CSPAN2 After Words Richard Clarke The Fifth Domain July 14, 2024

Militaries would attack each other in cyber war, we said; infrastructure will become part of the target set, and there can be large damage and destruction, not just information damage. At the time we were criticized in a review that said, file under fiction. So I think at one point Rob and I decided to write the book that we were right, but we also wanted to say what has changed in the ten years, and while we were right about some things, we were wrong about others. Yes, the militaries have become the dominant threat, and if you look at the major attacks in the last three years, they are all the military: Iran, North Korea, Chinese, Russia, America. If you look at the target, they are going after infrastructure, and just last month the United States more or less admitted they penetrated the power grid, claiming they had done it to us. It is destruction: if you look at the attack, the largest destructive attack, over 10 billion worth of damage, it wiped out networks, not just attacked them to steal. We write about all that. Where we were wrong: we said ten years ago you cannot defend yourself. He said, you can have all the defenses in the world, but if the Mossad is coming for you, you are screwed. What we say in the book about the difference in the landscape right now from ten years ago is there are corporations, big corporations in America, that are pretty secure. Are they invulnerable to the attacks? No, but they're resilient. Can someone penetrate their network? I'm not sure, because there's no perimeter. But can they do real damage to those companies? The answer is no. If you look at that, there's a long list of American companies that were in Ukraine that had their networks in the U.S. destroyed. But there is also a list of companies in Ukraine that did not. So we tried to ask, what is the difference, what makes a company able to be resilient and defend itself while others do not? There are lots of answers to the question, one of which, the predominant one, is money.
How much do they spend? I know it's a gross metric, but if they are spending 3 percent of their IT budget on cybersecurity, which is kind of normal for a lot of companies, they will get attacked and hurt. And if they are spending eight, nine, 10 percent, on the high side we saw companies spending 17 percent. If you're in the eight, nine, 10 percent of the IT budget on security products and services, year after year after year, you can achieve a lot of security, given today's technology, which has evolved a lot.

You mentioned the cofounder of CrowdStrike. In the book you discussed that back in the day there were two kinds of companies: those that were hacked and those that did not know it. He and others believe there are three kinds of companies, those two in addition to those that are essentially successful in repelling the attackers. Money is a key factor; are there other factors? What else has let us create the third class?

Money buys good product, and there are good products. And what we saw: I started in this business in 1987, and when you wanted to defend your network you could buy one of three products. You could buy firewalls, which were not very good; you could buy an antivirus system, which was not very good; and in 1997 there was the third product that you could buy, which was an intrusion protection system, so you could have a blinking light that would go off all the time. If you wanted to spend more money, you really could not. He interviewed people from major Wall Street banks that were running networks with 50, 60, 70 different IT security products, with almost as many vendors, so they have the really difficult task of integrating all that. But if you look at J.P. Morgan, they're spending six, 700 billion a year, 600 or 700 million a year, trying to do IT security, and have thousands of IT security people running the network. So they can buy a lot of products. The products have evolved and become specialized; when there's a new threat, a product comes out pretty quickly after the threat.
You have to constantly be buying and updating. The thing that has changed, and I know this sounds wonky, is governance. It used to be the IT security person was way down in the hierarchy, reporting to the deputy CIO, maybe not even to the CIO, never to the people running the company. Now you go to a board meeting of a major company and on the agenda every quarter is a report from the chief information security officer, and she is in the room and she is briefing on metrics and showing what has happened since the last quarterly meeting, and showing what the risks are and what has to be done. That is just one thing, the board meeting. In the C-suite also, the chief information security officer is reporting way up the food chain; in the real big companies, reporting to the CEO. We talk about a company in the book; they do not like to use their name, because nobody wants to be a target. But they were in Ukraine and got hacked and no damage was done, and it just so happens that the chief information security officer reports to the chairman of the board, way over everybody else, and when he wants money, he did not have a budget, when he has a problem, that somebody's denying him what he needs, he talks to the chairman of the board. That is an unusual example of a company that is really secure.

I read a lot of stories about bad things happening, people getting hacked, and people doing very bad things. I'm not sure I share all the optimism, but maybe that's the exposure to the bad things happening. So I'm curious, as you've seen the growth in the private sector of governance, investment, support, is it not also true that the attackers are getting better at what they are doing?

