WE'RE IN!

Nicole Perlroth on Spyware, “Mutually Assured Digital Destruction” and Educating Boardrooms

Episode Summary

In Nicole Perlroth’s blockbuster 2021 book, “This Is How They Tell Me the World Ends,” the former New York Times journalist conveys cybersecurity experts’ mounting anxiety about increasingly dangerous digital threats. From spyware to ransomware, the black market for cyber tools that skirt the law is lucrative and often poorly understood. Nicole points to catastrophic cyberattacks like NotPetya, a 2017 ransomware look-alike that attempted to obliterate Ukraine’s critical infrastructure before causing billions of dollars in damages worldwide. But even with geopolitical tensions now at a fever pitch, Nicole, now a cybersecurity advisor and investor, explains why “mutually assured digital destruction” has so far helped stave off major attacks on U.S. critical infrastructure.

Episode Notes

---------

Also covered in the podcast: 

* The importance of educating board members about cybersecurity 

* What constitutes a cyber weapon

* Why Nicole is optimistic about the future of ransomware

Episode Transcription


Blake: [00:00:00] Nicole, thank you so much for joining us on the show. Really appreciate it. I'm so excited for this conversation and I hope your new year is off to a great start so far.

Nicole: Yes. Thank you so much. I'm obviously a big fan of Synack. I think the last time I was pregnant, I was very pregnant with Jay Kaplan at the Pentagon talking about Synack, and then immediately went into labor and never got to write about it. So I feel like I owe Synack a huge favor here.

Blake: Oh, wow, okay. That is a very particular moment in time. So thank you for sharing that. And I did wanna kick things off right away by hearkening back to your New York Times bestselling book, “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race.”

For any listeners who may be worried by that title, the world has not yet ended, I'm pleased to report. But Nicole, you did still deal with some pretty intense topics in that book, so I wanted to just start by picking out a phrase from the cover, which is this concept of cyber weapons, or digital weapons.

What does that term really mean to you?

Nicole: [00:01:00] Yeah. So to me, Stuxnet was a cyber weapon.

There's no question. Using code that can sabotage or manipulate critical infrastructure, and the end result being the destruction of a key ingredient to a nuclear weapon, that is a strategic cyber weapon. I think it gets more messy when you get down to things like WannaCry.

North Korea using nation-state tools that were stolen and leaked online from the NSA in a global ransomware attack that paused operations for a number of companies and police agencies and that kind of thing. Is that a cyber weapon? No. Maybe not by some people's definition, but it was an act of sabotage and destruction for some targets.

NotPetya, I think, was more of a cyber weapon in that it was a tool [00:02:00] used in an attack that was intended to look like ransomware, but actually wasn't ransomware. It was just an effort to decimate data and paralyze data on target systems. And those targets included everything from Chernobyl's radiation monitoring equipment to Merck's vaccine production lines.

Some people might say calling that a cyber weapon goes too far, but I think it's certainly one of the most dangerous, costly acts of cyber destruction we've seen. And maybe it doesn't matter whether we call it a cyber weapon or not. It's something that is sort of a harbinger of this new era we're in.

Blake: Now, I'd be curious to hear where you think really sophisticated spyware fits into that discussion, of the likes produced by, say, NSO Group. And I did want to ask you, I know the CEO of NSO Group recently visited Washington, D.C. to talk a little bit about use of spyware and, almost making a defense of it, as needed for combating crime [00:03:00] or finding terrorists.

Nicole: I wouldn't call it a cyber weapon, but it's certainly a very potent espionage tool, surveillance tool. NSO Group, for those who've not been paying attention over the last few years, is an Israeli company that sells mobile spyware predominantly, that can be used to essentially turn your phone into an invisible ankle bracelet.

And I talk about in the book how one of my sources just came over to my, engaged in some banter, and then before he left, said, take some pictures of my computer screen. And it was all of this internal documentation inside NSO about the capabilities of Pegasus, which is really their blockbuster product,

which is mobile spyware, and some of the contracts that they were negotiating with governments like Mexico and the United Arab Emirates for their sale. And that was the first time I'd heard of NSO Group, and that was around [00:04:00] 2015, '16. And then the next time I heard about it was when it started popping up on the phones of human rights activists in the UAE, of journalists in Mexico, of people who were actually nutritionists in Mexico who were advocating for a soda tax there. And really in these insidious use cases, and it was being used in some cases as an intimidation tool or a silencing tool, which was really disturbing. And so I was outing these cases, in some cases on the front page of the New York Times, and NSO mounted a pretty big defense of its product. They said that it had played a role in catching El Chapo,

the Mexican drug lord. They said it had been used to thwart major terrorist attacks, but I think we never really got clear evidence of those cases. Certainly in this era we're in, where Apple is [00:05:00] increasingly adding encryption to our iPhones, et cetera, this is a potent tool for law enforcement and it can be used in a lot of legitimate use cases.

