CSPAN2 After Words: Richard Clarke, The Fifth Domain (July 14, 2024)

Host: Let's dive right in. This is not your first book on cybersecurity. You coauthored Cyber War. Why follow up with this book now, and what has changed?

Guest: Thank you for reading the book, and you may find some of your work and some of your great reporting referenced in the book, all appropriately footnoted. Ten years ago we wrote a book called Cyber War, and we said things then that militaries were going to become dominant and threaten the landscape of cyberspace, and militaries will attack each other in cyberwar. We said infrastructure would become part of the target set and there could be large damage and destruction, not just spewing information, and at the time we were criticized. There was a great review in Wired that said it was fiction. At one level we decided to write this book to say back: now, we were right. But we also wanted to say what has changed in 10 years, and while we were right about some things we were wrong about others. Yes, the militaries have become the dominant threat actors. If you look at the major attacks in the last three years, they involved the military: the Iranian, Russian military, American. If you look at the targets, the infrastructure: just last month the United States more or less admitted they penetrated the Russian electric power grid after claiming they had done it to us, so infrastructure is a target. It's not just spewing information. The largest destructive attack we had so far, over 10 billion worth of damage. It wiped out.

Host: We were right about all that; what were we wrong about? And what you said 10 years ago is what everybody said 10 years ago. We were talking to the major privilege the other day and he said, you know, you can have all the defenses in the world, but if the Mossad is coming for you, you are screwed. You say in the book that the major difference in the landscape right now from 10 years ago is there are corporations, big corporations, but there are corporations in America and they are pretty secure.
Guest: Are they invulnerable to attacks? No, but they are resilient to it. Can someone penetrate their effort? Not sure, because there's no perimeter anymore, but can they do damage to those companies? And the answer is no. If you look at that attack, there was a long list of American companies that were in the Ukraine that had their networks in the U.S. But there's also a list of companies that were Ukrainian that but didn't. Then you try to ask, what's the difference? What makes a company able to be resilient and defend itself while others don't? There are lots of answers to that question, one of which, the predominant determinant answer, is money. How much have they spent? I know it's a gross metric, but if they are spending 3 percent of their IT budget on cybersecurity, which is kind of normal for a lot of companies, they are going to get hacked and they are going to get hurt. If they are spending eight, nine, 10 on the high side, because companies are spending 17, but if you are in at eight, nine, 10 percent of that IT budget on the security products and services year after year after year, you can achieve a lot of security given today's technology, as the defensive technology has evolved a lot.

Host: You mentioned the cofounder and CEO of krause and the ypf for their firm. In Europe look you actually discuss sorted and out for some he had back in the day. There were two kinds: those were hacked into and those that were hacked into, and noted he and others believe there are three companies, those two and those that are essentially successfully repelling the attack, as you said. He mentioned money is a key factor. Is that? Are there other factors?

Guest: Money buys good products. CrowdStrike is a great one, but there are many others, and what we saw, if you go back to 1997, when you wanted to defend your network in 1997 you could buy all three.
You could buy a firewall, which wasn't very good, an antivirus system, which wasn't very good, and in 1997 there was a third product you could buy, which was an intrusion detection system, so you could have a blinking light that would go off all the time if someone was trying to get in. If you wanted to spend more money, you couldn't. We interviewed people from major Wall Street banks that are running networks with 50, 60, 70 different IT security products from almost as many vendors, the really difficult task of integrating all of that. If you look at some like JPMorgan, they are spending six, 700 billion a year, million dollars a year. A million dollars a year trying to do IT security. You have thousands of IT security people running that network. So they can buy a lot of products. The products evolve and they have become very specialized. When there's a new threat, a product comes out pretty quickly after the threat does. You have to constantly be buying and constantly be updating, but the other thing that has changed, and I know this sounds wonky, is governance. It used to be the IT security person was way down in the organization of the hierarchy and reporting to the deputy CIO and maybe not even to the CIO. Maybe to the deputy CIO. He never saw the people running the company. Now you go to a quarterly board meeting of a major company and on the agenda every quarter there's a report from the chief information security officer, and she is in the room and she is briefing on metrics and showing what has happened since the last quarter and showing what the risks are and what has to be done. And that is part and parcel now of a board meeting. The CISO, the chief information security officer, is now reporting way up on the food chain, and in the really good companies, reporting to the CEO. We talk about a company in the book. They don't like us to use their name, because no one wants them to target them, but they were in the Ukraine and they got hacked, but no damage was done.
It just so happens the chief information security officer reports to the chairman of the board, right over everybody else, and when he wants money he can have a budget. When he has a problem where someone is denying him what he needs, he talks to the chairman of the board. That's unusual, but it's also an example of a company that's really insecure.