The actors are very sophisticated. There's a chapter in the book about machine learning and artificial intelligence. And as you know, you go to the cybersecurity conferences, every company is advertising machine learning and the cloud.
Very few actually have anything that's really sophisticated machine learning. But it turns out the adversarial AI, adversarial artificial intelligence, is the same thing. And I think right now it's only being used by governments, but it is being used by governments, and we talk about when the United States government showed itself a little. A few years ago at the hacker convention, the Pentagon research sponsor ran a competition among universities for adversarial AI, where they had five large devices on stage, and at the signal the humans walked away, and for the next couple of hours there was no human intervention and all the artificial intelligence programs attacked the target. It was a very well defended target, and they had to map it, figure out how to get in and how to get around and how to get the flag and capture the flag and how to get it out, because if you're trying to steal information, getting in and getting out, they got through very sophisticated defenses with no human in the loop. I think that is happening now. And it means the response time that you have to defend the network gets down to minutes, not days or hours.

Another metaphor is the glass house; this is the offense and defense, as you mentioned, in leveling the playing field. One of the things that you say is the United States has the sharpest stone of any country in the world. What do you mean by that?

We used a different phrase, which was people who live in glass houses should not throw rocks. We give off a lot of good information, and NSA and the CIA developing their own attack tools, and they get stolen and used by other people. But the tools that are stolen are several years old, and I think the tools they are using now are really good, and if you're being attacked by the United States government you will not know it. There is a lot of tendency in the government, on policy and jobs.
There is a lot for the government to say, we could just go on the offense and deter the other guy, and very little attention, or insufficient attention, paid to the fact that there are key parts of our infrastructure and our government that are really easy to attack and really easy to destroy and disrupt. The good news we talk about is some major corporations; the bad news is the government and the military are really not good at defense. And therefore we do see the weapons being stolen and used against us. We do see the Defense Science Board, the Government Accountability Office, year after year issuing reports that our very expensive and very sophisticated technological weapon systems are easily hacked, and the list of those the GAO has talked about is staggering: the F-35, the Freedom class naval combatant, the Patriot antimissile system. It goes on and on.

You come down on the side that the private sector should be dealing with that, with support from the government, and that the government taking over, as others advocate, would be a bad idea. Is that because of what you mentioned, because of networks and so forth, or are there more reasons why? That would be a good place to start.

If you can defend yourself, why defend other people? There is a tendency among CEOs and some corporate boards to say, you want me to spend all this money defending against the Russian military or the Chinese military? I thought we had the Defense Department to protect us against foreign militaries; I thought I pay taxes for that, which a lot of these corporations do not pay taxes, but that's a different story. And they think we should have Cyber Command defend U.S. Steel or the banks. But if you go and talk to the banks and say, do you really want to hand over your defense to Cyber Command, they are horrified at the thought. They don't want the U.S. government running around; the U.S. government does not know anything about banks. This is a very complicated thing. There is nothing in the government like it.
They're not running a bank; they don't have the expertise. Expertise is in short supply. Highly qualified people are in short supply. So we think the panacea of having Cyber Command defend us is not there; they'll have to defend themselves. They can get help, outsource security; there are many security companies that will come in and run the security of your network if you can't support it yourself. If you put your network in the cloud, Amazon will do a good job securing it, or many security providers will do that. What we think government should do is level the playing field for real by having smart regulation. That doesn't mean the regulation that exists, where the screw has been turned a quarter of an inch to the right three times. This is the goal. California had a lot of criticism last year for passing legislation which says devices must be secure; they do not say much more than that, and what does that mean? We need a standard. But it's also a pretty good start of saying you have a legal obligation in putting a device on the internet, whether that is an IV drip machine or the power grid. You figure out how to do that. And get the industry together and come up with standards that are realistic, and if they're not good enough, the government says that's not enough. Which can happen: the industry getting together and the government saying you need to do more.