Unfortunately, we are hearing about too many cases in which it was used illegitimately or for corrupt purposes, or to suppress the First Amendment or human rights or dissidents, journalism, et cetera. And at the end of the day, it's not a cyber weapon, but it's certainly a critical ingredient for a surveillance state, with a lack of oversight.

And these are, you know, once you've sold these tools, they can be reverse engineered. You can keep using their basic functionality and there was no way to kind of pull this back.

Blake: Right. It's so interesting. It's really releasing this very powerful functionality. I think you're right to draw a distinction between that and, say, a weapon, which is just solely intended to maybe do damage, or however you wanna define it. But it is so [00:06:00] interesting, these zero-click, like you don't even have to click on anything and suddenly you're infected and they can get

full visibility into everything that you're doing. One question that I have is, with something so powerful and so expensive as well, these things can go for upwards of seven figures, eight figures even, depending on the extent of it. If a zero-click iPhone exploit that works across multiple devices landed in your lap, what do you even do with that?

I feel like it's such a hot potato.

Nicole: Yeah, I think it is truly the crown jewels. That is what every government wants: a zero-click remote code execution exploit that works on the iPhone or on Android phones. You know, it was interesting as I was doing my research to see that the cost of an Android exploit that gave you the same capability was actually more expensive, and we never really got to the bottom of it.

Was it that Android just enjoys more global market share, or was it that Android security had improved such that it was harder to hack than the iPhone? But what was really interesting to me is, [00:07:00] there is a market for these tools, for these exploits, and they're readily advertised on websites of companies like Zerodium in the United States.

And we know NSO buys these exploits to bake into Pegasus, and there are other spyware technologies. But what was interesting to me is, as I was wrapping up my, I came across this new player in the space I'd never heard of before, called Crowdfense. I have no idea whether they're still operational, but they were outbidding the Zerodiums of the world; they were almost doubling the asking price for an iPhone or iOS or Android exploit. And who did they provide those tools to? They exclusively provided them to the Saudis and Emiratis. And so, in other words, American government agencies or agencies in the West were already being outbid by some of these Gulf states

when it came down to it. And that's just kind of [00:08:00] another red flag, I guess you'd say, that these tools are just out there. The West maybe at one point could claim control over this market, or could say that they could outbid anyone else in this market, but that's just not true anymore.

And there are other states that technically are allies of ours, but have, let's say, more reckless human rights records and far more limited freedom of the press, and there, you know, it could go down a long list of examples, who are outbidding the United States for these tools.

And so maybe it's time we talk about the fact that the cat's out of the bag, and we talk about, should there be some kind of boundaries for this market or some kind of international agreements or rules? Or should companies like NSO be sanctioned or get in trouble or be blacklisted when they're caught selling these tools to governments that have less than stellar human rights records?

Blake: It's really interesting that you mentioned that evolution, and I know you put in years of reporting ultimately into this. “This Is How They Tell Me the World Ends” kicked off, as I understand it, with [00:09:00] S4x13, this illustrious, we'll call it, cybersecurity conference in Miami Beach that draws some of the big control system and energy cybersecurity experts down to Florida once a year.

I guess, what can you tell me about how both these markets that we've been discussing have changed, and just how much the cybersecurity landscape has evolved since you really started putting together the concept for this book?

Nicole: You know, the reason I dedicated this full chapter to that one S4 conference in Miami was because people like you and I and everyone in the cybersecurity industry knew that there was a market for zero days. We'd heard about it. It had been really hard as journalists to get to the bottom of it.

Although certain journalists have made big dents in the space, like Andy Greenberg's Wired story with the Grugq, et cetera, what really brought me to this project was that [00:10:00] S4, because it was the first time I had met people, in this case Luigi Auriemma, who had started ReVuln, this company based in Malta that sold zero days.