Host: I've read a lot of stories about bad things happening, a company getting hacked, infrastructure getting hacked, Russia doing very bad things, and I'm not sure I share all the optimism, but maybe it's just that exposure to bad things happening. I'm curious, as you have seen this growth of the private sector governance, money and so on and so forth, is it not true the adversaries are shutting down power grids and so forth?

Guest: The threat actors are very sophisticated, and the chapter was about machine learning and artificial intelligence, and as you know, you go to all the cybersecurity conferences. Every company now is advertising machine learning in the cloud. It's all buzzwords. Very few of them actually have anything that is really sophisticated machine learning. It turns out the adversarial AI, the adversarial artificial intelligence, is the same thing, and I think right now it's used by government, but it has been used by the government. We talk in the book about one time the United States government showed itself. A few years ago at the hacker convention blackout, where the Pentagon's research arm spoke to the competition among universities for adversarial AI, where they had, I think it was, five large devices onstage, and at the signal they all turned on. For the next couple of hours there was no human intervention, and all of these artificial intelligence programs attacked the target, a very well defended target, and they had to mount the target, figure out how to get in, how to get around the defenses, how to get in and capture the flag, and then how to get out.
It turns out if you are trying to steal information, getting in is only half the problem. And they did it. They got through very sophisticated targets with no human in the loop. I think that's happening now, and it means the response time that you have to defend the network gets down to minutes, not days or hours.

Host: Another metaphor you mention in the book is the one of glass houses, and this is about offense and defense that you're mentioning, leveling the playing field. One of the things that you say is the United States is as sharp as any country in the world and we live in the glassiest house. What do you mean by that?

Guest: In the last book we used a different phrase, which was people who live in glass houses shouldn't throw code. We are really good on the offense. I know the NSA and the CIA get bad reviews from time to time for not defending, and their attack tools get stolen, but the attack tools stolen are several years old, and at any given time the tools that they are using are really good. If you are being attacked by the United States government, you aren't going to know it. They are very stealthy.

Host: There's a lot of tendency in the government, and both Rob and I served in the White House on cyber jobs. There's a tendency in the government to say, we are really good. We can just go on the offensive, deter the other guy, and very little attention, insufficient attention, is paid to the fact that there are key parts of our infrastructure and our government that are really easy to attack and really easy to destroy or to disrupt. The good news we talk about in the book is the major corporations. The bad news is the government and the military are quite, and therefore we do see our own cyber weapons being stolen and used against us.
We do see the Defense Science Board, the Government Accountability Office, year after year issuing reports that very expensive and very sophisticated technological weapon systems are easily hacked, and the list of those weapons systems the GAO and the Defense Science Board have talked about is staggering: the F-35, the Freedom class naval combat and the Patriot antimissile systems. It goes on and on, and we paint a picture that someday, if the United States has to go to war against a sophisticated cyber opponent, we may trot all the shiny objects out on the battlefield and they will be hacked.

Host: I want to get to war and escalation in a moment, but we will table that for now. Another theme in the book you grapple with a lot is the dynamic of the government and the private sector, who ultimately should be responsible for national defense and national cybersecurity, and you and your coauthor ultimately come down on the side that the private sector should be first and foremost dealing with it, with support, nudges, from the government instead of the government taking over. Is it just because of what you just mentioned, that they can secure their own networks and so forth, or are there more reasons why?

