Let's dive right in that this is not your first book on cybersecurity also you worked with your coauthor ten years ago called Cyberwar. And that with some of your great reporting but that as appropriate footnotes. We wrote Cyberwar and we said things then that militaries would become dominant in cyberscape in the landscape and attack each other in cyberwar and infrastructure would be part of the target set. And not with that damage and destruction. And sell at one level I decided to write this book to say we were right. [laughter] But also what has changed in those ten years. And we were right about some things but we were wrong about others. Guests, the military has become the dominant threat factors looking at the major attacks in the last three years that were military. And if you look at the targets they are going after infrastructure just last month the United States were less said we penetrated the power grid. And then just to attack them. And what was wrong as everybody ten did years ago and that you can have all the differences in the world but if the massage comes from you you are screwed. And the major difference in the landscape right now from ten years ago there are corporations that are in America that are pretty secure. Are they invulnerable? No. And I'm sure because there is no perimeter anymore but can they do damage to those quicksand the answer is no. That was a long list of American companies that were in the Ukraine that had their networks in the US destroyed. But there's also a list of companies in Ukraine that didn't and then to be resilient and defend itself. And there are some answers and one of which is money. It is a gross metric but if they are spending 3 percent of their IT budget on cybersecurity which is kind of normal for a lot of companies they will get hacked and hurt. At their spending eight or nine or 10 percent we found some spending 17 percent.
That is your IT budget on security year after year after year you can achieve a lot of security with today's technology. With a cofounder and CEO that said I fear for the firm but in the book actually said with those two types. And the now he and others those are successfully repelling that money is a key factor. That there are many others and if you go back, I started in this business in 1997 if you wanted to defend your network and with that antivirus system which was a very good and in 1997 and that was the intrusion detection system that only sets off a sum he tries to get in perk of you want to spend money you couldn't but we met people that were running networks with 50 or 60 or 70 different IT security products with almost as many vendors. But some are expanding six or 7 billion, million dollars per year trying to do IT security and thousands of IT security people running a network. So they can buy the products they are very specialized when there is a new product it comes out pretty quickly you have to constantly be buying and updating. The other thing that has changed is governance. It used to be the IT security person was way down in the organizational hierarchy. And reporting to the deputy CIO. Never saw the people running the company. Now there is a quarterly board meeting of a major company and on the agenda is a report from the chief officer reporting and metrics and showing what's happening at the quarterly meeting and the risks and what has to be done. That is just part and parcel now of the board meeting. And that CISO is now way up on the food chain and now reporting to the CEO. In the book they don't like to use their name because nobody wants to be a target but they were in the Ukraine and they were hacked. No damage was done. But it just so happened the chief information security officer was chairman of the board and one he wants many he doesn't have a budget he just spends.
If there is a problem where somebody denies him what he needs now that is unusual but also a company that is really secure. I wrote a lot of stories about bad things happening and companies getting hacked and doing very bad things and I'm not sure I share all the optimism that may be the exposure to the bad things. So as you see the growth in the private sector, is it not also true that they are shutting down power grids? The actors are very sophisticated. And talk about machine learning in artificial intelligence and very few of them have anything but it turns out the adversarial AI is a thing. And I think right now it's only being used by governments. It is. We talk in the book about the United States government showing itself over a few years ago and then to sponsor a competition among the universities for adversarial AI where they have five large devices on stage. And at the signal they all turned on and then for the next couple of hours all of these artificial intelligence programs they have to map the target to figure out how to get in, how to get the flag and capture the flag and then how to get out if you're trying to steal information getting in is only half the problem. And they have some very sophisticated defenses that no human in the world and that response time is down two minutes. And then when you mention in the book and the United States has the sharpest stone but we live in the classiest house. We use a different phrase. People in glass houses should not throw code. And as a nation but they are stolen and then used by the attack tools that are stolen or seven years old but if you are being attacked you will not know what they are very stealthy.
