EP 97: Killware

Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.

Sign Up Now!

About this episode

January 18, 2022
What’s happening at the convergence of cyber-attacks and the loss of human life? Let’s find out with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are, Kip Boyle, virtual chief information security officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com, and klgates.com.

Jake Bernstein: So, Kip, what are we going to talk about today?

Kip Boyle: Jake, hey there? Well, it's a gloomy topic, to be honest with you, but we need to do this. We need to explore it, and what we're going to talk about today is the convergence of cyber attacks, and the loss of human life.

Jake Bernstein: Well, that is dismal.

Kip Boyle: Yes, it is, but, this is a time when I'm trying to actually take some of my own medicine, because, in my book, Fire Doesn't Innovate, I talk about these kinds of exercises, and they're called negative visualization. And the idea is, you can't just go around thinking about happy path all the time. Sometimes, you have to stop and you have to think about the threats that could be coming at you, and you want to get your arms around them be before they become what I would call existential threats. So that's what today's podcast is about; it's about negative visualization.

Jake Bernstein: Okay. Well, I tell you what? You'll have to explain to me how this is different than threat modeling, but, in the meantime, I shall reserve the right to call you Eeyore the excessively pessimistic donkey, if you go to for bar with gloom and doom.

Kip Boyle: Nice Eeyore reference. That is the character that pops up into my mind whenever I think about doing this kind of work. There's another character too, which I don't want to ever be confused of being, which is Cassandra. I don't know you if you know Cassandra, but that's an ancient Greek mythology. She's somebody who does prophecy, and she tangles with one of the gods, and it doesn't come out better for the experience. She gets cursed, so that she can see the future, but that nobody will believe her prophecies, and she gets quite shrill in this story.

Jake Bernstein: That would be frustrating, to know that you're correct, but no one will listen to you. Those are very different characters we don't want to be either.

Kip Boyle: Anyway, thanks for keeping an eye on me. I don't want to be Eeyore either.

Jake Bernstein: I don't think we are. I think that we tend to be pretty measured in our pessimism, which, I think, sometimes, as they say, if they're actually out to get you, you're not paranoid.

Kip Boyle: That's right.

Jake Bernstein: And I think, similarly here, I don't think we're being pessimistic, I think we're being realistic, and I think it's important to draw a distinction between, there's the rose colored glasses of excessive optimism, which definitely I have worn from time to time, and you can be Eeyore, but I think in this case, we are unfortunately being realistic.

Kip Boyle: I think so too. But it's funny, I can tell you that in my attempts to be realistic, and to practice negative visualization in a responsible way, I have, on the job, in the past, been accused of being Eeyore and Cassandra at different times.

Jake Bernstein: I can see that.

Kip Boyle: I mean, there's just some people who just don't want to hear any kind of negative talk at all. So, listeners, if you're working in the cybersecurity industry already, I got to think that you've had this experience before. And if you haven't, hang on, because, I think it's inevitable. I think it's a rite of passage.

Jake Bernstein: Well, that's worrisome in some ways, because I think, being a Cassandra is no good, being Eeyore is not great, but being a yes man is almost worse.

Kip Boyle: Yeah. Sometimes, though, you have to do that to keep your job, and... I don't know. I mean, the politics of the workplace is what's creeping into our conversation here, but that's not what I want the episode to be about.

Jake Bernstein: Of course not. I agree. So, what will we be discussing then?

Kip Boyle: So, listen, we're going to talk about, again, this intersection between cyber attack and human death. Now, originally, when I was preparing this episode, I was thinking that we would talk specifically about ransomware attacks on hospitals, and how that has contributed to patient mortality, because there's actually some studies out there, and a couple of news stories, which, we'll look at the news stories in a minute, but as I started doing the research, and unpacking this, I actually found out that the situation is way more serious than I realized. And it wasn't because I didn't know about the other information that I was retrieving, I just hadn't connected the dots. So, we're going to connect those dots, I'm going to share with you the dots that I connected as I was doing the research, and then towards the end of the episode, we'll talk about, how bad could this get?

And so, I think the title of this episode is going to be Killware, believe it or not. That's the new turn of phrase. Have you heard that before?

Jake Bernstein: Only in our discussion planning for this episode. It reminds me... I mean, I think one thing that is not is, if you ever read William Gibson, Neuromancer, you may have heard of black ice. That's Killware of a different style. We're not there yet, but this is... You know what? I almost would call this murder ware.

