Recently and over the past few years, world events may have included cybersecurity components in their enactment. So, Brian, Erik, and Dan started talking about the role of security in critical infrastructure protection, asking questions about the ethics and thresholds for government and corporate roles in cyber retaliation, whether we as security practitioners have a role (or an obligation, or even a liability) to close vulnerabilities that can be used in primary or retaliatory scenarios. How much of human nature makes cyber retaliation a foregone conclusion, or can we find ways to reduce the need or use or availability of ways in via the technology. From Stuxnet to Iran to Caracas, using cybersecurity is a prevalent vector of retaliation, but does it always have to be that way? Or will it end with WOPR’s recognition that the only way to win the game is not to play at all?

It’s hard to talk about modern cybersecurity and not bring in current events, and even harder to keep it from turning political. We tried very hard to do a good job in the latter as we talked about the former. 

Thanks for being part of the debate!

Show Notes:

• Caracas Invasion - https://abcnews.go.com/International/explosions-heard-venezuelas-capital-city-caracas/story?id=128861598
• Stuxnet Explained - https://www.csoonline.com/article/562691/stuxnet-explained-the-first-known-cyberweapon.html
• Book Recommendation: Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon - https://geni.us/swbN
• San Bernardino vs Apple - https://epic.org/documents/apple-v-fbi-2/
• Movie Recommendation: Real Genius - https://geni.us/abYUYT
• Book Recommendation: The Creature from Jekyll Island: A Second Look at the Federal Reserve - https://geni.us/SL21a
• CIA Triad - https://cybersecuritynews.com/cia-triad-confidentiality-integrity-availability/
• Book Recommendation: Atomic Habits - https://geni.us/Nn2GSYr
• Michigan Council of Women in Technology -https://mcwt.org
• Critical Infrastructure (Sectors) - https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
• Shadowbrokers - https://www.theatlantic.com/technology/archive/2017/05/shadow-brokers/527778/
• AI Prescriptions (Utah) - https://www.politico.com/news/2026/01/06/artificial-intelligence-prescribing-medications-utah-00709122 
• Japanese Omoiyari - https://www.linkedin.com/posts/herman-singh-b669357_in-japan-it-is-a-recognized-cultural-practice-activity-7408365447953272834-1op9?utm_source=share&utm_medium=member_desktop&rcm=ACoAAABlrqMBKb13DctlHfhW1OWtb-yWqdfUjnE
• GSD Episode on Japanese Parking Culture - https://distillingsecurity.com/episode-65-signs-signs-everywhere-a-sign/
• Book Recommendation: Plato’s Republic - https://geni.us/vLBu4
• Movie Recommendation: Angela’s Christmas - https://geni.us/Vn9n
• Movie Recommendation: Die Hard - https://geni.us/eMASs
• Movie Recommendation: Wargames - https://geni.us/L2R5Ij
• TV Recommendation: West Wing - Proportional Response - https://geni.us/9mU1k4
• Movie Recommendation: Goldeneye - https://geni.us/0dO0b

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Welcome to the great Security debate.

This show has experts taking sides to help broaden understanding of a topic.

Therefore, it's safe to say that the views expressed are not necessarily those of the people we work with or for.

Heck, they may not even represent our own views as we take a position for the sake of the debate.

Our website is greatsecuritydebate.net and you can contact us via email at feedbackreatsecuritydebate.net or on Twitter, Twitter at Security debate.

Now let's join the debate already in progress.

So not to have a political conversation today, but what would you guys think about talking about, like, obviously when the Ukraine war started, there was cyber warfare used.

There's been a lot of learning about drone usage, right?

And like the amount of money we spend been like, you go back to World War II, right, the U.S. you know, turning Willow Run into like, how could we build a bomber a minute, right?

Like the ability to build at scale, but the cost of what it was to build these giant machines and what that cost is today to build a battleship, to build this.

And then you look at how that war has changed using, I mean, and you can see the fiber optic lines, like when they had to switch to fiber and it's got spools and there's these fiber lines all over fields, everywhere, right?

