ETHICS VILLAGE - Nations and Nationalism and Cyber Security


Formal Metadata

Title: ETHICS VILLAGE - Nations and Nationalism and Cyber Security
Number of Parts: 322
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract: When talent comes from intelligence agencies, what masters do we serve, who takes priority, and how can companies ensure providers are supporting their interests above past masters? And how have companies muddied the waters so that these questions are relevant in the first place? Some exploration of conflicting duties and possible responses.
Transcript: English (auto-generated)
Everyone, thanks for all for coming. And here is Joe Slowik. Welcome to our second Ethics Village talk and yeah. Good afternoon, everyone. Hope everyone's having a good DEFCON so far. Thank you everyone for showing up. Nice packed room, which is always a good sign. My name is Joe Slowik. And today we're going to talk about something I wittily named
nations, nationalism, and cybersecurity. Network security actually might have been better from an alliterator standpoint, but I stuck with cybersecurity for this one because cyber. First a warning as we go into this, as I thought about this subject, actually just to back up one, if you need to get in contact with me, that's actually a very easy way to do
that. So Twitter is infosec life. But as we move into things, first a warning, I'm going to mention some security companies. It's not that I'm necessarily calling out specific companies as being unethical or doing something wrong, but rather as good examples of where we might have certain dilemmas in terms of duties and responsibilities within the security
space. So there's no claim of wrongdoing, but at the same time, perception equals reality. When you start seeing things mentioned in the press or public statements, it certainly casts certain impressions in terms of how we operate as an industry. So I think everyone's familiar with this story at this point, as far as Kaspersky and their trials and tribulations with the US government and the Dutch government and maybe the European
Union, that Kaspersky is just an arm of the Russian government and therefore cannot be trusted in sensitive networks. That's fairly clear cut. I mean, certainly the legal regime surrounding where Kaspersky is domiciled makes them into a fairly sticky situation, resulting in their announcement that they will move some indeterminate amount of operations to
Switzerland in the near future. Whether that actually solves the problem or not is probably not the case, but at least they're cognizant that there is a concern there and they're trying to address it. But a little closer to home, some of you may remember or may not remember because this didn't seem like it received all that much attention. At the closing day of RSA last year, you had former NSA Director General Keith Alexander on stage
with Nadav Zafir, who is former head of Israel's Unit 8200, their NSA-like equivalent or at least for hacking and such purposes, sharing a stage together, talking about what we need to do from a cybersecurity perspective. That's really weird. I thought it was really
weird at least. And what made it even more weird was when you look at what these guys are up to these days, Zafir runs something called Team 8, which is a sort of catch-all technical investment venture capital-ish organization that really seems to spend a lot of money in helping former 8200 companies kind of get started up. And then Mr. Alexander started something called
Ironnet Cybersecurity, and there are some controversies around some of the initial talent collection from the National Security Agency and potentially some intellectual property items there, but certainly very much people with former state-sponsored or state-directed signals intelligence and information security, information warfare, leadership roles, moving
into private industry into some fairly high-profile roles. But what really led to me doing this talk was a little after this happened, you had Kevin Mandia at a FireEye event in D.C. that was for the U.S. government community going on stage and making some very
curious comments. Again, I'm not trying to say that FireEye bad, others good or something. You get that Flash movie from like 2000 Good On You. But, you know, really looking at this from the perspective of like, OK, when you look at some of the statements that were made publicly and unprompted, it was just really freaking weird. So among other things, you
know, before putting out a public intelligence report, FireEye will typically tip off intelligence officials from the Five Eyes Alliance about the release. OK. Data sharing, that's kind of cool. Yeah, but then especially in light of the alleged Joint Special Operations Command operation, which Kaspersky labeled a malware slingshot,
you know, there were also some comments of like, you know, we'll play friendly with the home team. We won't out publicly this sort of malware and some other just comments that made it really interesting, like, well, where do loyalties really lie? Because if you go back in time a little bit and look at some things that have been publicly released, you know, put yourself in the shoes of, say, Belgium. It's not Belgium anymore. They've
been like subsumed under a greater conglomerate, I believe. But they were the victims of a hacking operation that was ostensibly for counterterrorism operations. But alleged nation state linked activity, the NSA broke into our GCHQ, one or the other broke into
the network in order to start monitoring and capturing communications ostensibly related to counterterrorism. Counterterrorism is not a bad thing. You know, from an ethical standpoint, that seems like a worthy goal. But from Belgium's standpoint, pretty sure they wanted anyone and everyone who was trying to break into the networks to get out of there, whether the reasons were chivalrous or otherwise. And so when you start getting into situations like this, it's a question for those who you're
investing or entrusting the security of your network, you know, where do their necessary boundaries or values lie? So we've done some headlines. Why are we here? So I haven't done an introduction yet. And that's intentional. I figured we'd start with,
you know, what's going on. And then we'll talk about me because me has a lot to do with why I think about this way too much. So my story is I was actually a philosophy graduate student once upon a time. I ended up quitting at the University of Chicago back at like 2005. I escaped with a terminal master's degree. I spent my time mostly doing the ontological ethics, like post-county and sort of work in that
field and a little bit of logic stuff and whatnot. It's been a few years. My German sucks now. I found that out to my chagrin when I went to Troopers in Heidelberg this past year. But nonetheless, that's kind of my foundational background. Like I think about this crap a lot in ways that are been sharpened by some formal training and work. But like I said, I dropped out
and then I ended up in a cube farm because you got to do something in order to pay the bills. Cube farm was boring. So I joined the Navy. So did that, you know, thinking that I wanted to do cool stuff, but then they put me back in a cube farm because I had done, I had done computer stuff in the other cube farm. So then I did some other stuff. I made a drug deal and ended up going to
Afghanistan with some people who do interesting things and wear fancy uniforms like that one. You know, that ended up finishing up and I continued doing government service. So then I ran incident response operations at Los Alamos National Laboratory for a few years after I got out. So continued government service. And then I joined a vendor, dirty vendor, you know,
Dragos company I work for right now. I do threat intelligence work there. You know, we have some very interesting taglines. Superheroes don't do infrastructure. It's why we're here. That's very humble, I guess, you know, company mission safeguarding civilization. It's like, all right, interesting. You know, like you're coming from this background, like, wait, so are you a Fed?
Now, full disclosure, I do still hold certain credentials with the Department of Energy. I'm a guest scientist, which coming from an almost exclusive humanities background for most of my education, I find to be absolutely hilarious. But, you know, so there is a potential conflict on my end. Like, you know, I like to phrase it that I'm willing to help any and anyone
out in order to solve the problems of defense and want nothing whatsoever to do with offense. But that same sort of thing that we were talking about with Mr. Mandia and his company and some other entities like, so Joe, where do your loyalties lie? Well, the main thing is, is that am I a Fed? No, they don't pay me any money, among other things. And I'm happy to collaborate with them, but I don't work for them. But it's really
touching trying to phrase that in a way to get others to really trust you and accept that what you're doing is above board, so to speak. Because again, as I mentioned at the start of this, you know, for better ill perception equals reality. For example, if you look at this map, you'll see that the lovely Drago's headquarters is located up here in Hanover, Maryland, just off of Dorsey Road, which is about, if there's no
traffic, which there's never no traffic, you can do this in about five minutes to get to the main entrance to Fort Meade. So that almost screams like, oh, you guys are an NSA spin off. And if you look at the resume for the people that work for the company, like, yeah, there's a lot of people who have backgrounds in the intelligence community. So again, perception equals reality. Can you
really come up here and tell us or whatever, like, oh, ethical quandaries and conflict of duties? Where do you stand? It's like, yeah, it's a really touchy subject. Because, again, this perception is a hard thing to fight off against, especially if you're trying to tell someone who is running, say, electric power operations in Saudi Arabia, or, you know, oil and gas operations in Russia. From an infrastructure perspective, as an
ICS security company, I don't want an oil and gas plant in Russia exploding. That's not cool. I don't think anyone should be in civilian power infrastructure in Iran. Iran might not be a very nice place to live in, but their people are just as nice and just as valuable as anyone else in my mind. And civilian power infrastructure, that's just not a place where anyone should be playing around. That's a separate argument we
could have offline over drinks somewhere in a less crowded section of the glorious place that is Caesars. But you know, the main thing is that we look at governments as, especially when you start getting into spaces like critical infrastructure, industrial control systems, and a lot of the really fancy sort of industrial espionage secret stealing. Who's running most of the offense? Governments. But
private companies, though, in a sort of weird way that this field has played out, are often the ones who are at the forefront of security. So I don't have that slide. Next, we'll get back to it. It's very strange that in an environment where you have things that are supposedly very vital towards the common good or public good that are
being attacked by ostensibly public entities or public serving entities, albeit for different countries. And then the ones who are entrusted with defending against them were at least doing the best job for defending against them. No offense to anyone here who works for DHS. That, you know, it's private companies that are motivated mostly by the profit motive. I think I'm a little bit different. But at
the end of the day, if Dragos doesn't make money, I don't have a job. The same goes for Kaspersky, FireEye, ESET, Symantec, etc. So furthermore, you know, when you look at who are the ones disclosing these breaches and sort of pushing the defensive line forward, like yes, DHS, German BSI, Japan cert, awesome people, Circlu, all released,
you know, pretty cool reports and whatnot. But a lot of the information driving this are releases by private security companies in the course of their business. So examples, we can go all the way back. Seems like it's weird saying all the way back to APT1, Stuxnet, Drink, Fancy Bear, Electrum, Charming Kitten, etc. You know, all state
sponsored sorts of cyber intrusion events, and all broadcast by private security companies, which also when you start looking at the private security companies in question, either have lots of sort of government intelligence community ties, or lots of intelligence and government style contracts. So examples of this, you know,
