might think, oh, well, we have these capabilities and this person is saying some things on Twitter about us that we don't like,
Starting point is 00:58:48 we're going to turn these capabilities on them. And, you know, I tell that story at one point in my book of Ahmed Mansoor, who we call the million dollar dissident because any kind of spyware on the market has been found on this guy's phone. NSO Group's Pegasus, Hacking Team's tools, you know, other European spyware companies, all of that spyware has been found on his phone. And what he said to me was when I last interviewed him before he was locked up and thrown in solitary confinement, was you might think you're just a voting rights activist, but one day you're going to find that someone somewhere has labeled you a terrorist and they're justifying the use of all of these tools on you and your family. And you might not think of yourself as a terrorist and every other
Starting point is 00:59:33 country might not think of yourself as a terrorist, but it doesn't matter. You know, at some point, you're going to get locked up and thrown in solitary confinement. And so to me, people like Ahmed Mansoor are really the canary in the coal mine saying, we got to pay attention to this. We got to have rules over who we're training up, who we're selling these tools to. I actually think the United States as, you know, the government that sort of kicked off this market long ago and is still one of the biggest sponsors of zero-days in spyware technology, I actually think it's time for us to use the power of our purse to say we're not going to do business with any company
Starting point is 01:00:10 that sells its tools to oppressive governments. And I think we need to rework our idea of what an oppressive government is. It's not just Iran and North Korea. It's the Saudis. It's the Emirates. It's the Qataris. It's the Egyptians. You know, we should not be training their intelligence
Starting point is 01:00:30 teams to do this level of cyber war and digital espionage. We just shouldn't. And maybe it's inevitable they'll get those tools somewhere else. But, you know, we hold ourselves to a higher standard here. We're just not meeting it and particularly not in this realm. We saw how the Shadow Brokers theft of all those exploits led to ransomware attacks on British hospitals, all these different types of businesses that had nothing to do with anything. They were just trying to extort money out of it. I mean, it really is kind of like proliferation. Once these bad actors get it, they're like, well, I don't care if a bunch of people in Britain die. I mean, who gives a crap?
Starting point is 01:01:05 I want $4 million. You know, I don't care. You're not dealing with necessarily rational actors that are thinking at the sort of nation state level. You're dealing with somebody who is the equivalent of me but grew up in rural Ukraine or a small town in Ukraine. And they're like, so I never have to work again. They'll figure out the hell thing. I just want to put this into play. And then it gets out of hand, especially when you get multiple
Starting point is 01:01:27 players involved. North Korea's been hacking cryptocurrency exchanges to get money off so they can, I assume, so they can buy weapons and keep working on nukes and things like that. I mean, they don't have any scruples about selling weapons, chemical weapons to Syria, for example, if they can get money, they don't care at all. So having these weapons in these different hands is really horrible. But I guess that leads to sort of my final question here was, what would you say is the timeline for just a massive cyber attack against the United States? Not Sony against Sony, you know, stealing movies or whatever Fortune 500 companies, but against our grid, our critical infrastructure, where do you think it'll come from? And when do you think it might come? I mean, you've got to
Starting point is 01:02:07 have an idea, right? So this is the question I used to ask everyone when I first started covering cybersecurity. I'd ask everyone, I said, so how long until we have this cyber-induced, kinetic, cataclymatic, cataclymatic, cataclysmic attack that cost us lives? And 10 years ago, everyone had the same answer, almost ludicrously. So they always said 18 to 24 months, Nicole, we're going to see this in 18 to 24 months. And, you know, it was just far enough that if it didn't happen, I might not hold them to the prediction. And if it was, it was just close enough to add urgency. Okay. So now we're 10 years later. We haven't had that big one. Why? Why do you think that is? Well, I think a couple of reasons. But, you know, for one, I think that we've sort of set up this very fuzzy,