So there is a destruction of habitat that ends up over time.

But this asymmetric warfare and using drones and then all of a sudden the US goes after Maduro and as part of that operation used cyber warfare to black out the city or may have it's.

It's hinted towards that it was used.

Yeah, I'm not well enough versed in this, in what's in those actions to speak meaningfully about it in terms of what has just happened.

Everything would just be.

Would be conjecture.

Well, it's.

The idea of this isn't to talk specifically about Venezuela, right.

And the attack, etc, but if cyber was used to do the blackout right before an invasion similar to Ukraine and what they were trying to do with their wipers and so forth in their initial, you know, days leading up to their attack.

And what you saw come out the last two years after the Ukraine war, where critical infrastructure, there's been a big precedent placed on the Purdue model in looking at critical infrastructure when it comes to energy facilities, whether it's gas, electric, nuclear, and what it takes, right, to actually protect that.

You can drive around and see gas pipes coming out of the ground that.

I mean, there's one in like a median in between I think it's in between a jets pizza and a bell tire and most people wouldn't know what that was.

But that's actually a gas pipe that comes up and there's a meter on it.

Right.

And if somebody swerved and ran over that, hit it.

Yes, but it's also openly exposed.

There's no fence around it.

Etc.

So there's all that talk about how do you protect that critical infrastructure, both physically, but now more so from the cyber front because you're not going to get somebody that's going to parachute in to take over that one little gas line in between that bell tire and that jets pizza.

That would be like Red Dawn.

This is more the conversation Wolverines.

I love that movie growing up like the old version, right?

The original was so good.

The original was so cool.

But the idea here though is, you know, if I guess the corollary is, well, two things.

One, all the things we rail on other countries for doing, we're now doing visibly.

Does that put us in the same camp as the countries we rail on?

2, most those countries would argue that.

We actually made the first move without question.

I mean, I guess at least from the person, again, the perception that's out there.

I don't have internal details to know the order of operations, but it has been made believe that, you know, it has been made to believe that that's the case.

Are you stuck specifically going back for.

Well, yeah, I mean I think that's one example.

Probably one of the better, more visible examples.

Yeah, but then the other is the more we do this is a philosophical change, philosophical thing.

The more we do to build stronger infrastructure, the more we do to build it in the right way.

Are we in fact removing the ability for our own government to use it against other countries, build a better, stronger SCADA system?

Do we then, you know, is it our obligation as security professionals to remove it not just from the North Koreans and the Iranians to use it, but also our own government to use it for those purposes?

Because if we do it right, it removes it off, it moves it off the table altogether.

Is that anti patriotic?

Would somebody ever see it as anti patriotic and hold it against you as a practitioner?

I don't know.

Interesting philosophy.

Question.

Answer.

So from an education standpoint and for listeners out there, because Eric, to your point, it's.

It's like chicken or the egg or who, who threw the first punch?

And you're talking to two kids out on the recess, they're like, well he did.

It's like, well, two weeks Ago he did this, and.

Well, a month ago, he did that.

When you go back in time, which.

One of you was born first?

Had their b. Yeah.

Business breached about a year and a half ago.

And within like four or five days after the Incident Response Team, etc, they knew.

Exactly.

Well, apparently it was this group.

We should go after them.

We should be sending the military.

Take these guys out.

I'm like, well, hold on.

I'm like, you do realize that we may have thrown the first grenade, right?

And he's like, what are you talking about?

And I'm trying to explain.

He's like, oh, that doesn't even matter.

But he came after my business.

You know, we need to go attack them, right?

And I was like, hold on.

Let's go back.

So.

And this goes back to history, right?

Like, it's why I love reading old books, right?

And understanding what, like, Iran.

And I go back and say, well, I shouldn't go too far into this because I don't want to make this super political.

But you go back in the day when Mosadak was removed from office, he was a huge ally, right?