Kip Boyle: Yeah. Possibly, or manslaughter-ware. I mean, it just depends. I mean, there's a legal dimension to this, which I'll touch on, but then there's just the practical, getting through life aspect of it here, but let's go ahead and start digging in. So, I was just looking at the past two years, I was just looking at cyber attacks and I started with ransomware. And so, let's go ahead and just start with a big cyber attack that happened in 2019, and that was the city of Baltimore in the state of Maryland here in the United States. I'm not going to unpack all the details, but it was a pretty typical, although large scale ransomware attack. This is when ransomware really started to get large scale, and the city of Baltimore was really hung up in it-

Jake Bernstein: I remember that.

Kip Boyle: And I thought about it, I was like, "All right, what was the goal of the attack?" Well, I think it was because the cyber attackers are trying to gain, they wanted money, and they were hoping that the ransom would be paid. "All right. So then how were they threatening the city?" Well, really, it was the denial of service attack in a way, not the way we think of as far as taking down websites and stuff, but really mass inconvenience for citizens; they can't access routine city services. So I was thinking, well, all right, the idea's we're going to lock out the citizens, keep the city from doing business, and then they'll pay us money. And I think that's a good summation of what was going on there

Jake Bernstein: It is, and I think it's... I mean, it feels like a good summation of, in many cases, all forms of ransomware. The very, very basic goal is, we're going to stop you from doing business by denying you access and service until you pay to unlock things. And, there's lots of different ways, I think, to parse the mechanism that ransomware functions, but that's as good of a summary as any.

Kip Boyle: Okay. And I think that's an important data point, because, notice in there, nowhere did I say Killware, I didn't say anything about death. That's-

Jake Bernstein: Nope. That's pretty standard ransomware is what I would say.

Kip Boyle: Pedestrian almost.

Jake Bernstein: Almost.

Kip Boyle: As we look back on it, although at the time, I was aghast at the audacity to attack an American city of that size. I just thought, "Wow, that's really brazen." And it says a lot about how comfortable these people feel that they could do this. Okay. So now, let's also look now at another data point. So there was attack also in 2019, it was a ransomware attack, and we just found out about it, because there was a lawsuit filed downstream from the attack. And the lawsuit was from a private party against Springhill Medical Center, which is located, now, Alabama. Now, what happened was, and I think we have to unpack this one a little bit, because this is something that's just been recently revealed, but the medical center had a ransomware attack, and that did, in fact, impair their system, and the hospital continued to operate. Inside the hospital, inside the neonatal intensive care unit, there was a child that was born that was in distress, and the baby was being monitored... Neonatal intensive care unit, if you've never been in there, that is, that is like a little heaven on earth. People in there are just angels, amazing, amazing people that just care for these very sick infants.

And, unfortunately, the child died, and the lawsuit says that it was... They were alleging that it was due to a lack of vital signs monitoring, that would typically be in place and would be monitored by the NICU nurses, but that system was one of the systems that was actually disabled by the ransomware. Now, in this case, whether it can be legally proven or not, that the ransomware attack resulted in the death of this child, I don't know, and we won't know until things run their course, but I think it's fair to say that the goal was, cyber attack a medical center, because the attackers wanted money, same as Baltimore, and the threat was, hey, massive inconvenience for staff and patients, create some chaos and mayhem, and I don't know that the cyber attackers were trying to cause death, but I think it's reasonable that there was a death, and I think it certainly had something to do with the ransomware attack.

I don't know the causal relationship in the legal setting, I'll leave that for you and the other attorneys to sort that out in court, but my point is, now we're starting to see ransomware attacks that have this byproduct of human harm.

Jake Bernstein: I think with this one, I don't want to presume to ascribe motive, or downstream thinking to the attackers, but I'm just going to... If I was betting man, which I am not, but if I was, I would bet that the attackers in that situation, in the traditional layman's terminology, probably didn't intend to kill anybody.

Kip Boyle: Probably not.

Jake Bernstein: I think what they were thinking was, a medical center is going to want to get its systems back online as soon as possible, because it's important, so if we lock it down, they should pay us quick. Right?

Kip Boyle: Right.

Jake Bernstein: And, should they have maybe... I think, could they have reasonably foreseen that a death could result from a hospital ransomware attack? I think yes, but I think at this time in particular, my guess is that you are correct, and that this was intended to be along the same lines as the Baltimore ransomware attack, and really any other ransomware attack. And, one could even argue that the hospital should never have had these critical NICU monitors hooked up to a vulnerable data network. Ultimately, that may be the key to liability here, because it's not like the hospital asked to be hit with a ransomware attack, and it's not like the people are able to sue the ransomware attackers. So, that's the legal question there, but in any event, I think it's clear that this... And it's clear that it was a foreseeable byproduct of a ransomware attack.

