WEBVTT - Has the US lost the cyber war already? 0:00:04.400 --> 0:00:07.800 Welcome to tech Stuff, a production from I Heart Radio. 0:00:12.080 --> 0:00:14.840 Hey there, and welcome to tech Stuff. I'm your host, 0:00:15.040 --> 0:00:18.000 Jonathan Strickland. I'm an executive producer with I Heart Radio 0:00:18.160 --> 0:00:22.400 and a love of all things tech. And recently, the 0:00:22.480 --> 0:00:28.159 Pentagon's former chief of software, Nicholas Hilan, resigned, and he 0:00:28.280 --> 0:00:32.320 did not go quietly into that good resignation. No, he 0:00:32.400 --> 0:00:36.519 posted an explanation of why he chose to quit on LinkedIn, 0:00:37.040 --> 0:00:41.080 and he cited lots of very valid reasons for frustration. 0:00:41.680 --> 0:00:44.080 He expressed anger at how he would have to try 0:00:44.080 --> 0:00:47.280 and chase down budgets in order to fund any sort 0:00:47.320 --> 0:00:51.400 of project or research or development and deployment, and just 0:00:51.520 --> 0:00:55.000 you know how hard that was and exhausting and never ending. 0:00:55.440 --> 0:00:58.560 He pointed out how the US military complex is still 0:00:58.600 --> 0:01:02.600 focused largely on trip aditional weapons systems like fighter jets 0:01:02.640 --> 0:01:06.040 and guns and stuff, and not so much on the 0:01:06.080 --> 0:01:09.960 digital side of warfare. He argued that China is so 0:01:10.000 --> 0:01:12.840 far ahead of the United States in this regard, along 0:01:12.880 --> 0:01:17.360 with its advances and artificial intelligence, that the cyber war 0:01:17.560 --> 0:01:21.319 is effectively over already in China's already won. So today 0:01:21.360 --> 0:01:24.479 I thought I would really tackle these issues and examine 0:01:24.520 --> 0:01:29.520 them are his frustrations all valid? Has the United States 0:01:29.560 --> 0:01:33.120 lost the cyber war already? Well, the first thing we 0:01:33.160 --> 0:01:37.959 should do is acknowledge that cybersecurity in the United States, 0:01:38.640 --> 0:01:43.560 particularly at the federal level, like not a specific company 0:01:43.640 --> 0:01:48.360 or specific trend, but looking at federal cyber security, it's 0:01:48.400 --> 0:01:54.800 pretty lousie, particularly for you know, critical organizations like the 0:01:54.840 --> 0:01:58.920 Department of Defense. And there are many reasons why this 0:01:59.000 --> 0:02:03.040 is so. Some of those reasons are fairly intuitive, which 0:02:03.080 --> 0:02:06.360 means I'm still going to go over them because that's 0:02:06.360 --> 0:02:10.680 how I roll. For example, we know that technology advances 0:02:10.840 --> 0:02:15.120 at a really rapid pace. Uh not all technology evolves 0:02:15.160 --> 0:02:17.120 at the same speed, you know, not all of it 0:02:17.160 --> 0:02:21.520 goes super fast. Gordon Moore observed that because of you know, 0:02:21.600 --> 0:02:25.519 multiple factors, primarily market based ones, the number of discrete 0:02:25.520 --> 0:02:27.960 components that we could cram on a square inch of 0:02:27.960 --> 0:02:32.600 silicon would double every two years or so. Now that 0:02:32.639 --> 0:02:36.560 observation became Moore's law, and today we usually interpret that 0:02:36.600 --> 0:02:41.560 as meaning that a new computers processor will be twice 0:02:41.560 --> 0:02:44.400 as powerful as the ones from two years before. So 0:02:44.440 --> 0:02:48.280 the computers of today are twice as fast or can 0:02:48.360 --> 0:02:50.960 compute twice as much. In the same amount of time 0:02:51.639 --> 0:02:55.160 as the computers we produced two years ago and so on. Now, 0:02:55.200 --> 0:02:58.360 for multiple reasons, we've had to find new methods to 0:02:58.440 --> 0:03:01.400 try and keep Moore's law active. It's not it's not 0:03:01.440 --> 0:03:05.160 a guarantee. It was an observation, and now it's almost 0:03:05.200 --> 0:03:09.320 like a challenge. So there's there's nothing that says that 0:03:09.400 --> 0:03:13.160 this trend will continue forever. In fact, you know, we 0:03:13.240 --> 0:03:17.960 might be able to kind of keep the trend going 0:03:18.120 --> 0:03:21.320 by fudging some of the definitions and changing up the 0:03:21.360 --> 0:03:24.359 way as we do things. But my point is that 0:03:24.960 --> 0:03:30.400 