Starting point is 01:02:50 ill-conceived form of mutually assured digital destruction. You know, Russia is very clearly in our power grid. We've caught them with their fingers on the switches. They've breached Wolf Creek, which is a nuclear plant in Kansas. They reported that a couple years ago. And so the United States, a couple years ago, we broke the story that Cyber Command had been hacking into the Russian grid as a show of force. You know, to say, you turn off the lights here, you do anything to our nuclear plants,
Starting point is 01:03:19 we'll do the exact same to you. You better watch it. So maybe that's held. Maybe that has deterred Russia proper, the GRU, from turning off the lights here, okay? But they're not missing the capabilities or the access. They have all the ingredients to pull this off. So I think maybe mutually assured digital destruction has kept them from doing so. So what I worry about now, though, is something much more akin to the Colonial Pipeline attack. I think that that actually laid out a new playbook. I think that, you know, here was a cyber criminal group, we think, based in Russia, that hit the IT system at Colonial Pipeline. So Colonial Pipeline, you know, without billing, shut down the pipeline itself. You know, I got my hands on a classified DOE assessment that said we could have only
Starting point is 01:04:05 afforded two more days or three more days of downtime from the pipeline being offline before chemical factories ground to a halt because they couldn't get diesel or mass transit stopped. You know, really ground the economy to a halt. And so I think the playbook that was exposed there was Russia proper doesn't need to come bomb a pipeline here, or you use digital means to cause some kind of explosion on the colonial pipeline. They can just encourage their cybercriminals to come after the companies that run our food supply, our water supply, our pipelines. They don't even necessarily need to hit the operation system itself.
Starting point is 01:04:45 They can just hold up the IT systems. And then all of a sudden, we're running out of gas and jet fuel and diesel, and we can't trust our water supply, and we can't get meat ahead of the July 4th holiday. Like, all of those things just happened. No Cadbury eggs anymore? Yeah. No Cadbury eggs anymore before Easter. You know, all of those things just happened. It's just that we think they were Russia enabled, potentially encouraged, but not directed.
Starting point is 01:05:10 But I think the new playbook is that Russia says, if we respond aggressively to any one of these attacks, I think the Russia is, I think the Russian response would be, go to town, guys. You know, here is a list of the most sensitive targets that we already have access to. Hit them, hit them hard, but do it in a way that gives us a level of plausible deniability, but has the exact same downstream effects. And every single week, we get closer and closer to that. You know, we haven't seen those ransomware attacks play out in any kind of coordinated way, but we're getting closer. And so, you know, as long as there's a new playbook there, you know, mutually assured digital destruction doesn't work. Because how do you respond when it's a private cybercriminal group in Russia or in Romania or Ukraine doing it? You know, I don't know. And I think some of
Starting point is 01:05:58 the interesting discussions inside the administration right now are we invaded Afghanistan because they were harboring the Taliban. At what point do we go after a nation state because they're harboring this kind of cybercriminal that's causing this much destruction here? The problem is that, you know, we can go after them, whatever that means, take them offline, turn off the grid, you know, et cetera, et cetera. But we still have to reckon with the fact that we're so vulnerable. We haven't even bothered to turn on two-factor authentication. And Russia can say, well, they hit us. We're just going to go hit them.
Starting point is 01:06:33 And then you get into this cycle of escalation. And that's what I worry about is the cycle of escalation. And I think we're getting dangerously close to that. And I would say within the next five years, I'll be safe. I'm not going to say 24 to 48 months, but we're getting close enough that I think we're going to see a cyber attack within the next four years even that causes substantial loss of life. And we have not adjusted our threat calculus around that possibility. And we've not even adjusted the levers we would need to get to the place where we need to be in terms of our cyber defense.