Kip Boyle: I think so. I think so

Jake Bernstein: I'm curious-

Kip Boyle: It's also showing that there's a convergence that's beginning here, cyber attacks and human harm, and human death.

Jake Bernstein: I mean, what it is, is it's a... The convergence, or I would say that the cyber is beginning to bleed into the real world, is what this is doing. So, still though, I'm not sure that I would... And I'm not sure where we're going to go exactly yet, because that's the fun of this podcast, but I'm going to say, at least, that I'm not quite ready to proclaim that that ransomware was actually Killware. Doesn't seem quite to fit.

Kip Boyle: I'd say that's true. I'd say that's true, but again, I'm connecting dot. So, let me crosstalk-

Jake Bernstein: No, no, I got it. And I'm drawing the map.

Kip Boyle: So, let me give you the next dot. So, in 2020, just about a year ago, in Dusseldorf, Germany, Helios University Hospital suffers a ransomware attack, and it's very similar in concept, I think, to the Springhill Medical Center, and in countless other hospitals and medical centers that have had ransomware attacks directed at them. The difference here, though, which I think lines up with Springhill, is that there was a human casualty. Again, cause an effect and legality, I have to set that aside, because I'm not involved in that, but I think here again in this university hospital, their systems were impaired, because of this ransomware attack, the motivation was clearly financial gain for the attackers. I mean, there were ransom notes and negotiations, just like in Springhill, just like in city of Baltimore. So it really fit the pattern, but there was also a patient death. So there was a woman who was en route to the university hospital for a emergency treatment, and the hospital told the ambulance that their emergency room was unavailable due to the system's failures, and so they advised the ambulance to route to another hospital, and the patient died en route.

So, the local government in Germany... Actually, the prosecutors investigated this as a potential homicide. Ultimately, they declined to prosecute, because... And I don't know all the details of this, but they felt like they could not put together enough evidence to meet the legal standard in order to be able to prove murder, or manslaughter, or what have you. So, I'll be interested to hear your comment on this one, but, again, it's just another data point, and there's all kinds of other researches here that shows that patient outcomes related to ransomware attacks are worse, because of the attack, than not, but here somebody died again.

Jake Bernstein: And again, I think... First of all, my caveat here is that, I'm not much of a criminal lawyer. I took criminal law in law school, which is required, and that's about it. I'm not really familiar with the ins and outs of criminal law, but what I do know, at least in the US, is the concept of mens rea, which is the guilty mind, or the appropriate motive needs to be involved, because... Just to take a classic, if you look down at the wrong moment and get into a car accident and somebody dies as a result, we don't call that murder, there's other words for it. It's manslaughter, or it's negligent homicide and things like that, but the difference between murder one and murder two, and everyone watches those shows, is intent, the malice of forethought, so to speak. And, there's other terms out there like reckless endangerment. I think if you direct a ransomware attack at a hospital, at a minimum, there's not much doubt in my mind that you're recklessly endangering the lives of others. Is it murder? I mean, whether I think it should be or not is irrelevant, I think the reality is that it's unclear at this point.

And again, I'm really curious to hear what you say, because even this one, which really is not that different at all from the Springhill Medical one, where we just said, we probably wouldn't label that Killware, I'm still not sure that I'm ready to label this Killware. It's a, I could call it recklessly endangerment ware, but that's a mouthful. And, I think, again, the direct connection is a little tenuous, and that may be what the prosecutors in Germany were contending with. And still, all of this, of course, is tragic, it feels avoidable, and it definitely feels as though the ransomware has played a part. We're not really saying that, but I guess what frightens me is that, there's still dots to connect, and that there is an escalation that we're seeing. So, what's next?

Kip Boyle: Okay. So the next one really isn't a ransomware attack per se, but it was a cyber attack, and it happened in early 2021, and it was against a water treatment facility in the town or city of Oldsmar, which is located on the West Coast of Florida. It's a little North of the Tampa St. Petersburg metro area there. So this was not a ransomware attack, but it was a cyber attack. What was interesting about this is that, somebody, person's unknown, gained remote access to the critical controls, I'll say that, at the water treatment facility, and they actually was in the process of raising the levels of the amount of lye that was being introduced into the water supply. All right. So lye is commonly used to treat water to make it safe for drinking. So the presence of lye itself is not extraordinary, it's quite common, but it's got to be used at the right level. Too little lye, and the water doesn't get sufficiently clean, but too much lye can actually cause skin burns, and if you drink water with too much lye in it, you're going to get severe internal injuries, you're going to burn, basically, your insides.

And, I can't imagine what it would be like. It would probably be very painful for an adult to do this, but for a child or an infant to drink water with high concentrations of lye, I don't know, could be fatal, but however you want to classify this, I mean, I just don't see how you could interpret this cyber attack as anything less than an attempt to hurt people, and there was no evidence of any desire for financial gain. I mean, this was just, how many people can we hurt? And the only reason that it failed is because, this attack was attempted in broad daylight. It was done during working hours in the city of Oldsmar, and a technician saw the attack in process, and stopped it. So, I thought this was fascinating.

Jake Bernstein: It sounds like a live fire test to me.

Kip Boyle: Yeah. And, by the way, not a very sophisticated one either, because I think that this could have easily have been done in the dead of night, much more silently. To me, this almost, not only seems like a test, but it almost seems like a warning shot.

Jake Bernstein: So, I mean, this feels like terrorism, or an act of war almost. It's hard to classify this one as anything other than that. I mean, look, attacking a hospital with ransomware and shutting down its systems, I think, is... I think once you know that somebody could die from that, doing it again is attempted murder. I mean, I think that it could rise to that level. I mean, if you want to inconvenience people, go after the city infrastructure where it's super annoying, but the chance of somebody dying is quite low, and it's going to be random chance almost. Attacking a hospital, I mean, come on, I think, at this point, you should know that that's a realistic outcome.

Attacking a water treatment facility with the express intent and action of increasing a caustic chemical level is nothing other than assault, and truly, attempted murder. So, I think, this, even though nobody died, and even though it was caught, I think I would begin to classify this as a Killware, as an early attempt at Killware.

Kip Boyle: Maybe a prototype.

Jake Bernstein: Maybe a prototype. It almost doesn't matter. It's deeply distressing, because you know that there's... I mean, when the critical infrastructure is so connected, and these types of things can be done remotely, I mean, for all the reasons that we have repeatedly mentioned on this podcast over nearly a hundred episodes, how many times have we talked about the differences between the old style bank robbers who, at a minimum, have to put themselves in harm's way to physically enter a bank, you think about the equivalent, certainly poisoning a water supply is an ancient concept of attack.

Kip Boyle: It's a crosstalk-

Jake Bernstein: But it's hard, you have to physically gain entrance, you have to contaminate, it has to go unnoticed, but this-

Kip Boyle: And you have to get out.

Jake Bernstein: And you have to get out. This, on the other hand, it is, for all the reasons that all the cyber attacks that we talk about are so difficult to stop, this is the same thing. And, I think this is nothing other than a deliberate attempt to create chaos, damage to society, and, at minimum, hurt people. So, the fact that there was no detected financial component, I think, makes this worse.

Kip Boyle: I think so too. And I think that it probably wasn't automated, or maybe it was semi-automated, because when I think of Killware, just like I think of ransomware, or whatever, I think of a piece of software that does most of the heavy lifting for the attackers. And I don't think that what we saw here in the Oldsmar attack was automated very much. I think of it as a prototype, because it could have been automated. I see no reason why it could not have been automated. Okay. So there you go. So those are the dots that I found myself connecting, but it went on from there. Once I started seeing this term Killware, and I started reflect on the Oldsmar attack, well, then I put Killware in as a search term, and lo and behold, in October of 2021, which is only a few weeks prior to us recording this episode right now, the department of Homeland Security in the United States actually came out and said that Killware is a real thing, and they actually did a press release, and in interview, and they're actively promoting this idea that Killware is in our midst.

And, they characterize it as the next line to be crossed in the cyber security threat landscape, and they're saying, "Look, there are some bold people out there who are willing to cause death and destruction, either to get money, or simply to make a political statement."

Jake Bernstein: That's terrorism. crosstalk That's the definition of terrorism.

Kip Boyle: And it's funny, because I don't remember them using terrorism, that label, in what I read, but I have no problem. I have no problem with that label.

Jake Bernstein: Well, I mean, it's either terrorism, or an act of war. And I think, speaking of an act of war, one thing that we have not discussed, and certainly, we don't have nearly that much information, but I do remember hearing about... Well, I mean, we've talked about it before, I believe it was NotPetya. That was the... I mean, I don't want to even call it ransomware, because it really wasn't. It was just destruction-ware.

Kip Boyle: Well, but it did present a false flag. It did actually drop ransom notices, but there was no way crosstalk to actually take action on that.

Jake Bernstein: I remember that.

Kip Boyle: The information provided was incomplete, erroneous, and so it was just this cover, this very thin cover.

Jake Bernstein: But, was it not NotPetya that targeted Ukrainian crosstalk heating, or at least I'm not sure if it targeted it, but it affected the ability of the Ukraine to provide heat in the dead of Ukrainian winter, which... I mean, if that's not lethal, I'm not sure what is.

Kip Boyle: Well, that's another great example of this idea of Killware, because-

Jake Bernstein: That's years ago.

Kip Boyle: Right. That was in 2017, but it happened in another country. And so, "Sorry, can't help it, but we're very US centric." And now it's come to the shores of the United States. Something that's happened in Ukraine, which was, "Hey, it's the dead of the winter, let's pull people's heat." Of course, people are going to freeze to death, some of the more vulnerable population is probably going to die, and now it's here. Now it's here in Oldsmar, Florida, and who knows how many other attempts have been made that didn't make it into the media. I mean, for every... And we've talked about this; for every exploit that we hear about, it's the tip of the iceberg situation. 90% of what's really going on, we can't even see. So I've got to imagine that there's been other cases just like Oldsmar, but we just don't know about them. They're in the X-files somewhere in a dusty warehouse.

Jake Bernstein: Well, I think, one, this is probably one of our most depressing episodes of all times...

Kip Boyle: We said it was gloomy.

Jake Bernstein: But we need to be realistic, and I think that one of the components of this is, there are cyber weapons out there, that have the exact same design intention as a big old bomb, and they are developed by nation states, and the same concern that I think has always existed about nuclear proliferation is, what happens if criminals or terrorists get their hands on a nuclear weapon? For so many reasons, it is so much easier to obtain a cyber weapon. You're talking about some code, you're not talking about a radioactive hunk of metal with an incredibly sophisticated and complicated piece of machinery around it, and the need to deliver that. You're talking about computer code. And-

Kip Boyle: Well, you're talking about Stuxnet.

Jake Bernstein: Stuxnet.

Kip Boyle: Let's go back to the Iranian nuclear uranium enrichment sabotage. I mean, crosstalk-

Jake Bernstein: That was a cyber weapon as well, but I'm... We don't need to necessarily dig too deep into this, but I think there's a important difference between a cyber weapon like Stuxnet, which had a incredibly specific target... I mean, this was a thing that literally was designed to make centrifuges go too fast, so they broke. That was the goal of Stuxnet. That's a laser scalpel level of cyber weapon, and that's crosstalk-

Kip Boyle: Although it could've easily have been worse than that, because, crosstalk-

Jake Bernstein: It could have.

Kip Boyle: It could have been designed to cause the centrifuges to explode.

Jake Bernstein: It could have.

Kip Boyle: crosstalk people.

Jake Bernstein: It could have. I think that's where I'm going, is that... That was, I believe years ago.

Kip Boyle: 2017

Jake Bernstein: Stuxnet was also 2017?

Kip Boyle: Mm-hmm (affirmative).

Jake Bernstein: Interesting.

Kip Boyle: 2017 was a big year.

Jake Bernstein: Was a big year.

Kip Boyle: crosstalk massive cyber attacks.

Jake Bernstein: I think what we're saying is that, you've said it before where we're all... What's one of your phrases? We're all foot soldiers in the cyber war. We've been saying that for years now, but it's becoming distressingly real.

Kip Boyle: It is.

Jake Bernstein: To the point where-

Kip Boyle: And I have to... I'm sorry, I have to correct myself. Stuxnet was actually 2010, not 2017.

Jake Bernstein: Okay. That's what I thought. I thought it was much longer ago.

Kip Boyle: It was, it was, 2010, which makes it even worse.

Jake Bernstein: Yes. It was much longer ago. I mean, you had talked about a prototype, that was one of the original, "Let's see if this is even possible," and they proved that it was, and now-

Kip Boyle: Well, even before Stuxnet, there was actually a publicly released experiment called Aurora, where they had this big diesel generator out in Idaho, and they remote attacked it, and they actually, through remote means only, actually caused the generator to run out of spec and self destruct. I mean, that was just a proof of concept.

Jake Bernstein: Well, I think what we need to be wary of, and I think... Well, let's use the phrase "cyber risk management" here on the Cyber Risk Management Podcast, is, what we all need to be aware of is that, next time there's a geopolitical, call it what you will, I'm just going to say a war, the being across... Having two oceans on either side of the US is no longer enough to necessarily insulate us from direct attack, and that's a sobering thought that I think must be considered by everybody who touches upon infrastructure in this country. And, that means that's cities, that's states, but that's also a lot of private industry. And if we think about... I mean, the pandemic, I think, has, in many ways, done us all a type of weird service, insofar as, really laid to bear the risks posed by supply chain disruption. We all remember, there's places that couldn't... It was hard to find food, because the supply chains were all out of whack.

And, I don't think it's requires much imagination to imagine how even a so-called regional conflict could result in the launch of cyber weapons that are designed to severely disrupt civilian life. And, that's a sobering thought.

Kip Boyle: It's awful. It's awful. I mean, I think about this new battlefield, which you're describing. I mean, in the 1960s and 1970s, the greatest threat was nuclear annihilation from intercontinental ballistic missiles. And, it took roughly 30 minutes from the time that a missile was launched on one side of the earth, until it could actually strike its target on the other side, and so we built all these early warning launch detectors, satellites, and radar, and back scatter over the horizon things. Well, now, that same distance can be traversed with electrons in the form of packets on the network, in milliseconds. Milliseconds. There is no early warning for this kind of stuff. I don't see how it's possible.

Jake Bernstein: There's not.

Kip Boyle: It's really different. It absolutely has transformed the speed at which weapons can be delivered, and weapons of destruction, as it turns out, not just weapons of mass irritation.

Jake Bernstein: There is one difference, though, that I think is critical, that I want to really highlight in this episode, which is, when that nuclear missile is launched, there's not much that can be done about it at that point. Maybe you could intercept it, maybe-

Kip Boyle: Star Wars, right?

Jake Bernstein: Right. Star Wars. But when it detonates, you're dealing with irreducible laws of physics there. I think what's different about what we're talking about now, the cyber weapons, the cyber attacks, is that, in fact, we have the ability now, before they are launched, to blunt their effectiveness, in a way that is not possible with...

Kip Boyle: That's a good point.

Jake Bernstein: ... Nuclear or conventional weapons. We have to choose to be vulnerable by our inaction. And, I think that... Look at the hospitals, is a good example. It's awful what happens there, but I think that there should also be outrage directed at those institutions for allowing themselves to be in that position in the first place, because it didn't need-

Kip Boyle: I don't like-

Jake Bernstein: I don't want to victim blame, I don't want to shame the victim.

Kip Boyle: I don't either, but they do have a responsibility. I mean, they're not just individuals who are only looking after themselves, they're entrusted with the care of citizens. They have a duty, and that's really what we're trying to focus on. They have a duty of due care. Isn't there a legal standard here around that?

Jake Bernstein: There are many legal standards, and the thing about it too, is that, so many of these network vulnerabilities are things that we've created because it made something slightly easier on someone; a gain of a small convenience. And I think about that, and I think about the risk that it creates, and it just begins to feel less and less...

Kip Boyle: Worth it.

Jake Bernstein: ... Justifiable in the long run, to not correct these mistakes.

Kip Boyle: So, let's-

Jake Bernstein: And I'm not about blaming...

Kip Boyle: I want to springboard off that, because you just said something really important, which is, we're trading off convenience for these increased risks. And I want to now turn our discussion, as we wrap up the episode, towards the future. So, if Killware is a thing, what does that say about our future? And so, I think the first thing we need to do is, I need to bow to your legal need to define everything, because that's really important. If we're going to talk about the future, I think we need to be really clear on what the definition of Killware is. So I'm going to offer a definition.

I think it's the malicious targeting and exploitation of the interconnectedness of critical aspects of everyday life, for the express purpose of causing individuals serious physical harm, or death. What do you think about that?

Jake Bernstein: I think that's a good definition. I might rephrase the ending as death or severe bodily harm, because that's tends to be what the statutes always say when they talk about these things.

Kip Boyle: Bodily harm.

Jake Bernstein: Death or severe bodily harm tends to be the phrase, but it's the same thing, and we're talking about electronic medical devices, obviously, infrastructure, transportation networks. I mean, look, there is literally no other purpose for messing around with the stoplights than to cause an accident, and snarl traffic with people's... You don't have to be even the slightly imaginative to understand how that could cause a death. Right?

Kip Boyle: Mm-hmm (affirmative). I did a presentation recently... That's actually a couple of years ago, for a bunch of insurance professionals, because they were wondering like, "Self-driving cars, oh my gosh, that's going to decimate the automobile insurance industry, because, if it takes off, then the number of private vehicles needing insurance is going to drop." And so they invited me to come and talk to them about, what would be the impact of self-driving cars to their industry? And so, as I started unpacking it, one of the things that I realized is that, part of the visioning for self-driving cars isn't just that they'll drive themselves using their own sensors and that sort of thing, but that they'll actually talk to big city transportation infrastructures, and will receive commands from them. So, if you've ever driven down an interstate during a high traffic, high congestion, here in Seattle, we actually have smart signs that will change the legal speed limit depending on the congestion. So, that's one example of something we have in place now, but in the future, the vision is, is that big city transportation infrastructure would actually issue those commands to the cars directly.

So, in other words, they wouldn't just change a sign and depend on a driver observing that new reduced speed limit, it would actually tell the self-driving car, "Hey, reduce your speed to 35 miles an hour, because there's a big traffic jam coming up." Well, what if, instead of saying, "Reduce your speed to 35 miles an hour," that message gets hacked, and the self-driving car, it receives a message that says, "Increase your speed to 65 miles an hour, because the road ahead is clear?" What do you get? And you haven't even hacked the car, you've hacked the transportation infrastructure. And, why do we do all this? Because we want the convenience of not driving ourselves around. And I just think it's a great example of what you were talking about. And by the way, episode 22 of the Cyber Risk Management Podcast, I looked this up, March 19th, 2019, we talked about the cyber risks of autonomous vehicles. So if that sounded familiar to some of our longtime listeners, it's because I actually dipped my hand into the archive.

Jake Bernstein: To me, this is actually critical risk management, this discussion. And, the fact that it's uncomfortable and maybe depressing, is really... Maybe it's beside the point, or maybe that is the point, but we cannot shy away from these types of discussions. If we're going to seriously consider these new technologies, and these new... We have to understand that they come with new vulnerabilities and new risks. And, do we want to take those risks?

Kip Boyle: Senior decision makers have an aversion, I have noticed, to participating in this gloomy type of exercise that we're conducting right now, but I agree with you, it's absolutely critical that some amount of the energy being focused towards doing these things, needs to be allocated to these kinds of negative visualizations. And it's really not all that different from threat modeling, Jake, which you asked me about in the beginning of the episode. It's really not all that different from it. I think, the basic idea is the same. We don't really have the same kinds of frameworks, that software threat modeling has, like stride and so forth, but we certainly do need them. We're continuing to wrap up the episode. This has been a great, great conversation, but I think we're in danger of going long. So, one other question that I want to pose and then try to answer, which is, how bad will this get? I think that's a very, very reasonable thing for us to ask.

So, as I did that research, guess what? Gartner, the IT research firm, which is widely respected, and considered to be an authority on its ability to make predictions, in fact, when they make a prediction, they will almost always qualify it with a percentage. They'll say, "60% chance that this is going to happen," and so forth. And Gartner projects that within the next four years, cyber attackers will be weaponizing operational environments, specifically for the purpose of harming and killing people.

They're estimating that Killware attacks will cause fatalities that will reach $50 billion per year in the next four years, and they also are predicting that government and public reaction to these crimes, and I think it's reasonable to call them crimes, will lead to CEOs being held personally accountable for cyber attacks in which physical harm or death occur. So, that is not some fringe blogger here making those predictions.

Jake Bernstein: No, it's not. I mean, I don't know that we're going to... I mean, I think a lot of people have been saying for quite a long time. I mean, there's books, Click Here to Kill Everybody by Bruce Schneier. There's many, many books that have talked about this. We discuss with the author of, By The Time You Read This, It Will Be Too Late. This is not... inaudible just read science fiction. I mean, none of this is... You don't even need a Terminator and Skynet to go bad to fear these types of things, and to be aware of them, but the thing is, is that, we need to take them seriously, because they're preventable. None of this is destiny. We can make choices now.