this particular subcategory of tech has a really aggressive trend 0:03:30.440 --> 0:03:35.720 when it comes to advancement or evolution. Well, not everything 0:03:35.760 --> 0:03:39.200 advances that quickly, like battery technology is a great example 0:03:39.280 --> 0:03:43.280 of tech that has a much slower evolutionary path, but 0:03:43.360 --> 0:03:46.720 a lot of stuff does change pretty fast. The world 0:03:46.720 --> 0:03:50.760 of software is another example. Developers generate enormous amounts of 0:03:50.800 --> 0:03:54.920 code every single day. Some are working on mission critical 0:03:55.000 --> 0:03:57.960 systems that play a part in important organizations like the 0:03:58.000 --> 0:04:01.160 Department of Defense, uh saw are making the next version 0:04:01.160 --> 0:04:04.360 of Candy Crush. But the point is that software development 0:04:04.360 --> 0:04:08.560 happens super fast, and sometimes developers might overlook things that 0:04:08.600 --> 0:04:12.360 can lead to a potential vulnerability in the system. Like there, 0:04:12.400 --> 0:04:14.720 they might be focused more on I need to make 0:04:14.760 --> 0:04:18.120 this code work, and less on is there some way 0:04:18.160 --> 0:04:22.120 that someone could leverage this code in a way I 0:04:22.160 --> 0:04:27.000 did not intend. Now, in an ideal world, every developer 0:04:27.000 --> 0:04:29.520 out there would have plenty of time to test code 0:04:29.720 --> 0:04:32.839 thoroughly and conduct some penetration testing to make sure that 0:04:32.880 --> 0:04:35.839 the code doesn't have any vulnerabilities in it before ever 0:04:35.920 --> 0:04:39.200 deploying it. But in the real world we run up against, 0:04:39.279 --> 0:04:44.000 you know, stuff like deadlines and and budgets. These are 0:04:44.320 --> 0:04:47.279 things that mean that sometimes we have to push stuff 0:04:47.279 --> 0:04:51.560 out the door before we can do all the testing 0:04:51.640 --> 0:04:54.520 we would like. So sometimes we see code deployed that 0:04:54.640 --> 0:04:57.560 does have gaps in it, gaps that determined hacker might 0:04:57.560 --> 0:05:01.680 discover and exploit. Nelly. Important element for us to consider 0:05:01.760 --> 0:05:06.040 here is that all this development in tech, from hardware 0:05:06.240 --> 0:05:10.479 to software and all the related fields, it's happening all 0:05:10.520 --> 0:05:13.039 the time. The world of tech really drives home what 0:05:13.160 --> 0:05:17.400 the Greek philosopher Heraclitis said way back in around four 0:05:17.880 --> 0:05:21.880 b C, which is the only thing constant is change. 0:05:22.440 --> 0:05:26.359 The tech world is fast paced and fluid. Now let's 0:05:26.400 --> 0:05:31.599 talk about the world of policy and governments. Governments cannot 0:05:31.640 --> 0:05:35.680 be nearly as nimble as the tech sector. Governments move 0:05:35.800 --> 0:05:40.799 at a much slower pace, glacial, some might say, depending 0:05:40.880 --> 0:05:44.400 upon their point of view. So forming policy takes time. 0:05:44.600 --> 0:05:47.279 You have to have someone to propose it, for one thing, 0:05:47.720 --> 0:05:50.040 and then that person has to get buy in from 0:05:50.240 --> 0:05:52.640 other parties in order to form a plan of action. 0:05:53.279 --> 0:05:55.279 There has to be a vote on that plan of 0:05:55.320 --> 0:05:58.080 action to make sure their support for it. There needs 0:05:58.080 --> 0:06:00.320 to be a budget assigned to that plan of action. 0:06:00.360 --> 0:06:02.560 There's got to be someone in charge. There needs to 0:06:02.600 --> 0:06:06.159 be deliverable as assigned, and some means of holding the 0:06:06.240 --> 0:06:09.640 project accountable for achieving the goals that are set out 0:06:09.680 --> 0:06:12.679 by the policy. You need to have metrics these steps 0:06:12.720 --> 0:06:17.400 I'll take a lot of coordination, cooperation, and time. Complicating 0:06:17.440 --> 0:06:20.080 matters is the fact that in the United States the 0:06:20.120 --> 0:06:25.039 average age of federal level policy makers is pretty up there. 0:06:25.160 --> 0:06:28.440 So right now in the US, the average age in 0:06:28.480 --> 0:06:31.799 the US Senate is sixty four point three years old. 0:06:32.160 --> 0:06:34.920 The average age in the House of Representatives is fifty 0:06:34.960 --> 0:06:38.839 eight point four years old. Now, generally speaking, the average 0:06:38.880 --> 0:06:43.480 American is twenty years younger than the representative who you 0:06:43.480 --> 0:06:46.440 know represents them. Now. I don't want to engage in 0:06:46.480 --> 0:06:50.200 ages um here, especially since I'm forty six. I'm no 0:06:50.360 --> 0:06:53.919 Spring Chicken. I don't want to make too many generalizations. However, 0:06:54.160 --> 0:06:56.599 there is something to be said about people who have 0:06:56.760 --> 0:07:00.440 spent a career in politics who might not be the 0:07:00.520 --> 0:07:04.400 most tech savvy individuals out there. In fact, if you 0:07:04.480 --> 0:07:08.159 do a search on how tech savvy is Congress, you're 0:07:08.160 --> 0:07:12.160 gonna find numerous pieces about how Congress is woefully behind 0:07:12.160 --> 0:07:15.760 the times when it comes to even a basic understanding 0:07:15.840 --> 0:07:18.520 of where tech is and what it is capable of. 0:07:19.360 --> 0:07:22.560 The gap and knowledge with regard to tech is a 0:07:22.640 --> 0:07:26.720 serious problem. And in case you think I'm being hyperbolic here, 0:07:26.720 --> 0:07:29.840 I'll point to one of those tech savvy articles I 0:07:29.880 --> 0:07:32.320 just mentioned. This is something that I really feel you 0:07:32.320 --> 0:07:35.360 should read if you have the chance. It's titled How 0:07:35.440 --> 0:07:39.680 Congress Got Dumb on Tech and how it can get Smart. 0:07:40.120 --> 0:07:44.640 It was written by Grace Gedyer and published in Washington Monthly. 0:07:45.080 --> 0:07:48.880 Grace's piece details how some members of Congress have never 0:07:48.920 --> 0:07:53.240 so much as sent out an email. Okay, so email, 0:07:53.440 --> 0:07:56.240 in case you're not aware, dates back to the early 0:07:56.400 --> 0:07:59.400 nineteen seventies. So let that sink in for a second. 0:08:00.000 --> 0:08:04.440 There are politicians who are at least theoretically representing the 0:08:04.480 --> 0:08:09.320 interests of citizens who live in those politicians districts, and 0:08:09.360 --> 0:08:13.160 these politicians are unfamiliar with the technology that was invented 0:08:13.560 --> 0:08:19.600 fifty years ago, half a century ago. So how up 0:08:19.640 --> 0:08:22.320 to speed do you think these same people are going 0:08:22.360 --> 0:08:24.640 to be when it comes to stuff like a distributed 0:08:24.720 --> 0:08:30.040 denial of service attack or state sponsored hacker groups. Now 0:08:30.080 --> 0:08:33.160 I'll give you a specific example of an embarrassing lack 0:08:33.240 --> 0:08:38.760 of understanding. Recently, the governor of Missouri, Mike Parson, accused 0:08:38.760 --> 0:08:42.920 a reporter from the St. Louis Post Dispatch that's a newspaper, 0:08:43.559 --> 0:08:46.040 of being a hacker. Now, what the reporter had done 0:08:46.720 --> 0:08:50.400 was found out that the HTML code on a Missouri 0:08:50.480 --> 0:08:54.520 Department of Education website contained the private information of school 0:08:54.520 --> 0:08:59.240 teachers and administrators, including things like social security numbers. Now, 0:08:59.280 --> 0:09:02.240 that private inform ation was not visible on the web 0:09:02.280 --> 0:09:04.360 page itself if you were looking at the web page, 0:09:04.840 --> 0:09:07.719 it wasn't right out in front of everything. But if 0:09:07.720 --> 0:09:10.960 you looked at the HTML code, you could see it. 0:09:11.480 --> 0:09:14.040 So Governor Parson said the reporter was a hacker and 0:09:14.040 --> 0:09:17.520 should be prosecuted. Now, some of you all out there 0:09:17.559 --> 0:09:24.440 are probably already saying, what excuse me? So if you 0:09:24.559 --> 0:09:27.880 are not aware web browsers, let you look at the 0:09:27.960 --> 0:09:31.480 underlying HTML code of a page. And this is a 0:09:31.520 --> 0:09:34.520 great tool if you're building a web page. Being able 0:09:34.559 --> 0:09:37.600 to switch between what you see in a browser and 0:09:37.760 --> 0:09:41.719 the HTML code can help you troubleshoot problems. If you're 0:09:41.800 --> 0:09:45.680 learning HTML. Using this, let's you see how any given 0:09:45.720 --> 0:09:48.080 web page is set up. You can actually look at 0:09:48.120 --> 0:09:50.240 the code and say, oh, so that's how they did that. 0:09:50.679 --> 0:09:57.000 More importantly, it's super easy to do in Chrome, for example. 0:09:57.480 --> 0:09:59.920 In order to look at the HTML code for any 0:10:00.040 --> 0:10:02.160 web page doesn't have to be a web page, you won't, 0:10:02.240 --> 0:10:05.600 it's any web page. All you do is right click 0:10:06.040 --> 0:10:10.040 on the web page and you choose view page source 0:10:10.480 --> 0:10:12.760 and it will give you the HTML code. Alternatively, you 0:10:12.800 --> 0:10:15.040 could just hold down the control button and type the 0:10:15.120 --> 0:10:20.000 letter you Boom, you got the HTML code, no hacking involved. 0:10:20.280 --> 0:10:23.240 You can do it on any web page and like 0:10:23.480 --> 0:10:26.200 you know, when you think about it, that's essentially the 0:10:26.280 --> 0:10:31.080 code that the web browser receives. Then the web browser says, oh, 0:10:31.240 --> 0:10:34.680 this code means that the page needs to look like this, 0:10:34.840 --> 0:10:36.400 and that's why you see it the way it is 0:10:36.400 --> 0:10:40.920 on your screen. So there there shouldn't be anything in 0:10:40.960 --> 0:10:44.800 the HTML code that is bad like that shouldn't be 0:10:44.800 --> 0:10:48.840 there because ultimately HTML is just instructions for your web browser, 0:10:49.200 --> 0:10:52.240 so that knows how to display the information there. And 0:10:52.320 --> 0:10:56.440 that's my point. Governor Parson didn't or perhaps still to 0:10:56.520 --> 0:11:00.760 this day, doesn't understand that there's no hacking going on here. 0:11:01.240 --> 0:11:05.920 This is a browser tool working as intended. It's something 0:11:06.080 --> 0:11:10.160 anyone can do with no training, which means the State 0:11:10.200 --> 0:11:14.360 of Missouri was negligent and exposed the private information of 0:11:14.400 --> 0:11:17.080 a lot of people to anyone who just happened to 0:11:17.080 --> 0:11:20.680 look at the HTML source code. At best, you could 0:11:20.679 --> 0:11:24.560 say that Governor Parson was deflecting, attempting to shift the 0:11:24.640 --> 0:11:28.439 blame and hold the reporter responsible for an error that 0:11:28.480 --> 0:11:31.520 the state had made. At worst, you would have to 0:11:31.520 --> 0:11:35.200 say Governor Parson just playing doesn't understand web browsers, which 0:11:35.280 --> 0:11:38.439 doesn't necessarily fill you with confidence that he understands any 0:11:38.520 --> 0:11:43.480 other matters relating to technology and and seeing how tech 0:11:43.600 --> 0:11:47.960 plays such an important part two pretty much everything we 0:11:48.040 --> 0:11:52.400 do all the time these days. This is a huge challenge. 0:11:52.520 --> 0:11:57.040 After all, its Congress's job to form laws and regulations 0:11:57.080 --> 0:11:59.080 at the federal level, and at the state level we 0:11:59.120 --> 0:12:01.560 see the same sort of sing I'm concentrating on the 0:12:01.600 --> 0:12:06.520 federal level because otherwise it starts getting really fragmented. But 0:12:06.640 --> 0:12:10.079 the same thing holds true in states too. If Congress 0:12:10.240 --> 0:12:12.319 at the federal or state level, doesn't have a full 0:12:12.400 --> 0:12:16.760 understanding of technology, how can we expect them to regulate 0:12:16.800 --> 0:12:21.120 it or to form policies that makes sense. So we're 0:12:21.240 --> 0:12:26.160 literally seeing a growing chasm between the fundamental ways technology 0:12:26.200 --> 0:12:31.320 plays a part in our lives and politicians understanding of technology. 