Starting point is 01:07:06 Anytime we've tried to regulate that companies meet a basic standard of cybersecurity, lobbyists have pushed it down and kicked it down. And so we're left in this very fuzzy place where we can recommend best practices for the private sector and they'll take it or leave it. And so one of the pieces, small pieces of good news, I would say, in the last couple of months is President Biden signed a cyber executive order and in it was a paragraph aimed at federal contractors that said, you guys can self-certify, we'll come up with a set of guidelines. You can self-certify that you meet those guidelines that you have two-factor authentication, that you're using updated software, you have password managers, et cetera, et cetera. But if we catch you lying to us, you know, if you get
Starting point is 01:07:49 caught up in a ransomware attack that came in because you didn't update your software, you're banned from ever doing business with the federal government again, which in Colonial Pipeline's case, because their pipeline butts up against all sorts of federal systems, would have made them commercially unviable. So that's a powerful stick to get companies to really raise the bar when it comes to cybersecurity. So I don't know if it's going to work, but it's a clever way of working around our existing political landscape. And I hope at least, you know, it helps raise the bar along with some of the cyber insurance issues that we talked about earlier. Hopefully it doesn't just encourage the companies to hide shit and lie about it. Right. I mean, that's another option. I can, like,
Starting point is 01:08:28 oh, yeah, oops, we didn't do that. Don't tell anyone. Yeah. Well, the thing is, though, is that another piece of that executive order is, they said, we're going to create a national transportation safety board for cyber. Just like when a plane crashes and we do a forensics investigation of their black box, we're going to do that for major cyber incidents. So that's good. So it's going to get harder to hide. The other piece of good news is that ransomware attacks are really hard to hide because for years, for decades even, companies have been burying their Chinese IP theft and some of these, you know, Russian probes. But ransomware is different. Not only are they holding company systems hostage and taking them offline, they're actually doing this double
Starting point is 01:09:12 extortion scheme recently where they're dumping some of their data online and extorting them twice, saying, you know, well, pay us once to give you access to your data back, pay us twice so we delete the data we already stole and we'll stop leaking it out online. So that's made it really hard for these companies to hide these attacks. Just today, I saw a major coal company is now hit with ransomware. And the only reason I knew that is because their data started showing up on the Russian REvil group's Happy Blog, is what they call it. And so, you know, it's getting harder to hide. And so in some ways, as sad as it is to say, ransomware is a blessing in disguise because finally Americans are seeing the extent of our digital vulnerability. And finally, we're asking these
Starting point is 01:09:54 questions that most of us who have been paying attention have been asking for the last decade, which is, why aren't we more secure? You know, why are we not meeting this base level of cybersecurity? Why don't we know what's in our government systems and in our software that touches our networks? Why don't we know where that software is made? Why aren't we securing it? Where are the grants to make sure state and local agencies that run elections can actually be convinced that they have any level of cybersecurity? So, you know, in some ways it's good news, but we're in for a lot of short-term pain, I think,
Starting point is 01:10:27 over the next couple of years until some of those policies play out. Nicole, thank you very much. Fascinating topic, a little bit scary, but I think we all kind of need to be, we need to have our head on the swivel for this sort of thing because there are probably a lot of people out there who are using the same password they use
Starting point is 01:10:42 for their Gmail or their Wi-Fi network on their SCADA command and control system for the power grid company that they work for. And like, you are the weak link if you are doing that kind of thing, right? You are the reason people might die because they can't turn on their aircon in the middle of July because you're too lazy
Starting point is 01:11:00 to change your password. Or you keep it on a sticky note on your desktop or it's your birthday. Yeah. Right. I mean, we see things like that. These aren't just silly examples. We see real things like that.
Starting point is 01:11:08 And now people are going to realize not only can it cost their company $200 million, but it could kill people. Yeah. And I think that's something we need to be aware of. Yeah. And, you know, it's a little bit like the pandemic. And that is another sort of piece of good news and that people are thinking along these lines.