Kip Boyle: The fate is what you make. How's that go, John Connor? The fate is what you make, or something like that, anyway. That's what I'm hearing right now in my brain, as I hear you talk. So it is preventable, unlike ballistic missiles. I like that. That's a key insight, I think, for our listeners,

Jake Bernstein: But it's a bit of... I mean, I always have to inject a bit of optimism to go along with pessimism, but again, I want to be clear, this is not pessimism, this is realism. These are things that have happened, and will happen, and we have to decide whether or not... Look, let me rephrase the-

Kip Boyle: crosstalk about it.

Jake Bernstein: Let me rephrase the point here, is that, avoidance of death and severe bodily harm throughout the business world, is a... It's a key concept. And you want to know why? Is interestingly enough, is that, if you go through international law, and even US law, and you look at all these different contracts, what you'll find is that, almost without fail, you cannot avoid liability for death or severe bodily harm via contract. It's just one of those things that, for either public policy or common law, has been found to be untenable. And that's good, we don't want someone to be able to wave your right to recovery on these types of real serious issues. And, what's going to really change the scope of awareness around cybersecurity, which, still to this day...

Look, you and I can gnash our teeth and stamp our feet all we want about how obvious and how important this is, but there are still a lot of people who see it as an IT problem that's an inconvenience at best. That-

Kip Boyle: Or don't even see it at all.

Jake Bernstein: Or don't even see it. That will not hold when people die from cyber attacks. It will not.

Kip Boyle: It's awful. And it's awful that people have to die in order to create the kind of care, but you know what? I've seen it happen before in other disciplines having nothing to do with IT, so it wouldn't be the first time.

Jake Bernstein: No, it would not.

Kip Boyle: Okay. I think I'm convinced that Killware is a thing, which is awful, but are you?

Jake Bernstein: Oh, absolutely. I mean, not only is it a thing, it's a thing that I think the awareness of it creates... The seeds of liability are being planted now, you have to take action now.

Kip Boyle: Okay. So let's end on a positive note. What can we do about this? Well, we've talked a little bit about the fact that it is preventable, but let me just give a synopsis. Okay? Now, listen, Killware, even though the intent is to harm people, at the end of the day, Killware is like ransomware, in the sense that, it depends on a successful phishing attack in order to gain a foothold, or it depends on the exploitation of a missing patch, because there's a vulnerability, or a compromised account, or whatever. It pretty much all starts the same way, so the best defense, I think, is good cyber hygiene. We've talked about that on the podcast, I talk about that in my book, and I specifically continue to believe in the power of the Essential Eight, which is, it's just a very recently published framework of eight controls that are designed specifically to stop account stealing, and to stop malicious code infections, or to render them inert, to think about a bomb going off.

What I also love about the Essential Eight is that they modify those eight controls every time they feel like the landscape has changed, and they need to keep up with it, which I really appreciate, and that contrasts tremendously with a lot of other things that people use to be proactive. There's lots of other frameworks and things that you can use, that are not changing nearly as often to keep up. So I like the Essential Eight. It's from the Australian Signals Directorate, and I think they've transferred control of it over to another Australian government entity, but I really believe in them, and I think, if you don't know what those are, members of our audience, I think you should go out there and do a little bit of research, and they're incredibly practical.

And, I think, if you want to get ready for Killware, I think this is something that you should be doing.

Jake Bernstein: And I think we'll see a surge in the use of ASICs, application specific integrated circuits, an older idea. In a way, it's the opposite of general computers, general purpose computers, and they are... But when something crosstalk does one thing, and that's literally all it can do, it's a lot harder to hack it.

Kip Boyle: That's absolutely true, and the Essential Eight talks about that when they start talking about application control, or application allow listing, which, I think, that's the future. I know a lot of IT people think that, we used to call this application white listing, was an administrative nightmare that they wanted no part of. I get that, but, man, the stakes are just going too high, I think, to continue to have that kind of an aversion. All right, Jake, any other comments before we wrap it?

Jake Bernstein: No, I think we're good.

Kip Boyle: I think we've talked this one to death.

Jake Bernstein: So to speak. Bad pun there, Kip.

Kip Boyle: Oh my gosh. Well, listen, folks in the audience, if you think we have missed anything, let us know, send us an email, drop us a note. We hang out on LinkedIn, and you can send us messages through the Cyber Risk Opportunities website, but, for now, that wraps up our episode, and today, we went into the gloomy and depressing talk about Killware, although we see it as an absolutely necessary exercise in negative visualization, so that we don't get caught up in a existential crisis. And we're glad you were here, and we'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cyber security hurdle, that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

Headshot of Kip BoyleYOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).


Jake Bernstein
K&L Gates LLC

Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.