On the title of your book, the fifth domain, defended by the government and the military, and the concept you mentioned earlier of cyber spiraling into kinetic war, and adversaries doing things like that: given that the risks are that high, why not give the Pentagon a few hundred billion dollars to get dedicated and take the lead on it?
The knowledge about how to secure a private network is really in the hands of the industry. You mentioned airplanes; I've done a lot of work with aviation, and what strikes me about aviation, which is probably a metaphor for other industries: individual airlines, some of them are pretty good; the producers of the 737 MAX are pretty damn good. The aircraft is generally great in terms of cybersecurity. There is a whole lower level in the supply chain, companies you never heard of, that all the airlines use and all the airports use to provide an infrastructure layer, and they are not regulated. Most of them are not secure, and if you take down this company that no one ever heard of, all the flight controls that the pilots have don't work, and all the kiosks in the airport where you get your tickets do not work. So what the government can do is say the requirement is to secure your own product and secure your own network and your own ecosystem, and to identify the supply chain and the interdependencies and have the industry work together so that the entire industry is secure.

And you say in the book the government has a role to play, whether nudging, information sharing; you helped set this up when you were in government, so it does have a role to play, but it's sort of a less blunt instrument. I'm curious how you think the Trump administration is currently doing on cybersecurity; I guess we will start with industry on the defense side.

The administration took a long time to write a national strategy. I have written two of them. The national strategy is pretty good. It's a lot from previous strategies; that's not the only reason it is pretty good.
It's disconnected from what the government is doing. To make that happen you have to have a governmental mechanism to implement the strategy, and the Trump administration has gone, for whatever reasons, disassembling parts of the government that we need. We used to have a senior person in the government, so you could say that person is in charge of cybersecurity policy; we don't have that anymore. Early in the administration they got a guy named Rob Joyce; he used to work for NSA and still does, and he was there in the White House, where everyone in the industry, with expertise, everyone thought that is good, and then John Bolton fired him. He did not replace him at the White House. At the State Department we have a small team, too small, worrying about international norms and arms control negotiation; someday we really need cyber norms and international norms. So on paper the strategy looks good, and very little is going on to implement it. And in terms of regulation, the Trump administration literally says any new regulation has to identify two regulations to abolish before you can have one new one. And I'm sure that's a scientific formula. They don't want regulation, and frankly neither do a lot of people in Congress. So they say no regulation, but the federal government does regulate cyber all the time. We list 12 different government agencies that have cyber regulations at the federal level. They're all inconsistent; they were never developed holistically. What we call for is a clean slate on the federal regulation: let's have all the regulators come together and together figure out an architecture that makes sense. In different industries you can have different feature sets, but you should only have differences that were intentionally made, not that we stumbled into.
In addition to the corporate level trying to figure out what regulation it has to worry about, and the inconsistency, then you have regulation at the state level, and the reason you have great regulations coming out of New York and some out of California, the reason for those at the state level, is because the federal government isn't doing it.

Let's get back to Bolton. His defenders argue that they did not push him from his position.

But you are right. Once he left, the position was eliminated. So there is no coordinator at the White House. But I think both of his critics say he disrupted things at the White House with his impulses.

So one of those specific things, this will get a little wonky, but one of my favorite topics is President Trump signing memorandum 13. That effectively reversed a policy that was in place under the Obama administration that required an elaborate process any time Cyber Command wanted to use offensive cyber operations. Even though it's classified, from that memorandum the Pentagon is to have a much freer hand in cyber attacks. I'm curious, what do you think of that approach? Is that necessary to deal with Russia and others, and are you worried that that might lead to things spiraling out of control?

We talk about this in the book. Before Trump signed the national security memorandum, before that happened, the Congress did something that almost nobody noticed at the time: in the Defense Authorization bill, there is language slipped in that said preparation of the battlefield, which is a buzzword, preparation through cyber activity in peacetime, is considered normal military activity. And if you read that, you may not understand it at all. What that means is our military in peacetime can hack its way into foreign military command, control and communications, and plant bombs, so when we go to war we can push a button and that weapon will die or that network will die.
Because you cannot do that when the war starts; you have to have done that way in advance, which takes weeks and sometimes months of work, and you have to keep it updated. Our military was not doing that. That is a secret which we revealed in the book: that despite the fact that they thought Cyber Command was running around and hacking its way into things, it was not. It was not hacking its way into foreign military networks, because the Obama administration really did put in very serious steps they had to go through to get the approval, because they thought they were lied to; they were told no one will ever know it was us, and the Iranians