Starting point is 01:11:22 But like, you know, solving the pandemic, governments can only play so much of a role. A lot of it came down to what businesses were doing, how they were able to continue to run their operations, the development of a vaccine. And then a lot of it just came down to us wearing masks and social distancing. And there's the added, you know, similarity that a lot of people, because they couldn't see the pandemic, didn't believe it exists. And same in cyber. You know, a lot of it comes down to personal responsibility. A lot of these attacks come through an employee's stolen password or them forgetting to turn on two-factor authentication or to update their software, whatever it is. So until we help people realize that they have accountability, that they have an individual responsibility
Starting point is 01:12:05 to protect their businesses, their homes, but also, you know, government agencies to a certain extent. We're not going to get anywhere. Thank you very much. Now, I've got some thoughts on this episode, but before we get into that, here's what you should check out next on the Jordan Harbinger Show. Sleep is not an optional lifestyle luxury. Sleep is a non-negotiable biological necessity, sleep is a life support system. It is mother nature's best effort yet at immortality. And the decimation of sleep throughout industrialized nations is now having a catastrophic impact on our health, our wellness, as well as the safety in the education of our children. It is a silent sleep loss epidemic, and I would contend that it is fast becoming the greatest public health challenge
Starting point is 01:12:52 that we now face in the 21st century. The evidence is very clear that when we delay school start times, academic grades increase, behavioral problems decrease, truancy rates decrease, psychological and psychiatric issues decrease. But what we also found which we didn't expect in those studies is the life expectancy of students increased. So if our goal as educators truly is to educate and not risk lives in the process, then we are failing our children in the most spectacular manner with this incessant model of early school start times. And by the way, 7:30 a.m. for a teenager is the equivalent for an adult waking up at 4:30 or 3:30 in the morning. If you're trying to survive or regularly getting five hours of sleep or less, you have a 65% risk of dying at any
Starting point is 01:13:43 moment in time. When you wake up the next day, you have a revised mind-wide web of associations. A new associative network, a rebooted iOS that is capable of defining remarkable insights into previously impenetrable problems, and it is the reason that you have never been told to stay awake on a problem. Instead, you're told to sleep on a problem. For more on sleep, including why we dream and how we can increase the quality of our sleep, check out episode number 126 with Dr. Matthew Walker
Starting point is 01:14:18 here on the Jordan Harbinger Show. You know, we've talked about this a lot here on the show. I did an episode with Chris Hadnagy on social engineering. We did episode 428 with Jenny Radcliffe. There are so many things going on in the cyber warfare landscape. Y'all have probably heard of Stuxnet where a computer virus totally messed up Iran's nuclear centrifuges. That was a whole show. I could do a whole show on this. It was just an amazing, amazing cyber weapon. Of course, now the United States is even more vulnerable to these same tools
Starting point is 01:14:50 and we're totally unprepared, as you can tell from the conversation here. There are certain major cyber warfare groups from the United States and otherwise that say things like, what Snowden leaked about the United States, especially the NSA and what they could do, was low level, and there is so much more. Imagine what they mean by that if the Edward Snowden leaks were low level compared to what we can actually do in the cyber domain. Now, let's just hope that's being used where it needs to be used and not just against United States citizens. I won't say not being used at all against U.S. citizens because I think we're beyond that level of naivete, right? Hopefully, it's just not entirely focused on violating our privacy and our civil rights.
Starting point is 01:15:28 Of course, now post-Stuxnet Iran is coming after us. They're going after our grid, our power, our water. And just the damage, the potential damage of this is terrifying to think about. So what do we need to do? We need to become more cyber literate so we don't give up our passwords because that is still the most common vector for attack. Unbelievable. Un-freaking-believable.
Starting point is 01:15:49 We need tax credits for more secure software so that companies don't look at it as just an unnecessary cost center that may never return. We need to invest in cybersecurity both in the government and not leave it up to private companies who can't afford to do it and don't have the resources. We may need a digital Geneva convention, but again, let's focus on the legal aspects of this after we focus on keeping the barbarians away from the gate, huh?