the re re re re release of this story of Russia's hacking the US power grid from last year, which was then made public again two weeks ago, and then made public again a week ago with the same story. You know, DHS certainly has taken the lead on a lot of the public reporting on that. Dragos has responded to some of that and Symantec really pushed that narrative forward a lot as well. But then you also have
stories like China hacking a Navy contractor, okay, getting caught by a private security company and pushing that information out in the wild, probably a little embarrassing that government might not want that information to have come out. And then I referenced this earlier, Kaspersky disclosing the JSOC operation that was extensively for counter terrorist purposes in the greater Middle East. So in looking at this, you know, we
have private companies involved in this space doing their thing, what are their incentives, you know, their incentives are theoretically shaped by clients and determined by markets, again, the end of the day, they want to make money, if you adopt the perspective, which is a very strange perspective to adopt that companies are citizens, or at least, you know, have some element of
personhood, you know, presumably, they have a right to continue existing or whatever, trying to make a living within this, you know, capabilities and limitations of what is right and what is wrong. But as part of that, and you start getting into the sort of organizational needs in order to continue operations, continue mindshare, build revenue and business growth, and what sort of compromises
and actions do you start to take? And so now you start getting into a potential conflict between those sort of, you know, private needs and those otherwise strategic or public requirements. So looking at those, how do these, you know, presumably, you know, you can argue, for example, that terrorists are bad, maybe killing them is wrong, but certainly making them not capable of terrorism is
probably a good thing, people would be better off. But in the course of doing this, like, okay, so slingshot is very, was very much a endpoint directed item, but they were midpoint sort of items that come into play to allow it to occur. So any of those innocent midpoints, it's not like the telco providers or the mobile device
providers or whatever, we're willingly assisting terrorists. But in the course of their being compromised, or otherwise their security circumvented, has the private security company done something wrong? Maybe not in this case, or whatever, but it starts getting a lot fuzzier as you get into different sorts of activity. Another consideration, and we're kind of jumping around a bit at this point. So I apologize for
that, you know, so we've talked about organizations talked about relationships of organizations to governments, let's talk about the actual people. So I've told you my story already. And you know, how I have a background that might make some suspicious of my intentions and where I'm coming from. But, you know, it's not like I'm the only one. Certainly the mass exodus of technical talent from the National Security Agency over the years has resulted in a great many
people throughout the greater DC and Southern Maryland area now working for various private companies. But that's certainly not the only one. I don't know if anyone here works for a security company, but has anyone been like 8200 before in terms of a presentation? So that's a term used or whatever for and the same goes for the NSA that yeah, our company we have all these x hackers from
Israel's Unit 8200 or from the NSA or CIA or whatnot. Companies and individuals, for that part, in terms of building up a resume really want to trumpet their connections to these sorts of communities as a means of instilling some sense of maybe not legitimacy, but certainly technical proficiency and technical talent. And it's not just us. You know,
you see the same sort of crossover. Just look at Mr. Kaspersky, Yevgeny, I call him Eugene. You know, the same sort of thing. He's notionally ex-FSB or certainly Russian military intelligence connected. And now he's the founder of one of the largest and certainly a very effective AV engine companies in the world. So when we look at
this in terms of sources of talent and people on the ground is that you have a combination of, you know, military intelligence communities as your primary only not primary, but very much one of the leading sources of talent. You know, whether it's enlisted servicemen and women getting out of the military and then tripling their paychecks as they go work for a private security company or a
private company in their security department, or people formerly in the intelligence community, intelligence community contractors, etc. But then as they move into the private sector, and often with clients that are multi- or transnational in origin, you start getting a lot of potential concerns and conflicts of interest. Well, one thing
that's important to note, you know, from the perspective of the US system, at least in most of the Five Eyes system in general, is that the obligations taken on by accepting a security clearance essentially last a lifetime. You don't disclose that information, you have to protect that information, etc. You may no longer have access to that, but you still need to make sure that you no longer, you know, use it in one or another
sort of ways. Well, okay, so there's a lifetime obligation that an individual is entered into with a body that has its own purposes, interests and directives. And now that individuals also entered into a series of obligations as part of their employment where they have at least a fiduciary like duty to the companies that they're providing security for
providing security services for, that their client's best interest is at heart. So in cases where, say, the duty of, you know, lifetime protection of secrets and, you know, etc. conflicts with a new duty to a specific client, what do you do? My answer to that is I quite frankly don't know. This really gets you into the area
like, well, in a hierarchy of duties, what wins out. But as I hinted before, so we've talked about like a potential fiduciary duty to clients and whatnot. So from a client's perspective, what do you do? Again, governments are all trying to muscle their way into this space, for good or for ill, for effectiveness or lack of
effectiveness. At the end of the day, most, especially major companies, are relying on private corporations to provide this level of protection for them against both criminal and state-sponsored activity. So from a private company's perspective, like, what sort of questions should they have? And what worries should be on their mind when entering into an agreement with another organization, in this
case, a security company of some sort? You know, the simplest one is does the company have my best interests in mind? You know, that's a fairly obvious one. But as we see statements like Mr. Mandia's, Mr. Kaspersky's, etc., that are out there, there seems to be a desire to have it both ways, that we have these government connections and support and whatnot.
But at the same time, we also want to make sure that we put our clients, you know, over all else, and really making sure like, okay, when you have a question where you have individuals that are still in some capacity working for or have government obligations, or have a background in that field, how are their potential requirements and duties balanced against the requirements and duties for
properly serving that private company that they have now entered into an agreement to protect? So that leads us into goals and missions, you know, how do those personal or legacy missions that some of us, including myself, have signed up for mesh with the things that we're trying to do now in terms of protecting infrastructure, like, for example, if I am now notionally responsible for protecting civilian
power infrastructure in, I don't know, pick a semi-adversarial country, maybe Ukraine, or something along those lines, and Ukraine ends up, you know, falling completely under Russian influence and whatnot. Now there's sort of a conflict between, you know, US-centric interests and what's going on there. And maybe
for all we know, someone's starting to get into their network that has a Five Eyes connection. I would certainly say I have an obligation on behalf of my client to do something about that. But I'm pretty sure people I worked with in the past would be pretty pissed off with me that I was doing such a thing. So really, how do those balance out? And then finally, it takes us to this sort of ethics and motivation item. You know, one thing I like to say, all
generalizations are stupid. Based upon that comment, are all intrusions bad or some okay? So looking back at that Slingshot malware that Kaspersky publicly released, counter-terrorism mission, trying to take bad guys off the street, so to speak, seems like it might not be a terrible idea. How they actually execute that might lead to some
qualms. But again, there's, you know, you can work out several explanations for how that's not necessarily a bad thing. But that's also an intrusion, and, you know, it compromised other organizations en route to delivering that effect. So really trying to figure out when, if ever, our duties to clients are overcome by duties to country, or maybe even perhaps wider duties overall. So for example, a
scenario I hinted at this already, is that say we get a state utility company somewhere. I'm sorry, I have an ICS background right now. So most of my examples are going to be industrial control focused. But we have a state utility company that gets breached. Bad guys are in a civilian power infrastructure network. Right now the model that I operate under like that is never okay. Investigation, though, reveals
that you have a fairly advanced adversary in question. The state in question where the intrusion takes place is one that's not my country, maybe not even one that's necessarily friendly to where I live. And continued investigation reveals that well, actually, the people who broke in there happen to work within the same country I do for the same government that my taxes go to. There's no clear
indication of intent or purpose yet could just be probing, running around seeing what's there, you know, establishing some initial access. So what do you do in that scenario? Now for myself personally, and you know, again, this goes back to what sort of ethical framework you've designed for yourself and try to adhere to, I look at this as a clear, you know, sense of, you know, what
are my obligations and duties in this perspective, like, nope, based upon no intrusions in civilian power infrastructure, chop this off at the knees, kick them out of there, it doesn't matter. But I can definitely see the counter argument that, well, this might be the prelude, say, to armed conflict in one sense or another, and perhaps by virtue of being able to, you know,
manipulate what is ostensibly civilian power infrastructure that you also have follow-on effects, intended follow-on effects for military systems of some sort, such as, say, a missile defense system or early warning radars and things of those lines. And by virtue of doing this, the country or nation that is executing the attack in question on civilian power infrastructure may end up saving more
lives by being able to deliver a more precise strike with fewer weapons, as an example. And so from a purely utilitarian or consequentialist argument, you've ended up with something that looks ethically permissible. I don't buy that argument, but I could at least understand how someone could make that. So what do we have here? So we've got many victims and strategic targets that are
private organizations, you know, that's kind of where we're fitting in in terms of things. And we're in the really weird situation where private resources are expected to protect what is private infrastructure, but with very heavy public general goods sorts of implications. That's not just the constant ICS examples I'm citing, but for example, you know, economic pillars of the local economy, like
it's not good for the US when a lot of intellectual property walks out the door and winds up in another country for state sponsored industries to just take up and start producing things. That seems bad about any way that you can possibly slice or dice that one. So there's lots of consequences that come about these actions, and certainly lots of people who are either state directed or state
sponsored that are engaged in this field. So given that public infrastructure, private infrastructure has public consequences, but public resources either can't, because it's illegal for, say, the US Army or, you know, Cyber Command to operate domestically, that's going to be a really weird conversation over the next several years, by the way, that's one to keep an eye on. So you're left
with the FBI, DHS for the USA, or you're left with something like BSI in Germany, SSGI, DI or whatever in France, etc. You know, domestic, theoretically non-military agencies that have responsibility for this, but in many cases they don't have the talent. Sorry, all the talent tends to go out the door after they get a little bit of experience
and get a bigger paycheck elsewhere. Or they don't have the tools, don't have the access, etc. They might have access to certain sorts of secret information, but not a lot of the tools that then you find migrating into that private environment. As a result, you have these obligations or responsibilities to protect falling to private companies, which are often staffed with lots of former public officials of one
sort or another, either because it's a startup they founded after they retired as a four-star general, and so they're double dipping into their pension and their VC money. Or you're talking about Private First Class Jimmy, who was a really sweet Python programmer when he was in the Army, got out and decided to quadruple his salary working for McAfee or something. So this is a really
awesome tweet. Is he in the room? It's unfortunate. I don't think I've ever met him in person. I want to someday. But really excellent tweet by Hostile Spectrum here, that this assumption has crept into policy. I don't know if it's an assumption as much as it is a fait accompli at this point, based upon just how the market has shifted out, that private
firms should be expected to absorb and take responsibility for, at their cost, protecting against and mitigating a potential cyber attack that would have dire public consequences, either of an economic sort or going all the way into the sort of scary, sensational ICS power-plants-going-to-explode sorts of scenarios. You know, when you
couch this within the scope of, you know, the Westphalian compact of non-interference in other states' borders, you know, one of the items behind that, to sort of mix analogies and mix sources on this, is the Max Weberian concept of a monopoly on legitimate violence. So we're not talking like classical violence here, we're talking about cyber violence. So, anyone use that
term before? I don't think so. So we can get that one built up, we can push back against that other AOL-era definition of cyber. But in looking at this, though, it's almost like the state has been forced to, or has willingly, ceded the role of having a monopoly on cyber impacts or influence, at least on very vital
infrastructure. You can look at this that, you know, the horse left the barn back in the 70s, especially when you look at a lot of the, you know, sort of Anglo American style Western countries through Thatcherism and Reaganism and Nixonianism for that matter of deregulating economies where lots of previously public goods were privatized in the scope of, you know, liberal
ish, liberal in the classical sense, capitalism. So as a result, we've, you know, somewhat deliberately pushed these obligations outside the bounds of the state and into private hands. And I don't think there's any stomach in most of the Western world to take that back in. If you look at some other countries, though, you know, Russia, China, India even to a certain extent, you know, a lot of this infrastructure
still lies in somewhat state hands. So you have much more state intervention into those realms and arguably much better state resources and efficacy applied towards protecting these. But I think most of us are US European or something like that. So we'll stick with that framework for now, just as a point of focus. The main thing being is that
you've got this responsibility for protecting public or public influencing goods resting almost primarily on private entities, which leads us into the idea of duties hinted at this multiple times. I'm going to try and hit this both from the individual standpoint, as well as from the notional person that is the corporation perspective. I
hate that idea. And it's based upon a really crappy legal opinion. But it seems to, you know, have garnered some following or whatever in this country. So we can look at conflicting duties, putting yourself in the analyst's shoes, my shoes, for example, now that I work in the private sector, that I've got duties to my organization. You know, Dragos wants me to do a good job, to fulfill my obligations to the company so that we make money and
continue to exist. We all pay our mortgages and maybe someday I get to send my kids to college. Although at this rate, that's probably not going to happen. As part of that, though, in order to make sure that actually happens, we have duties to client. So someone, some entity, whether it's a financial services firm, a oil and gas producer, or a large retail corporation, you
know, it says like, Hey, you know, we have a security problem that we cannot solve internally. Therefore, I will pay, enter into a contract with you, give you money in order to step in and take over this vital service for me and protect that. That's, you know, a pretty heavy duty that's being, you know, ceded out to an external party and then taken on by that third
party. So it should not be taken very trivially when you say that, oh, I'm going to sell a product to someone. That's more than just saying, I'm going to ship a blinky box, they put it in their server rack and I walk away. I at least like to think that means that you have now taken upon yourself that for whatever you sold, a, you know, intrusion defense system, detection system, antivirus system, some big
fancy SIEM product or whatever, that within the scope of what that's supposed to do, you've told your client that, yeah, I'm going to make sure that we got you there. Hopefully that's not the case. If you went to Black Hat last week, there's probably lots of people that don't have that conception of things, unfortunately. But lastly, there's also this sort of communitarian idea that, well, I just don't exist in isolation. You know, I live
someplace, I have neighbors, those neighbors have neighbors, I pay taxes towards something to make sure that I live in a nice, comfortable, safe, secure place with clean water, power, etc. You know, presumably in entering into this framework, I accept or you know, now have taken upon duties to that community. And when you look at community more wider, you could simply
define that as a country. The US government makes sure that the borders are secure, you know, through various machinations of how funding is passed along, the streets get paved, my kids go to school, etc. So, you know, there are non-trivial things in question here. It's like, yeah, the United States has been good to me. They do really crappy stuff sometimes, but, you know, balance of payments and whatnot, from my
perspective, they've been pretty good to me and therefore it's almost like I at least tacitly owe them something at the end of the day. But what wins then if you have all of these three things that are out there and sort of in latent, if not outright conflict with one another, depending upon what you're doing. So, for example, you have a monetizing intrusion. Ransomware hits a network. That's easy. Nuke it from
orbit, kick it out of there. Criminals, you know, pass the information on to the FBI, Interpol or whatever. End of story. We're not going to talk about that anymore. Industrial espionage, this can get a little more interesting. I'd still say this is fairly clear cut. You know, someone's trying to steal secrets from someone that you are trying to protect, but all right, kick them out of the network. We're done. End of story. But like, what
if we're talking about a situation of, you know, to throw you a very interesting, you know, thought experiment. Thought experiments were always the most fun thing as a philosophy student, because you end up with situations that don't seem really plausible, but as a result of how you construct them lead to ways where it's like, do it. Yeah, that might happen. It probably won't, but shit. No, like my way of thinking about this needs to change a little. So for
example, say you have a country that has some latent cyber capability and state sponsored industry and research and development, and they steal secrets related to say, clean electricity generation. Said developing or middle income country relies almost exclusively on coal for electricity generation right now. And as a result is contributing significantly to global warming,
which I hear is not just a theory. It is not something that you can believe in, that it is a real thing. And you know, you could tell a very easy story where stealing clean power tech and then applying it within domestic industry can lead to, again, a consequentialist overall good, in that you reduce harm effects from having, you know, reduced coal generation, reduction in emissions, all of
humanity, and especially unnamed middle income country, which maybe starts with a C and ends with an INA, is better off with that. You know, I'm not saying that, well, this has actually happened. But, you know, from an intellectual property, individual duty standpoint, it seems like it's a clear-cut wrong. But if you start, you know, being a little more flexible with how
you're approaching or viewing the problem, you can at least tell a story or make an argument that is cogent and sound that makes it sound like, well, that might not be a worse idea. And maybe there's actually an obligation to share that. It's not the place for that debate. We can have that over drinks later. Political interference, also something that I hear happens and may not just be a story that one finds or whatever on the
Twitters and whatnot. This seems to start getting a little bit more clear cut. But what's interesting about this is that political interference isn't just a question of like, haha, I'm going to hack party XYZ and do stuff. Rather, it's been interference by manipulating channels of communication and other sorts of venues in order to pass a message on. Well, in that case, that seems pretty damn obvious that like, nope, that
take them out of the network. But again, you know, we look at this mostly from the standpoint of Russia influence on US or other elections. They're not the only ones who try to influence elections, though. So what if you're trying to influence, say, for example, look at Montenegro for, you know, who? Everyone here know where Montenegro is? Okay, cool. So a little country in the Balkans,
you know, there's a traditional Russian sphere of influence sort of thing there recently voted to join NATO, but there was a lot of back and forth over whether or not that was a good idea. And so there was a lot of manipulation into how their political process was going about. Well, if, say, a Five Eyes Country, NATO or whatever started surreptitiously inserting fake stories and whatnot about the other side, you
know, presumably, we like to think like, well, joining NATO can be a good thing. You know, there's commitments to human rights and whatnot. And it's a easy stepping stone to the EU. It's probably in the best interest of the Montenegrins in the long term. But is it really ethical to, say, start seeding, you know, dicey information into the public sphere in
order to make that come about? And if I'm a security company and I catch that, what should I do? There might be a good result of doing this, but the way in which it's being executed is not indefensible, but rather much more touchy to try and defend. So again, not as clear. Let me get to this. I'm going to say that short of some very, very, very narrow examples, this is just,
no, you're not allowed to do that. Everyone says like, but Stuxnet, drink. Stuxnet is not a very good example for this, because if you look at how it was designed and deployed, it was a software that was designed to take a very specific effect in only a very specific environment
to cause centrifuges to spin a little faster, a little slower, and make sure that people couldn't really see what was going on. If you weren't running a Siemens Step 7 PLC of a specific version, and especially not in an environment that was enriching nuclear fuel, you didn't really have much to worry about with Stuxnet. It did spread a little bit further, so everyone got a sample of it and could do things like fancy TED talks and whatnot.
