1 00:00:02,480 --> 00:00:05,480 Speaker 1: Get in touch with technology with Tech Stuff from How 2 00:00:05,559 --> 00:00:14,880 Speaker 1: Stuff Works dot com. Hey there everyone, and welcome to Tech Stuff. 3 00:00:14,920 --> 00:00:20,160 Speaker 1: My name is Jonathan Strickland, and here is Lauren Vogelbaum. Yep, 4 00:00:20,320 --> 00:00:23,280 Speaker 1: that's that's that's my co host. Everybody. Today, we're going 5 00:00:23,320 --> 00:00:26,840 Speaker 1: to talk a little bit about security. It's an important thing, 6 00:00:27,040 --> 00:00:30,800 Speaker 1: cyber security specifically. Yeah, you've got to secure your cybers, 7 00:00:30,960 --> 00:00:33,880 Speaker 1: all your cybers, all your cybers are belonging to you 8 00:00:34,000 --> 00:00:37,400 Speaker 1: and should continue to do so. Um. Yeah, we're we're 9 00:00:37,400 --> 00:00:41,280 Speaker 1: talking about cybersecurity because because President Obama did, yes 10 00:00:41,320 --> 00:00:44,480 Speaker 1: he did. The President of the United States of America 11 00:00:45,000 --> 00:00:47,880 Speaker 1: had his State of the Union address, which is when 12 00:00:47,920 --> 00:00:50,000 Speaker 1: the president, if you are not from the United States, 13 00:00:50,040 --> 00:00:55,000 Speaker 1: or perhaps just are politically, uh, completely separate from anything 14 00:00:55,040 --> 00:00:57,560 Speaker 1: that goes on, a little bit lost and confused perhaps, 15 00:00:57,640 --> 00:01:00,000 Speaker 1: or maybe maybe you haven't been to the internet. Maybe 16 00:01:00,040 --> 00:01:03,440 Speaker 1: you live as a hermit off in the distance and you 17 00:01:03,560 --> 00:01:06,640 Speaker 1: only get human contact through podcasts, in which case, hey, 18 00:01:06,640 --> 00:01:10,160 Speaker 1: thanks for choosing ours. 
But yeah, every every year the 19 00:01:10,440 --> 00:01:15,200 Speaker 1: president has this this forum where he begins to to 20 00:01:15,360 --> 00:01:20,160 Speaker 1: address how the country is doing and what his administration 21 00:01:20,280 --> 00:01:23,160 Speaker 1: or her administration. Should we ever get a female president. 22 00:01:23,480 --> 00:01:27,839 Speaker 1: I'm sure it's someday, someday, any any year now, but anyway, 23 00:01:27,959 --> 00:01:31,600 Speaker 1: that is when the president will lay out plans for 24 00:01:31,760 --> 00:01:34,520 Speaker 1: what is going what the government will focus on in 25 00:01:34,560 --> 00:01:37,760 Speaker 1: the following year, assuming the rest of the government plays ball, 26 00:01:38,000 --> 00:01:41,959 Speaker 1: because again the United States government, it's not just the president, sure, 27 00:01:42,160 --> 00:01:44,479 Speaker 1: but but it's kind of saying what's important. Yeah, yeah, 28 00:01:44,520 --> 00:01:47,680 Speaker 1: And I personally kind of side note. I feel like 29 00:01:47,720 --> 00:01:52,200 Speaker 1: this has become less critical to politics now, in this 30 00:01:52,200 --> 00:01:55,000 Speaker 1: this our information age, than it was, for example, fifty 31 00:01:55,040 --> 00:01:57,520 Speaker 1: or sixty years ago, when people didn't really have direct 32 00:01:57,560 --> 00:02:00,760 Speaker 1: and continual access to everything bloody going on in the 33 00:02:00,760 --> 00:02:02,920 Speaker 1: government all the time. 
Yeah, that's that's a good point 34 00:02:03,000 --> 00:02:05,960 Speaker 1: because earlier you would hear the president essentially during the 35 00:02:06,000 --> 00:02:10,240 Speaker 1: State of the Union address and after any major event 36 00:02:10,440 --> 00:02:13,720 Speaker 1: like a catastrophe or not even not not necessarily something bad, 37 00:02:13,760 --> 00:02:15,520 Speaker 1: but usually it had to be something big, and then 38 00:02:15,520 --> 00:02:18,280 Speaker 1: the president would end up addressing the nation about it. 39 00:02:18,919 --> 00:02:21,200 Speaker 1: But in this case, we now live in a world 40 00:02:21,280 --> 00:02:24,560 Speaker 1: where we get this information on a fairly continuous basis. 41 00:02:24,560 --> 00:02:26,760 Speaker 1: I mean, you could follow the president on Twitter and 42 00:02:26,800 --> 00:02:30,560 Speaker 1: get information or just the twenty four hour news coverage 43 00:02:30,720 --> 00:02:33,359 Speaker 1: of what's going on the government's out there too. Anyways. 44 00:02:33,400 --> 00:02:35,600 Speaker 1: State of the Union kind of traditionally seen as a big 45 00:02:35,639 --> 00:02:39,760 Speaker 1: important event here in the US. So during the State 46 00:02:39,800 --> 00:02:43,000 Speaker 1: of the Union, one of the many points the President 47 00:02:43,240 --> 00:02:47,440 Speaker 1: addressed was cybersecurity. Now that was not the the the 48 00:02:47,600 --> 00:02:49,600 Speaker 1: entire focus of the speech. In fact, it only took 49 00:02:49,639 --> 00:02:51,800 Speaker 1: up a small section about a minute and a half. 50 00:02:51,840 --> 00:02:53,639 Speaker 1: I think. Yeah. In fact I can I can read 51 00:02:53,639 --> 00:02:57,200 Speaker 1: out verbatim what he said because the text is available 52 00:02:57,360 --> 00:03:00,760 Speaker 1: on the on the Internet of all things. So here's 53 00:03:00,760 --> 00:03:05,200 Speaker 1: what President Obama had to say about cyber security. 
America 54 00:03:05,360 --> 00:03:08,680 Speaker 1: must also face the rapidly growing threat from cyber attacks. 55 00:03:08,720 --> 00:03:12,239 Speaker 1: We know hackers steal people's identities and infiltrate private email. 56 00:03:12,520 --> 00:03:15,600 Speaker 1: We know foreign countries and companies swipe our corporate secrets. 57 00:03:15,960 --> 00:03:18,880 Speaker 1: Now our enemies are also seeking the ability to sabotage 58 00:03:18,880 --> 00:03:21,960 Speaker 1: our power grid, our financial institutions, and our air traffic 59 00:03:21,960 --> 00:03:25,080 Speaker 1: control systems. We cannot look back years from now and 60 00:03:25,120 --> 00:03:27,640 Speaker 1: wonder why we did nothing in the face of real 61 00:03:27,680 --> 00:03:30,960 Speaker 1: threats to our security and our economy. That's why earlier 62 00:03:31,000 --> 00:03:33,560 Speaker 1: today I signed a new executive order that will strengthen 63 00:03:33,560 --> 00:03:37,240 Speaker 1: our cyber defenses by increasing information sharing and developing standards 64 00:03:37,280 --> 00:03:40,440 Speaker 1: to protect our national security, our jobs, and our privacy. 65 00:03:40,720 --> 00:03:43,400 Speaker 1: Now Congress must act as well by passing legislation to 66 00:03:43,400 --> 00:03:46,400 Speaker 1: give our government a greater capacity to secure our networks and 67 00:03:46,440 --> 00:03:50,440 Speaker 1: deter attacks. So really, this of course just served 68 00:03:50,520 --> 00:03:53,200 Speaker 1: to alert the nation to yes, we are aware of 69 00:03:53,200 --> 00:03:55,560 Speaker 1: the problem, and yes we are going to do something 70 00:03:55,680 --> 00:03:59,280 Speaker 1: to respond to this problem. 
But of course the speech 71 00:03:59,360 --> 00:04:02,160 Speaker 1: was not the right venue to go into detail about 72 00:04:02,360 --> 00:04:04,200 Speaker 1: what that was going to be, right right, These these 73 00:04:04,280 --> 00:04:06,560 Speaker 1: kinds of speeches aren't really used for extreme detail of 74 00:04:06,600 --> 00:04:10,840 Speaker 1: any kind. It's it's more more hey stuff, Yeah, hey, problem, 75 00:04:10,920 --> 00:04:13,680 Speaker 1: we're gonna fix it. How are we going to fix it? 76 00:04:14,400 --> 00:04:18,120 Speaker 1: Look over here at the Chewbacca. Um. Yeah, And this 77 00:04:18,200 --> 00:04:21,360 Speaker 1: is regardless of who is in power. It's just that's 78 00:04:21,400 --> 00:04:23,360 Speaker 1: the way, that's the way it works. Yeah, we We are, 79 00:04:23,400 --> 00:04:25,320 Speaker 1: by the way, trying very hard in this episode to 80 00:04:25,480 --> 00:04:28,400 Speaker 1: to not let any of our personal politics enter into 81 00:04:28,480 --> 00:04:31,280 Speaker 1: this discussion. Sure, so this is this is actually us 82 00:04:31,320 --> 00:04:33,520 Speaker 1: being being as fair as we possibly can be. And 83 00:04:33,560 --> 00:04:35,080 Speaker 1: if we wind up making a little bit of fun 84 00:04:35,120 --> 00:04:38,880 Speaker 1: of any given administration, it's not Yeah, it's not politically motivated. 85 00:04:39,120 --> 00:04:41,560 Speaker 1: Now in this case, it's motivated by our knowledge of 86 00:04:41,600 --> 00:04:45,240 Speaker 1: how technology works, how policy works, and how those two 87 00:04:45,800 --> 00:04:50,279 Speaker 1: things don't necessarily mesh very well. Uh. And that that's 88 00:04:50,279 --> 00:04:55,040 Speaker 1: regardless of what your political stance is, whether you're conservative or liberal, 89 00:04:55,160 --> 00:04:58,520 Speaker 1: no matter what it's it's just the technology is kind 90 00:04:58,520 --> 00:05:02,200 Speaker 1: of apolitical, uh, just as a tool. 
Now you 91 00:05:02,240 --> 00:05:05,120 Speaker 1: can use it for political means. But anyway, getting into this, 92 00:05:05,200 --> 00:05:07,520 Speaker 1: we we really wanted to talk more about the Executive 93 00:05:07,600 --> 00:05:11,799 Speaker 1: Order itself because that's where the approach that that Obama 94 00:05:11,880 --> 00:05:14,080 Speaker 1: wants the government to take. That's where that's where it 95 00:05:14,120 --> 00:05:16,560 Speaker 1: comes from, right right, And UM, I I read I 96 00:05:16,600 --> 00:05:18,960 Speaker 1: read a great write up that Michael Daniel, who is 97 00:05:19,040 --> 00:05:22,400 Speaker 1: Obama's cybersecurity coordinator, wrote up about it, UM and he 98 00:05:22,440 --> 00:05:24,960 Speaker 1: was just saying that that basically the Executive Order breaks 99 00:05:24,960 --> 00:05:28,720 Speaker 1: down into three parts and that's um basically just uh, 100 00:05:28,920 --> 00:05:32,159 Speaker 1: it covers information sharing first off, which means that it 101 00:05:32,520 --> 00:05:36,640 Speaker 1: really wants the different segments of the government to work 102 00:05:36,800 --> 00:05:39,760 Speaker 1: with all of these private companies that run run our 103 00:05:39,800 --> 00:05:44,800 Speaker 1: technology infrastructure and our power infrastructure, UM to share information 104 00:05:44,839 --> 00:05:50,240 Speaker 1: about any any cyber threats that are going on. And UM, yeah, 105 00:05:50,240 --> 00:05:53,800 Speaker 1: that's the first big section because obviously the issue here 106 00:05:53,880 --> 00:05:56,960 Speaker 1: is that sometimes the government gets information, but depending upon 107 00:05:57,000 --> 00:05:59,479 Speaker 1: the classification of that information, they may not be able 108 00:05:59,520 --> 00:06:03,200 Speaker 1: to share it very on a very wide distribution. 
And 109 00:06:03,360 --> 00:06:07,120 Speaker 1: beyond that, sometimes when you get information in the government, 110 00:06:07,160 --> 00:06:10,720 Speaker 1: it's really hard for the information to escape the government. 111 00:06:10,960 --> 00:06:12,640 Speaker 1: So in other words, this is supposed to lay the 112 00:06:12,640 --> 00:06:16,480 Speaker 1: groundwork to allow the government to share information with entities 113 00:06:16,839 --> 00:06:20,240 Speaker 1: that are critical to our infrastructure, and also going the 114 00:06:20,279 --> 00:06:26,560 Speaker 1: other way, giving giving those entities, uh basic incentive, thank 115 00:06:26,560 --> 00:06:29,440 Speaker 1: you so much, incentive to also share any information that 116 00:06:29,480 --> 00:06:31,880 Speaker 1: they have about some cyber texts, any cyber attacks that 117 00:06:31,960 --> 00:06:33,880 Speaker 1: might be occurring back to the government so that the 118 00:06:33,880 --> 00:06:37,080 Speaker 1: government can do more to help out right, And we'll 119 00:06:37,120 --> 00:06:39,760 Speaker 1: we'll dive into more about how that's a challenge in 120 00:06:39,800 --> 00:06:42,719 Speaker 1: a little bit because as it turns out, you know, 121 00:06:42,800 --> 00:06:50,000 Speaker 1: it sounds, yeah, totally everybody like like we just got attacked, 122 00:06:50,000 --> 00:06:52,080 Speaker 1: we should let the government know. But I'll get into 123 00:06:52,120 --> 00:06:57,080 Speaker 1: why a lot of companies don't really necessarily see that 124 00:06:57,200 --> 00:06:59,760 Speaker 1: as the best option, right right, All right, So that's 125 00:06:59,800 --> 00:07:04,880 Speaker 1: part one. Part two UM kind of outlines a flexible 126 00:07:05,160 --> 00:07:09,520 Speaker 1: risk based package of core practices based on existing standards 127 00:07:09,520 --> 00:07:14,040 Speaker 1: of cybersecurity. 
Yeah, so this is looking at there there 128 00:07:14,080 --> 00:07:18,440 Speaker 1: are several organizations already that are working toward the best 129 00:07:18,440 --> 00:07:21,960 Speaker 1: practices for cybersecurity, and so this is kind of trying 130 00:07:22,000 --> 00:07:24,080 Speaker 1: to to say, let's take a look at all of 131 00:07:24,120 --> 00:07:27,400 Speaker 1: this stuff and and pick and choose the best out 132 00:07:27,400 --> 00:07:29,840 Speaker 1: of all of it and use that as the framework 133 00:07:29,880 --> 00:07:33,120 Speaker 1: for what everyone should do. That's also possibly going to 134 00:07:33,160 --> 00:07:36,000 Speaker 1: be a bottleneck, but I'll get to that when we 135 00:07:36,080 --> 00:07:39,360 Speaker 1: get a little further into this. Yes. Yes, the third 136 00:07:39,480 --> 00:07:44,160 Speaker 1: The third part then deals with privacy protections, because when 137 00:07:44,240 --> 00:07:47,160 Speaker 1: you're dealing with these companies that have a lot of 138 00:07:47,200 --> 00:07:50,880 Speaker 1: private citizens' data or even their own private corporate data 139 00:07:51,240 --> 00:07:53,280 Speaker 1: or you know, or or on the other end from 140 00:07:53,280 --> 00:07:56,520 Speaker 1: the government, the government doesn't doesn't want anything sensitive to 141 00:07:56,600 --> 00:07:59,880 Speaker 1: end up being revealed that they don't want to give out. Right. Yeah, 142 00:08:00,440 --> 00:08:04,320 Speaker 1: you know, companies have proprietary information for example, So let's 143 00:08:04,320 --> 00:08:08,360 Speaker 1: say that a cyber attack focuses on something that involves 144 00:08:08,400 --> 00:08:12,520 Speaker 1: proprietary information, information that is necessary for that company to 145 00:08:12,600 --> 00:08:15,880 Speaker 1: keep secret. It's a trade secret. 
It's something that allows 146 00:08:15,960 --> 00:08:18,480 Speaker 1: them to do business the way they do it and 147 00:08:18,520 --> 00:08:21,080 Speaker 1: make money and make money. Yeah. So for example, just 148 00:08:21,120 --> 00:08:23,080 Speaker 1: this is a random example that I just thought up 149 00:08:23,160 --> 00:08:26,880 Speaker 1: right now, but the Google algorithm. Okay, because Google algorithm, 150 00:08:26,960 --> 00:08:30,880 Speaker 1: that's essentially the the the recipe that tells Google how 151 00:08:30,960 --> 00:08:34,840 Speaker 1: to rank search results on any given query. Well, that's 152 00:08:34,840 --> 00:08:37,800 Speaker 1: a that's pretty useful information to have, especially if you're 153 00:08:37,800 --> 00:08:42,240 Speaker 1: building websites. But let's say that cyber they the Google 154 00:08:42,280 --> 00:08:45,040 Speaker 1: suffered a cyber attack and part of the information that 155 00:08:45,160 --> 00:08:48,040 Speaker 1: was compromised was this Google algorithm, which is kind of 156 00:08:48,080 --> 00:08:51,720 Speaker 1: like their their secret sauce. You know, it's it's not 157 00:08:51,960 --> 00:08:57,000 Speaker 1: not published, right, is the mathematical Horsey sauce. Yes, it is, Yes, 158 00:08:57,040 --> 00:08:59,360 Speaker 1: it's it's part of their eleven Herbs and spices, and 159 00:08:59,679 --> 00:09:03,000 Speaker 1: so they don't want the information getting out. And if 160 00:09:03,000 --> 00:09:05,600 Speaker 1: they were to report the information to the government, it's 161 00:09:05,600 --> 00:09:10,160 Speaker 1: possible that part of the distribution of information to everybody else, 162 00:09:10,320 --> 00:09:12,520 Speaker 1: you know, saying like, well, Google was attacked, so these 163 00:09:12,559 --> 00:09:14,600 Speaker 1: other companies need to be aware of this as well. 
164 00:09:15,240 --> 00:09:18,440 Speaker 1: The worry is that the algorithm itself would become part 165 00:09:18,440 --> 00:09:21,960 Speaker 1: of that information distribution and then Google loses its advantage 166 00:09:21,960 --> 00:09:25,080 Speaker 1: in the marketplace. That's that's just a simple example, and 167 00:09:25,120 --> 00:09:27,560 Speaker 1: it may even be unrealistic in the sense of what 168 00:09:27,559 --> 00:09:31,040 Speaker 1: we're talking about here, but it's just to kind of illustrate, uh, 169 00:09:31,200 --> 00:09:34,000 Speaker 1: why the government needs to take this into account when 170 00:09:34,200 --> 00:09:37,520 Speaker 1: formulating policy. Yeah, and and so those are the basic 171 00:09:37,559 --> 00:09:40,480 Speaker 1: three parts and uh, and the administration is really big 172 00:09:40,559 --> 00:09:42,880 Speaker 1: on on saying that you know that that they want 173 00:09:42,920 --> 00:09:45,840 Speaker 1: to work really hard with with companies and with the 174 00:09:45,920 --> 00:09:48,720 Speaker 1: different government organizations to make all of this as sensical 175 00:09:48,960 --> 00:09:54,040 Speaker 1: and um, not like work, more like sharing and hugging. Yeah, 176 00:09:54,280 --> 00:09:56,800 Speaker 1: there needs to be sharing and hugging well while standing 177 00:09:56,920 --> 00:09:59,720 Speaker 1: shoulder to shoulder to keep the cyber attackers at bay. 178 00:10:00,320 --> 00:10:02,080 Speaker 1: And you know, and so they say that they worked 179 00:10:02,080 --> 00:10:06,840 Speaker 1: with with over two companies directly and and fifteen million 180 00:10:06,840 --> 00:10:09,720 Speaker 1: employees and all kinds of crazy numbers like that, trying 181 00:10:09,720 --> 00:10:13,439 Speaker 1: to trying to work to get this information together. 
And 182 00:10:13,440 --> 00:10:15,560 Speaker 1: and to be fair, we should also point out that 183 00:10:15,640 --> 00:10:18,360 Speaker 1: these are it's a directive, but again it does not 184 00:10:19,200 --> 00:10:22,720 Speaker 1: lay out step by step how this is going to happen. 185 00:10:22,800 --> 00:10:27,599 Speaker 1: It's more like saying to specific departments within the government, Hey, 186 00:10:27,640 --> 00:10:30,240 Speaker 1: this is what I want. Here's the result I want. 187 00:10:30,640 --> 00:10:33,480 Speaker 1: You have two hundred and forty days to return to 188 00:10:33,520 --> 00:10:37,120 Speaker 1: me the result I want go And it's up to 189 00:10:37,200 --> 00:10:41,000 Speaker 1: that individual department to determine what are the steps that 190 00:10:41,040 --> 00:10:43,880 Speaker 1: it needs to take in order to meet the requirements 191 00:10:43,920 --> 00:10:46,800 Speaker 1: of this executive order. Uh. This is also something that 192 00:10:46,840 --> 00:10:49,439 Speaker 1: I've seen critics point at, saying, a lot of the 193 00:10:49,480 --> 00:10:52,360 Speaker 1: time tables that are discussed within the Executive Order are 194 00:10:52,400 --> 00:10:56,920 Speaker 1: not necessarily realistic because you're talking about navigating such a 195 00:10:57,000 --> 00:11:00,360 Speaker 1: complex issue, not just from the technology side, but from 196 00:11:00,360 --> 00:11:04,319 Speaker 1: the existing policy side. That uh, that in order to 197 00:11:04,320 --> 00:11:07,680 Speaker 1: to find something that satisfies the needs of the Executive 198 00:11:07,760 --> 00:11:10,760 Speaker 1: Order and does not violate any of these other entities 199 00:11:10,760 --> 00:11:14,520 Speaker 1: that are already out there is a huge challenge. And 200 00:11:14,520 --> 00:11:18,080 Speaker 1: two hundred forty days, which is just one of the deadlines. 
201 00:11:18,120 --> 00:11:19,840 Speaker 1: There's some that are like a hundred twenty days, depending 202 00:11:19,920 --> 00:11:21,640 Speaker 1: upon what it is. But it's just it's just not 203 00:11:21,760 --> 00:11:24,600 Speaker 1: enough time, right and especially considering that if you've been 204 00:11:24,640 --> 00:11:26,360 Speaker 1: paying attention to the news at all, and say the 205 00:11:26,400 --> 00:11:30,760 Speaker 1: past existence of reality, you may have noticed that the 206 00:11:30,800 --> 00:11:34,560 Speaker 1: different parts of American political system don't necessarily work together 207 00:11:34,640 --> 00:11:37,400 Speaker 1: extremely well, and so so things. I mean, for for example, 208 00:11:37,440 --> 00:11:39,880 Speaker 1: there was a Cybersecurity Act last year I believe that 209 00:11:39,960 --> 00:11:43,120 Speaker 1: tried to go through Congress. It made it past No, 210 00:11:43,280 --> 00:11:45,920 Speaker 1: that was the other one. It got filibustered by the Republicans. 211 00:11:45,920 --> 00:11:47,480 Speaker 1: They were saying that it was going to place too 212 00:11:47,520 --> 00:11:49,800 Speaker 1: much of a burden on the companies, that it would affect, 213 00:11:49,800 --> 00:11:51,840 Speaker 1: and and all kinds of stuff like that has been 214 00:11:51,840 --> 00:11:53,520 Speaker 1: going on for the past three and a half years, 215 00:11:53,600 --> 00:11:57,240 Speaker 1: or really since the mid nineties when computer networks became 216 00:11:57,280 --> 00:11:59,719 Speaker 1: a really integral part of business. Yeah. This this is 217 00:11:59,720 --> 00:12:03,240 Speaker 1: a complicated issue because on one hand, you're talking about 218 00:12:03,320 --> 00:12:07,520 Speaker 1: protecting a lot of private entities, and private entities do 219 00:12:07,600 --> 00:12:11,480 Speaker 1: not have any connection to the government other than paying taxes. 
Honestly, 220 00:12:11,520 --> 00:12:14,199 Speaker 1: as I'm sure we're all aware, but anyway, these private 221 00:12:14,280 --> 00:12:16,880 Speaker 1: entities don't necessarily have any other connection to the government. 222 00:12:16,880 --> 00:12:19,240 Speaker 1: They're not run by the government. It's not a socialist 223 00:12:19,320 --> 00:12:22,960 Speaker 1: kind of structure. It's private structure. Uh. But that means 224 00:12:23,000 --> 00:12:26,559 Speaker 1: that they you know, how far can the government come 225 00:12:26,640 --> 00:12:30,120 Speaker 1: in to try and protect these entities When the entity 226 00:12:30,160 --> 00:12:33,480 Speaker 1: itself is in control of something that's vital to the 227 00:12:33,520 --> 00:12:37,760 Speaker 1: operation of business or national security, then there it is 228 00:12:37,800 --> 00:12:40,160 Speaker 1: in the government's interest to come in and say, look, 229 00:12:40,240 --> 00:12:42,679 Speaker 1: I know that we don't have any uh any call 230 00:12:42,760 --> 00:12:44,960 Speaker 1: in how you run your business, that's not our job, 231 00:12:45,080 --> 00:12:48,040 Speaker 1: but we need to protect it because how your business 232 00:12:48,080 --> 00:12:53,480 Speaker 1: performs affects the citizens of this country. So I guess 233 00:12:53,480 --> 00:12:55,280 Speaker 1: we can start diving into the executive order. Did you 234 00:12:55,360 --> 00:12:57,040 Speaker 1: have something else you wanted to mention before we did that? 235 00:12:57,080 --> 00:12:59,480 Speaker 1: And that's about it, all right, So here's the here's 236 00:12:59,480 --> 00:13:04,679 Speaker 1: an opening paragraph from part of the executive order. 
It is 237 00:13:04,720 --> 00:13:07,000 Speaker 1: the policy of the United States to enhance the security 238 00:13:07,080 --> 00:13:10,000 Speaker 1: and resilience of the nation's critical infrastructure and to maintain 239 00:13:10,040 --> 00:13:13,480 Speaker 1: a cyber environment that encourages efficiency, innovation, and economic prosperity 240 00:13:13,520 --> 00:13:18,000 Speaker 1: while promoting safety, security, business confidentiality, privacy, and civil liberties. 241 00:13:18,040 --> 00:13:20,120 Speaker 1: We can achieve these goals through a partnership with the 242 00:13:20,160 --> 00:13:23,880 Speaker 1: owners and operators of critical infrastructure to improve cybersecurity information sharing, 243 00:13:23,920 --> 00:13:28,760 Speaker 1: and collaboratively develop and implement risk based standards. As a 244 00:13:28,760 --> 00:13:32,520 Speaker 1: as a mouthful, fascinating, that was so thrilling. It was, Yeah, 245 00:13:32,520 --> 00:13:35,959 Speaker 1: it's it's it's it's not quite legalese, it's not 246 00:13:36,240 --> 00:13:40,640 Speaker 1: it's not so dense as to be uh, completely inoperable. 247 00:13:40,920 --> 00:13:42,840 Speaker 1: You can't understand a word of it without having like 248 00:13:42,880 --> 00:13:45,640 Speaker 1: three lawyers on your team, but it does. It does 249 00:13:45,800 --> 00:13:47,960 Speaker 1: make it kind of you know, it's it's this very 250 00:13:48,040 --> 00:13:51,319 Speaker 1: formal sort of language. Part of the issue here also 251 00:13:51,440 --> 00:13:54,520 Speaker 1: is that some people argue that the terms are not 252 00:13:55,320 --> 00:14:00,160 Speaker 1: narrowly defined enough to make it meaningful. For example, you 253 00:14:00,160 --> 00:14:04,400 Speaker 1: talk about operators of critical infrastructure, um, they there are 254 00:14:04,440 --> 00:14:07,400 Speaker 1: some people who say that that's not specific enough. 
You know, 255 00:14:07,480 --> 00:14:10,720 Speaker 1: you don't you know how what? What? What is infrastructure? 256 00:14:11,160 --> 00:14:13,760 Speaker 1: Are we talking? Are we talking just things like power grids? 257 00:14:14,240 --> 00:14:16,959 Speaker 1: I mean that would clearly be critical infrastructure. Does it 258 00:14:17,040 --> 00:14:20,480 Speaker 1: extend to UH to telephones, does it extend to dams? 259 00:14:20,640 --> 00:14:24,800 Speaker 1: Or does it extend to UH? To cybersecurity firms? Because if 260 00:14:24,840 --> 00:14:27,440 Speaker 1: you're talking about something now that where you're really trying 261 00:14:27,480 --> 00:14:30,360 Speaker 1: to protect people from cyber attacks, does that mean does 262 00:14:30,360 --> 00:14:33,720 Speaker 1: that extend to the point that cybersecurity firms become part 263 00:14:33,720 --> 00:14:37,880 Speaker 1: of this critical infrastructure because they are the protection against 264 00:14:37,960 --> 00:14:41,000 Speaker 1: that sort of thing. Um. I'm sure that those kind 265 00:14:41,040 --> 00:14:43,240 Speaker 1: of definitions will be worked out. And sometimes this sort 266 00:14:43,240 --> 00:14:46,880 Speaker 1: of legislation or these executive orders I should say, not 267 00:14:46,880 --> 00:14:49,360 Speaker 1: not legislation, but this executive order. And sometimes these things 268 00:14:49,400 --> 00:14:53,000 Speaker 1: are are vaguely worded on purpose to try and have 269 00:14:53,040 --> 00:14:56,040 Speaker 1: the broadest possible application, and then you narrow it down 270 00:14:56,160 --> 00:14:58,200 Speaker 1: as it's put into practice. And that's the feeling that 271 00:14:58,240 --> 00:15:00,200 Speaker 1: I get from this, and especially since they're kind of 272 00:15:00,200 --> 00:15:03,280 Speaker 1: going like, yeah, do this thing and you work it out. Yeah. 
273 00:15:03,320 --> 00:15:05,480 Speaker 1: So I'm gonna go through a little bit kind of 274 00:15:05,520 --> 00:15:07,760 Speaker 1: point by point of some of the sections here, and 275 00:15:07,800 --> 00:15:10,480 Speaker 1: then after I do that, we'll we'll kind of talk 276 00:15:10,520 --> 00:15:13,560 Speaker 1: about some of the the not just criticisms, but just 277 00:15:13,600 --> 00:15:17,000 Speaker 1: some of the observations people have made about this. So, 278 00:15:17,000 --> 00:15:20,440 Speaker 1: so it begins by talking about distributing reports of detected 279 00:15:20,480 --> 00:15:24,400 Speaker 1: cyber security threats to private sector companies as long as 280 00:15:24,400 --> 00:15:28,240 Speaker 1: those reports do not endanger investigations and law enforcement efforts 281 00:15:28,320 --> 00:15:31,600 Speaker 1: and they are unclassified. So, in other words, when the 282 00:15:31,640 --> 00:15:34,520 Speaker 1: government gets, say a report that there's a threat, a 283 00:15:34,600 --> 00:15:39,160 Speaker 1: cyber threat, uh, this is what would allow the government 284 00:15:39,200 --> 00:15:43,000 Speaker 1: to send that information out to the various parties that 285 00:15:43,120 --> 00:15:45,920 Speaker 1: could be affected by this cyber threat and to kind 286 00:15:45,920 --> 00:15:48,680 Speaker 1: of give them a heads up saying, look, we've detected 287 00:15:48,720 --> 00:15:53,840 Speaker 1: that there's some operation in let's say China, whether it's 288 00:15:54,000 --> 00:15:56,800 Speaker 1: state backed or it's a group of hackers who are 289 00:15:56,840 --> 00:15:58,800 Speaker 1: working on their own or whatever, or maybe it's a 290 00:15:59,240 --> 00:16:01,800 Speaker 1: Russian group that looks like it's working out of China. 291 00:16:02,680 --> 00:16:04,960 Speaker 1: This is complicated. 
We can't really be sure because the 292 00:16:04,960 --> 00:16:08,000 Speaker 1: way the internet works and the way hackers get around 293 00:16:08,000 --> 00:16:10,440 Speaker 1: this sort of thing. But they've detected that there's this 294 00:16:10,520 --> 00:16:13,520 Speaker 1: credible threat, and they've detected what the potential targets are. 295 00:16:13,880 --> 00:16:16,360 Speaker 1: This part of the executive order gives the government the 296 00:16:16,400 --> 00:16:19,640 Speaker 1: ability to say, hey, heads up, it's coming in. And 297 00:16:19,680 --> 00:16:22,880 Speaker 1: this is actually an expansion of a currently existing program 298 00:16:23,120 --> 00:16:28,040 Speaker 1: um called the Defense Industrial Base Information Sharing Program, which 299 00:16:28,120 --> 00:16:31,360 Speaker 1: I believe currently exists to allow government contractors to receive 300 00:16:31,440 --> 00:16:34,680 Speaker 1: real time reports about these threats. Right, and so again, 301 00:16:34,880 --> 00:16:38,440 Speaker 1: the reason why they say it can't endanger investigations is clearly, 302 00:16:38,480 --> 00:16:42,760 Speaker 1: if there's a like UH and a law enforcement group, 303 00:16:42,760 --> 00:16:45,280 Speaker 1: whether it's it's the United States or it could be 304 00:16:45,400 --> 00:16:50,960 Speaker 1: some UH international type of UH law enforcement group looking 305 00:16:51,000 --> 00:16:55,400 Speaker 1: into the problem, then by sharing information, you could compromise 306 00:16:55,560 --> 00:16:59,280 Speaker 1: that that investigation. So it's a delicate thing. It's it's 307 00:16:59,320 --> 00:17:01,480 Speaker 1: not something where every single time there's going to be 308 00:17:01,480 --> 00:17:03,680 Speaker 1: a threat, there's automatically going to be a report generated 309 00:17:03,720 --> 00:17:05,600 Speaker 1: that gets sent out. It's going to be a case 310 00:17:05,640 --> 00:17:09,960 Speaker 1: by case basis. 
The next section talks about how classified 311 00:17:10,000 --> 00:17:13,800 Speaker 1: reports will go to critical infrastructure entities that are authorized 312 00:17:13,840 --> 00:17:17,840 Speaker 1: to receive them. So there will be some privately held 313 00:17:17,880 --> 00:17:22,840 Speaker 1: companies that will be authorized to receive classified information, assuming 314 00:17:22,840 --> 00:17:25,920 Speaker 1: that classified information relates to that entity in some way. 315 00:17:26,040 --> 00:17:27,840 Speaker 1: I think it's also talking a little bit about trying 316 00:17:27,840 --> 00:17:33,520 Speaker 1: to expedite the process of getting clearances for appropriate uh 317 00:17:33,880 --> 00:17:37,760 Speaker 1: A individuals and also state and government representatives to give 318 00:17:37,880 --> 00:17:40,560 Speaker 1: that stuff. Yeah, exactly, yes. So this this again is 319 00:17:40,600 --> 00:17:42,919 Speaker 1: kind of like cutting away some of the red tape 320 00:17:43,400 --> 00:17:47,159 Speaker 1: that would exist between information and the and the entity 321 00:17:47,240 --> 00:17:50,119 Speaker 1: that would most benefit from receiving it, uh in a 322 00:17:50,240 --> 00:17:53,760 Speaker 1: in a cyber attack kind of situation. 
It would also 323 00:17:53,840 --> 00:17:57,600 Speaker 1: expand the Enhanced Cyber Security Services Program to all critical 324 00:17:57,640 --> 00:18:03,360 Speaker 1: infrastructure sectors, which is a voluntary information sharing program and 325 00:18:03,440 --> 00:18:05,840 Speaker 1: it offers this is where you were talking about, it's 326 00:18:05,840 --> 00:18:08,560 Speaker 1: offering the classified info to the private sector folks, 327 00:18:08,600 --> 00:18:12,520 Speaker 1: but also it's a sharing program that is supposed to 328 00:18:12,640 --> 00:18:18,280 Speaker 1: encourage companies to share information between each other to say, uh, 329 00:18:18,320 --> 00:18:22,000 Speaker 1: there's this cyber attack that we've we've detected and it 330 00:18:22,040 --> 00:18:25,280 Speaker 1: could affect your industry as well as ours. So the 331 00:18:25,320 --> 00:18:28,520 Speaker 1: idea is that it's supposed to encourage these companies to participate, 332 00:18:28,560 --> 00:18:32,280 Speaker 1: but it is voluntary. We'll get into that when we 333 00:18:32,320 --> 00:18:37,280 Speaker 1: get into the criticisms. Um. Also, beyond the security clearance 334 00:18:37,320 --> 00:18:41,240 Speaker 1: being expedited, we have private sector experts will be invited 335 00:18:41,359 --> 00:18:43,840 Speaker 1: to come and speak to the government on a regular 336 00:18:43,880 --> 00:18:46,399 Speaker 1: basis to keep the government informed about cyber risks and 337 00:18:46,480 --> 00:18:49,040 Speaker 1: the best practices to respond to them. Now, this is 338 00:18:49,119 --> 00:18:51,520 Speaker 1: essentially the part of the Executive Order that recognizes the 339 00:18:51,520 --> 00:18:54,280 Speaker 1: fact that the people who hold positions of power in 340 00:18:54,359 --> 00:19:01,000 Speaker 1: politics may not be technologically qualified. 
They may be savvy, but 341 00:19:01,080 --> 00:19:05,000 Speaker 1: even a technologically savvy person would not necessarily be up 342 00:19:05,000 --> 00:19:08,200 Speaker 1: to date on the latest cyber threats. And so this 343 00:19:08,280 --> 00:19:11,080 Speaker 1: is this is to give the government the chance to 344 00:19:11,720 --> 00:19:17,879 Speaker 1: maintain a an ongoing dialogue with experts in the cybersecurity 345 00:19:17,920 --> 00:19:21,399 Speaker 1: field so that the best policies are formed as a result, 346 00:19:21,440 --> 00:19:23,560 Speaker 1: and that the best practices are formed as a result, 347 00:19:23,600 --> 00:19:26,679 Speaker 1: because what works today may not work in three months. 348 00:19:26,840 --> 00:19:31,240 Speaker 1: It's a funny thing about technology. And then, uh, the 349 00:19:31,840 --> 00:19:35,879 Speaker 1: next section is the one that's all about privacy and 350 00:19:35,920 --> 00:19:39,680 Speaker 1: civil liberties because apparently it's it's a really big 351 00:19:39,720 --> 00:19:42,199 Speaker 1: issue in the idea that a lot of these companies 352 00:19:42,240 --> 00:19:45,200 Speaker 1: have a lot of our data, not just corporate data, 353 00:19:45,240 --> 00:19:48,720 Speaker 1: but our personal data. So think about it like power companies, 354 00:19:48,760 --> 00:19:53,040 Speaker 1: gas companies. Uh, you've got you've got credit card companies. 355 00:19:53,080 --> 00:19:55,480 Speaker 1: You should you know, all sorts of vendors out there 356 00:19:55,520 --> 00:20:00,800 Speaker 1: have information, social networking companies, all of these have personal 357 00:20:00,840 --> 00:20:05,119 Speaker 1: information that could put citizens at risk if that information 358 00:20:05,160 --> 00:20:08,840 Speaker 1: were shared to a broader audience. 
So that's the part 359 00:20:08,840 --> 00:20:12,520 Speaker 1: where the Executive Order says, Okay, we want this culture 360 00:20:12,760 --> 00:20:15,000 Speaker 1: of sharing. We want to be able to get the 361 00:20:15,040 --> 00:20:17,399 Speaker 1: information to where it needs to be so that we 362 00:20:17,440 --> 00:20:20,360 Speaker 1: can protect ourselves, but we don't want to do that 363 00:20:20,520 --> 00:20:24,639 Speaker 1: at the expense of personal privacy and civil liberties. We 364 00:20:24,680 --> 00:20:29,360 Speaker 1: don't want to violate anyone's privacy or expectation to privacy. Um, 365 00:20:29,400 --> 00:20:32,719 Speaker 1: so we don't want a credit card company to send 366 00:20:32,960 --> 00:20:36,919 Speaker 1: information to some other entity that just so happens to 367 00:20:37,000 --> 00:20:41,240 Speaker 1: have the the all the credit card numbers, names, addresses, 368 00:20:41,280 --> 00:20:44,000 Speaker 1: credit scores of everyone who's a customer with that credit 369 00:20:44,040 --> 00:20:47,320 Speaker 1: card company, because that would be a bad thing. And 370 00:20:47,440 --> 00:20:49,560 Speaker 1: so one of the things that this this requires is 371 00:20:49,640 --> 00:20:54,520 Speaker 1: regular assessments and public reporting of any kind of mishaps. Yeah, 372 00:20:54,600 --> 00:20:57,879 Speaker 1: so it's an ongoing dialogue again with the government to 373 00:20:57,920 --> 00:21:02,080 Speaker 1: make sure that this is done in an appropriate way, because 374 00:21:02,160 --> 00:21:06,040 Speaker 1: I mean, obviously, when when people start to worry about security. 375 00:21:06,400 --> 00:21:10,120 Speaker 1: It's it can be I won't say easy, but it's 376 00:21:10,160 --> 00:21:13,960 Speaker 1: possible that you overlook other concerns that you should really 377 00:21:14,160 --> 00:21:16,919 Speaker 1: take into mind when you're trying to protect yourself. 
We 378 00:21:17,240 --> 00:21:20,080 Speaker 1: we usually see this in the wake of some sort 379 00:21:20,119 --> 00:21:24,080 Speaker 1: of actual attack, where an attack happens and then we 380 00:21:24,160 --> 00:21:25,879 Speaker 1: just want to respond to that and make sure it 381 00:21:25,920 --> 00:21:30,400 Speaker 1: doesn't happen again. And you can easily set aside other 382 00:21:30,480 --> 00:21:32,199 Speaker 1: concerns that you really need to keep in mind the 383 00:21:32,200 --> 00:21:34,840 Speaker 1: whole time. Well, before we move on to the rest 384 00:21:34,920 --> 00:21:37,159 Speaker 1: of the Executive Order, I think now would be a 385 00:21:37,160 --> 00:21:40,320 Speaker 1: good time to take a quick break and thank our sponsor, 386 00:21:40,800 --> 00:21:43,880 Speaker 1: and now back to the show. So the next section 387 00:21:45,040 --> 00:21:50,000 Speaker 1: is all about consulting and getting various departments to talk 388 00:21:50,040 --> 00:21:52,960 Speaker 1: to each other to improve security measures, so when one 389 00:21:53,200 --> 00:21:57,119 Speaker 1: group sees something that's working, it can communicate that with 390 00:21:57,160 --> 00:21:59,320 Speaker 1: other groups. It's kind of it's kind of this idea 391 00:21:59,359 --> 00:22:05,280 Speaker 1: of uh inciting cooperation between departments and other entities. Then 392 00:22:05,560 --> 00:22:08,800 Speaker 1: there's a section. I've got a direct quote here, and 393 00:22:09,640 --> 00:22:12,920 Speaker 1: the Secretary of Commerce shall direct the Director of the 394 00:22:13,040 --> 00:22:18,320 Speaker 1: National Institute of Standards and Technology, uh, for here henceforth 395 00:22:18,359 --> 00:22:21,600 Speaker 1: known as the Director, to lead the development of a 396 00:22:21,680 --> 00:22:26,240 Speaker 1: framework to reduce cyber risks to critical infrastructure, henceforth known 397 00:22:26,280 --> 00:22:30,280 Speaker 1: as the Cybersecurity Framework. 
The Cybersecurity Framework shall include a 398 00:22:30,280 --> 00:22:35,320 Speaker 1: set of standards, methodologies, procedures, and processes that align policy, business, 399 00:22:35,359 --> 00:22:39,879 Speaker 1: and technological approaches to address cyber risks. That's essentially saying 400 00:22:40,359 --> 00:22:43,760 Speaker 1: you have to take everything into consideration and make it 401 00:22:43,880 --> 00:22:48,440 Speaker 1: into a cyber security approach that takes all of that 402 00:22:48,520 --> 00:22:51,640 Speaker 1: into account and works, which is huge. I mean, that's 403 00:22:51,640 --> 00:22:57,720 Speaker 1: just incredibly complex. I mean, policy alone is complicated, yes, 404 00:22:57,800 --> 00:23:00,160 Speaker 1: a little bit. And then you've got technology, which is 405 00:23:00,520 --> 00:23:05,120 Speaker 1: constantly evolving. So what by the time you're finished drafting 406 00:23:05,119 --> 00:23:11,480 Speaker 1: a policy, it may be that the technology has so Now, granted, 407 00:23:11,920 --> 00:23:14,760 Speaker 1: I'm not blaming anyone for this, because it's just that's 408 00:23:14,800 --> 00:23:18,320 Speaker 1: just how reality is. And I don't know how else 409 00:23:18,320 --> 00:23:20,640 Speaker 1: you could word this in a way that would make 410 00:23:20,720 --> 00:23:23,080 Speaker 1: sense and and get across the importance of what needs 411 00:23:23,119 --> 00:23:24,600 Speaker 1: to be done. Yeah, and and that is that is 412 00:23:24,600 --> 00:23:26,480 Speaker 1: a good I mean, I feel like they've got enough 413 00:23:26,520 --> 00:23:28,679 Speaker 1: of a cautionary air about it that it's not just 414 00:23:28,760 --> 00:23:30,600 Speaker 1: you know, they're not just sitting there quoting Tim Gunn 415 00:23:30,600 --> 00:23:33,760 Speaker 1: going, well, make it work. 
But yeah, yeah, but it 416 00:23:33,840 --> 00:23:37,120 Speaker 1: does kind of start to set in how enormous this 417 00:23:37,160 --> 00:23:40,399 Speaker 1: issue is. It's also enormously important, So I'm very glad 418 00:23:40,440 --> 00:23:42,919 Speaker 1: that the government is looking into it, and they have 419 00:23:43,080 --> 00:23:45,760 Speaker 1: been looking into it. That should also I'm sure we 420 00:23:45,920 --> 00:23:48,280 Speaker 1: kind of alluded to it already. This is not the 421 00:23:48,320 --> 00:23:51,320 Speaker 1: first time the government has looked at cybersecurity, but it's 422 00:23:51,440 --> 00:23:53,760 Speaker 1: it's you know, they're seeing it as it's just going 423 00:23:53,800 --> 00:23:56,960 Speaker 1: to get increasingly important as time goes on. Next, they 424 00:23:57,080 --> 00:24:02,080 Speaker 1: said that the Cybersecurity Framework shall provide a prioritized, flexible, repeatable, 425 00:24:02,080 --> 00:24:06,840 Speaker 1: performance based and cost effective approach, including information security measures 426 00:24:06,840 --> 00:24:10,840 Speaker 1: and controls, to help owners and operators of critical infrastructure, identify, assess, 427 00:24:10,920 --> 00:24:15,000 Speaker 1: and manage cyber risk. This is also a huge thing. 
428 00:24:15,119 --> 00:24:16,879 Speaker 1: I mean, it's it's it's a it's a tall order 429 00:24:16,960 --> 00:24:20,680 Speaker 1: because you're talking about an approach that is going to 430 00:24:20,680 --> 00:24:25,560 Speaker 1: work in The approach ideally should work in every case 431 00:24:25,720 --> 00:24:30,600 Speaker 1: across multiple industries, because the idea of it being repeatable 432 00:24:30,680 --> 00:24:33,840 Speaker 1: means that it can't be something that, oh, because this 433 00:24:34,080 --> 00:24:37,640 Speaker 1: threat was the specific to this industry, then it can't 434 00:24:37,680 --> 00:24:40,480 Speaker 1: work for over here and or or even just that 435 00:24:40,840 --> 00:24:43,720 Speaker 1: because our approach work for this threat but the reason 436 00:24:43,760 --> 00:24:45,800 Speaker 1: why it worked for this threat was because of x 437 00:24:46,400 --> 00:24:49,119 Speaker 1: uh that you know, that might mean that it's not repeatable. 438 00:24:49,200 --> 00:24:51,680 Speaker 1: So it's a very challenging thing. Again, I'm not saying 439 00:24:51,720 --> 00:24:54,320 Speaker 1: it's impossible, but you know, and again and there's not 440 00:24:54,400 --> 00:24:56,199 Speaker 1: much they could What else are they gonna say, like 441 00:24:56,800 --> 00:24:59,680 Speaker 1: produce an infinite number of responses that can work in 442 00:25:00,000 --> 00:25:02,480 Speaker 1: any given situation, depending upon which response you're using in 443 00:25:02,520 --> 00:25:04,399 Speaker 1: which industry. I mean, that just wouldn't work. Oh no, no, 444 00:25:04,560 --> 00:25:06,399 Speaker 1: And they do talk a lot about scaling. They want 445 00:25:06,440 --> 00:25:07,959 Speaker 1: to make sure that this is going to work just 446 00:25:08,000 --> 00:25:11,000 Speaker 1: as well for for small small companies as well as 447 00:25:11,040 --> 00:25:14,280 Speaker 1: big companies, and yeah, across the board. 
But that just 448 00:25:14,320 --> 00:25:16,199 Speaker 1: makes it harder. Yeah, yeah, in fact, and then the 449 00:25:16,240 --> 00:25:18,800 Speaker 1: next section says, you gotta do all this without impacting 450 00:25:18,800 --> 00:25:22,840 Speaker 1: business and privacy. So you have to come up with 451 00:25:22,960 --> 00:25:26,680 Speaker 1: a way to protect our businesses and our infrastructure in 452 00:25:27,040 --> 00:25:29,200 Speaker 1: such a way that it's not going to negatively impact 453 00:25:29,200 --> 00:25:32,000 Speaker 1: those businesses. So you can't come up with a plan 454 00:25:32,480 --> 00:25:35,879 Speaker 1: that protects everyone, but it ends up taking a cut 455 00:25:35,920 --> 00:25:39,159 Speaker 1: of everyone's profits because they have to do spend so 456 00:25:39,200 --> 00:25:41,440 Speaker 1: many work hours doing this thing. Oh you know, which 457 00:25:41,520 --> 00:25:45,120 Speaker 1: is why the Republicans last year filibustered that last Act 458 00:25:45,200 --> 00:25:47,880 Speaker 1: and and and it's tough, I mean uh. And we'll 459 00:25:47,880 --> 00:25:50,560 Speaker 1: get into more about wine stuff in a second. Also, 460 00:25:50,680 --> 00:25:53,000 Speaker 1: the that's where they introduced the idea of the open 461 00:25:53,040 --> 00:25:57,200 Speaker 1: public review and comment process so that this becomes an 462 00:25:57,280 --> 00:26:01,320 Speaker 1: evolving policy over time, which again I'm very glad that 463 00:26:01,400 --> 00:26:03,679 Speaker 1: kind of stuff is built into this executive order. 
It 464 00:26:03,800 --> 00:26:07,879 Speaker 1: recognizes that this is a problem that is going to 465 00:26:08,000 --> 00:26:11,840 Speaker 1: change over time, and you cannot create a policy and 466 00:26:11,960 --> 00:26:15,040 Speaker 1: expect it to be evergreen, and that it's going to that 467 00:26:15,119 --> 00:26:18,560 Speaker 1: one approach once you've once you've established it is going 468 00:26:18,600 --> 00:26:22,320 Speaker 1: to work forever. This is the sort of interesting because 469 00:26:22,320 --> 00:26:25,119 Speaker 1: there are other policies that were created back when the 470 00:26:25,160 --> 00:26:29,280 Speaker 1: telephone industry was first coming into prominence that still affect 471 00:26:29,280 --> 00:26:32,000 Speaker 1: how the Internet works today. And there are a lot 472 00:26:32,040 --> 00:26:35,440 Speaker 1: of people who who protest that. They say, look, these 473 00:26:35,480 --> 00:26:39,240 Speaker 1: were policies that were made for a much older telecommunications 474 00:26:39,280 --> 00:26:42,800 Speaker 1: network that could do a very limited number of things, 475 00:26:43,160 --> 00:26:45,840 Speaker 1: and now you're applying it to a much more complex 476 00:26:45,880 --> 00:26:49,879 Speaker 1: system that is far more sophisticated, and the implications for 477 00:26:49,960 --> 00:26:53,920 Speaker 1: how it works are far more complicated. Expecting those rules 478 00:26:53,960 --> 00:26:57,560 Speaker 1: to apply to this thing is unrealistic, and you've got 479 00:26:57,560 --> 00:27:00,280 Speaker 1: a lot of that kind of discussion going on, mostly 480 00:27:00,400 --> 00:27:03,199 Speaker 1: in in uh interest groups that like you know that 481 00:27:03,280 --> 00:27:07,920 Speaker 1: are forming up about protecting the Internet. But um, anyway, 482 00:27:07,960 --> 00:27:09,680 Speaker 1: that's that's kind of a similar thing like that. 
It 483 00:27:09,800 --> 00:27:12,840 Speaker 1: built into this is saying let's have this ongoing public 484 00:27:12,880 --> 00:27:17,440 Speaker 1: discourse so that we can avoid this if if possible, 485 00:27:17,440 --> 00:27:20,200 Speaker 1: it's gonna be you know, we're gonna see it anyway, 486 00:27:20,280 --> 00:27:22,680 Speaker 1: because it's impossible to avoid it completely, but at least 487 00:27:22,720 --> 00:27:26,879 Speaker 1: they're looking into that. Then you've got the Latin next 488 00:27:27,600 --> 00:27:30,159 Speaker 1: section where it says the Secretary in coordination with sector 489 00:27:30,240 --> 00:27:33,720 Speaker 1: specific agencies, shall establish a voluntary program to support the 490 00:27:33,760 --> 00:27:36,399 Speaker 1: adoption of the Cybersecurity Framework by owners and operators of 491 00:27:36,400 --> 00:27:39,639 Speaker 1: critical infrastructure and any other interested entities to get a 492 00:27:40,000 --> 00:27:45,840 Speaker 1: the program. Um, here's that voluntary program bit again. Okay, 493 00:27:46,880 --> 00:27:49,159 Speaker 1: I'll say that just until I finished this last one. 494 00:27:49,160 --> 00:27:52,240 Speaker 1: Here's my last point. Within one fifty days of the 495 00:27:52,359 --> 00:27:54,640 Speaker 1: date of this order, the Secretary shall use a risk 496 00:27:54,720 --> 00:27:58,760 Speaker 1: based approach to identify critical infrastructure where a cybersecurity incident could 497 00:27:58,760 --> 00:28:02,000 Speaker 1: reasonably result in catastrophic, regional, or national effects on 498 00:28:02,040 --> 00:28:06,440 Speaker 1: public health or safety, economic security, or national security entities 499 00:28:06,480 --> 00:28:10,359 Speaker 1: identified as such can then appeal that. 
So, in other words, 500 00:28:10,640 --> 00:28:14,560 Speaker 1: if you are the head of a company and the 501 00:28:14,640 --> 00:28:17,600 Speaker 1: United States government starts to look at all the 502 00:28:17,600 --> 00:28:20,680 Speaker 1: companies that are part of this infrastructure and they identify 503 00:28:20,720 --> 00:28:25,160 Speaker 1: your company as being one of these incredibly critical Yes, 504 00:28:25,359 --> 00:28:28,120 Speaker 1: not like it's critical because of the services you provide 505 00:28:28,480 --> 00:28:30,640 Speaker 1: and the likelihood that you would be a target for 506 00:28:30,840 --> 00:28:35,120 Speaker 1: a cyber attack. Um, then they could designate you as 507 00:28:35,119 --> 00:28:38,680 Speaker 1: such and you would be able to appeal because if 508 00:28:38,760 --> 00:28:42,720 Speaker 1: you are one of these critical infrastructure entities, you're going 509 00:28:42,760 --> 00:28:45,440 Speaker 1: to have to jump through a lot more hoops than 510 00:28:45,480 --> 00:28:48,720 Speaker 1: you would if you were not. So companies actually kind 511 00:28:48,760 --> 00:28:50,920 Speaker 1: of have an incentive to not be one of these 512 00:28:50,960 --> 00:28:53,640 Speaker 1: things because then they if they are one, they're going 513 00:28:53,640 --> 00:28:57,960 Speaker 1: to have to conform to more uh specific policies. Right 514 00:28:58,000 --> 00:29:02,440 Speaker 1: because they are considered critical elements of the infrastructure. It 515 00:29:02,440 --> 00:29:05,640 Speaker 1: takes that sticky voluntary term a little bit out of it. Yeah, 516 00:29:05,720 --> 00:29:08,680 Speaker 1: it does, because if they say, hey, no, really, really 517 00:29:09,680 --> 00:29:12,760 Speaker 1: you you are super important and if you go down, 518 00:29:12,840 --> 00:29:15,400 Speaker 1: then the United States is in a lot of trouble. 
519 00:29:15,560 --> 00:29:18,600 Speaker 1: So you are part of this critical infrastructure, whether you 520 00:29:18,640 --> 00:29:20,920 Speaker 1: like it or not. So therefore, because of this, we 521 00:29:20,960 --> 00:29:24,400 Speaker 1: need you to follow these directions. Uh, and other companies 522 00:29:24,520 --> 00:29:26,440 Speaker 1: might be like, you know, I'd really like it if 523 00:29:26,480 --> 00:29:28,400 Speaker 1: I had more of a choice, because then I could 524 00:29:28,440 --> 00:29:30,800 Speaker 1: choose not to do that, and that would be awesome. 525 00:29:31,160 --> 00:29:34,160 Speaker 1: So that's why there's that appeal process, and that's where 526 00:29:34,160 --> 00:29:37,520 Speaker 1: we come to the problem with the voluntary nature of 527 00:29:37,720 --> 00:29:41,719 Speaker 1: much of this policy. The idea here is that again 528 00:29:41,840 --> 00:29:45,760 Speaker 1: we don't in the United States in particular, there's there's 529 00:29:45,760 --> 00:29:50,600 Speaker 1: a stigma against the government and private business. And and 530 00:29:50,680 --> 00:29:53,680 Speaker 1: I'm not saying that it's unwarranted. I'm not saying that 531 00:29:53,720 --> 00:29:56,680 Speaker 1: we should have a socialist country where every single business 532 00:29:56,760 --> 00:29:59,760 Speaker 1: is owned, at least in part or operated by the government. 533 00:29:59,840 --> 00:30:01,720 Speaker 1: That that's not what I'm saying at all. What I'm 534 00:30:01,720 --> 00:30:04,080 Speaker 1: saying is that it does mean that in order to 535 00:30:04,160 --> 00:30:09,880 Speaker 1: preserve this very important, very American idea of private business, 536 00:30:10,160 --> 00:30:12,960 Speaker 1: we don't let the government just come in and take 537 00:30:13,000 --> 00:30:15,960 Speaker 1: over and regulate us or or protect us to a 538 00:30:15,960 --> 00:30:18,000 Speaker 1: certain point. I mean, it's sort of our business. 
Yeah, 539 00:30:18,000 --> 00:30:21,600 Speaker 1: So there's there's a delicate nature here, and it's again 540 00:30:21,720 --> 00:30:23,640 Speaker 1: it's one of those things where it's it's a very 541 00:30:23,680 --> 00:30:28,600 Speaker 1: American approach and it's it's tough to work something like 542 00:30:28,640 --> 00:30:32,040 Speaker 1: cybersecurity in there and not make it a voluntary program, 543 00:30:32,040 --> 00:30:34,840 Speaker 1: because if we made it mandatory, the government would essentially 544 00:30:34,880 --> 00:30:37,720 Speaker 1: be saying, look, we're not telling you how to sell 545 00:30:37,800 --> 00:30:40,280 Speaker 1: your widgets, but we aren't telling you how to protect 546 00:30:40,320 --> 00:30:43,800 Speaker 1: your network. And that gets complicated. Even even if it's 547 00:30:43,880 --> 00:30:48,000 Speaker 1: for the greater good, it's it's a it's a tough thing. 548 00:30:48,080 --> 00:30:51,600 Speaker 1: And I mean I certainly if I owned a big business, 549 00:30:51,680 --> 00:30:54,600 Speaker 1: I would be thinking, look, I don't want to have 550 00:30:54,760 --> 00:30:58,080 Speaker 1: yet another set of policies that I have to uh, 551 00:30:58,120 --> 00:31:00,680 Speaker 1: I have to keep up with and follow up with 552 00:31:00,800 --> 00:31:02,959 Speaker 1: and spend my time and money taking care of. Right. 553 00:31:02,960 --> 00:31:05,520 Speaker 1: I don't want to get certified every couple of years 554 00:31:05,560 --> 00:31:08,160 Speaker 1: to make sure that I'm following this. Let me do 555 00:31:08,240 --> 00:31:10,800 Speaker 1: it on my own. It's in my best interest to 556 00:31:10,880 --> 00:31:13,600 Speaker 1: make sure that I'm not going to get attacked anyway. Yeah, exactly. 
557 00:31:13,640 --> 00:31:17,440 Speaker 1: That's that's the business owner perspective is saying, look, I 558 00:31:17,440 --> 00:31:19,640 Speaker 1: don't want to get attacked because if I get attacked, 559 00:31:19,720 --> 00:31:22,600 Speaker 1: it hurts my bottom line. So I have I have 560 00:31:22,720 --> 00:31:29,360 Speaker 1: a market driven reason to prevent attacks. But the on 561 00:31:29,400 --> 00:31:31,920 Speaker 1: the flip side of that, the United States is saying, look, 562 00:31:31,920 --> 00:31:35,480 Speaker 1: these attacks are sophisticated, they're coming from multiple points, they 563 00:31:35,520 --> 00:31:40,160 Speaker 1: are using different methods to attack different systems, and in 564 00:31:40,200 --> 00:31:42,760 Speaker 1: some cases it may just be that your company isn't 565 00:31:42,840 --> 00:31:46,200 Speaker 1: a specific target, but it's part of a larger group 566 00:31:46,200 --> 00:31:50,000 Speaker 1: of targets, and we have to protect the United States citizens. 567 00:31:50,040 --> 00:31:53,280 Speaker 1: So there's their valid arguments on either side. Now, making 568 00:31:53,280 --> 00:31:57,160 Speaker 1: it a voluntary program helps both parties because the government 569 00:31:57,200 --> 00:32:00,200 Speaker 1: isn't saying, look, you have to follow this set of 570 00:32:00,280 --> 00:32:03,160 Speaker 1: rules or you can't do business in the United States, 571 00:32:03,440 --> 00:32:06,600 Speaker 1: and the business can say, well, do we want to 572 00:32:06,640 --> 00:32:09,160 Speaker 1: be part of this so that we can help protect 573 00:32:09,240 --> 00:32:13,120 Speaker 1: our business as well as make sure that in our 574 00:32:13,160 --> 00:32:15,760 Speaker 1: own lives we don't go home and the power goes 575 00:32:15,760 --> 00:32:18,000 Speaker 1: off right right. And this is actually kind of in 576 00:32:18,040 --> 00:32:21,400 Speaker 1: contrast to uh. 
Interestingly enough, the European Commission also just 577 00:32:21,480 --> 00:32:25,440 Speaker 1: in this past week released a bunch of cybersecurity stuff 578 00:32:26,560 --> 00:32:29,040 Speaker 1: um and and and theirs sounds like it might be 579 00:32:29,080 --> 00:32:31,960 Speaker 1: a little bit more mandatory. They want to introduce a 580 00:32:32,000 --> 00:32:36,440 Speaker 1: Computer Emergency Response Team a k a CERT to uh, 581 00:32:36,640 --> 00:32:40,560 Speaker 1: introduce laws compelling companies to disclose attack details to to 582 00:32:40,680 --> 00:32:44,200 Speaker 1: this national authority and and that this each each CERT 583 00:32:44,440 --> 00:32:48,840 Speaker 1: would be responsible for defending these companies against attack, so 584 00:32:49,480 --> 00:32:50,760 Speaker 1: you know, and and it's it's it's in a little 585 00:32:50,760 --> 00:32:52,600 Speaker 1: bit more of of a planning stage, I think, than 586 00:32:53,040 --> 00:32:58,760 Speaker 1: than what Obama's order's outlining. But it is nonetheless, you know, 587 00:32:59,360 --> 00:33:02,120 Speaker 1: just just a little bit of contrast there. See, I 588 00:33:02,240 --> 00:33:06,480 Speaker 1: just wonder if the CERTs are a breath mint or 589 00:33:06,520 --> 00:33:10,120 Speaker 1: a candy mint. That's the first thing I thought. As 590 00:33:10,160 --> 00:33:12,880 Speaker 1: soon as you said CERT, my brain turned off. These 591 00:33:12,920 --> 00:33:16,920 Speaker 1: are the deep questions that we ask here on Tech Stuff. 592 00:33:17,040 --> 00:33:19,840 Speaker 1: Shows you how Jonathan Strickland works, which is that he 593 00:33:19,960 --> 00:33:24,800 Speaker 1: is distracted by shiny things and puns and mints and mints. Yeah, 594 00:33:24,840 --> 00:33:30,160 Speaker 1: they are intensely flavorful. 
So yeah, I mean that voluntary 595 00:33:30,200 --> 00:33:31,920 Speaker 1: approach is one of the things that some people are 596 00:33:31,960 --> 00:33:37,760 Speaker 1: saying makes the Executive Order lack teeth because without without 597 00:33:38,040 --> 00:33:44,160 Speaker 1: really providing strong incentives, companies have no reason to join 598 00:33:44,280 --> 00:33:47,440 Speaker 1: this because because in the long run it will be 599 00:33:47,480 --> 00:33:52,200 Speaker 1: more work to have to conform to whatever the policy requires. Now, 600 00:33:52,240 --> 00:33:55,000 Speaker 1: if the incentives are big enough, whether they're you know, 601 00:33:55,080 --> 00:33:59,120 Speaker 1: tax breaks or whatever, then maybe companies will end up 602 00:33:59,200 --> 00:34:02,000 Speaker 1: joining because they'll think, well, whatever the work is to 603 00:34:02,360 --> 00:34:05,200 Speaker 1: conform to the policy. It's going to be balanced out 604 00:34:05,240 --> 00:34:08,399 Speaker 1: by the incentives. So the incentives, although they haven't been 605 00:34:08,400 --> 00:34:11,160 Speaker 1: really uh you know, they haven't been listed out yet, 606 00:34:11,400 --> 00:34:16,120 Speaker 1: it's possible they could be attractive enough for for companies 607 00:34:16,160 --> 00:34:18,200 Speaker 1: to join this. But that was one of the big 608 00:34:18,480 --> 00:34:22,320 Speaker 1: arguments I saw was that by making it voluntary, although 609 00:34:22,880 --> 00:34:27,600 Speaker 1: every single um business analysts I saw who said it, 610 00:34:27,600 --> 00:34:29,480 Speaker 1: they said, well, the problem is it's voluntary, so it's 611 00:34:29,480 --> 00:34:31,279 Speaker 1: not gonna work very well. But on the other hand, 612 00:34:31,280 --> 00:34:34,160 Speaker 1: if it were mandatory, everyone would be freaking out. 
So 613 00:34:34,920 --> 00:34:38,680 Speaker 1: it's almost like there's no right approach, right unless unless 614 00:34:38,680 --> 00:34:40,960 Speaker 1: you're able to provide those amazing incentives you could, you 615 00:34:40,960 --> 00:34:43,799 Speaker 1: cannot make it mandatory and not have everyone riot. Yeah, 616 00:34:44,000 --> 00:34:47,440 Speaker 1: so um. The Also they mentioned that the the this 617 00:34:47,560 --> 00:34:52,040 Speaker 1: framework idea is incredibly complex, and part of that is 618 00:34:52,080 --> 00:34:54,760 Speaker 1: because there are already a lot of security frameworks that government 619 00:34:54,800 --> 00:34:58,359 Speaker 1: agencies have to abide by. So there's and I could 620 00:34:58,400 --> 00:35:00,919 Speaker 1: give you a list of acronyms and not being able 621 00:35:00,960 --> 00:35:02,680 Speaker 1: to tell you what any of them mean, but I'm 622 00:35:02,719 --> 00:35:06,120 Speaker 1: not going to insult you or myself by doing that. 623 00:35:06,280 --> 00:35:09,359 Speaker 1: But there are a lot of security frameworks already and 624 00:35:09,440 --> 00:35:13,640 Speaker 1: so this policy would have to work, uh, in an 625 00:35:13,680 --> 00:35:17,960 Speaker 1: alignment with those, because we've already got these rules that 626 00:35:17,960 --> 00:35:21,080 Speaker 1: that departments in the government have to follow, and so 627 00:35:21,239 --> 00:35:24,120 Speaker 1: unless they were to get rid of all that in 628 00:35:24,200 --> 00:35:27,120 Speaker 1: order to streamline it, this would be yet another set 629 00:35:27,160 --> 00:35:28,839 Speaker 1: of rules. So you think about it. 
If you've ever 630 00:35:28,920 --> 00:35:33,840 Speaker 1: had more than one boss, like at a time, and 631 00:35:34,040 --> 00:35:39,120 Speaker 1: you have different directions coming from both bosses, and you 632 00:35:39,160 --> 00:35:41,719 Speaker 1: have to figure out how to complete a project that 633 00:35:41,800 --> 00:35:44,600 Speaker 1: follows all of these rules, and some of them contradict 634 00:35:44,640 --> 00:35:47,359 Speaker 1: each other. You know, I've had that. Yeah, that's it 635 00:35:47,400 --> 00:35:50,560 Speaker 1: wasn't fine. I didn't like that. Just a stressful, frustrating experience. 636 00:35:50,560 --> 00:35:52,920 Speaker 1: Now expand that out to an entire government department and 637 00:35:52,960 --> 00:35:57,360 Speaker 1: you understand why they can get a little antsy at times. Um. 638 00:35:57,520 --> 00:36:02,560 Speaker 1: Then also there's still some questions about the privacy implications. Uh. 639 00:36:02,680 --> 00:36:07,040 Speaker 1: While the the executive order does talk about being careful 640 00:36:07,080 --> 00:36:12,240 Speaker 1: about privacy, it doesn't lay out any specifics on the approach, 641 00:36:12,280 --> 00:36:16,040 Speaker 1: and so that always makes people a little nervous. Yeah, 642 00:36:16,120 --> 00:36:19,840 Speaker 1: until until we know the particulars, you can't really be 643 00:36:19,920 --> 00:36:23,520 Speaker 1: sure that your privacy is going to be uh protected. Yeah, yeah, 644 00:36:24,000 --> 00:36:27,239 Speaker 1: it's supposed to be but until until I know the specifics, 645 00:36:27,280 --> 00:36:28,959 Speaker 1: we can't be sure. 
And are we going to apply 646 00:36:29,080 --> 00:36:32,799 Speaker 1: these same security measures to the to the information to 647 00:36:32,840 --> 00:36:35,000 Speaker 1: get sent out as a result of these security measures, 648 00:36:35,040 --> 00:36:38,320 Speaker 1: because otherwise it's just it's it's a it's a definite 649 00:36:38,920 --> 00:36:42,720 Speaker 1: vicious cycle. Uh. And and just you know again, because 650 00:36:42,760 --> 00:36:45,080 Speaker 1: there's so little detail here, you know, it's it's it's 651 00:36:45,360 --> 00:36:49,160 Speaker 1: putting a lot of of responsibility on these different departments. 652 00:36:49,560 --> 00:36:52,839 Speaker 1: It's hard to say how well this approach will work 653 00:36:52,880 --> 00:36:56,000 Speaker 1: because honestly, we just have the framework of what it's 654 00:36:56,000 --> 00:36:58,719 Speaker 1: supposed to do, not how it's supposed to do it. 655 00:36:59,280 --> 00:37:01,080 Speaker 1: So so it's a little too early for us to 656 00:37:01,120 --> 00:37:04,320 Speaker 1: say whether or not the policy that comes out of this, 657 00:37:04,440 --> 00:37:06,880 Speaker 1: assuming that one does come out of it, will be 658 00:37:06,920 --> 00:37:08,480 Speaker 1: a good one or a bad one. Because when we 659 00:37:08,520 --> 00:37:11,319 Speaker 1: also have to have Congress weigh in on this. Uh, 660 00:37:11,360 --> 00:37:14,240 Speaker 1: this is an executive order, but if we want laws passed, 661 00:37:14,280 --> 00:37:18,719 Speaker 1: that's when you start looking to Congress. And a lot 662 00:37:18,760 --> 00:37:21,320 Speaker 1: of the issues that have happened in the past few 663 00:37:21,480 --> 00:37:26,080 Speaker 1: years that have to do with security online also seemed 664 00:37:26,160 --> 00:37:31,960 Speaker 1: to involve intellectual property. Um, and that's I think it's 665 00:37:32,000 --> 00:37:37,960 Speaker 1: pretty ugly.
I mean, we have and sis, these were 666 00:37:38,000 --> 00:37:41,640 Speaker 1: things that we're not just about protecting the well, that's 667 00:37:41,640 --> 00:37:44,680 Speaker 1: about protecting businesses use it, but not from cyber attacks 668 00:37:44,680 --> 00:37:46,920 Speaker 1: so much as piracy. But you know, that's the kind 669 00:37:46,920 --> 00:37:48,120 Speaker 1: of stuff that we see happen all the time, 670 00:37:48,120 --> 00:37:50,440 Speaker 1: because we've got a lot of powerful interest groups that 671 00:37:50,600 --> 00:37:55,400 Speaker 1: are campaigning very hard with certain members of Congress to 672 00:37:55,640 --> 00:37:59,920 Speaker 1: put forth legislation that would protect their industries and possibly 673 00:38:00,560 --> 00:38:05,040 Speaker 1: hurt uh, innocent users of the Internet as a result, 674 00:38:05,440 --> 00:38:09,960 Speaker 1: mostly through unintended consequences, not necessary, not not on purpose. Yeah, 675 00:38:10,000 --> 00:38:12,080 Speaker 1: I mean, but but but just like the Cyber Intelligence 676 00:38:12,120 --> 00:38:15,720 Speaker 1: Sharing and Protection Act, or CISPA, um, you know, failed 677 00:38:15,800 --> 00:38:18,480 Speaker 1: to make it through the Senate. It was because it 678 00:38:18,520 --> 00:38:21,360 Speaker 1: was because basically the White House said, in this form 679 00:38:21,360 --> 00:38:24,640 Speaker 1: we're going to veto it because of privacy issues. Yeah. Yeah, See, 680 00:38:24,680 --> 00:38:28,040 Speaker 1: it's not an easy problem to solve at all. I mean, 681 00:38:28,080 --> 00:38:31,240 Speaker 1: there's there are a lot of minefields around this problem. 682 00:38:31,280 --> 00:38:34,759 Speaker 1: So if it were just as simple as let's oh, 683 00:38:34,920 --> 00:38:37,879 Speaker 1: here here's your problem.
Your firewall for the United States 684 00:38:37,960 --> 00:38:40,200 Speaker 1: wasn't flipped on, let me just turn the switch, then 685 00:38:40,239 --> 00:38:42,520 Speaker 1: that would be great. Unfortunately that's not the not not 686 00:38:42,640 --> 00:38:45,839 Speaker 1: the case. So yeah, it's it's gonna be it's gonna 687 00:38:45,840 --> 00:38:51,719 Speaker 1: be a tough tough act to to enact. Really, it's 688 00:38:51,719 --> 00:38:54,799 Speaker 1: gonna be a tough policy to create because to make 689 00:38:54,840 --> 00:38:59,000 Speaker 1: it effective and yet not violate our privacy or civil 690 00:38:59,000 --> 00:39:01,759 Speaker 1: liberties well or put too much of a burden on 691 00:39:01,800 --> 00:39:05,400 Speaker 1: private business, or not give enough incentive for private business 692 00:39:05,400 --> 00:39:09,239 Speaker 1: to even get involved with it. Um It's it's not 693 00:39:09,400 --> 00:39:11,880 Speaker 1: an easy thing to do, certainly not. And it also 694 00:39:11,960 --> 00:39:14,520 Speaker 1: requires a kind of a base level of just people 695 00:39:14,560 --> 00:39:16,880 Speaker 1: being aware of stuff. I mean, for example, in in 696 00:39:17,000 --> 00:39:20,080 Speaker 1: the news this week. Last week there was that kind 697 00:39:20,120 --> 00:39:23,360 Speaker 1: of hilarious thing where where the emergency alert system was 698 00:39:23,400 --> 00:39:26,080 Speaker 1: hacked in um, Montana, Michigan, California, and New Mexico, 699 00:39:26,120 --> 00:39:29,120 Speaker 1: I think, and they sent out that um hacker sent 700 00:39:29,160 --> 00:39:32,799 Speaker 1: out this zombie apocalypse warning. Oh right, right right, I 701 00:39:32,880 --> 00:39:37,400 Speaker 1: remember that. Yeah, the whole emergency alert the dead had 702 00:39:37,480 --> 00:39:39,600 Speaker 1: risen from the grave, that kind of thing, right right, 703 00:39:39,640 --> 00:39:41,919 Speaker 1: I think?
I think, yeah, Gawker, someone reported that four 704 00:39:41,960 --> 00:39:44,400 Speaker 1: people proceeded to freak right the hell out, and they 705 00:39:44,480 --> 00:39:48,279 Speaker 1: definitely called in. Four people called in concerned, and of 706 00:39:48,320 --> 00:39:51,560 Speaker 1: course they may have just called in to ask y'all, 707 00:39:52,160 --> 00:39:54,799 Speaker 1: did you get hacked? We don't know. We don't know 708 00:39:54,840 --> 00:39:56,239 Speaker 1: what the nature of the calls were. We just know 709 00:39:56,320 --> 00:39:58,520 Speaker 1: that four people did actually call in. So whether or 710 00:39:58,520 --> 00:40:01,040 Speaker 1: not they were truly worried that the dead had risen 711 00:40:01,480 --> 00:40:03,680 Speaker 1: or they were just wondering what the heck went on, 712 00:40:04,200 --> 00:40:07,560 Speaker 1: we don't know. Right. But supposedly, according to the president 713 00:40:07,600 --> 00:40:12,280 Speaker 1: of the Michigan Association of Broadcasters, uh, they, Reuters reported 714 00:40:12,320 --> 00:40:15,280 Speaker 1: that they believed the hackers succeeded because the TV stations 715 00:40:15,280 --> 00:40:19,319 Speaker 1: had never changed the default passwords that were installed in 716 00:40:19,360 --> 00:40:25,320 Speaker 1: their hardware. Yeah, password one two three, guys. It's great 717 00:40:25,640 --> 00:40:27,640 Speaker 1: and and and that kind of thing. I mean, just 718 00:40:27,640 --> 00:40:29,759 Speaker 1: just basic, you know. It's it's we really need to 719 00:40:31,080 --> 00:40:33,840 Speaker 1: just educate everyone about how the internet works, maybe, or 720 00:40:34,120 --> 00:40:36,399 Speaker 1: or just make sure that everyone cares enough.
We'll let 721 00:40:36,400 --> 00:40:40,960 Speaker 1: people know that there are uh default passwords and they 722 00:40:41,000 --> 00:40:45,200 Speaker 1: are pretty much standard across all devices of us from 723 00:40:45,200 --> 00:40:48,040 Speaker 1: a certain manufacturer. I mean maybe that it's admin for 724 00:40:48,200 --> 00:40:51,560 Speaker 1: one and password for another, but they are standard across. 725 00:40:51,560 --> 00:40:53,480 Speaker 1: And once you know what those standards are, that's the 726 00:40:53,520 --> 00:40:55,200 Speaker 1: first thing you try. And you can find them on 727 00:40:55,239 --> 00:40:57,600 Speaker 1: the internet, that's yeah, So you can find them by 728 00:40:57,640 --> 00:40:59,440 Speaker 1: buying one. That's all you have to do is go 729 00:40:59,440 --> 00:41:01,200 Speaker 1: out and you buy one of each thing and they're 730 00:41:01,239 --> 00:41:03,640 Speaker 1: not that expensive, Like you buy some routers, they're not 731 00:41:03,680 --> 00:41:06,680 Speaker 1: that that expensive. By buying each one and installing, you 732 00:41:06,719 --> 00:41:09,520 Speaker 1: see what the default password is, and then you just 733 00:41:09,600 --> 00:41:12,000 Speaker 1: add that to your dictionary attack. You know, you make 734 00:41:12,040 --> 00:41:15,920 Speaker 1: that priority one. So first first round of dictionary attack, 735 00:41:16,320 --> 00:41:19,480 Speaker 1: use the default password. If that works, you're golden if not, 736 00:41:19,880 --> 00:41:22,759 Speaker 1: move to step two. So I mean, yeah, it's it's 737 00:41:22,760 --> 00:41:24,960 Speaker 1: not good. And then on top of that, like on 738 00:41:25,000 --> 00:41:26,960 Speaker 1: a related thing, we haven't done an episode about this, 739 00:41:27,040 --> 00:41:30,600 Speaker 1: but on a kind of related idea about information online 740 00:41:30,680 --> 00:41:33,880 Speaker 1: and protecting ourselves and making sure we can respond to threats.
741 00:41:34,640 --> 00:41:39,520 Speaker 1: Another report that happened earlier in it was about the 742 00:41:39,560 --> 00:41:44,160 Speaker 1: FBI asking essentially asking internet companies for a wiretap 743 00:41:44,280 --> 00:41:48,280 Speaker 1: friendly back door into their systems. Now, this included everything 744 00:41:48,320 --> 00:41:52,160 Speaker 1: from infrastructure to actual corporations, and the FBI said, we 745 00:41:52,200 --> 00:41:54,680 Speaker 1: want to be able to get in there and check 746 00:41:54,719 --> 00:41:57,800 Speaker 1: on information when we are looking for things like cyber 747 00:41:58,400 --> 00:42:01,879 Speaker 1: terrorists or cyber warfare attacks and perhaps not thinking about 748 00:42:01,880 --> 00:42:04,239 Speaker 1: the fact that every time you you cut a new 749 00:42:04,280 --> 00:42:06,399 Speaker 1: door in a wall, it's that door can be used 750 00:42:06,400 --> 00:42:09,640 Speaker 1: by anybody exactly that's the issue here is that inner. 751 00:42:10,160 --> 00:42:12,440 Speaker 1: First of all, most of these systems already have back doors, 752 00:42:12,760 --> 00:42:15,279 Speaker 1: so really it would mean giving the FBI access to them, 753 00:42:15,320 --> 00:42:17,959 Speaker 1: because you have to have a way for an administrator 754 00:42:18,000 --> 00:42:20,200 Speaker 1: to get hold of the system so that when something 755 00:42:20,200 --> 00:42:22,359 Speaker 1: goes wrong, the administrator can fix it. As I learned 756 00:42:22,440 --> 00:42:26,279 Speaker 1: in the documentary Jurassic Park. Yes, very important, that's a 757 00:42:26,280 --> 00:42:29,720 Speaker 1: good one. Yeah. Also it shows that when you create 758 00:42:29,840 --> 00:42:33,120 Speaker 1: a security back door that an administrator can get into, 759 00:42:33,400 --> 00:42:35,960 Speaker 1: a twelve year old girl can hack in because she 760 00:42:36,120 --> 00:42:38,959 Speaker 1: knows Unix was that Unix?
I think it was Unix, 761 00:42:39,520 --> 00:42:42,600 Speaker 1: all of that out of I know this, I know, 762 00:42:42,719 --> 00:42:44,319 Speaker 1: she says, I know this, and then she sits down 763 00:42:44,320 --> 00:42:47,040 Speaker 1: in types and then by the third thing she's in. Uh, 764 00:42:47,080 --> 00:42:50,200 Speaker 1: because that's the rule of three in the Internet of Hollywood. 765 00:42:50,480 --> 00:42:55,000 Speaker 1: But yeah, the the point here is that by introducing vulnerabilities, 766 00:42:55,080 --> 00:42:59,160 Speaker 1: you have created the opportunity for the bad guys whoever 767 00:42:59,239 --> 00:43:01,680 Speaker 1: you want to say are the bad guys, to go 768 00:43:01,800 --> 00:43:05,320 Speaker 1: and infiltrate a system, so you don't Generally, that's considered 769 00:43:05,320 --> 00:43:07,440 Speaker 1: by most security experts to be what we call a 770 00:43:07,560 --> 00:43:11,719 Speaker 1: bad thing, giving more opportunity to people to infiltrate a 771 00:43:11,760 --> 00:43:14,319 Speaker 1: system is not a great idea. It doesn't help you 772 00:43:14,400 --> 00:43:19,200 Speaker 1: be safe. So we've got a lot of focus on 773 00:43:19,280 --> 00:43:24,040 Speaker 1: this this problem, and I'm at least confident that the 774 00:43:24,120 --> 00:43:27,879 Speaker 1: government is aware that there are experts out there who 775 00:43:28,000 --> 00:43:31,839 Speaker 1: can help guide this conversation. Whether they listen or not, 776 00:43:32,040 --> 00:43:34,840 Speaker 1: that's you know, that that remains to be seen. 
But 777 00:43:34,960 --> 00:43:39,919 Speaker 1: I hope that they are careful enough to consider exactly 778 00:43:40,040 --> 00:43:43,480 Speaker 1: the implications of these these policies so that when they're 779 00:43:43,560 --> 00:43:46,839 Speaker 1: enacting them, when they start to really build them out, uh, 780 00:43:46,880 --> 00:43:50,080 Speaker 1: they are doing it with the most accurate information. And 781 00:43:50,480 --> 00:43:52,440 Speaker 1: I already think they really do have the best of 782 00:43:52,440 --> 00:43:55,920 Speaker 1: intentions as far as cybersecurity is concerned. Whether or not 783 00:43:56,239 --> 00:43:59,839 Speaker 1: you agree considering you know, the business side of things 784 00:44:00,040 --> 00:44:02,759 Speaker 1: that that that's different, but but at least from the 785 00:44:02,800 --> 00:44:05,120 Speaker 1: idea we need to protect ourselves, I think we all 786 00:44:05,160 --> 00:44:07,960 Speaker 1: agree on that that the cyber threat is a real threat, 787 00:44:08,360 --> 00:44:10,719 Speaker 1: and it's a growing threat, and as we're relying more 788 00:44:10,760 --> 00:44:13,000 Speaker 1: and more on these systems, it's just going to get 789 00:44:13,040 --> 00:44:17,120 Speaker 1: even to become an even more attractive target for someone 790 00:44:17,120 --> 00:44:19,920 Speaker 1: who wants to really wreak some havoc. So for all 791 00:44:19,920 --> 00:44:23,239 Speaker 1: those Doctor Evils out there. I am not one, No, 792 00:44:23,400 --> 00:44:27,839 Speaker 1: certainly not. I don't own a cat. So anyway, that's 793 00:44:27,920 --> 00:44:31,359 Speaker 1: that's kind of the story about where we are right now.
794 00:44:31,400 --> 00:44:34,480 Speaker 1: As far as the the idea of trying to protect ourselves, 795 00:44:35,200 --> 00:44:37,359 Speaker 1: I know it was vague, but that's because again the 796 00:44:37,480 --> 00:44:40,600 Speaker 1: executive order was necessarily even it's all vague right now, 797 00:44:40,680 --> 00:44:42,759 Speaker 1: so you know, keep keep checking back. We'll let you 798 00:44:42,760 --> 00:44:46,759 Speaker 1: know if there are any definite development right and and 799 00:44:46,800 --> 00:44:49,839 Speaker 1: again I'll be amazed if this, if everyone is able 800 00:44:49,880 --> 00:44:51,480 Speaker 1: to meet the deadlines that are laid out in this 801 00:44:51,520 --> 00:44:54,400 Speaker 1: executive order. It would It's not that it's impossible, it 802 00:44:54,400 --> 00:45:00,480 Speaker 1: would just require a pretty remarkable turnaround. So we'll see 803 00:45:00,480 --> 00:45:05,680 Speaker 1: how it develops. We'll see how this could potentially impact business, individuals, 804 00:45:06,239 --> 00:45:09,120 Speaker 1: um and even our our national security. It's an important thing. 805 00:45:09,160 --> 00:45:11,160 Speaker 1: And keep in mind, you know, of course, for those 806 00:45:11,160 --> 00:45:13,440 Speaker 1: of us in the United States, there are lots of 807 00:45:13,480 --> 00:45:15,720 Speaker 1: other nations that are looking into this as well. Lauren 808 00:45:15,840 --> 00:45:19,480 Speaker 1: was talking about the European Union looking into ways of 809 00:45:19,520 --> 00:45:23,759 Speaker 1: protecting uh the the infrastructure in Europe. But this is 810 00:45:23,760 --> 00:45:27,160 Speaker 1: not localized to the United States as particular approaches. 
But 811 00:45:27,320 --> 00:45:30,800 Speaker 1: the problem is worldwide, So we're just gonna see lots 812 00:45:30,800 --> 00:45:34,200 Speaker 1: of different takes on this system and whether or not 813 00:45:35,000 --> 00:45:37,640 Speaker 1: any of them work better than others well, which is 814 00:45:37,719 --> 00:45:41,040 Speaker 1: let to wait and see. So with that in mind, 815 00:45:41,040 --> 00:45:43,480 Speaker 1: if you guys have any topics you would like us 816 00:45:43,520 --> 00:45:46,759 Speaker 1: to tackle in future episodes of Tech Stuff, here's what 817 00:45:46,880 --> 00:45:49,200 Speaker 1: I would like you to do. I would like you 818 00:45:49,280 --> 00:45:52,200 Speaker 1: to send us an email our address is tech stuff at 819 00:45:52,360 --> 00:45:55,360 Speaker 1: Discovery dot com, or let us know on Facebook or 820 00:45:55,400 --> 00:45:59,000 Speaker 1: Twitter our handle at both of those is tech stuff HS 821 00:45:59,239 --> 00:46:02,160 Speaker 1: W and Lauren and I will talk to you again really 822 00:46:02,239 --> 00:46:06,120 Speaker 1: soon for more on this and thousands of other topics. 823 00:46:06,360 --> 00:46:11,960 Speaker 1: Visit how stuff works dot com