And if we are really good we can just go on the offense and deter the other guy and very little attention paid to the fact the key parts of the infrastructure and government that are really easy to attack and to destroy and disrupt and with those major corporations but the bad news is that government in the military is really bad at defense. And then the cyberweapons to be stolen and used against us. And the GAO and year after year issuing reports that are very expensive, very sophisticated technological weapon systems and the list of those weapon systems with GAO but if the United States has to go to war against a sophisticated cyberopponent we could put all of these shiny objects onto the battlefield and it won't hurt because they had about work because they have been hacked. Host: Getting to war and escalation but another theme of the book but also whose those should be response of national cybersecurity. And then the government taking over and that is a bad idea. Is that just because of what you just mentioned or is there more reasons why? Work that's a good place to start. So why should you be defending other people? There is a tendency among some CEOs frankly in some corporate boards you want me to spend all this money to defend against the Russian or Chinese military? I that we had the Defense Department to protect us. I thought I pay taxes for that. A lot of these corporations don't pay taxes but that is another story. And they think just to defend US Steel or Wells Fargo, how does he talked to the bank and say hand over your defense to cybercommand. They don't want the US government running around. They don't know anything about that it is very complicated and there's nothing in the government like it it is in the power grid they don't have the expertise. Expertise is in short supply people who are qualified are in short supply. So this panacea is a pipe dream. Individual companies have to become themselves.
They can get help and they can outsource security and the security of your network if you cannot do it yourself. Amazon will do a pretty good job to layer your own security or have manage security provided. But to set a level playing field and have smart regulation. To have a regulation that says this is the goal. California got a lot of criticism last year to pass legislation that the devices must be secure. It's much more than that. What does that mean? We need a standard. But is also a pretty good start. You have a legal obligation. You cannot put a device on the internet like a heart lung machine or IV drip machine. You have to secure it. You figure out how to do that. And get the industry to gather to come up with industry standards. And if that's not good enough then the government can look at those and say that's not enough. Which has happened the industry did get together with the regulations and now the government says you have to do more. The title of your book is the fifth to mean the other for our airland to see in space traditionally defended by the government and the military. So the concept you mentioned earlier, then to take down the power grids? And with those cyberattacks even of the risks are not that high and with a few hundred billion dollars. The knowledge how to expand really is in the hands of industry. I have done a lot of work with the aviation industry. And what strikes me is it's a metaphor for other industries. Look at the airline some of them are pretty good but like the 737 c max the engines are great the aircraft is great in terms of cybersecurity but there is a whole lower level in the supply chain of companies that all the airlines use are all the airports use of the infrastructure layer that are not regulated and if it's a company nobody has heard of with those flight controls that the pilots have with their little i plan on i had with the flight plan don't work now all over the kiosk in the airport.
So what the government can do is say the requirements of the security of our own product or the security of the ecosystem to identify the supply chain or the interdependency and to have an industry work together that the entire industry is together. And government does have a role to play. Whether information sharing and it does have a role to play. And to that and I'm curious how you think the Trump Administration is doing in cybersecurity. So we will start to help secure on the defensive side our critical infrastructure. This is the first administration in a long time to write a national strategy. I have written two of them. National strategy is pretty good. I would give it a B. But it is pretty good. I think it's disconnected from what the government is doing and that has always been the problem but to find a strategy you have to have a governmental mechanism to implement the strategy. And the Trump Administration has gone about four odd reasons disassembling parts of the government that we need. Reese to have a senior person and that person is in charge of cybersecurity policy. We don't have that anymore. And early in the administration a guy who used to work for NSA was there in the White House everybody thought that was good then John Bolton fired him. But he did not replace him at the White House. At the State Department we have a small team worrying about the national norms and arms control negotiations if we have cybernorms or international norms of arms control. So on paper the strategy looks good even though there's very little going on to implement and in terms of regulation the Trump Administration literally says any new regulation has to identify two regulations to be abolished before you can have new one. I am sure that is at odds with the formula but the regulation and frankly to a lot of people in congress. So they say no regulations but the federal government does regulation in cyber all the time.
Twelve different government agencies have cyberregulations at the federal level. There always consistent and never developed and what we call four is a clean slate on federal regulation and to figure out the architecture that makes sense and if there are differences and differences that we intentionally made. Because in addition to what they have to worry about if they are inconsistent the reason you have a great regulation coming out of New York and some out of California because the federal government is not doing it. Talking about Ambassador Bolton. I stayed for ten years. So there is no cybersecurity coordinator at the White House but both of his critics disrupted things at the White House so we'll get some wonky here but President Trump National Security strategy that rescinded and reverse policy that had an elaborate process that cybercommand wanted to use and from what we understand from the memorandum. And also a cyberattacks. So just what you think of that approach is that necessary and are you aware that could lead to things spiraling out of control. Before he signed the National Security memo, before that happened in the Senate on in the end to defend the authorization bill that said for preparation of the battlefield which is a buzzword through cyberactivity in peacetime is considered normal military activity. And if you read that what that means is that our military and peace time with foreign communications. So when we go to war, we can push a button because you cannot do that when the war starts. We have to do that way in advance it takes weeks or months and you have to keep updating. That's a secret which we revealed in the book despite the fact of cybercommand running around but it wasn't hacking its way is the foreign military networks because it wasn't authorized or the Obama Administration implemented a very serious steps that you have to go through to get approval.
Because they thought they were lied to and the Iranians for years and from the people of Europe it did leave the building and with that network connection but that's another story for call but it did and other people caught it but its only the way it was written it was nearly destroyed. But other people caught it so they said that will not work that didn't do as much damage as you told me it would do we are the first nation state to be seen engaged in that cyberwar we will make it very hard to do that again. But the pendulum is over here are over here so the administration really makes it difficult for the battlefield for the CIA and then normally with Trump way over here to devour that power and I think excessively to free president s on with the president in the White House when they have authority to go do something but the president gets blamed the president has a right and an obligation to have oversight. And he has to and excessive degree. But the counterpoint those critics would say maybe you are right the first White House should act but do you agree with that? That is a tough one because otherwise the White House to be doing a good job of that right now. Host: Talk about the White House scenarios between the United States and in the book you have a vivid scenario with hostilities between Israel and Iran for the United States to become involved and in this scenario you describe is seen in the situation room that the assistance has been blocked and the scene ends with the president turning to the secretary of defense to say do it. Do you think that is a scenario that is truly possible? Is at a remark on this White House or any White House? It is a short piece of fiction in the book and I think it is realistic. Add to that piece of fiction we take it apart and analyze it this captioned in the fictional scenario and then deconstruct that. So yes it could happen. In fact it almost did.
Three weeks before the book came out the United States did a cyberattack on Iran my coauthor and I said now the scenario will take place before the book is out. I think it could. What we see is the scenario is Israel gets attacked. In fact it has been bombing Iranian facilities in Syria in the real world. And they will not take it anymore and they will launch an attack back and if they use their friends Hezbollah and Hamas all of the rockets in the missiles that they have come it could overwhelm the Israeli differences there is a gray antimissile system and it does that numbers cannot overwhelm things like that. So in that scenario they turn to the United States like they did in the 73 war and say quick. Sent us these things. Then in 1973 the United States with Richard Nixon actually did launch an immediate outreach and sent his real arms that went straight from the airport and straight into battle. That change the tide and they won the 73 war. We couldn't nod if we have an enemy like Russia or somebody who wants to attack the logistics system. So to do that the power plans have to do that so even with the military that the military relies on you can stop the resupply. Talking about the apocalyptic war and the Middle East but there's much I want to get to. And for the internet that we fully endorse and the likely time to have a new approach. So why do you not believe that to be global anymore? That basically but that is the name of the agreement of the countries most of those in the EU. That eliminated internal borders but what we are suggesting is how that might happen in cyberspace if you're going to have countries like Russia or Iran or North Korea or China with cybersecurity and the left cooperating in the investigation with criminals attacking us but if it is the government as in the case of North Korea for us to say you cannot play in our yard. Maybe we say this is a protected garden of likeminded nations that help each other.
That do prosecute cybercrime and share information and security standards and agree on the seven international laws. And if you are not part of that or agree on those norms or implement them, then you don't get to play. Something that we did back in the