Guest: That would be a good place to start. Why should you be defending other people if you can't defend yourself? There is a belief among some CEOs and some corporate boards to say, you want me to spend all this money defending against the Russian military or the Chinese military? I thought we had the Defense Department to protect us against foreign militaries. I thought I pay taxes for that. A lot of these corporations don't pay taxes, but that's another story, and they kind of think, well, we should just have Cyber Command defend U.S. Steel or defend Wells Fargo Bank. You can talk to the banks and say, do you really want to hand over your defense to Cyber Command? They are horrified at the thought. They don't want the U.S. government running around in their network. The U.S. government doesn't know how to run a bank network; it's a very complicated thing and there's nothing in the government like it. They don't know how to run a power grid, how to secure a power grid. They don't have the expertise. Expertise is in short supply. People are in short supply. We think this panacea of let's just have Cyber Command is a pipe dream. Individual companies have to defend themselves. They can get help. They can outsource. There are managed security service companies that will come in and run the security of your network if you can't do it yourself. If you put your network in the cloud, Amazon is going to do a pretty good job securing it, and then you can layer your security over that or have a security provider do that. What we think the government should do is set a level playing field by having smart regulation. That doesn't mean the kind of regulation that says this group has to be a quarter of an inch and turn to the right three times, but smart regulation that says this is the goal. California got a lot of criticism for passing legislation that says the internet of things must be secured. They didn't say much more than that. We need a standard. Well, yeah, but it's also a pretty good start, saying you have a legal obligation. If you're putting a device on the internet that runs something like a heart-lung machine or an IV drip machine or a power grid, you need to secure it. You figure out how to do that and come up with industry standards that are realistic, and if they are not good enough, then the government can look at the standards and say, well, you know, we don't think that's enough, which has happened with the power grid. The industry did get together and came up with their own regulations. Now the government is saying, I think you need to do more.

Host: The demographics on the title of your book, the concept you mentioned earlier about cyber attacks starting a war, and we see things like this about elections and the power grid. There are worries about planes being hacked.
Given that the risks are that high, why not just throw our hands up and give the Pentagon 100 million to dedicate to a security system?

Guest: They don't know how, and the knowledge of, God, how the security varies in a private network is in the hands of the network. I've done a lot of work in the aviation industry, and what strikes me about the aviation industry is probably a metaphor for other industries. Individual airlines, some of them are pretty good. Product, despite what's happened, the products are pretty good. The engines are great. The aircraft is different, generally great for cybersecurity, and then there is this whole lower level of the supply chain, of companies you have never heard of, that all the airlines use or all the airports use to provide an infrastructure plan. They are not regulated and most of them are not secure, and if you take down this no-name company that no one has ever heard of, all of a sudden all the flight controls, those little iPads with a plan on them, don't work, and all the kiosks in the airports that give you your ticket don't work. What the government can do, I think, is say there are requirements not only to secure your own product and secure your network, but to secure your own ecosystem, to identify the supply chain, to identify the future dependency, and to have an industry work together to ensure that the entire industry is secured.

Host: To be clear, you say in the book the government does have a role to play, whether nudging it in the right direction or information sharing. You set up the first information sharing center when you were in government. It's sometimes a lesson lost, one I guess. With that, I'm curious how you think the Trump administration is currently doing on cybersecurity. I guess I will start with working with private industry and helping secure, on the defensive side, our infrastructure.
Guest: They are the first administration in a long time to write a national strategy, and as a guy who has written two of them, the national strategy of the Trump administration is pretty good. I'd give it a B. I think it's disconnected from what the government is doing, a better size than the problem. It's fine that there's a strategy, but you have to have a governmental mechanism to implement the strategy, and the Trump administration has done that for odd reasons, disassembling the parts of the government that we need. We used to have a senior person in the government, and said that person is in charge of cybersecurity policy and implementation. We don't have that anymore. Early in the administration they had a great guy named Rob Joyce. He used to work for NSA, still does. He was there in the White House with everyone in the industry. Everyone. That's good, and then John Bolton came and fired him. He didn't replace him at the White House. At the State Department we had a small team, too small, but nonetheless we had a team worrying about international norms and perhaps arms control negotiations. We really need cyber norms and international norms and control. So on paper the strategy looks good. There is little reaction going on to implement it. In terms of regulation the Trump Adminis