But they didn't just sell zero days. They sold zero days specifically in ICS, industrial control systems. And those are used, as we could start seeing that year, for acts of sabotage, like the Saudi Aramco attack, or a Stuxnet-like attack. I mean, we haven't seen another Stuxnet, but things are getting pretty damn close. And so to me it was raising this different question, which was, okay, we know that the tools of traditional espionage have been sold for as long as human history, as long as people have been spying on one another. That's not new. But selling code that can be used to sabotage pipelines, power [00:11:00] grids, oil, gas, water, name your critical infrastructure, that's new.

And I know from my reporting, at least that year, that there were a lot of US adversaries that had the will to do us harm in the space, but really lacked the skills. And so it raised the question: were people like Luigi and Donato and ReVuln helping bridge that for governments, or who knows who, that wouldn't otherwise have the know-how or skill sets to find those zero days and craft those exploits and click-and-shoot tools of destruction?

Was this something we should all be paying attention to? And I think it turned out the answer was yes, because as we saw over the next couple years, we started seeing serious acts of destruction, probably the worst of which was the Russian BlackEnergy attacks in Ukraine.

But clearly governments were starting to focus here, and the market was really for government agencies, [00:12:00] many of whom had the will to achieve the Stuxnet success of the United States, but very different motivations.

Blake: I wanted to go back to some of your experiences at the New York Times, because I think it could be pretty interesting and even instructive for a lot of our listeners. Coming from a bit of a wonkier journalism background myself, I got a lot of leeway to write about some of these nexus-of-energy-and-cybersecurity stories that you're alluding to, whether it's,

you know, Russian Sandworm hackers targeting American nuclear plants, or whether it's the blackouts in Ukraine caused by the BlackEnergy malware and these sophisticated tools. But I didn't really have to do a lot of convincing of skeptical editors as to whether this belongs on the front page.

I'd be curious, you know, how did you insist, like, no, actually this is a big deal, we should be writing about this? How did you kind of break through in some of your pitches to your editors, and I guess what made a cybersecurity story truly newsworthy for an outlet like the Times?

Nicole: Yeah. I would say by far the hardest part of my time at the New York Times job was hacking the bureaucracy, [00:13:00] and getting the masthead to care about cybersecurity. I don't think anyone realizes how tough a job that is. So, you know, it's interesting just to go back a bit. You know, when the Times hired me, this was like 2009, 2010, we were just starting to really learn about Stuxnet, which was obviously a game changer, but I was hired by the business desk

to cover enterprise technology, specifically cybersecurity, like, yawn fest, it's just, you know, who's acquiring who, you know, how are the antivirus companies doing? Should I cover their earnings announcements? That kind of

Blake: File under boring, but important. it's,

Yes. That's important news in its

Nicole: Sure, sure. Well, and back then, the acquisition stories weren't that interesting.

The economy was still recovering from 2008, and the acquisitions were small, and usually it was Symantec or McAfee or I guess Intel that were doing a lot of the acquiring, and yada yada. But [00:14:00] really the story was, antivirus isn't working, the perimeter's gone, hackers are finding new ways into the enterprise.

Bring your own device is a freaking nightmare. The cloud's gonna be a freaking nightmare. And how many times can you tell that story? But the more interesting thing that was happening was I kept hearing this phrase: there's only two types of companies left in the United States, companies that have been hacked and companies that don't know they've been hacked, which we can originally attribute to Dmitri Alperovitch, one of the co-founders of CrowdStrike, but was being plagiarized to death.

Keith Alexander was testifying before Congress that we were witnessing the greatest wealth transfer in history, and he was referring to Chinese IP theft. I think James Comey had some similar quote along the same lines. And so from a journalist's perspective, to me, there was nothing happening in the cybersecurity industry that was as interesting as: is that true?

Has everyone really been hacked? Is all of our IP now in [00:15:00] China? And so that's where I started. And it was really hard to get companies to open up about this, I think because a lot of them worried about what it would do to their share price if it came out that their IP had been stolen, what it would do to their potential acquisition.

Again, everyone was still in sort of recession recovery mode. No one wanted to talk about this. They were worried they'd get a scarlet letter on their forehead. What happened next I think was a blessing and a curse. But for your question, this is what happened. The Times was hacked by China, and by the way, the story wasn't assigned to me.

There was one editor who heard about it. I started hearing something from our IT department at the Times, who were always a fantastic resource, and I just started reporting on it. And Mandiant was still not really a household name then, but we brought Mandiant in. I could see how

really not helpful the FBI was. They came in with their binders [00:16:00] and you have this feeling as a journalist, or even as a citizen, like, all right, who did it? When are we gonna see people in handcuffs? Instead, they ask you a bunch of questions, they close their binders, and you're lucky if you ever hear from them again.

And I was hearing from Mandiant like, you're just one of thousands, sorry, this is what they do. And I was seeing how they moved laterally through an organization, ultimately what they were after, what incident response looked like in real time. We would talk and joke about the Beijing summer intern who rolled into our networks at 9:00 AM Beijing time and rolled out around five,

ultimately in search of our sources, and just the headache it caused for the organization, calling my colleagues who were in China who hadn't even been told that they had been hacked. The whole thing was just, it was an incredible opportunity to see what this actually looks like.

And I knew it was playing out at companies all over the US that were covering it up. And to the Times' great credit, they let me [00:17:00] tell the story on the front page, and there was at the very last minute some second guessing. Like, the masthead was like, wait a minute, why are we telling this story?

I think someone asked, what will our competitors say? The Wall Street Journal, the Washington Post. And I remember saying, listen, this is way above my pay grade, but my two cents: I don't think they're gonna say very much, because I think there's a very high likelihood that they have been hacked too.

And ultimately I think that argument won the day, and when the story came out, it was like you weren't cool if you hadn't been hacked by China. Suddenly everyone started raising their hands and it really cracked open the conversation nationally. And next we did the story with Mandiant on the Shanghai-based PLA group who was conducting a lot of these hacks, which also opened up this conversation much more and ultimately led the way for indictments and the threat of sanctions and so on.

That single hack, though, I [00:18:00] think arguably changed the national conversation from one of victim blaming to, we have a huge freaking problem on our hands as a country.

Blake: Well, drawing a connection to your current role as a cybersecurity advisor to various companies, including, I saw recently, congratulations, Ballistic Ventures, coming on board there, not to mention your role as an advisor for the Cybersecurity and Infrastructure Security Agency. I'm wondering, those conversations with the masthead, that convincing, how does that play out in boardrooms nowadays?

How do you get companies that may be skeptical of cybersecurity to do something about this problem? Are there any parallels there?

Nicole: Yes, and I think this has been the ninth life of my book. Being a cybersecurity journalist in the space, we have multiple audiences. It's one of the biggest challenges of your job. How do you satisfy the technical cybersecurity InfoSec community, and all of the nitpicking that they're going to have, without losing the mainstream audience?

But it's really important [00:19:00] for everyone to understand what the stakes are and where this thing's going. And I always put up a picture of my mom. I'm writing this for my mom, who texts me once a week, how do I save that picture of your kid that you just texted me? I'm not writing it for the technical audience.

It would keep me up at night and I'll panic about whether I'm getting every technical description correct, but I have to write for my mom, because if I'm not writing for my mom, the mission will not be accomplished here, which is to get everyday people to care. What I wasn't thinking was, policy makers actually needed this.

They needed a translator badly. And boards really needed this. And so I've been doing a lot of board-level education. And the number one thing that they say is, we thought we were cutting edge because we would hear directly from Marcis once a year or twice a year, or we had this one person from Salesforce on our board, so we checked off the technical box there.

But [00:20:00] after reading your book, we realized we've been actually negligent in some regard here, because we weren't asking the right questions. We didn't even know which questions to ask. We didn't understand that businesses are now on the front lines of geopolitical conflict, which became very apparent with the NotPetya attack.

And so I think that has really been the biggest blessing, is that if my goal was awareness, mass awareness, high-level awareness, that has been happening. The question now is, okay, finally they're saying, we get it, you've got us, you've got our attention, we've brought you in here, we're aware, we have the appetite, but how do we get from awareness to operationalizing these solutions?

Because it sounds to us like nothing works and these things are getting through no matter what we do. And we're fed up with our CIO, [00:21:00] CISO coming in and asking us for more money every single quarter. And I think that is the biggest challenge. And then it gets even harder when you move from the Fortune 500, what is that,

Fortune 400? Fortune 500, down to what we're calling target-rich, security-poor entities like water treatment facilities and high-stakes targets that would be of extreme interest to an adversary, or have a lot of urgency to a ransomware attack, that don't even have one single IT guy on staff.

So the good news is, we are all aware now, and if you're not aware of this threat, like, you really have an ostrich head-in-the-sand problem and you have other problems. But we're all aware. The question is now, what do we do?

Blake: And actually, to circle back to what you said earlier about this notion, this quote attributed to Dmitri Alperovitch:

either you've been hacked or you just don't know that you've been hacked. And to your [00:22:00] question, is it true? I feel like it can be so challenging in this space to really suss out when something's an exaggeration and when it's actually cause for alarm. A quote from National Cyber Director Chris Inglis comes to mind.

It's a little old, but back in 2019, he asked, quote, why are the Russians, as we speak, managing 200,000 implants in US critical infrastructure, malware which has no purpose to be there for any legitimate intelligence reason? And as somebody who's reported on this Russia-linked cyber espionage,

I mean, 200,000. I heard that quote and I was like, wait a minute, what? They're just ready to flip a switch and cause all sorts of havoc in our critical infrastructure? Should we be running around like chickens with our heads cut off? What is going on here? I guess I'd be curious to hear what you think of that, and this concept of APTs, advanced persistent threats, almost lurking and waiting for some moment to act.

Nicole: Yeah, I'll address that, but I'll go back a little bit before Russian implants to talk about, there was a hack that really bothered me that I covered. And [00:23:00] I think it was back in 2012, it was a Canadian company called Telvent, and they provided software to, I think, the vast majority of North American pipelines.

And they were badly hacked by a Chinese APT. And the Dale Petersons and the S4 attendees of the world were saying, this is not getting enough coverage. Because essentially, if you wanted a blueprint to the North American pipeline network, this is the company that you would hack. Now, it doesn't have any brand recognition whatsoever, so Target was getting most of the airtime that following year.

But to me, this was the far more serious threat. And so I covered that story, and you have to be very careful not to scare everyone, but I had some lines in my coverage that, we've been covering a lot of Chinese IP theft and trade secret theft. The question is, is this IP theft? You know, is China so [00:24:00] interested in clean energy or digitizing critical infrastructure that this is the IP they want?

Because this is the keys to the kingdom if you wanted to pull off a pipeline attack at scale that would freeze the United States. And so there was some just wording around, is this just espionage, or should we be worried about something more sinister, more sabotage-like? And I remember just getting a ton of crap on Twitter about this, that I was stoking FUD, fear, uncertainty, and doubt, being really alarmist. Fast forward to, I think last year it was, or 2021, that the US declassified its findings that China was in our pipelines, and they were not there for IP theft, that they were there for some kind of foothold, in the event of some geopolitical escalation or conflict, that they would have a foothold to essentially [00:25:00] hold our gas pipeline network hostage.

And I think they were referring to, although they don't say it, the Telvent-like attacks. Yeah, it's really hard as a journalist, as these things are happening, and they were happening so fast, to point out, here's what's happened, and no, nothing's happened yet, we don't need to scare everyone, but hey, this target is the exact target you would pick if you wanted to pull off a Colonial Pipeline attack at scale.

And then Russia just started making that threat very obvious, and never more so obvious than with the BlackEnergy Ukraine attacks. And when I would interview people in the administration, then the Obama administration, and I think I had this in the book, they would say, until then,

we thought, this is a gentleman's game. You're spying on us, we're spying on you. Occasionally we dig into your critical infrastructure. We make maybe a little bit more of a loud show of it when we get into your power grid, that kind of thing. But no one's [00:26:00] actually going to use this access for sabotage.

And then after Ukraine, it was sort of like, okay, we need to all sit back and change our risk calculus here.

Blake: I will say, to the FUD point, I'm really glad you brought up the pipeline espionage and the risk there, because that's an issue that was near and dear to my heart. I reported on it very closely in my time at Politico and E&E News.

And part of what was so alarming is, unlike even a Colonial incident, which impacted fuel supplies, gasoline, jet fuel, the like, you know, substances, we have this network of natural gas pipelines throughout the country that feeds into power plants, which often rely on just-in-time deliveries, because it's coming in a gaseous form, so it's not as easy to store and use.