Like, Iran was like, at the end of the day, they were kind of like, they didn't think we did it.

They thought the UK did it.

Then when they found out it was us, they're like, but I thought you were my best friend.

I thought you were my neighbor, right?

It's like, you know, your neighbor finds out it was you, and now you're not friends anymore and you're moving, and now you've never talked since, and you're now complete enemies, right?

So history is really, really important.

So, Dan, I think first the question answers historically, right?

Like, it's not who did what or why.

Because even when you talk stuxnet, in the book Sand Worm too, when those guys walked into Idaho National Lab, and we're like, we need to show you guys something.

You had all the top brass from the military, and they're like, look what happens when we press this button and launch this code.

And, like, the generator is shaking out of control.

It's about to blow up.

And he stops it.

And they're all like.

And he goes, I got through to him.

And they're like, can we weaponize this?

He's like, no, that's not what I was coming to show.

Right?

It's a great.

If you think about it, go back to real genius.

Real genius.

Great movie.

You know, they're developing an interesting laser system, and at the end, it gets disappeared to be.

To become a weapon does that mean that people should innovate?

Jerry.

Jerry.

To the cleaner.

To the cleaners.

Exactly.

And to the popcorn vendor.

So does that, you know, does that in turn, you know, the threat of that risk quashing innovation?

I don't think so.

I think that many people are, you know, people are doing innovation because they want to do innovation, but human nature will always find a way to use it for nefarious or weaponized purposes.

So I guess I don't think that's the case.

But the.

It's human.

The problem's human nature here, Dan.

Right?

Like, Plato's Republic shows this beautiful utopia.

And, like, if you're the person in college that only read 75 of the book, you still believe that utopia is.

It's possible.

And then you get to the last.

That last quarter, and it's like, yeah, but because of humans and human nature, this is why it all fails and falls apart and we suck.

Right?

And you're like, oh, I was about to write my paper and how we could have a utopia and we could all be good.

Right?

It's the human nature part.

And to your point, like, if we could build, like, the better system, we know what needs to be done or how it could be done.

Right.

But even going back in the last five years, 10 years, and there's been people arrested that worked for software companies or production equipment companies who were traveling abroad selling their equipment and then were arrested by a.

A group or a country because they're like, oh, you know what you're doing?

And come to find out their software had those back doors built into it, and those back doors were agreed upon by a U.S. government.

Or like, we don't talk about that here.

CFO that might have been asset.

And now we talk about Huawei, but we were doing the same thing.

It's like, well, everyone's like, well, China, you can't buy anything from China because they're putting back doors in it.

Well, where did they learn that from?

Because all the software they originally bought was coming from here, and you had backdoors built into.

It's like, well, that was different because back then everything had backdoors.

But I. I don't think that's changed today.

There's a move toward, you know, just think about this in the.

In the.

In the communication space, the, you know, chat control, which is currently being debated in.

In the EU with regard to, under the guise of child protection, being able to look into all chats, all conversations, break in encryption, look back to moves in the US to try to do that for.

Excuse me, for.

For imessage and such, again, under the guise of child protection, which again, and I've said this in episodes before, do not ever think for a minute that the children aren't worth protecting.

But I think that the moniker is used in the wrong ways in many of these cases.

It's used as a cover because.

And, and even if you take the politics out of it, any back door you put in that's used for a legitimate purpose, let's assume these are legitimate, will also be used, found out, used and exploited for illegitimate purposes.

You're back to.

And I know we talked about it at one point about the.

Back when Apple was getting a lot of pressure from the FBI to build in the back door.

Yeah, exactly.

Same thing.

And all of these things are pathways in.

And, and they, I mean, it's evident now, but they were using that one incident out west in California and that one attack as a reason.

San Bernardino to poster child, Apple to the community, to create ruckus, to be like, they're not letting us in and there might be another attack.

They need to let us in.

You must let us in.

What owned it, right?

It's like, yes, you.

Once you got in, what else were.

You going to do?

What else could you look for, right?

And not.

We've already done these conversations on AI, right.

And where we're at today.

But they needed these data models, they needed access to data, lots of it, right?

It's why all these terms and conditions, nobody reads them at the bottom of their application, at the bottom of the app when they download, it's like, yes, yes, more, more app, more app.

You get an app, you get an app.

Everyone gets an app.

But again, human nature, leadership, right?

Not every country, I mean, this goes back to even like on some of the banking laws and why Panama was some of the reasons why MOSAC F was able to exist and why somebody then breaching out the Panama Papers for everybody to read and was like, wow.

And there was a lot of, if you want to call them good people, whatever that means from a lot of countries, from a lot of very powerful positions that had shell companies set up all over the world, right?

Even Lionel Messi, his father had set up a massive shell company.

I think the only reason, like, he was kind of aware something's weird is he actually got a paycheck back after he made $100 million.

But the government's like, oh, you didn't make enough money this year, so you get money back in taxes.

Like, oh, no, that's weird.

Well, yeah, because your father set up a bunch of shell companies, right?

It's how they found FIFA, right?

The Panama Papers, right?

So wherever, you know, if, if there's countries that are going to allow back doors or loopholes and if the infrastructure is not going to be set up, right, there's always like, why does security, cyber security, always going to exist, right?

And the first is wherever there's communication, right?

There's the oldest tradecraft in the world, which is cyber espionage.

So people are going to try to get to that communication, right?

I didn't think that was the oldest.

I didn't think that was the oldest trade in the world.

Some people call one of the oldest trade crafts in the world one of the oldest, the gathering of information.

Two is the idea of where money's transacted, right?

So crime, right?

Most crime is done for the purpose of money.

So where money's transacted.

So unless you can eradicate crime 100%, and if money flows through technology today, then cyber security is always going to exist and the last is command and control.

So unless we can get rid of war 100%, then there's always going to be need for command and control.

And going back to kind of the circular part of this was using cyber, right?

Like improving your systems, your scada, your infrastructure, right?

Is really, really important to protect people's interests, protect communities, protect your technology.

But as long as there's command and control and cyber warfare is going to exist too, and the ability to try to like, hey, if we're going to attack, can we black out the entire communications?

Can we black out all the lights?

Can we do this?

Right?

And it's the idea of preparedness, right?

That's the same reason why people like, we've had the conversations about DFIR and being prepared and why you do tabletops and run through them, constantly running through them, you won't find an entire city today outside of Ukraine that prepares on an ongoing basis for blackouts and everything else, right?

They're just not ready for that.

And so from a cyber warfare standpoint, or from a warfare standpoint, I think you're going to see more of cyber because of the connective tissue for the way communities are put together, the way communication's done, etc.

And it goes to the other point of communications, and that is false communication.

The ability to put out rhetoric in advance to get people to, you know, fight, right?

To get minds thinking this might.

Yeah, I don't like it.

So, thoughts, Eric?

A whole Lot of thoughts.

It's.

I mean, there's.

There's a million different directions that we could take this.

Right.

Because I, I mean, it's interesting if you're talking about the social influence of cyber.

If we would make the argument that social influence in a direction that we would generally agree is not realistic or is against.

Against one's best interests.

Right.

It's.

That whole realm is fascinating.

I remember sitting through a talk at one point where they were going through.

So if you recall, Russia is heavily predicated on natural gas.

Right.

That's one of their big exports.

But they have a pretty high floor for the cost that they need because of where they're getting it out of.

It's super expensive to get it out of there.

So if you actually go back to.

If you remember when there was all of a sudden this huge movement against fracking, somebody did a presentation on the connected shell companies, on the messaging that was going into Facebook that propagated the idea that fracking was so harmful to the, the environment, to the people around them and everything.

But it all tied back to Russia, right.

That Russia had to create the sediment that fracking is bad, to get people to rise up against it, to keep their prices high enough where they were competitive on the world scale.

And it becomes interesting.

Like, do we deem that.

Is that a cyber attack?

I think anything.

Well, go ahead.

Oh, I was gonna say not to go into fracking is good or bad.

But I'm, I'm not making an argument on that.

Some of the areas where you do fracking isn't good for the environment where, where Russia's pulling a lot of that out.

It doesn't really.

Like, we opened up a lot of parks, US Parks, and started fracking.

And when you frack that liquid material, you create these giant ponds and then you suck the water up into sprayers into the air to get it evaporate.

And there is a silica and a chemical and everything else that ends up airborne.

So in the areas we were doing it.

And I think to.

What Russia was playing into was we know how bad it can be for the environment.

We know.

They don't know.

Let's make sure they know because this will impact everything.

Right?

Like, yeah.

And so to your point, yes.

Just because it wasn't necessarily misinformation, it was just accelerated information much faster.

But I think that that's the.

Yeah, the.

All of these topics follow.

Yeah.

People say that the.

The CIA triad is out, is outdated.

The idea of confidentiality, integrity and availability.

I think it Is it is still absolutely apropos.

They can be extended.

There's other things like resilience and you know, immutability and things like that that are more, you know, more in a cloud based lifestyle.

But I mean that's the integrity component of, of, of, of CIA.

Is the content you're seeing accurate?

Is it remain accurate?

Is it, you know all of these kinds of things play in.

But I come back to my original question which is is it potentially a, I guess a selling point?

We, we talk a lot on this show about getting people to listen to the why of information security is one of those reasons if we do it right it can stop wars.

I would, I, I, I'm going to take the argument that the answer is no.

Right.

Because I don't think that we can actually design anything that is going to stand the test of time and as we evolve, go back what, six years did anybody have chat GPT on their bingo card?

And now look at what's happening.

I still don't have chat GPT on my bingo card but look at, look.

At the evolution of that.

And that's completely changed our discussions and what we're thinking about that if you compare power consumption over time, build out of data centers and all that, it's vastly changed and we didn't see that coming.

Right.

So I think if we spend too much time trying to create this utopian architecture that is supposed to stop world wars or this fundamental way of going about it, I think it's a utopian idea.

Well, I'm not talking about, I, I, I think at a macro level I agree with you but I think at a micro level atomic changes, we make small changes that improve the security of this and prevent them from being exploited in, in you know, in ways that are, they're known and it therefore helps the, you know, has a greater good output.

If you take and extend what you just said, you know, $20 to MCWT shouldn't be there because we can't solve the problem at a macro level being given appropriate opportunities in the workplace.

You know, MCWT for those who don't know, take a look at them, they're great.

The Michigan Council, Women in Technology, you know, just these are, there are macro challenges that are largely insurmountable or at the, at the epoch, epoch level of time it will take to truly change.

But in the meantime does that mean we don't put any investment or any interest in solving it at a micro level?

It's not binary.

You can't, we can't sit here with a defeatist attitude and go, ah, well, we can't win, so we might as well.

Exactly.

And that's what I wanted to warn because on the surface your, your response gave a little bit of that.

I did not want people to think that that was the case.

I'm an optimist.

We go do something else, we're screwed.

Just pack it up and go.

I mean, could I make the argument what you're really getting at is really accountability for.

Are we having the conversation about accountability for organizations and the quality of the code, the quality of what they're actually.

Producing, and an understanding of the role that part too.

But before your question though, some of this is pushed by regulation, right?

So like when, when the government came out to say, okay, critical infrastructure falls into this, and within critical infrastructure, some of our largest manufacturing falls into this, they have to do these things.

In doing that, does your government.

So let's say that we're talking the United States or you live in the UK or wherever you live.

If your government puts those regulations in place, then it causes someone to make investment, right?

Which causes a maturity which says a, their infrastructure gets better, their protections get better.

But it makes it even more difficult on your own government to get access into those things.

Because the back doors or everything else that they had, had discovered or built, you know, go back to the shadow brokers and all the things that they were able to pull out of the nsa.

Little tools that the NSA and CIA said we would share these after such time.

Well, this one was a really good one.

So we can still use that really cool stuff, right?

And if your own government's doing that and other governments are too, I mean, let's look at China as an example.

So now if you're out there doing bug bounties and you find something useful, now, first you have to report it to the government before you publicly disclose it to get your claim.

And the government decides whether or not you can.

Why would that be?

Right?

Like, and there was a time period in place where the US was very similar, right?

It was, hey, I found this.

I'm highest bidder.

If the company only wants to give me a thousand bucks, here's this organization that's willing to give me a hundred thousand because this one's cool, right?

Like, so, Eric.

Yes.

The code and everything else needs to get better.

There needs to be a point where.

Don'T worry, AI is writing the code now.

It's going to be pristine.

Oh my gosh, you're right.

Their next episode is going to be on the fact that we don't have to worry about coding.

AI's got that figured out for us.

That's right.

Well, now it can write prescriptions on its own, so clearly it's trustworthy.

I'll put a link in the show Notes, if you haven't seen that from Utah.

This is, this is.

But, but Eric, does that mean that governments would be less likely to put in regulation around it because they want access to their own people's information?

Right.

So, like, I'm not saying that's the US but there's some countries out there like, yeah, but if we start putting those regulations in, we're going to have to spend more money on our own to get more information on our own people or to get access to this or when it comes to bugging someone's house or breaking into their phone or all those things that we do from an investigation standpoint are going to be hampered and there's FTEs involved in that.

From a government standpoint, does money spent.

By a government actually matter?

You're talking about an entity that can print more anytime they want.

That's pre, an economy that's predicated on the existence of debt and has to be growing debt for the economy to actually sustain.

So now we're talking the creature of Jekyll Island.

But it might be, but I don't think, I don't think the monetary aspect comes in.

I, I think part of the problem is that we continually take the wrong approach with this because I think our natural inclination is we go, well, there's got to be regulation.

All right, well, in the us.

Dan shaking his head so, all right, so we do, maybe we do agree on this.

No, I, I agree.

I think there's a, there's a trend away from regulation for right or wrong should be.

I think the only, I think morality.

I have a, I have a problem with modern levels of morality, doing, driving people the right thing and therefore regulation is the balance to it.

But we can't deny there is a trend away from regulation at the moment.

Whether we like it or not.

It's a truism.

Right, well, then it's particularly tough in the U.S. right, because we are not a comp.

We are not a country where there is a right to privacy.

Right.

So if that's the basis where you're starting from creating regulation on top of that, you still miss the mark.

Right, because what are we actually doing it for?

What, what is our end goal?

Totally different in the eu.

Yeah, get some of that.

But part of this Philosophical, even that's evolving is that we do not have a society that bands together.

The whole idea of the free market was that we were supposed to vote into existence and out of existence companies that didn't meet the social norms of what we wanted by how we spend our money.

That doesn't happen.

No, no.

Well, no.

Because individuals now that just exist on our own and don't band together.

Yeah, exactly.

And are.

And only live in the edges.

Only live in the perimeter of.

It is all me or what I agree with or it is none and I will never come off those polls.

And therefore I can't find middle ground and band with somebody who's 85 like me.

And we can't find that also somewhat culture, right.

It's Plato's Republic and the idea of human nature.

But human nature is different, right.

Culturally, like this goes back to the Omiyari, right?

And the idea, like I was having that same conversation with someone like, you show up to work late, do you.

Or you show up to work early, do you park in the first spot or do you park in the back so that someone that's arriving late can park in the front.

They're like, oh, first spot.

I'm like, but why that co worker who's a running late would need that spot so they can get into the office.

He's like, well, that's their problem.

I'll put the link to the article that came out shortly after our own discussion about this on the podcast.

We like to think that the article was written because they listened to the podcast and therefore felt it was necessary to write about.

But we'll put the link in the show notes.

But like, that's the human culture, