Kip Boyle: Welcome to the Cyber Risk Management podcast. Our mission is to help executives become better cyber risk managers. We are your hosts, I'm Kip Boyle, CEO of Cyber Risk Opportunities.

Jake Bernstein: And I'm Jake Bernstein, Cyber Security Counsel at the law firm of Newman DuWors.

Kip Boyle: And this is the show where we help you become a better cyber risk manager.

Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman DuWors LLP. If you have questions about your cyber security related legal responsibilities ...

Kip Boyle: And if you want to manage your cyber risks just as thoughtfully as you manage risks in other areas of your business, that's your sales, accounts receivable and order fulfillment, then you should become a member of our cyber risk managed program, which you can do for a fraction of the cost of hiring a single cybersecurity expert. You can find out more by visiting us cyberriskopportunities.com and Newmanlaw.com.

Jake Bernstein: So, Kip, what are we talking about today?

Kip Boyle: Jake today, what I want to do is I want to share and discuss with you my top book recommendations for cyber risk managers. And so what I've done is I've put together a list of six books and I put them together thinking about our audience, right? So our audience is non-technical people. But even if you are as a listener, as a member of our audience, even if you are a very technical person, I think you're going to get a lot from reading any of these books. And what's interesting about these books is that they're all nonfiction, but some of them read like a novel, some of them read like a spy thriller. And so it's super easy to read all of these books. Anybody I think with a ninth grade reading level or above can handle these books. They're all in print. You can get a soft cover, a Kindle version, and there's audio versions of all these books, except for one. And I'll tell you which one that is.

Jake Bernstein: Got it. So you're going to list off the books in any particular order, or just kind of, how are we going to do this?

Kip Boyle: Yeah. So I figured being the attorney that you are, you would want to know about which one's most important.

Jake Bernstein: Good point, yeah. I do want to know. Which one should I read if I haven't read any of these?

Kip Boyle: Right. Okay. So, of the six, the first one I'm going to tell you about is the one that I would say, if you don't read any of the other ones on here, this is the one you should read, and we'll talk about that one first. And then the others I'll tell you why they're on the list and then you can decide if the reason I have them on the list is interesting to you. And then you can decide which order you want to read them. But what I'll say is that this list of six books is really in two buckets. There's like a cyber crime bucket and then there's sort of a geopolitical espionage spy bucket, okay? So that's kind of how this is all laid out.

All right. So ...

Jake Bernstein: What is the first book then on this list and why is it number one?

Kip Boyle: All right. So the first book, the title of it is called The Perfect Weapon. And it's by a guy named David Sanger, who's a New York times Pulitzer prize winning journalist. This book just was published in June of 2018. So it's very, very new. And the reason why it's the one book more than the others is because I think David Sanger has done a wonderful job of explaining how cyber weapons have become a very prominent feature in the political landscape of the world today. And he does a good job of explaining why crosstalk ...

Jake Bernstein: Right here and ask. I think the question that is on every single listener's mind right now, which is, Kip, what is a cyber weapon?

Kip Boyle: Yeah. A cyber weapon. Right. So my goodness. So, I think a great example of a cyber weapon, actually there's two, and they both kind of burst onto the scene in 2017. One of them was called NotPetya and the other one was called WannaCry. And if you're paying attention to the news at any point in mid year last year, you probably have heard one or maybe both of them. A cyber weapon is a piece of malicious code that exploits networked computers and sometimes not networked computers, because one of the books I'm going to recommend actually pulls that feat off. And the goal of cyber weapons generally speaking, is to disrupt and destroy either the data on the computer systems that they access or to take the computers completely out of commission so that you can't even turn them on anymore, even if you wipe the hard drives clean and put a new operating system on there.

And so WannaCry and NotPetya are two very current examples. And they rely on something called a zero day exploits. And what that means is a flaw. In this case, WannaCry and NotPetya both exploited a previously unknown flaw in the windows operating system, for which there was no software update that you could apply. Or, if there was one, it was so new that people didn't really understand the implication of not applying it. And so these cyber weapons just ran a muck. Both of them did. WannaCry caused tremendous damage, mostly in the UK. And it just ran through the healthcare system of the UK and crashed computers, which resulted in a lot of delayed healthcare appointments. And I don't know, but I wouldn't be surprised if some patients actually died or became ...

Jake Bernstein: Probably, yeah.

Kip Boyle: ... more seriously ill because they were denied timely treatment. NotPetya first was exploded in the Ukraine and then ran a muck across Europe and the rest of the world and caused over a trillion dollars in damage to various companies. And this has all been documented. So cyber weapons are just like bombs, except they don't generally destroy physical objects. They don't kill people outright. But, they cause tremendous harm in terms of denying people's abilities to use computers. And since we're all dependent on computers these days, you're talking about a lot of damage,

Jake Bernstein: It's interesting the way we describe these. I was having a conversation with a new colleague who comes to the law firm from the military about cyber weapons. And within the military there's a specific definition of weapon. And it turns out that in order to get the weapon definition, you need to be able to describe with particularly and predictability the effects of a weapon. So the Air Force is really good at this. They make a bomb or missile and they can tell you to within feet, how far shrapnel's going to fly, how much energy is released, how much damage it's going to cause. It's fairly obvious with rifles and machine guns. The problem with cyber weapons is that you don't necessarily, it's more like a virus. We use the term virus oftentimes, but you can't necessarily predict where it's going to go, how much damage is going to do. You don't necessarily have control over it. And I think that makes cyber weapons, I would think, extraordinarily frightening. Because, the US could develop one and fire it off in retaliation for an attack, if we did such things, and accidentally hit allies. You don't know.

Kip Boyle: Right. And so that kind of, yeah, when you destroy or hurt more than you intended, that's called collateral damage.

Jake Bernstein: Collateral damage.

Kip Boyle: Right. And so these days we have so called smart weapons, right? These are kinetic weapons, right? In other words, they exist in the real world and when you use them, real things in the world blow up and become destroyed. And so that's been a big innovation lately is the smart weapons, these so-called surgical strikes. Now, smart weapons have done a lot to decrease the amount of unnecessary death and destruction. Of course, if you still choose the wrong target, it's still going to cause more death and destruction than you meant to cause. But you're right. Cyber weapons, we really don't have that kind of control. So they're smart, but they're also dumb because they're not surgical in any way, at least not yet. And there's so many problems with cyber weapons.

But, that's one of the reasons why I like David Sanger's book is because he talks about these issues, right? Even though it's the so-called perfect weapon, but it has has a lot of downsides. There's a lot of difficulties. And I would say that it's a huge paradigm shift. It's just like going from a world without nuclear weapons, to a world with nuclear weapons. There's all these questions, like when is it okay to drop a nuclear bomb or launch a nuclear missile? What are the rules? How do we know when we're supposed to use these things? Is it okay to put a nuclear warhead in a suitcase sized bag and carry it around and set it off? Can I put a nuclear warhead in a shell and fire it out of a cannon? Is that OK? Can I position nuclear bombs orbiting the earth and just drop them whenever I think they need to be dropped?

I mean, all this stuff was not figured out right away. And it took from 1945 until, somebody would probably argue that we still don't really have it all sorted out. But, it took decades to figure out how to control nuclear weapons and what are the rules around them. And I think David Sanger is describing that same paradigm shift when it comes to cyber weapons because we don't know the answers to any of those things.

Jake Bernstein: Yeah. Well, that sounds like a great book and most definitely going to be one that I pick up and read here soon. How about the next book?

Kip Boyle: Okay. So the next book is not what I would call geopolitical in nature, although there are some geopolitical implications. But, the next book is called Spam Nation, and it was written by a journalist named Brian Krebs. And some of you may know that he writes regularly for his own website and it's called Krebsonsecurity.com. And Brian is a really great author. And his book is really interesting because what he's trying to do is explain for us mere mortals, where does all this spam email come from and why in the world does it keep coming? And so he really does a nice job of going underground. So he actually taught himself Russian so that he could visit underground websites where spam authors talk to each other and he's dissected the whole spam economy.

Who's sending it, who's buying it, what kind of stuff can you get from spam? And some of it's really compelling. I mean, some of it's actually kind of dumb. You're like, "Oh my God, I can't believe people are buying pharmaceuticals from spammers, right?" It's like, how do you know that this stuff is legit? But he interviews people and does, I think, a good job of explaining what is the motivation of somebody to purchase drugs that could or couldn't be knockoffs on the basis of a spam message. And I think the big takeaway for me is, spam works and it generates a ton of money. And so it's not going to stop anytime soon.

Jake Bernstein: No. And you know, it's interesting, anyone who cares to look and can find that I have represented and done a lot of cases involving spam. And it's really interesting. There's a lot of, first of all, that that word has no legal meaning in the various, even canned spam, it's actually all referred to as commercial email, sometimes unsolicited commercial email.

Kip Boyle: Yeah. That's the term I know.

Jake Bernstein: The problem is, is that spam is also a vector for a lot of security issues. Obviously there's a lot of anti-spam software out there. There's whole areas dedicated to that. But, the harm from spam really it's difficult to ... phishing right? Phishing is a form of spam. I mean, it is, right? I mean, most people don't necessarily think of it that way, but it really is the same problem. It's emails going through that are not what you actually, you don't want them.

Kip Boyle: Right. You never requested them.

Jake Bernstein: But, you're getting them anyway. Interestingly enough, most legal spam, at least at some level, has been requested, at least that's the claim. So I'd be curious to know how this Spam Nation book ties into executive cyber risk management.

Kip Boyle: Well, so all these books really tie in, in the same way, which is if somebody's going to be a good cyber risk manager, right?If they're going to thrive at cyber risk management, in addition to whatever their other job might be. So you might be general counsel for a corporation, or maybe you're the CIO, the vice president of IT. If you're going to be a good cyber risk manager, you've got to understand what's motivating the people who are messing with us. We have these adversaries, all right? And the open question here is, why are these people doing this? Why do I have to spend money on a spam control system? What's happening here? And I could trot out Sun Tzu and The Art of War and make all kinds of references to war fighting doctrine and that sort of thing because I think it's applicable. But, let's just simplify it and say you need to know your enemy. If you're going to fight your enemy, you need to know your enemy. And so all these books are meant to give you an opportunity, the reader, an insight into why is this stuff even happening?

Jake Bernstein: Interesting. I think that's a really important thing. Let's, move on to the next book. So we do have six books.

Kip Boyle: Yeah. Okay, look. So the next book is related to Spam Nation in the sense that we're continuing to look at modern criminal activities on the internet. So this next book is called Kingpin and is written by another reporter named Kevin Paulsen. Kevin's an investigative reporter. And this book really reads like a novel. And what Kevin's doing is he's telling the story of credit card hacking gangs. So he's actually describing how is it that credit cards are getting stolen. How does that actually work? And he actually describes the mechanics of how you can go about stealing credit cards. And a lot of the big credit card hacks that end up in the newspapers are Target the retailer, Home Depot the retailer, PF Chang's. I mean, these are national brands. Most people would in the United States anyway, would recognize them.

But interestingly enough, Kevin takes us into what I would call small time credit card theft. So this is gangs that are breaking into pizzerias, like corner store mom and pop places. And he describes in detail how these gangs operate, how they can get in unnoticed and silently siphon off all these credit cards. And in many times completely get away with it. How they use the credit card numbers that they obtain, whether they resell them or whether they actually use them to purchase whatever supplies they need. Anything from fresh clothing to hotel rooms, where they can actually set up their attack platforms. It's just a really amazing closeup, intimate picture of the modern criminal underworld. So that's why that's on the list.

Jake Bernstein: I think it's important to understand that because so much of cyber security thinking is driven by the threat actors, right? The bad guys who are out there. Who are they? And we've talked about it before multiple times about who the adversary is not. It's not Mr. Robot, hoodie wearing teenager in the bottom his parent's basement. Nation States aside, it's criminal gangs. And so, yeah, I think a book like that is very helpful in kind of getting insight into that world.

Kip Boyle: Yeah. And if you run a mom and pop store or you're somebody who advises small business, right? The common narrative from a small business owner is, "Why would they want me? I don't have anything to offer them." And you read a book like Kingpin and you realize, "Oh, you do have something that they want." You just have to recognize it. And then as we've talked on previous episodes, maybe you as the retailer aren't hurt very much because these gangs are siphoning off credit cards that you're processing in order to take money from your customers. But, the reasonable cybersecurity doctrine says that you have a duty to safeguard these transactions. So you can't just turn the other way and pretend like it's not happening.

Jake Bernstein: Yeah, no, you really can't.

Kip Boyle: Okay. So, those are the ...

Jake Bernstein: Next book.

Kip Boyle: Yeah. So those are the first three books, so we're halfway through. Now, the next book is called Future Crimes and it's by a guy named Marc Goodman. Now, full disclosure; I worked with Marc Goodman. He's a friend of mine. We've done projects together. We've served customers together, so I know Marc really well. But the reason his book is on the list is because if you want an opportunity to sort of gaze into the crystal ball and get some idea about what does the future hold in terms of the kinds of crimes that we can expect to see hitting the headlines in the next five to 10 years, then you're going to want to read this book. He's looking at really the cutting edge, and sometimes I even say the bleeding edge ...

Jake Bernstein: Bleeding edge, yeah.

Kip Boyle: Yeah. Of how technology is being used to commit various crimes. And, the anticipation of the kinds of crimes that Marc thinks is maybe just beyond the fingertips of criminals today, but probably won't be out of their grasp some time in the near future. So, if you're a kind of person who loves to think about the future, if you're trying to skate where the puck's going to be, as opposed to skate where the puck is, I love that metaphor from ice hockey, then this a good book for you to get.

Now, interesting thing about Marc, and he talks about this story in the beginning of his book. But, Marc was actually a Los Angeles beat cop early in his career, right? So he went to the police Academy, came out, road in a police car in patrol and all that. And one day, apparently he was in the headquarters and his supervisor yelled his name across the room, "Goodman get over here." And so he thinks he's going to get his butt chewed out. And he goes over and his supervisor says, "How do you do a spell check in Word, perfect?" And then Marc says, "Oh, that's a control F4 boss." And he goes, "Great. I knew you knew the answer. You are now a member of our newly formed high-tech crimes unit. Here's your first piece."

Jake Bernstein: Wow. That's pretty cool.

Kip Boyle: Yeah. And I don't know if that's how they recruited these guys crosstalk ...

Jake Bernstein: One of my good friends also went through LAPD and ended up on their cyber crimes task force. So interesting.

Kip Boyle: Yeah. It's a great story. But, I also think it's kind of illustrative of law enforcement and how law enforcement kind of got into this situation. And I think if you read Marc's book and you kind of watch the arc of his professional development, I think it's a way for you to appreciate just how far we've come in terms of members of law enforcement who can actually understand the nature of the crime that's actually being committed.

Jake Bernstein: Yep. No, very true. Very interesting.

Kip Boyle: Okay. So that's ...

Jake Bernstein: Book number five. What do we have?

Kip Boyle: Okay. This is one of my all time favorite books and I made it number five on the list because it's really fun to read, but it's old. So it's called The Cuckoo's Egg by Cliff Stoll. I read this a long, long time ago. But, what's fascinating about this book, and by the way, this is like a spy thriller. This is how it reads. Cliff wrote it, and it's his first person account of an experience that he had. So check it out. So way back in 1989, he was an out of work astronomer, all right? So he's working at a university and he's working on an astronomy research project, and he runs out of funding. And all of a sudden he has no funding for any more astronomy based research. So he's like, "Well, I don't want to go get a real job." So he goes over to the universities computing center and says, "Hey, do you have anything for me to do?" And they put him to work.

So, one of the things that he did in this job that he dabbled in was, they had a shared computer and everybody who used it had to pay for the time that they spent using it, right? I mean, I don't even know if this sort of thing exists anymore, where you've got to pay for your computer time. But way back when this was a common thing. And so he was going through the accounting logs and doing some reconciliations to make sure that the money was being charged back appropriately. And he found a 75 cent error in the accounting that he was reconciling. And, I don't know if this is because this is what astronomers do or because this is just who Cliff Stoll is, but he decided he needed to know what's going on with the 75 cent error. That doesn't make any sense. They had checks and balances in this accounting system and so it didn't make sense that this error would exist. So, he starts scratching into this. And what he inevitably uncovers is a massive cyber spying operation in 1989.

Jake Bernstein: Crazy.

Kip Boyle: Yeah. And when you read the book, you realize that the narrative that he's telling is really no different from the bot net take downs that are going on today. And why is it no different? Well, because he had to court, first of all, he had to figure out where is this spy coming from? So there's a whole ton of work that he puts into just trying to figure out, who is on my system, how did they get here, and where did they come from? So he had the whole attribution problem that he had to unravel, right? Who is this? Where are they coming from? And this is when he realizes that he's being attacked by somebody who's hopping through multiple computers before he shows up on his computer.

And then it turns out that Cliff's computer is just sort of a throughway that the hacker is then using it as a launch point to go after even more computers. And so ...

Jake Bernstein: Wow.

Kip Boyle: Yeah. So he identifies this guy and then he involves local police and then finally the FBI, and then he gets the FBI to contact the national police in Germany. And then it turns out that the hacker's coming from an East German spy ring. Anyway, it's a fantastic story. And one of the things in there in particular that I continue to remind myself of is that many of the techniques that Cliff Stoll used to slow the hacker down so that he could trace the origin of the attacker are things that we are debating today, this active defense measures.

So, one of the things he did to slow him down is he created a whole bunch of false, but highly enticing documents.

Jake Bernstein: Like the first honey pot.

Kip Boyle: He did the first honey pot. That's right. And it worked. So, the spy was rummaging around the file system, found this directory called, I can't remember what he called it, but it was this super supposed secret project that they were working on. And he put all kinds of really interesting letters and memos and reports in there, and the guy just fell for it, hook, line, and sinker. And today, we would put beacons in documents like that, so that if a cyber attacker stole the document, brought it back to their computer, opened up the document, there would be a little piece of Java code in there that would fire off silently and send a kind of homing signal back to me as the cyber defender. And I would know where in the world, geographically, the attacker was attacking me, even if they were going through Tor or a whole bunch of other computer systems to anonymize themselves. So, it's a fantastic book.

Jake Bernstein: Very cool. That one I'm excited to read. I've actually owned it, so I'll be reading that one soon.

Kip Boyle: Oh, and it's so easy to read. Cliff is a really great writer. Of all the books on here, I would say that one is kind of like munching on a Snickers bar. It's just fun.

Jake Bernstein: Excellent. All right. So number six. What is the last book on this list?

Kip Boyle: Okay. Number six is called Countdown To Zero Day. And it's by another reporter named Kim Zetter, Z-E-T-T-E-R. Countdown To Zero Day. And you remember earlier in our episode here, I talked about zero day exploits, and that's kind of what Kim talks about. And specifically, she's talking about a piece of malicious code, a cyber weapon called Stuxnet. I think you know about Stuxnet, right?

Jake Bernstein: I do, yeah. Stuxnet is basically the cyber attack that disrupted significantly Iran's nuclear enrichment program.

Kip Boyle: That's right. Yeah. So, Stuxnet is still, nobody has really claimed responsibility. The world thinks that it was a joint effort between the United States and Israel. But, no matter where it came from, the effect of it, I think is now better understood than ever. And Kim's book is I think the definitive public account of Stuxnet; how it spread, what it did, how it was discovered. And by the way, Stuxnet, we talked about NotPetya and WannaCry. Stuxnet is similar to them in the sense that it's a cyber weapon and it caused real damage. But, it's a wildly more sophisticated cyber weapon because the Natanz uranium enrichment operation in Iran was actually air gapped. In other words, none of the computers inside there were directly connected to the internet. And so, one of the big hurdles that the authors of Stuxnet had to overcome was, how in the world do we get a piece of malicious code onto a computer that's not connected to the internet? And they did it. And one of the ways they did it was by putting Stuxnet onto thumb drives and dropping thumb drives in parking lots and everywhere they thought that people who worked at the Natanz facility visited. And sooner or later, somebody picked one up, brought it in there and connect it to the system. And the thing ran a muck.

Jake Bernstein: Now, here's an interesting question, and hopefully I won't be spoiling anything, but did Stuxnet do anything else?

Kip Boyle: Oh yeah. So the purpose of Stuxnet was to specifically find and mess with centrifuges.

Jake Bernstein: That's my understanding was that it basically, it sent commands that simply causes centrifuges to break themselves.

Kip Boyle: That's right. Or to operate in very unpredictable ways, so that the enrichment process, the centrifuges were designed to enrich uranium to become weapons grade. So Stuxnet would greatly affect or impair the ability of the centrifuges to do their job and so so they wouldn't work properly. But at the same time, Stuxnet also fed bogus information to the control panels of the centrifuge operators. In other words, I'm operating a centrifuge and my control panel shows green lights. Everything's operating the way it should, but that's false. And in fact, Stuxnet is telling the centrifuge, "Okay, speed up now. Okay. Now quickly slow down. Okay. Now speed up again. Okay. Now, speed at 150 times your rated revolution rate. Okay. Now vary your speed by 50% every two minutes." And so what happens was sometimes these centrifuges would spin out of control and would actually break. And sometimes they would just produce uranium that was not sufficiently enriched. And they could not figure out what was going on because their control panels were lying to them all the time.

Jake Bernstein: Mm-hmm (affirmative). Interesting.

Kip Boyle: And this is what we call industrial security.

Jake Bernstein: Did it do any damage outside of Natanz?

Kip Boyle: Well, I'm not positive that it did, but I know that we've found samples of Stuxnet outside of Natanz in different places, different computer systems around the world. But, Stuxnet was programmed to specifically seek out and mess with a very specific model of programmable logic controller. And so if it ended up on a computer system that didn't have that PLC, it wouldn't do anything. So there's no reason [crosstalk 00:32:32] ...

Jake Bernstein: The reason I was kind of prying for that specific piece of information was to point out that cyber weapons can be very highly targeted. It is possible to do that. The difference between NotPetya and Stuxnet is that Stuxnet was written to effect, as you said, a single type of programmable logic board or circuit. That's real smart. I mean, in the scheme of things, right? So ...

Kip Boyle: That's an attempt to create a surgical strike.

Jake Bernstein: Yeah. It's interesting to point that out and notice that, hey, look, that's clearly a cyber weapon. That's just not a random virus, right?

Kip Boyle: Right.

Jake Bernstein: And it was very surgical.

Kip Boyle: Yeah. It was very surgical. So, you think about Stuxnet and they think back on NotPetya. And you look at NotPetya and you ask yourself, "Well, wait a minute." NotPetya was probably created by a nation state, which implies lots of expertise, lots of time, lots of money. And so you wonder like, "Well, so why wasn't it more surgical?" And actually some people think that NotPetya was deliberately not surgical.

Jake Bernstein: That would be my guess.

Kip Boyle: Right. In other words, the message of NotPetya could be, "Yeah. We are going to attack the Ukraine, but know that if you do business in Ukraine, you're not safe." So if you're an international company and you have an office in Ukraine, well, you might get hurt far beyond your operation in that one country. And that's exactly what happened.

Jake Bernstein: Yep. So, these six books, our goal here is always to educate our listeners about cyber risk management. And these six books provide, I think, very good real life examples and stories of exactly what it is that the industry is, industry, not the industry, industry in general is up against. And I think that perspective is very helpful. I definitely would recommend these books to clients who have questions and I think there'll be good with that. It's always good to have a reading list.

Kip Boyle: Well, so I'm glad I can provide that. There's many other books, of course, that potentially could have come on this list. But, I think these are probably the highest return for the effort spent. And so I'm glad I had a chance to share it today. And that actually wraps up the episode. So, we're going to call it a wrap. Today we shared and discussed my top book recommendations to help people thrive as cyber risk managers. We'll see you next time.

Jake Bernstein: See you next time.

Kip Boyle: Thanks everybody for joining us today on the Cyber Risk Management Podcast.

Jake Bernstein: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR, and IT for full effectiveness.

Kip Boyle: And management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.

Jake Bernstein: You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.