So if that were disrupted, there's a huge risk there of actually causing a lot of problems cascading across critical infrastructures. And yeah, I don't think you're exaggerating at all to be like, hey, maybe we should pay attention to this. You can't just brush it under the rug and hope that hackers are never gonna try that, because we've just seen so many [00:27:00] disruptions.

I guess the natural follow-up to that, though, is, why haven't we seen this trap sprung? Yes, okay, we saw the ransomware disruption of Colonial that almost seemed bumbling. If not accidental, then certainly the attackers bit off more than they could chew. Why haven't we seen these advanced persistent threats really

cause havoc on the scale of a NotPetya? I guess that was one example, but again,

Nicole: yeah. But we weren't the direct target, and why weren't we? I think is also another way to phrase this question. I think. We have settled into this era, and it's precarious for sure, but of mutually assured digital destruction. yes, China has access to our pipelines, but they also hold a huge amount of US currency, , why would they want to sabotage the United States and sabotage the economy essentially at Sabo?

they'd be kicking themselves if they did Russia, they. I worry about them more, especially right now because increasingly they have less to lose as we detach them from the global [00:28:00] economy. And I did this story with David Sanger, about how under Trump. The sort of rules around what cyber could cyber command could do in terms of who they could attack were loosened.

Nicole: They no longer needed to get presidential approval,for what's called cna, computer network attacks. And so one of the first things we learned that they were doing, which we reported publicly, was, uh, attacking the Russian grid. And they weren't being quiet about it, they were being loud about it.

And that this was an operation specifically. aimed at messaging, if you dare due to us , what you just did to Ukraine in 2015 and 2016, expect the same back. And no, that's where we are is and you, we don't cover it as well, I think here in the us but, China's response to a lot of these accusations that they've been hacking us has always been, we are also targets of cyber attacks.

And, I think there was a Chinese company, and I'm sorry I'm blanking on the name, but they just put [00:29:00] out a great report on some of the attacks they're seeing and they are reporting that China's also likewise seeing a lot of. probes of its critical infrastructure. So I think we have entered this new era of, yeah, we're all in each other's systems, holding guns to each other's heads.

And you'd have to think very carefully about whether you wanna pull the trigger, because it would only be moments before you two would suffer the same attack. Now, where I think it gets interesting is attribution, and I think that's really where the US and the West are at a strategic disadvantage here.

Because if an attack comes from the west, usually comes from cyber command or one of the intelligence agencies, although, there's a line there between espionage and attack. When it comes to our adversaries, it's not coming from inside the building. , in Russia's case, they outsource a lot of their dirty work to cyber criminals.

in China, they've moved a lot of the responsibility for [00:30:00] these operations from the P L A to not just the Ministry of State Security, but to the satellite network of private citizens who work or moonlight at the behest of the Ministry of State Security, we've indicted. and I think sanctioned Iranian front companies, that do a lot of this work.

you know, the, the lines are far more blurred when it comes to our adversaries. And then when you look at, and you've covered these attacks really well, some of the attacks we really worry about. Coming from Russia, you can see that they're playing around with attribution.

And I think it's because they don't wanna get caught red-handed when one of these things happens, because they know that we will respond in kind. And I think that's where a lot of the back channel negotiations, conversations, have been. I think they've been very direct between state officials.

Nicole: Hey, just so you know, this is how we would respond. That was Biden's first conversation with Putin in Geneva. Here's the list of our 16 critical infrastructure [00:31:00] sectors. If there were to be another attack like Colonial Pipeline, even from a cyber criminal group or directly from the GRU, expect the same.

Blake: I feel like so often in this space it's, it's, it's doom and gloom, right? Threats keep getting worse. Uh, actors getting more sophisticated in their, in their techniques. Um, let's talk about some cybersecurity victories.

Uh, what do you think has really improved, for instance, since you started reporting on, uh, on, on, for your book?

Nicole: So I think the most badass win, um, has come in the last. Which is that the Department of Justice and the FBI announced that they had gotten inside Hive, the ransomware group, and were quietly securing decryption keys for victims and passing them to victims, so that they basically kept victims from having to pay something like $130 million in ransom.

Awesome. You know, I've definitely been critical [00:32:00] of some of these off, you know, this focus on offense, but maybe offense is our way out of this ransomware hell we're in, where it's really about hacking these groups and quietly, surreptitiously sabotaging them at every turn. So I think that's number one. Two:

We've always had this question of what is the actual tie between the Kremlin and these Russian cyber criminal groups? Russia's just making it very obvious at every turn just how tightly connected they are. I think, Hive, the State Department put up a bounty site for some of its members.

We'll pay you this bounty if you give us any information leading to the arrest of one of its members. And immediately Russia blocked access to that website. You know why? Clearly some of their members are of strategic use to the Kremlin. And then I remember very early on in the Ukraine invasion, Conti came out and just said it. They just said, if there are any attacks on Russian infrastructure, we will respond in kind.

It gets back to your previous question and my comments on [00:33:00] attribution. Like, they can't use this cover of, oh, that's a cyber criminal group, when they're clearly so closely tied in with them. So I just point that out because I think it would give us the ability to respond to some of these very serious ransomware groups in an escalated way, versus a bumbling group of cyber criminals, when it's clear that they have some closer nexus to the state.

Blake: I remember Conti tried to roll that back so fast and nobody was buying it. They're like, you said it, it's out there. Cat's out of the bag. We, we know where you stand now, Conti. Sorry.

Nicole: Yes. Yes. Sorry. Sorry. Um, right. And then, you know, then, then there was the chapter where one of its Ukrainian members just, you know, doxed, uh, their colleagues in Russia. So, yeah, very interesting. Um, another win that we actually touched on as well is just awareness. You know, that boards are really talking about this. Even in this economy, they're [00:34:00] willing to continue to up budgets and do whatever it takes, um, to, to stop the next NotPetya attack from, from holding them hostage or, or destroying their data. I think, um, you know, the, where I now sit as an advisor to CISA, you know, CISA doesn't have regulatory authority.

You know, it's, it's, it's definitely not the, you know, it's not the IRS. It's not the FDA. Um, but I think they've done a really good job partnering with the private sector and bringing the private sector on voluntarily, and, you know, providing the private sector with kind of quantifiable metrics about where, how they stack up.

So their latest goal here, and, and this is gonna be a big focus for 2023, is what they're calling cybersecurity performance goals. You know, giving just boards the language to, to ask their CSO and their CIO and their CTO, you know, do we have this? You know, are we using cac? Are we getting penetration [00:35:00] tests?

Do we have multifactor authentication rolled out on the backend? How are we vetting our suppliers and contractors? You know, it, it's finally just giving them access to the right questions. And I think that really, you can't, that, that cannot be understated. Um, how important that will be when it comes to kind of improving our attack surface.

Blake: I'm gonna stop you before you can jinx it or say anybody. No, yes.

Quote Nicole: Things aren't as bad as I thought they would be. There we go. We're, we're, we're, we're set. Cybersecurity is solved. You heard it here first. Uh, no. Knock on wood.

Yeah, based on this conversation, I'm still gonna be looking over my shoulder a little bit going forward. And Nicole, thank you so much for coming on the podcast. I did have one final question for you before, uh, before we part ways here, which is, uh, what's something we wouldn't know about you by looking at your LinkedIn profile?

Nicole: Oh, okay. Well, my husband has a heli ski, Alaskan heli ski guide company, and so I do a lot of heli skiing. [00:36:00]

Blake: I'm sorry, jumping out of a helicopter in skis?

Nicole: Yes. I mean, you don't jump out. I wanna make that clear. Some people do in these videos. I don't. We safely land, I get out and I go, um, skiing. But yeah, it's like, I feel like there are a lot of people in cybersecurity who have these passions or hobbies, like George Kurtz at CrowdStrike does race car driving. You know, it's like people get their adrenaline rush in these totally other areas, and I always thought that someone should do a story about that.

Blake: Well that's, that's amazing to me, both as somebody from Florida and somebody without that cool of a hobby. Uh, I do have an Instagram for my cat. I don't know if that counts for something.

Nicole: Well, you could do, you know, spearfishing or...

Blake: Spearfishing, uh, see, why haven't I thought of this? Okay, well, thank you for the idea. Please be safe when you're hell... heli skiing.

I mean, that does sound like fun to be fair.

Nicole: Yes. Um, and just to give you a sense of how safe it is, I went when I was seven months pregnant with my 80-year-old dad. [00:37:00] So, you know, you can make it as dangerous or safe as you want, but highly recommend it.

Blake: I, um, I'll add it to the bucket list. Well, thanks again, Nicole.

Nicole: Thank you so much.