But otherwise, like, you know, from a harm reduction standpoint, you could say that it did a pretty good job in trying to minimize its impact, even if the reason for doing so was to try not get caught as opposed to, you know, trying to be nice and ethical about it. But then you start moving over into some other things like take sort of a combination of something like a Shamoon event. So wiping a bunch of computers
at Saudi Aramco several times over several years, and also look at something like Olympic Destroyer, which gets us into wiper malware in this case, targeting the opening ceremony of the South Korean Pyeongchang Olympic Games. Well, in that case, you know, you're getting potential physical destruction, certainly cyber destruction for all those poor systems
that needed to be wiped and rebuilt at Aramco. But if you start tying those into industrial control systems of some sort, well, now you start getting something that is less targeted, far more virulent and with the potential to do a lot of damage. That just doesn't seem cool ever. So in this case, I would say it's fairly clear that if you catch this, like you should kick it out, but again,
like in the Stuxnet case, like, is Iran having nuclear weapons a good thing? I don't know. It doesn't seem like a good thing. You can make an argument, though, that, well, it kind of introduces the potentiality for, you know, nuclear parity in the greater Middle East with another country that doesn't officially have nuclear weapons, but really does have nuclear weapons, that's a little further west of them. So again, you can make a potential case
where this might make sense. But for the most part, I'd say this one is fairly obvious. Now, from a security practitioner standpoint, you can try and take a stance, like, OK, if nothing else, do no harm. This is a very nicely illuminated copy of the Hippocratic Oath. It seems like a very nice idea. It's like, OK, you know, I don't have to be part of any of this offensive shit or whatnot or whatever. I'm going to step away from this
and I'm just going to make sure, like, yeah, do no harm. I should be fine, right? Well, the problem is, like, when you say do no harm, what the hell do you mean? So there's the idea like, well, don't deliberately inflict harm. So, no, I won't do offense. OK, that's pretty easy and cool. But then, like, do not allow harm to be inflicted. Well, that starts getting a little tougher, and looking at some of the examples
I cited that you can, again, tell stories. Some of them might seem a little more far fetched than others, but certainly make arguments that this is a little harder to achieve because you can get into instances where you're, you know, very rapidly coming up with counterfactuals or counterexamples to your general idea that tie you in knots like they do for me. And, you know, the last thing and this is sort of a see no evil,
hear no evil, do no evil standpoint. Just don't allow harm that you really know of or are actively investigating to occur. So it's like, I don't see it. I'm like carrot or, you know, try to ignore it, look away, whatever. That seems to be sort of the cop-out approach. If you're doing this, you're engaging in weaseliness of some sort. Doesn't mean that it's, you know,
not a choice, but it's just not the best choice. But really, there's an entire continuum of things that underlie, you know, the otherwise seemingly simple, seductively simple idea of just do no harm. And this gets us into the distinction between what is a positive and what is a negative duty. I don't know, this is an ethics track, so I'm expecting everyone to have somewhat of an idea,
but positive, like, I need to do something; negative, I need to refrain from doing something to some other entity. Which leads us into the idea of a hierarchy of obligations. So especially when I'm talking about something that is, you know, the sense that I have an obligation to do something on behalf of another party, a positive duty. You know, when those start conflicting, how do those rack and stack against each other
so that when there is a conflict, I know which ones to do. So this is where you get into an idea. And this is a very much oversimplification. You know, what is my driving goal underpinning those duties? Like, am I saying that, hey, a communitarian approach, that what's good for my society, that I live in, the people that I know that are close to me, you know, my fundamental
duties are to them, and that's going to define my ethical worldview and shape my decision making. Or am I saying, you know, this is really like a sort of Aristotelian ethics versus a more Kantian framework, and these days I kind of lie right in here personally. Or am I taking a universalist approach, that that which I cannot will into a universal law is not ethical. That is the rephrasing
of the Kantian categorical imperative. That means that you're entering into something that, as the name says, universal. Your flexibility in there is dramatically limited. There's ways of reading that or whatever for like situationality and whatnot that make it a little more flexible than that is. And you can read things like Christine Korsgaard and whatnot in order to get into that. But, you know, overall, you're talking about some very universal,
hard and fast obligations here. Lastly, you can get into some sort of Ayn Rand bullshit and start going like completely YOLO. I'm going to do my own fucking thing or whatever my way or the highway. And this could be the mercenary capitalism approach to doing network security. I'm just in it to make money. Everyone else probably is, too. They got to protect their shit. I'm going to protect mine.
And, you know, through some magic of, you know, natural selection, bullcrap or whatever society as a whole advances. As you can tell, I don't think there's much to be said for this idea, but people adhere to it. So we'll talk about it. And, you know, some very smart people adhere to this and we'll talk about it. So you can see that there's different ways of framing this that results in how you construct the duties
under which you find yourself or rather the obligations under which you operate that then frame your subsequent decision making. So what is a conscientious, neurotic, overthinking security professional to do about this? I'm not 100 percent sure. So there's a clean hands approach.
This is where, you know, kind of like the weaseling way out or whatever. It's like, I'm just not going to actively do anything. You know, focus on the personal repercussions, like, you know what? Jim and the cubicle next door, he can go work this target or, you know, work this mission. But I'm going to stay away from it. I'm going to do something that's a little more amenable to my interest or whatnot.
Call this, you know, to inject a little Judeo-Christianity into this, the Pilate approach. Wash my hands of the matter and walk away. Again, there's, you know, it's an answer. I don't think it's a very good one. But, you know, it's certainly one way of at least making sure that, you know, I am not dirtying my soul in the process of, you know, participating in a certain action.
Another idea is, you know, very careful selection. So don't put yourself into compromising situations in the first place where you have to make that decision. Do I do something or walk away? That might sound similar to this, but really what I'm looking for is, you know, things like very exceptionally discrete selection of who you work for. So this is something that I've kind of done.
You know, Dragos is kind of a weird company in that we're full of ex-spooks and whatnot. But at the same time, none of us ever want to go back there. And we've had some really, you know, touchy relationships with those organizations, and very much adhere to the no one in civilian power infrastructure, full stop. So that's one way of doing it. Find a company that fits your values, so to speak. And so you're less likely
to find yourself in a situation of compromise. But the problem is that may not be practical or probable, especially, like, you know, if you're just starting out in this industry and you want to, like, go into something like, you know, I'm going to be like the best white hat blue teamer ever, and I want to go save the world and whatnot. You might not have much in the way of selection on who you go work for unless you feel like, you know, being a barista
in your spare time in order to try and make ends meet and get health care. So, you know, as a result of how at least we've structured society in the United States, you might not have very much scope to make that careful selection. So it's not possible for everyone. The last thing, and you can try doing this, although it might not last very long, is you can actively work for change within the organization.
And again, if you're, you know, junior SOC analyst Timmy, you're going to be looking for a job probably within about six months, which sucks, you know, quite frankly, because we sort of stamp that out. It's like, no, organizational ethos, boom, you know, sit down. The nail that sticks up shall be pounded down. But not only that, you know, in terms of agency and the possibility for actually executing within,
you know, the idea of this, what direction do you actually push the organization into, which still allows the organization to actually still fulfill some mission and remain solvent because it's, you know, one thing to say, like, for example, like we won't do any business with oil and gas companies because they pollute the environment. OK, so does that mean that it's OK then if someone hacks into an oil
and gas plant causes an explosion? Because that sounds pretty bad. They might pollute the environment, but I think we all have a general interest in not seeing, you know, gas pipelines over pressurizing and blowing the hell up. OK, OK, OK, oil and gas is fine. We're not actively contributing to their operations, just making sure that they're reasonably safe. We won't secure the manufacturing networks of firearms providers.
OK, that's probably a little easier, but then you start doing like some really strict salami slicing, like, OK, so General Electric, they make engines that go on warplanes. Does that mean they're out, too? You know, how do you actually start breaking this down and where do you really get to a line that's both actionable, feasible and, you know, sustainable across time
within the scope of trying to run an organization? So one answer to this is, again, you can go the complete, you know, like, woo, B versus everyone else, state of nature, Hobbesian, whatever. You know, everyone's a mercenary. It's actually a very interesting conflict to read about if you're not familiar with it. The Rhodesian Civil War.
No. Well, anyway. But what security companies have tried to do is, you know, sort of mishmash their way through it through highfalutin-sounding documents like the Tech Accord that Microsoft is pushing. If you printed this out, you would not be short of toilet paper for a little while. But at the same time, you also don't end up with anything that's especially meaningful, in my opinion. Sort of a completely pseudo-voluntary thing where,
you know, we'll protect customers no matter who they are or why they're attacked. That is bullshit. And they should know that because what if your customer happens to be, you know, a customer in another country for which there are export controls in question or sanctions applied or is using that technology for criminal purposes? You can try doing this,
but very soon someone is going to knock on your door and tell you that, no, you're going to stop doing that now, because guess what? You still are physically located and, you know, subject to the laws of this country. So that is an unactionable course of action, to say it lightly. All right. This is the idea, like, are all customers equal and if not, who decides?
So that goes back to the idea, like in cases of clear criminality and whatnot, it's like, yeah, they probably don't deserve protection. They're criminals. They're assholes. Fuck them. Put them in jail. But when we start getting into the question, like, you know, the export controls argument, like, you know, it's probably a good thing for, you know, a factory environment in Iran or not North Korea, Iran to operate
in a safe environment. And so to have access to, say, software updates for the machines that are running their equipment. But that's not allowed by sanctions control. And if you observe that that technology is being transferred in some way, what do you do? Well, that's a dicey one or whatever, because again, I can see a conflict of duties there. There are some very clear legal obligations, though,
and so it's really become very hard, very fast to decide just exactly how to approach that. And that really gets into who decides. So if we're approaching this from that classic Westphalian sense of sovereignty, of noninterference coupled with the Weberian concept of monopoly on legitimized violence and in this case, cyber violence, you know, it's very clear
who decides: whoever's passing laws where you happen to be based. But since we've already talked about how the sort of Westphalian compact in the cyberspace. Oh, God, I just said that. In the network security space has basically fallen away or is eroding as we see it. It's not very clear who's deciding at that point, because if you're saying Microsoft,
you know, yeah, I've got research and development centers in Israel, China, Europe, et cetera, whatever. And so it's not just U.S. law that, you know, overall it triumphs. But I've got a lot of other sort of things that I'm also tacitly tying into. Certainly, you know, where your company is listed has some influence on that. But again, that gets pretty dicey very quickly. Yeah, this gets into the idea
that, you know, if you have this question of, you know, duties to, you know, especially from a communitarian perspective or just a law abiding perspective. Yeah, I'm going to protect all my customers equally. Well, OK, you get a legal subpoena that the FBI wants to put a little implant on that device in order to interrupt, say, an international child trafficking ring, which is something I think we can all say is not cool.
OK, all those duties then go away because of that. Well, you've just made this breaching overall statement, which is why I said it's bullshit earlier. It goes completely against that, which again goes to the point that all generalizations are stupid. Going faster than I thought. So where are we right now? Where we are is very confused.
At least I am. And I'm giving the damn talk, so I'm very sorry. You know, we found ourselves in a situation where we have private companies that are entrusted with protecting what are ultimately public goods, things that are in the general interest. And as a result of that situation, you have individual analysts that are placed in positions with conflicting duties, whether it's to varying degrees
of obligations, because they either used to be a government employee or they have some sense of patriotism, for example. Versus who they are when on the clock trying to defend. There are some attempts at norm creation like that tech compact accord, whatever we talked about. But they're bullshit. So there's nothing really good there. And there's nothing binding anyway. There's nothing like a hard
and fast rule, especially when you're talking cross-border between places that really don't like each other that work here. Like you talk about U.S. to EU, U.S. to Japan, Australia or something. Yeah, that's pretty cool. There's stuff in place, but like U.S. to China, YOLO. You know, really, it's just whatever goes. So the thing is, is that is this an impossible problem to solve? I had a conversation
last night with Mara Tom about this at a small event, even smaller than this one. You know, it's like, well, what would you do about this? And my answer to her, you know, approaching situations like this is like, the fuck if I know. All I know is that it kind of bothers me. So really, you know, we have companies that have the greatest responsibility, in my opinion, in this space, because they kind of sit
in that middle ground between the poor individuals that are just trying to get by and make sure that they can put food on the table, pay their mortgages and have health insurance. If you're in the U.S., you know, so they are sitting in a position of particular power relative to the analysts and relative to governments who lack, unfortunately, the skills, expertise and some of the technology
to do this very effectively. The problem is that their incentives are not really allowing them to take action because at the end of the day, any company worth its salt is going to work from a profit maximizing perspective and as a result, make a lot of compromising decisions en route to doing that. That's saying that everyone does that in a complete mercenary fashion. Again, like when I spoke earlier, like trying to find a company that aligns to your interest.
I think we do a reasonably good job of this, but we're also very young. So it's only a matter of time before something like this happens. And then it's a question of like, do I really belong here or not? I hope my boss doesn't watch this later. Anyway, you know, we've talked about individuals being most significantly impacted, especially at an ethical level,
because at the end of the day, who's hands on keyboard? Who is the one or whatever that is actually having agency over how this is applied? Even if they're, you know, the sort of good Nazi argument or whatever it's like. But I was only following orders like that. Every order is as good as another order. You know, how do you put yourself in a position where you can sleep at night, where you don't end up compromising personal values
and items of importance? But just the fact of life requires that individuals are going to have to make compromises because they're in a position of less power than the other entities around them. So as a result, the problem, as we've situated it, really is not solvable because you've got, you know, on the one hand, the entities that seem like they're most concerned with this are also the ones with the least amount of power.
People like us in this room, whereas those that have the most capacity for potential action on this are in a position where their incentives are misaligned towards really resolving it. And on top of that, they legitimately have to worry about things like, oh, crap. Like, you know, to Kaspersky's credit, they don't really have a choice for cooperating with the Russian government,
because there are laws in place that as long as they're operating there and have infrastructure, all, or maybe all, depending on how you want to look at it, of their traffic has to be accessible to domestic security organizations. They just lost the, you know, the game of life lottery, whatever, for where Mr. Kaspersky was born and where they happened to start the company.
Is that their fault necessarily? In which case, can you look at this again from the standpoint of intentionality? Are they deliberately doing this or it just happens a matter that they have to comply with the law of the land of where they're based? So the only thing I can offer in terms of guidance is that, you know, we can look at this for a couple of different angles. So for an individual perspective, recognize what your situation is.
Like, keep an eye on what your company does, what your organization does, and be aware of what's going on so that this doesn't blindside you out of left field one day. It's like, oh, crap, I can't live with this anymore. But as part of that, like I said earlier, if Timmy, the junior SOC analyst, starts raising hell about like, why are we supporting this or whatever, and then finds himself without a job, kind of need to keep your head down.
Trying to be pragmatic in terms of presenting this, which is not always, like, the most glorious ethical position to take. But it's really hard to say die on this hill when dying on that hill might mean that you end up, you know, grossly in debt because you got sick or something along those lines. But really, the idea would be pick a mission and stick with it. So from my perspective, I picked a mission. You know, I don't do offense.
I want to kick bad guys out of important networks. And I won't compromise on that because I'd like to think that noncombatants and whatnot all have an equal interest and right to clean water, reliable power, et cetera, and stick with it. You know, again, try to find places that align with those values as much as possible, but realizing that it might not be
actionable or reasonable in all situations. InfoSec companies, you know, their days of having it both ways, I think, are going to be over soon, whether because of things like, you know, all the press and attention for Kaspersky. I was really surprised that the Mandia comments, some work by CyberScoop News, notwithstanding who did a good job of covering this,
that that didn't garner more attention because it was just very strange that he very willingly just kind of said, like, yeah, you know, we give these guys a heads up or whatever, on the down low or whatever, once in a while, you know, while having cleared analysts sitting in watch floors in the greater D.C. area, et cetera. You know, I think people will eventually get pissed off with this and there will be market signals or whatever saying that we can't do it.
You know, and that will lead to, I hope, that eventually, it's not going to happen tomorrow and not going to happen next year, but maybe five years from now, that will start moving away from the like, we've got all these guys from 8200 who are sitting in our NOC right now or whatever. They're going to protect you and hack the bad guys. And they certainly don't have any obligations to Israel anymore. Trust me, you know, trying to play that game
from both sides is not going to work going forward. And, you know, they really need to just pick a mission and stick with it. So from the Dragos perspective, safeguarding civilization, it's a goofy little term, but at the same time, so far, we're following it pretty well. This is where something like the Google Don't Be Evil thing for a while, they actually followed it. I mean, good on them.
Like that lasted for longer than I ever expected. And then it went away. So when those sorts of things happen, that results in, you know, things going off the rails and then you have a lot of people that happen to work for said company or whatever. It's like, well, fuck, what am I going to do now? I got stock options. I've invested for whatever benefits. And I got the 20 days
of vacation and whatnot. I don't want to leave for another job. So that makes it harder. It really ends up when you start shifting gears along those lines or leaving that sort of mission amorphous puts again individuals who are the least powerful in these transactions in a bad spot. But one other interesting thing from the infosec consumer perspective, there's some level of power there.
You know, they can try from a contractual standpoint, legalistic standpoint, formulate expectations and requirements in writing. It doesn't mean that they'll always be followed. But at the very least, that if you find out later on, it's like you let the frickin NSA in my network for six months and didn't tell me about it. Well, that could be an interesting lawsuit, if nothing else. I don't know how realistic that is, but at least it seems like an avenue worth pursuing.
I'm not a lawyer and never want to become one. So that's for someone else to decide. But yet really looking into like sort of doing the due diligence work of, OK, what are your obligations? Who do your people work for? You have people with active clearances. Do you do government sponsored work? And as a result, what are your obligations in terms of the protection of my data? How you handle my data? How you handle discovered intrusions?
How does that work? Really asking those hard questions and putting private companies on the spot to, you know, show their hand, like, all right, you know what you got? If you're in a situation where some of these conflicting situations erupt, whose side you got in this scenario? One of the problems that I see in this space is a sort of balkanization of security,
like as we've transitioned away from the, you know, post-Soviet moment of like, oh, liberal democracy, democracy everywhere, free markets and, you know, globalization or whatnot. And the return, well, not the return, but the rise of illiberal democracy and autocracy on the march again and really getting into a closed market standpoint
where it's becoming really hard to be an international company operating in this space anymore because you've got lots of people that want to get their hands on the information, expertise and what results from this. So in a situation like that, do you just make sure that you pick the home team for your security company? So if I'm Target, that means that, OK, Symantec, good.
Kaspersky, not. If I'm Rosneft, well, I don't think they have much of a choice, but, you know, Kaspersky, yay, everyone else, boo. Some Chinese company, the MSS, I'm sorry, 360 Safe or whatever, yay. And everyone else, boo. But then what if you're Germany? As far as I know, there is no, like, real major endpoint security provider or major security company that's domiciled in Germany.
You could say, well, ESET's in the EU, aren't they? Yeah, OK, they're so lucky. And that's close enough, maybe. But still, you know, if you don't have a home team to pick, what do you do then? And then you really have to start asking these questions to figure this shit out, you know, fairly quickly, because you'll wind up in a bad spot. I think sooner than you really realize. So that's all I've got.
And I can leave that up, because we're not staring at a big blank screen. I talked at you for 50 minutes. Now you have the opportunity to ask me questions and I might have things to say. Yeah, I mean, I hope that was at least interesting. Only a few people left. OK, that's cool.
Wow, really? OK. I just don't know what the point would be, to be honest with you.
So this is where like getting somewhat away from the ethical dimensions of it, but just to be, you know, very practical, like, well, what do you achieve? Like, dammit, someone stole all my shit. What do you do? Are you going to get it back? No, they may have copies of it. You're not getting it back. Once it's gone, it's gone. You can make yourself feel better. Oh, I'm sorry. So the question was, yes, I got that signal. The question was, you know,
do the circumstances under which we find ourselves really legitimize or incentivize the move towards companies hacking back? And my answer is that even just from a sort of consequence driven standpoint, I don't know what it achieves in terms of it doesn't enhance security, whether because you're going to hit the wrong people as a result of like, yeah, I took out all those
all those C2 points, like all your C2 points are just some poorly secured WordPress instances and you just blow away Samantha's cat blog. What the hell, man? So there's that part of it. But also, it's like you can't put Pandora back in the box once it's been gone. And even if you're the victim of a cyber physical attack, like you can go
after getting pwned a couple of times and the lights going out and give. Yeah, they can try and hack back. It doesn't mean the lights go back on. And I would say from the standpoint, especially from the adversaries that are most capable and most likely to commit some of the more egregious sorts of actions in this space. It's not going to deter them either, because, you know, the end of the day, it's like arms race, motherfucker. We got this arms,
this offensive shit down. Whereas private companies, I think, you know, while on the defensive side, a lot of the technical talent and whatnot, except for some of your really shady pen testing firms and whatnot and companies that do software development, software development and research that are headquartered along the I-95 corridor between like Northern Virginia and Southern Maryland.
Yeah, they probably have a lot of offensive talent, but for the most part, you know, Wells Fargo doesn't. And even if they didn't have it, I don't know what they do with it. But lastly, from an ethical perspective, it also gets to the idea like what have you achieved in terms of, you know, improving the ecosystem overall. And while you can go back into like, you know, eye for an eye, tooth for a tooth. OK, that's a bullshit argument. You know, I just don't see there being a way,
especially given the extreme likelihood of unintentional consequences like poor Samantha's cat blog, where you don't end up whacking the wrong thing as a result, because no sane adversary, at least no one hacks from their own infrastructure. No good, you know, good or capable actor does that. There are three or four hop points, but maybe not.
Maybe at least two between their stuff and others, unless they forget to turn the damn VPN on, which has happened. But otherwise, you're typically not hitting something where it's actually going to matter. So it just seems like it's a wrong path to go down in general. There is a cable start with gentlemen. What's the obligation to, let's say,
if you're a citizen of one country. Doing it for a second, doing that work for that company, but your company that you belong to is ordered in a different way? I don't know. That's where it comes down to. Like, you know, really, what's driving you? Like, for example, I could see I know of Canadian citizens,
for example, that are working in the Gulf region that are very nervous right now considering what's going on between Saudi Arabia and Canada on a diplomatic level. It's having a lot of very immediate economic repercussions as a result of some, you know, not very I think it'll be pretty clear or whatever that human rights stuff is pretty important.
There's not really much of a leg to stand on in terms of the other side of this argument. But, you know, like, well, what do I do? I like took on an obligation with this organization or whatnot. Maybe I'm not in Saudi or, you know, maybe I'm sitting in Dubai or whatever, but these are germane issues throughout the region and I find myself in an uncomfortable spot. You know, do I stick with I signed an obligation and therefore I'm required to complete it.
Or it's like, no, this violates a universal set of ideas that I have in my mind. Therefore, I can no longer in good conscience support what's going on. I'm going to pack up and leave and hopefully I can find a new job. Or from a communitarian sort of sense, I've either willingly adopted a new community and therefore I'm part of that company or whatever entity I'm with right now.
Or, you know, can it all the way? I will continue to abide by what I think is useful there. So it really comes down to, in my opinion, a personal choice for where your values lie and making sure that you're clear on that yourself going forward and then articulate your decisions around that. So again, all generalizations are stupid. Now everyone's answer is going to be the same on that one.
I certainly personally have, you know, my own view on that would be a blend of that universalist and communitarian approach. So very much a virtue driven way of looking at these sorts of ethical quandaries. But it will likely be different from everyone else and I am OK accepting that. Gentlemen.
What is the effect on the nation state of publishers of official policy that a cyber intrusion or, let's say, a cyber attack would be followed by a connected attack? That would be justification for that. How does that affect the decision-making? So the question was, and I didn't repeat the last question, so I'm sorry.
I hope the gentleman in the back doesn't throw something heavy at me. The question was for states that sponsor, or it's not sponsor, but that publicize and create guidance that, in response to a cyber physical or cyber event, that we reserve the right to retaliate in kinetic fashion. On the one hand, from a private industry standpoint,
makes me not want to tell the government what happened, potentially, depending on what I'm thinking. It's like, oh, crap. I don't want the Russians are in the grid to mean that it's like, oh, shit, the Baltics just got invaded because things went off the rails or whatever really fast and things got kinetic. But for the most part, though, that decision-making
and where a lot of the agency lies seems to be within those government spaces. My only hiccup on that is the transition from virtual to physical, or especially where there's a blend between the two, is it's very much consequence-driven in this standpoint of that saying
that, oh, the financial system went down. Therefore, we're nuking Tehran, which, well, the financial system didn't go down. It was slowed a few years ago during Ababil, or however you pronounce that. A physical response to that would have been disproportionate, and in your classic Augustinian sense of laws of war, like, eh, it's probably not a good idea. But when you start talking about, like, for example,
what's happened in Ukraine several times, I would say that they're probably well within their rights to say it's like, you know what? What you did could have had more dire repercussions than what actually happened, and you didn't really know that going in. Therefore, it seems reasonable that we could retaliate. Now, they would lose that fight, but at the same time, though, it seems from a,
you know, just if you want to justify a potentially stupid action following that, it would have been something reasonable. So again, it depends. But in looking for it, it's one of those spaces where the private sector should just try and, like, keep its head down and stay way the fuck far away from those sorts of debates, because they get very uncomfortable very quickly. So earlier, you talked about fiduciary duty
compared, like, in the United States. Medical doctors have fiduciary duty, lawyers have fiduciary duty, financial advisors, you know. And then when you talk about states, and if you wanted the infrastructure, like roads, you need to be a professional engineer registered for the state. How do you feel about enforcing, like, professional engineering licenses
upon, like, software engineers and, like, cybersecurity engineers to kind of bring up that level with respect to those individuals building and supporting infrastructure with respect to the US? Okay, so the question was, mentioning fiduciary duties earlier
as one way of phrasing how a private company enters into an arrangement with another private company to provide security services is that just like we have the idea of, you know, doctors, lawyers have fiduciary duties to clients, or just as we require civil engineers to be licensed and certified and continually monitored to make sure
that they fit within professional standards, can we adopt such a framework for practitioners in the security space and software engineering, et cetera? I think we can. There was a talk in an event last night that I really wanted to go to by Tom Miller, who's at DHS, that touched on this subject that I did not get to attend it. And I think he's a big proponent of it. And I can definitely see there being space for it.
Part of the problem that I have with the idea is it gets very, you know, licensing, like, for example, with legal licensing or whatever, that's pretty, the way in which it's framed is that you pass a state bar and that governs actions within a certain, you know, location or whatever where you're practicing law. And that seems to link up fairly well
if you're doing something internationally or across state boundaries, you get licensed in both locations. Given the way that the security, security and the organizations requiring security don't neatly fit into little boxes in terms of location, it gets very hard very quickly in order to enforce or require that out of the box.
But just because something is hard doesn't mean that it's bad. So as much as I, like, malign, just because it's a stupid idea, you know, this thing, its heart's in the right place. So the idea of the Tech Accord is like, yeah, you know, we'll try and set up, like, just an ethos around which we will, you know, rally that, you know,
like we will protect everyone anywhere or whatever. Having something along the lines of at least a minimal professional ethic, something almost approaching that Hippocratic Oath, might be reasonable. The only problem with that is that you get into scenarios where, you know, how are you defining harm
or how are you defining those obligations? So I think it's certainly something worth exploring. The problem is, if you have a real attention to detail issue and are very neurotic and overthink things, you very quickly wind up with lots of exceptions and ways in which it falls apart. So again, I can see there being something for it, but I think that any implementation
is going to be difficult. And if nothing else, it'll only be extremely localized.
So the question was, if my current organization was approached that, hey, in order to do business here, that, you know, the home team for where here is requires that, hey, you have to insert this thing into your product for reasons,
those could be various reasons, but certainly, you know, something along the lines of data gathering or something along those lines would probably be most likely. Or they don't tell you what those reasons are, which is also scary. I would say, given what I know about our organization right now, that the answer would be no. I certainly don't know what that answer would be moving forward, but that ties back into the idea or ethos
that we've adopted as an organization that we've all sort of bought into, which is easy when you're a small company. It's not so easy when you become a much larger company, which I can appreciate. But yeah, right now it's like, no, we can do things elsewhere. It doesn't sound good. And if the answer was yes, that's a resume generating event for me, because that's just not cool. But I'm also in a position where I'm pretty confident
I could find another job without a problem. And that's not the case for everyone. So again, going back to that idea of the clean hands, see no evil, do no evil, hear no evil, or active intervention or whatever, what do you do, an individual's options in that framework might be constrained. But overall, I'd say just that approach of doing things,
which ties into, again, I forget the name of the Russian legislation that goes back to the 90s for, well, really goes back to the telco wave, the 70s or something, really provides for lots of potentials for abuse. Although it also can, depending on what sort of communications that you're capturing or data that you're capturing
or analyzing as a result, could lead to law enforcement things. Like for example, when I wanna make sure that I'm analyzing all of the classified ads that get posted to your portal or whatever, despite anonymity and whatnot in order to fight human trafficking. Well, that's a really, really good goal that access could be abused really easily though, so what do I do there?
Yeah, it gets tough, but at least from the standpoint of the right now, I would say it comes down to our organization, like hell no, not interested at the moment, but I can see other places where that's not the case. I was gonna say, we're past two. We don't have anything else till three.
Okay. We don't have all the topics, but you're welcome to answer your questions and we've got some swag there. Ooh, who's my favorite audience member? I don't know, that's gonna be tough. We've got some good questions so far. I gotta remember all of them too, but the gentleman over here,
or I hope someone was about to speak, I thought, or okay. Yes. I mean, like with Israel too, it's not just 8200. You've got the people who are in doing Shin Bet stuff and everyone has tech talent sort of everywhere,
just the same as you've got GCHQ along with other sorts of organizations in the UK, go to France, who I don't think get anywhere near enough credit for their tech talent overall, let alone the tech talent that they have within military and government circles. They have a few organizations. So everyone, everyone,
lots of places have numbers of organizations involved in sort of statecraft and especially in the intelligence and military space that are doing these sorts of things and lo and behold, they often seem to be the ones that you find later on who have founded successful or certainly very significant security companies of one form or another. In the back.
Cool, so the question, which I forgot in the last question, I blame this guy for saying that I had my time back. You distracted me. The question concerns whistleblowing
in the context of what I've talked about right now and I'd say whistleblowing is an important idea and it gets into that sort of actionable approach. Certainly, I could see a cascading series of obligations like my organization is doing something blatantly illegal and harmful, like, okay, if they won't stop, I need to tell someone about that,
go to the authorities and they will take care of it. Hopefully, yeah, but then it gets a little dicier after that point where it's less clear cut. So as probably the most prominent example, Eddie Snowboy, who is holed up in that beacon of democracy and freedom
known as Russia, some of the things that he released, I can definitely see the argument and accept the logic under which it came about that, yeah, similar domestic surveillance stuff, like, yeah, that was really weird. There might not have been the sufficient conversation about it. But a lot of the other stuff that came out of that were unrelated and really tied back
and he was like, you know, hackers gonna hack and intelligence agencies are gonna do their thing and I expect NSA to spy on China, Brazil. I expect the Russians to spy on the US. I'm gonna try and catch them. I'm gonna try and kick them out, but that's kind of what they're there for. And to really start revealing all those other stuff
goes beyond mere whistleblowing to almost like score settling. So it's very easy to wrap oneself in the flag or the mantle of like, ha ha, I am doing good by revealing evil. And by the way, look at all this other shady shit. It's like, no, actually that other shit's not that shady. It's kind of cool, but it's yeah, kind of goes above and beyond. Then so really when it comes to the whistleblower idea,
it's an identification of, what am I really blowing the whistle on? What are my motivations for blowing the whistle in this case? And does that pass muster as being an ethical act or a morally justified, morally praiseworthy sort of action? And if you look at some of the cases of whistleblowing in the last few years,
you see a lot of other motivations that might be in play in addition to the presumably altruistic one.
Well, so the question here, this is a very interesting point from the perspective of,
goes to align yourself with the mission that you're doing and coming from the perspective of someone who's new in the field and trying to find a place that fits within one's ethical framework. And are there any organizations that, presumably fit a more altruistic framework? In some cases, government work is actually really good. Like some of the things that go on in DOE
are pretty sketchy, but end of the day, making sure that a nuclear weapons laboratory doesn't have someone probing around their network, like that's a pretty good one. I don't want anyone stealing that kind of shit. So depending upon your sense of obligations there or whatever, there are actually legitimate options. I'm sure that no one wants the Department of the Interior to have a bad day. They don't seem to do anything too bad.
So like looking for options there, but also you get into organizations like the Electronic Frontier Foundation, although they do some things that are kind of weird sometimes. Trying to think of, like I know the names of them, now they're all escaping me because I'm standing up here in front of all of you. But there are a number of organizations, like really vital ones from a civil society standpoint,
from like NGOs and whatnot, that have found themselves in the crosshairs of some very bad actors that actually operate, in my opinion. So like Bellingcat is one that just popped in my mind, thank God. Yeah, that not only are you talking about a good mission, but like there are some serious adversaries that are trying to get into those networks. So that could be a fun job too. But again, it's one of those like,
they can't exactly pay all that well, usually. So it's very much mission must trump paycheck, and especially if you want to live in the Bay Area, you might find yourself or whatever at least sharing a house with four people. But yeah, that's it. Yeah, I'm sorry, a house? I'm in a studio, so enjoy your closet. But no, I mean, there are possibilities
and really it's just investigating. And that's where like having a broader view of what it's like to operate in the security space is important, because it's not just a question of, I'm going to work for a FireEye, a CrowdStrike or an ESET or whatever. It's like, you know what, I want to work for this hospital system, for example.
You can say many things, especially for private healthcare within the United States, that there are certainly many things to take issue with there. But end of the day, I don't want the nurses' stations to get ransomware on them. So that could be an altruistic mission to have, and they don't pay all that badly either. So there are options once you go beyond like I have to work for a top tier cybersecurity company into the actual organizations that need security
and aligning mission in that respect. So there are a couple of hands over here. You guys can fight. Right. Thank you. I happen to know people from Kaspersky and also people from Shmone Matayim,
2000, whatever, 8200, yeah. And basically, that's kind of one loose big team, which has no allegiances, absolutely none. Not to Israel, not to Russia, not to anything. And that during the war between Russia and Ukraine,
it was actually people from Kaspersky that helped Ukrainians. And obviously people from Ukraine, who were clearly Russian spies. So, I mean, all of the definition, it's really like in real life, it's a little bit make-believe
that it exists. In fact, it's not because the coder from Kaspersky lab can be hired from wherever Russian FSB or something or obligated to threaten or whatever and do something. But in fact, coming home and taking your computer and work for, I don't know, Kharkovsky
or for freedom for Russia or something. So it's again, and it's extend to UK and extend to Europe. So for me, it's little bit I understand like philosophical point of view, it's very good questions. But in practical, I don't believe it's really,
it's really big, big, big community, which is you belong to also. Yes, yeah, exactly. And that's why I made sure that I highlighted exactly where I'm coming from and continuing to come from to a certain extent. So I know some of that was on microphone, but to distill, at least what I think the question
and really more comment was that, you look at the example of Kaspersky, for example, or any of the underlying agencies, there's lots of people there and a lot of them are diligent, hard workers that are trying to fight the good fight or are fighting the good fight and pushing back against evil, so to speak. And I don't dispute that for one minute. I don't have friends necessarily, holy shit.
Hey. Hey. I don't have friends necessarily at Kaspersky, but I certainly have people who continue to work there or have worked there that I've had positive interactions with. Anton Shipulin, I'd say, is very close to a friend who works in their ICS practice. And I know there's great people there who do good work
and which is why it would have been deceptively easy in constructing a straw man argument to have left that as the only example, which is why I went to the FireEye one as well as some of the other things that, from the perception equals reality standpoint and whether or not some of these things are ground truth exists, that there is at least the continuing perception
and the building perception of their having some conflict of interest in terms of what obligations you face based upon what country your company is based in and who your people are and where they come from in their background. So even though in many cases where I don't think it's, you can look at, I believe it was The Hill quoted me a few months ago on the Kaspersky issue,
I think the US government's perfectly within its rights to say, is like, yeah, we're not gonna use your product. The way in which that was communicated that was really weird because it cast aspersions without evidence in a way that I didn't think was helpful. And that one leads to the perception that's like, well, what's really going on? But this work goes to it. I think Mr. Kaspersky has tried to do a very good job of communicating this for his own company
that, nope, we'll protect anyone, anywhere, anytime. Although with that statement, it's like, I don't think you really can do that. But I understand what he's trying to say. They are really trying to drive that message in with the, was it a libel suit in the Netherlands or some other legal action against what was a very bad news story. So yeah, I mean, part of this too is that as, even if it's not just one of the companies
that have used it as an example, there are others like Mandia's comment that have resulted in just cementing this impression that there is a problem and then making others like my company, for example, having to answer the same thing. It would not surprise me whatsoever if there is a non-trivial proportion of the overall security community and especially the ICS security community
that just thinks that we're an NSA spinoff because we have so many damn people that used to work there. And so from our perspective, I can definitely appreciate the problem where it's like, no, not really, but fuck, how do I actually prove that? And it's hard to prove a negative in this case because like saying like, no, we have no connections to this. Well, you talk to DHS, well, hell, we have to. We don't have much of a choice,
like both law of the land and like, you know, we wanna make sure that they're getting some good info as well. So yeah, I mean, I definitely appreciate the point. Thank you for making it. And again, it gets very fuzzy, very fast, too, so. I don't know, there we go. I'm afraid I can't really add much more than I recognize that the answer to this is more or less, yeah, it's complicated. But so with a lot of the larger engineering firms
we'll say your Fluors, GEs, et cetera, that are going out of their way and building up stronger network defense capabilities, but also say have military contracting, also civilian infrastructure and engineering contracting,
also civilian infrastructure contracting in like mostly friendly countries, and then also majority but non-controlling stakes in countries that are mostly friendly, but they don't own the company, but still oversee their operations to an extent. I don't, where do you see all of that kind of blending in
when it comes into the conflicting loyalties and obligations because, again, they don't necessarily control them, but they have, yeah, sorry. My answer is it depends. But no, I mean, that highlights the conflict quite nicely is that very rarely, just like, you know,
we can construct very interesting thought experiments involving trolleys and babies and whatnot, like one does in ethical research, but even the examples provided in real life get very complicated very fast, especially in spaces where you're talking about different systems, different requirements and different levels of connectivity
and just what sort of approach you're taking. And so really not, going back to the idea that all generalizations are stupid, that coming up with one definitive right answer, and I used to be very much a universalist in scope or whatever, where it's like, there are right answers to these problems that apply universally at all times.
And then I grew up and realized that that actually doesn't work. And so it's really about applying contextuality around individual events and having the awareness, self-awareness as well as an individual agent of what's in play, what are repercussions of a specific action and what sort of hierarchies of obligations and needs
hold at any given time. And then, you know, based upon that knowledge, both of what's around you and self-knowledge, acting in a way that you can then at least defend. And I'm gonna say that there are cases where there are no right answers, or it's just a question of like, where do I do the least harm? And those are the ones that suck. But even then, that goes back down to like, well, what sort of a situation am I in
and how does this play out? Gentlemen wants to get in. Yeah, one extra question to this, because this is something that it seems like, to me, we also have a bit of a self-fulfilling prophecy here. Labor really hard to a number of companies get brought on by, let's say, Northrop. Yep.
The minute you're done with a year experience with Northrop, you can kind of tone LinkedIn on the security thing. Like, it's kind of like, you have recruiters, you basically have recruiters, not you. But what I'm wondering is, is maybe that issue more of a thing. Like, basically you're kind of encouraging people to get into these organizations because they can see the writing on the wall
where it's moving. And maybe that needs to be where that approach is dealt with, but maybe there has to be maybe a little less focus on these companies that are doing this type of work to maybe get the industry to spread out a little bit more and have less of this infiltration by the security apparatus.
Okay, that's an excellent question. So, or really more, not a question so much as a comment, but no, it was a good comment that, you know, the idea being, we've incentivized individuals to go work for organizations that end up being in murky situations or whatever, like your defense contractors or Beltway bandit sort of organizations, and thus sort of driving people
if they want to be successful in this field towards places where they might be, not necessarily be in the most pleasant of environments in terms of how they feel, what they're doing reflects some broader society. I'm going back to the point I made earlier for the question for, you know, for someone new in this environment. I think we've done a very poor job as a community in appreciating and articulating the value that security practitioners bring
to smaller organizations that are not traditionally associated with the security field. I know some individuals who are really good at this job that work for like power co-ops in Mississippi or healthcare networks in Kentucky. And the problem is that they do a good job. They like what they're doing. They're not looking to go anywhere else right now, but if they wanted to,
their experience, just by virtue that it's like, oh, what could they really have done here? Doesn't look as good as the person that's like, well, I worked for Lockheed Martin for five years or whatever and did penetration testing, was behind the fence for part of that time. Like that guy or girl is probably gonna get a hell of a lot more return phone calls than the power co-op dude in Mississippi, which is unfortunate because, you know,
it also comes back to how do you start expressing this and appreciating how those different missions contribute. And, you know, for those of us who are in, you know, HR-ish decision-making chains and whatnot, just really having a broader scope when looking at resumes, for example, or, you know, trying to reach out into the community of making sure that we're, you know, recognizing these people, understanding their contributions
and making sure that we're mentoring junior people to appreciate that, hey, you don't need to work for the big, you know, flashy company with the offices in DC, London, Singapore, and Dubai or whatever, you can go work for Adventist Health System or for, you know, something else or whatever and you can get a hell of a lot of experience there and maybe you're aligning yourself to a mission
that you can better, you know, support personally as a result and it's not gonna hurt you professionally. We're not there yet, unfortunately. We have a weird question. What's your opinion on the ethics of an international company working for a government developing a security solution for that government? But under contract, I'm not allowed to leverage
that solution depending on how the client's held. Even though they know, if they did it, their product would be far more secure globally. That's a dick move. Anyway, the question was, yeah, that company X developed security solution Y for country A but as a result of the contract under which company X is working with country Y,
they cannot transfer the intellectual property behind that solution to any other entity and it just so happens that intellectual property could be very useful in helping a lot of people out. It depends. But from the way that I approach the problem,
I look at that as being a very much suboptimal solution in terms of making the world a better place for everyone. Having said that, I could see that, well, you know, there's also the case that not all networks are equal. So maybe we wanna make sure that, you know, the network environment that's holding weapons design and test results for the nuclear arsenal has this really special security solution
making it unhackable. That's a word of metal in the hallway and get some attention. It's not a Bitcoin wallet, trust me, or whatever cryptocurrency wallet. But, you know, maybe from that case of, again, depending on how you wanna frame the problem that, well, some networks are more important than others and making sure that one, that level of protection is there
and then is not revealed for others to muck around with might actually have something to be said for it. So, again, it really does, you know, go back to the case where it's like, oh, there is no one size fits all answer to that. It really sort of depends. But overall, I would say that the burden is on the entity asking for that restriction to prove why that restriction is necessary
and more beneficial than the opposite. So we have. Yes.
Yeah, I mean, and again, it depends on, like, not only who are you, but which way are you approaching the problem that there are different ways of, you know, where do my obligations lie?
But, yeah, I know, time, you wanna kick me out? Yeah, we have time for one more question. Does anybody have one more burning question? We've got a long one. Yeah. Sorry, can you hold that up? Oh, yeah, I'm sorry. And as a heads up, these talks will be online. Contact information for our speakers will also be online. Yeah, yeah. So we have time for one more question. Everybody here, give it up.
Thank you.