Starting point is 01:16:12 We also need rules for contractors not to teach foreign governments that might use them against Americans, although that's kind of maybe a little bit disingenuous considering where all this garbage is coming from in the first place, Am I right? Everyone who's not American? What do you think? Also, no sharing of zero days in hacker knowledge with oppressive regimes. You'd think this would be an obvious one. But if we've got totalitarian, authoritarian regimes bidding against this, we need to make it illegal for companies to sell weapons to
Starting point is 01:16:40 them just like it is for them to sell nukes and bombs and other weapons to them. These cyber weapons are just as dangerous, if not more so. Last but not least, keep an eye on your own backyard. Make sure you're aware of the phishing. And for God's sake, get the spyware off your computer. I'll tell you this. One day, and I've said this on the show before, one day we interviewed, let's just say, a political operative. And after the show, his assistant, who was a total moron, left the computer on and left Skype on. This is when we were using Skype. And I came back to save the files later on after I'd gotten a drink or possibly even a meal. And I realized, I'm still looking at this guy's bedroom. And in he walks, drops his pants,
Starting point is 01:17:18 and rolls up a fat-ass joint. And now I deleted that footage, because I, I knew deep down that I just wasn't strong enough. I would succumb to temptation, and then my kids would be asking me about those Google results in 10 years when I ended up selling that video to the National Enquirer, or, you know, whoever else would pay for it. I don't realize why I'm telling you this, and I thought I had a connection to today's show, but now I think I'm just going through a cathartic experience here. Thanks so much for listening, and thanks so much to Nicole Perlroth for coming on the show.
Starting point is 01:17:46 Her book is called This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Links to her stuff will be on the website in the show notes. Please use our website links if you buy the books from the guests on the show. It does help support us. It all adds up. Worksheets for the episode are in the show notes. Transcripts in the show notes. There's a video of this interview going up on our YouTube channel at jordanharbinger.com/youtube. We also have a brand new Clips channel with cuts that don't make it to the show or just highlights from the interviews that you can't see anywhere else. jordanharbinger.com/clips is where you can find that. I'm @JordanHarbinger on Twitter, Instagram,
Starting point is 01:18:18 or just hit me on LinkedIn. I'm teaching you how to connect with amazing people, all the same software systems, tiny habits that I use. In other words, teaching you to dig the well before you get thirsty. That's in our Six-Minute Networking course, which is free. jordanharbinger.com/course is where you'll find it. Most of the guests on the show subscribe to the course. Come join us. You'll be in smart company where you belong. This show is created in association with PodcastOne. My team is Jen Harbinger, Jase Sanderson, Robert Fogarty, Millie Ocampo, Ian Baird, Josh Ballard, and Gabriel Mizrahi. Remember, we rise by lifting others. The fee for the show is that you share it with friends
Starting point is 01:18:51 when you find something useful or interesting. If you know somebody who's interested in cyber, cyber warfare, hacking, definitely. Share this episode with them, please. I hope you find something great in every episode. Please do share the show with those you care about. In the meantime, do your best to apply what you hear on the show so you can live what you listen, and we'll see you next time. This episode is sponsored in part by Something You Should Know podcast.
Starting point is 01:19:16 Finding a new great podcast shouldn't be this hard, so let me save you some time. If you like the Jordan Harbinger show, you'll probably like Something You Should Know with Mike Carruthers. It's one of those shows that makes you smarter in a practical, useful way. Same curiosity vibe we go for here, just in a fast-focused format. Mike brings on top experts and asks the exact questions that you'd want to ask, and the topics are all over the place in the best way. Recently, they've covered things like why we care so much what other people think,
Starting point is 01:19:41 the benefits of laughter, why sports fans get so invested, and what makes people like you or not. The through line is always the same. Smart ideas you can actually use in real life. Something You Should Know has been featured in Apple's Shows We Love, and it's got thousands of five-star reviews because it's consistently interesting. So if you want another show that scratches
Starting point is 01:19:59 that "I want to understand how people in the world really work" itch, search for Something You Should Know wherever you get your podcasts. Look for the bright yellow light bulb and start listening. You can thank me later.