0:12:31.440 --> 0:12:34.720 For some, you might as well substitute the word magic 0:12:35.200 --> 0:12:38.400 for technology. You know, as Arthur C. Clark said in 0:12:38.520 --> 0:12:44.480 his Third Law, any sufficiently advanced technology is indistinguishable from magic. Well, 0:12:44.520 --> 0:12:47.840 it appears that, at least for some politicians, the advance 0:12:47.920 --> 0:12:51.760 and technology doesn't have to be particularly impressive Web browsers, 0:12:52.160 --> 0:12:56.360 they'll do the trick. Now, I'm not saying politicians all 0:12:56.400 --> 0:13:01.040 need to become engineers or computer scientists, and politicians can 0:13:01.120 --> 0:13:04.880 and do rely upon subject matter experts to help them 0:13:04.960 --> 0:13:10.400 navigate unfamiliar territory. Whether the politicians grasp what those experts 0:13:10.440 --> 0:13:13.760 are saying is a matter for debate, but at the 0:13:13.840 --> 0:13:17.360 very least they do call upon experts. If you've ever 0:13:17.400 --> 0:13:21.560 watched any video or read any transcripts of these types 0:13:21.600 --> 0:13:24.080 of meetings, even if it's something like one of the 0:13:24.120 --> 0:13:28.000 times where you know, Facebook representatives have to appear before Congress, 0:13:28.200 --> 0:13:32.880 if you look at those transcripts, you might walk away 0:13:32.920 --> 0:13:35.439 with a pretty low opinion of some of the politicians, 0:13:35.480 --> 0:13:38.760 at least when it comes to their you know, tech savvy. 0:13:38.920 --> 0:13:41.400 You might also take issue with the saying there are 0:13:41.440 --> 0:13:45.240 no such thing as as dumb questions, because after reading 0:13:45.240 --> 0:13:48.679 one of those transcripts, you'd say, I beg to differ. Now, 0:13:48.720 --> 0:13:50.520 this also means there can be a certain lack of 0:13:50.640 --> 0:13:53.640 urgency on the part of political leaders to address matters 0:13:53.640 --> 0:13:56.600 that relate to tech unless they feel that it's directly 0:13:56.679 --> 0:14:00.800 threatening them, and this has both good and bad consequences. 0:14:00.840 --> 0:14:04.280 One of the good consequences is that we don't frequently 0:14:04.320 --> 0:14:07.760 see US politicians rush to fund some tech initiative that 0:14:07.880 --> 0:14:12.080 is completely unproven or unsuitable. We're not seeing you know, 0:14:12.120 --> 0:14:18.640 taxpayer money thrown at problems without due consideration. In this regard. Typically, 0:14:19.200 --> 0:14:22.280 most politicians are a bit cautious when it comes to 0:14:22.440 --> 0:14:26.840 authorizing money for something they don't actually understand. And in 0:14:26.880 --> 0:14:30.120 some cases this is a good thing. On the bad side, well, 0:14:30.120 --> 0:14:32.320 we don't see enough support for strategies that could do 0:14:32.360 --> 0:14:35.160 a lot of good either. And there are threats out 0:14:35.200 --> 0:14:39.880 there and they are there here now. So for several reasons, 0:14:40.320 --> 0:14:43.320 politics moves at different pace than tech. One other one 0:14:43.360 --> 0:14:46.320 I didn't really cover is that, of course we elect 0:14:46.360 --> 0:14:50.880 politicians and these processes because they can take so long, 0:14:51.400 --> 0:14:56.000 sometimes they will span beyond one person's term of office. 0:14:56.720 --> 0:15:00.920 And when people change in offices, often we will see 0:15:00.960 --> 0:15:06.120 priorities change and we'll see support for stuff shift, and 0:15:06.200 --> 0:15:09.640 that can slow things down again because again, politics, you know, 0:15:09.760 --> 0:15:12.560 works on its own kind of time frame and its 0:15:12.560 --> 0:15:16.240 own cycles, and that can be disruptive for things where 0:15:16.360 --> 0:15:19.680 you know you're trying to put in a cybersecurity policy. 0:15:19.840 --> 0:15:23.640 This is really problem no one this this timing issue 0:15:23.640 --> 0:15:26.840 when it comes to creating a strong cybersecurity policy, because 0:15:26.880 --> 0:15:30.360 just getting the policy makers up to speed as a challenge. 0:15:30.720 --> 0:15:33.240 Getting that buy in is hard, and there's always the 0:15:33.240 --> 0:15:36.720 possibility that someone will have a misguided but compelling approach 0:15:36.800 --> 0:15:39.320 and then we'll go down the wrong path. Like, you know, 0:15:39.360 --> 0:15:41.800 if I were to appear in front of Congress and 0:15:41.840 --> 0:15:45.000 if I made an impassioned appeal for a certain path 0:15:45.120 --> 0:15:48.600 towards security, and it really did sound like I knew 0:15:48.600 --> 0:15:51.480 what I was talking about, I might get support even 0:15:51.520 --> 0:15:54.560 if I'm totally wrong, just because I sound like I'm 0:15:54.600 --> 0:15:58.600 an authority. That's what we call an appeal to authority. 0:15:59.120 --> 0:16:02.120 That's an argument which I claim that my credentials stand 0:16:02.160 --> 0:16:05.280 as evidence that my argument is sound. The argument doesn't 0:16:05.320 --> 0:16:09.440 have to stand on its own. I'm using my credentials 0:16:09.720 --> 0:16:13.240 as if that is enough to say this is the 0:16:13.280 --> 0:16:15.840 way we need to go. That's actually a fallacy. It's 0:16:15.880 --> 0:16:17.760 the sort of thing that a debate club would jump 0:16:17.760 --> 0:16:19.520 on right away, and in fact, a lot of people 0:16:19.520 --> 0:16:21.680 in Congress would probably do it too, because a lot 0:16:21.720 --> 0:16:26.560 of those folks started off in debate club. Well. Even 0:16:26.640 --> 0:16:29.560 when things go well, when Congress is getting good guidance 0:16:29.640 --> 0:16:33.960 from thought leaders in cybersecurity, when they fashion policies that 0:16:34.000 --> 0:16:36.560 are effective and on point, the process can still be 0:16:36.600 --> 0:16:39.480 slow enough that by the time the policy becomes active, 0:16:39.920 --> 0:16:42.720 the field has changed enough so that whatever protection was 0:16:42.800 --> 0:16:45.920 offered has been compromised in the process. Because it's no 0:16:46.000 --> 0:16:49.400 longer the best practices, right, Like, by the time you 0:16:49.440 --> 0:16:51.760 finally get to the point where now we can put 0:16:51.760 --> 0:16:55.520 this into place, best practices have evolved beyond that. That's 0:16:55.520 --> 0:16:57.920 not to say that the policies are completely worthless, but 0:16:58.040 --> 0:17:00.760 rather that they're always lagging behind. It is the state 0:17:00.800 --> 0:17:03.400 of the art and technology. Now, when we come back, 0:17:03.440 --> 0:17:06.800 we'll look at another matter that affects US cyber strategies, 0:17:06.840 --> 0:17:11.120 and well, it's all about the Benjamin's baby. Let's take 0:17:11.160 --> 0:17:20.920 a quick break. Okay, we're gonna move on to other 0:17:20.960 --> 0:17:23.840 issues that complicate matters when it comes to formulating an 0:17:23.840 --> 0:17:30.000 effective national cybersecurity strategy, and a huge one is organization. Alright, 0:17:30.040 --> 0:17:34.080 so we often refer to the Pentagon as an organization, 0:17:34.160 --> 0:17:37.080 but it's really a massive building. The Pentagon is a 0:17:37.200 --> 0:17:40.240 structure of physical structure. It is the headquarters for the 0:17:40.280 --> 0:17:43.480 United States Department of Defense. So when we say the Pentagon, 0:17:44.160 --> 0:17:47.080 we're often actually referring to the do o D, the 0:17:47.119 --> 0:17:50.760 Department of Defense, not the physical building. So I will 0:17:50.760 --> 0:17:54.399 occasionally be using Pentagon in that regard in this podcast. 0:17:54.800 --> 0:17:58.960 The Department of Defense has three main sub departments within it, 0:17:59.240 --> 0:18:03.080 the Army, the Navy, which also has the Marines in it, 0:18:03.480 --> 0:18:06.480 and the Air Force. And there are other agencies within 0:18:06.520 --> 0:18:10.000 the d o D. For example, there's the Defense Advanced 0:18:10.040 --> 0:18:14.160 Research Projects Agency that's DARPA. You also have the National 0:18:14.200 --> 0:18:17.520 Security Agency that's ESSAY, that's part of the d D two. 0:18:18.280 --> 0:18:21.800 And then each of the three main departments, the Army, 0:18:21.880 --> 0:18:24.359 the Navy, and the Air Force all have multiple agencies 0:18:24.359 --> 0:18:27.800 and divisions under them. So if you had an organ 0:18:27.880 --> 0:18:31.320 chart for the Department of Defense that was even just 0:18:31.400 --> 0:18:35.400 a few levels deep, it would just be massively complicated. 0:18:35.440 --> 0:18:38.840 There'll be interconnecting relationships and potentially a few cases where 0:18:38.880 --> 0:18:41.320 it might be confusing to see who reports to whom. 0:18:42.040 --> 0:18:44.280 Sometimes that can be confusing to the people in the 0:18:44.359 --> 0:18:50.640 organizations themselves. Now within this organization of organizations, you've got 0:18:50.680 --> 0:18:55.879 different departments responsible for stuff like establishing, maintaining and protecting networks. 0:18:56.440 --> 0:18:59.080 You've got different groups that are running on different pieces 0:18:59.119 --> 0:19:03.080 of hardware and software. Some might be locked into systems 0:19:03.160 --> 0:19:07.680 that no longer get support, and we call these legacy systems. 0:19:08.280 --> 0:19:10.840 This is a problem a lot of us encounter in technology, 0:19:10.960 --> 0:19:13.960 not just in the government sphere, but it can happen 0:19:14.000 --> 0:19:17.080 in businesses too. So if you've ever bought a product, 0:19:17.640 --> 0:19:21.360 like let's say that you bought a computer from a company, 0:19:21.400 --> 0:19:24.760 and later on down the line, that computer company goes 0:19:24.800 --> 0:19:27.760 out of business, Well, you might find yourself kind of 0:19:27.760 --> 0:19:29.920 stuck because you're no longer going to get support from 0:19:29.920 --> 0:19:34.159 that company. Right if they were uh previously releasing like 0:19:34.280 --> 0:19:37.840 firmware updates for your for your device, You're not going 0:19:37.880 --> 0:19:41.040 to get those anymore because the company doesn't exist anymore. 0:19:41.080 --> 0:19:44.640 So the stakes become higher because now you're relying on 0:19:44.720 --> 0:19:49.240 something that no longer has support from the manufacturer, but 0:19:49.320 --> 0:19:52.080 you're still dependent upon it. I see this happen with 0:19:52.160 --> 0:19:55.080 like back end systems a lot where a company will 0:19:55.119 --> 0:19:58.600 invest a lot of money into a back end system 0:19:58.640 --> 0:20:02.119 and build pretty much its entire infrastructure on top of 0:20:02.160 --> 0:20:07.800 this back end system. That system will age out, but 0:20:07.880 --> 0:20:10.720 to migrate everything off of that system onto something else 0:20:10.760 --> 0:20:16.400 would be an enormous uh sink of of money and 0:20:16.480 --> 0:20:22.879 time and other resources, and it's a nightmare. So again, 0:20:22.920 --> 0:20:25.960 this happens in companies, not just in governments, but when 0:20:26.000 --> 0:20:30.439 it happens in governments it's particularly rough. Um, you know, 0:20:31.240 --> 0:20:34.359 the organization ends up building products on top of this 0:20:34.680 --> 0:20:38.320 and the underlying stuff is the foundation, and when it 0:20:38.359 --> 0:20:40.600 does come time to migrate, you've got to figure out, well, 0:20:40.600 --> 0:20:44.399 how can I do this without interrupting services. For a company, 0:20:44.440 --> 0:20:47.520 that's important because you want to keep generating revenue. For 0:20:47.520 --> 0:20:50.600 a government, that's important because you've got to keep governing. Right, 0:20:51.000 --> 0:20:53.880 you can't just say like, all right, well y'all all 0:20:53.960 --> 0:20:57.359 just behave and uh, well you're gonna go away for 0:20:57.400 --> 0:21:02.520 a month and migrate our systems on the new new network. Uh, 0:21:02.600 --> 0:21:05.040 then we'll be back and you know, whatever is not 0:21:05.080 --> 0:21:07.800 on fire, I'm sure it's fine, and anything that is 0:21:07.840 --> 0:21:10.440 on fire, we'll get to it. Like, you can't do that, 0:21:10.720 --> 0:21:14.680 So it's a huge challenge. So there are government offices 0:21:14.720 --> 0:21:17.600 that are, you know, at least partly dependent upon legacy systems, 0:21:17.680 --> 0:21:21.080 and these systems sometimes they have vulnerabilities, you know, just 0:21:21.119 --> 0:21:23.600 like any other system. They can have things where it 0:21:23.680 --> 0:21:27.879 was an oversight and some intruder has figured out here's 0:21:27.920 --> 0:21:31.920 my entry point into this network. And without ongoing support, 0:21:32.400 --> 0:21:36.520 you know, those vulnerabilities go unaddressed. There's no patch for them. 0:21:36.560 --> 0:21:38.800 So that means if you are someone who is determined 0:21:38.800 --> 0:21:41.760 to exploit a system and you happen to know what 0:21:41.960 --> 0:21:45.800 hardware or software is being used within that organization. You 0:21:45.880 --> 0:21:49.919 can perhaps formulate a plan of attack that leverages that 0:21:50.119 --> 0:21:53.040 vulnerable system, and you can have a pretty decent level 0:21:53.040 --> 0:21:56.400 of confidence that you'll be able to pull it off 0:21:56.440 --> 0:22:00.480 because chances are no one's patched that vulnerability. It's why 0:22:00.520 --> 0:22:03.199 some experts call for a more modular approach when it 0:22:03.240 --> 0:22:07.919 comes out to planning network architecture. That way, administrators can 0:22:07.960 --> 0:22:13.160 swap out modules within the network architecture if necessary, particularly 0:22:13.640 --> 0:22:17.040 if they're working with stuff that's open source, where you know, 0:22:17.160 --> 0:22:22.080 the open source community finds and addresses vulnerabilities at a 0:22:22.200 --> 0:22:27.760 very quick pace, so that you're constantly with the most secure, 0:22:27.880 --> 0:22:31.640 most recent version of whatever it is you're working on. Okay, So, 0:22:32.119 --> 0:22:34.840 there are also a few big authorities in the federal 0:22:34.880 --> 0:22:38.880 government that are concerned with cybersecurity. For example, the Department 0:22:38.920 --> 0:22:43.840 of Homeland Security has the Cybersecurity and Infrastructure Security Agency 0:22:44.080 --> 0:22:48.640 or sees A c I s A. Uh So, there 0:22:48.640 --> 0:22:51.960 are some that are important when it comes to stuff 0:22:52.000 --> 0:22:56.320 like rolling out standards that all agency offices should follow, 0:22:57.080 --> 0:23:01.080 and once you get past that, there's a much more 0:23:01.200 --> 0:23:05.000 fractured landscape. A Senate report in two thousand nineteen recommended 0:23:05.000 --> 0:23:08.520 a more coordinated approach to cybersecurity to try and bring 0:23:08.600 --> 0:23:12.760 things into kind of a more focused effort, because what 0:23:12.840 --> 0:23:16.200 we were seeing is a very patchwork approach towards UH 0:23:16.440 --> 0:23:21.000 design and implementation of cybersecurity measures. Then you've got stuff 0:23:21.000 --> 0:23:23.479 like budgets to contend with. Every single department has its 0:23:23.520 --> 0:23:26.560 own budget and that gets funneled down into different sub 0:23:26.600 --> 0:23:31.480 departments and projects. So when it comes to weapons systems development, 0:23:31.880 --> 0:23:35.600 the typical approach is to spend thirty of your budget 0:23:35.720 --> 0:23:40.119 on development and procurement and the other goes to sustaining 0:23:40.160 --> 0:23:43.639 the weapons system and maintaining it. Now, that's according to 0:23:44.040 --> 0:23:48.760 Heidi Shiu, who is the current Under Secretary of Defense 0:23:48.880 --> 0:23:53.000 for Research and Engineering UH. She had previously served as 0:23:53.040 --> 0:23:57.680 the Assistant Secretary of the Army for Acquisition, Logistics, and Technology, 0:23:57.760 --> 0:24:00.920 so she has a history with the process of setting up, 0:24:01.480 --> 0:24:04.760 you know, weapons systems and technology systems. So when we 0:24:04.800 --> 0:24:08.680 talk about cybersecurity on a national scale, that actually does 0:24:08.760 --> 0:24:11.919 overlap with weapons systems, both from an you know, an 0:24:11.960 --> 0:24:15.400 attack perspective and a defense perspective. So we're not talking 0:24:15.400 --> 0:24:18.000 about traditional weapons. We're not talking about guns or tanks 0:24:18.080 --> 0:24:21.080 or missiles or anything like that. And that's kind of 0:24:21.320 --> 0:24:25.080 show use point. She was saying that that thirties seventies 0:24:25.119 --> 0:24:32.360 split to procurement and deployment and to sustaining. That doesn't 0:24:32.359 --> 0:24:34.679 really make sense when you're looking at it from a 0:24:34.760 --> 0:24:38.000 cyber front, and that really we should flip that ratio 0:24:38.080 --> 0:24:42.800 around with sevent budgets being dedicated to development and procurement 0:24:43.160 --> 0:24:48.640 and reserved to sustaining and maintaining weapons systems. So budgets, 0:24:48.680 --> 0:24:51.480 by their nature, not only limit how much we can 0:24:51.560 --> 0:24:56.200 spend on any given thing, but how we can spend 0:24:56.240 --> 0:24:58.960 money on that thing. And if we adhere to the 0:24:59.000 --> 0:25:01.800 older philosophy as we hinder our efforts to get up 0:25:01.800 --> 0:25:06.120 to speed in the digital realm. As Nicholas La pointed 0:25:06.119 --> 0:25:10.080 out in his resignation, getting those budgetary dollars is a 0:25:10.119 --> 0:25:13.560 never ending pursuit. You have to get buy in from 0:25:13.600 --> 0:25:15.960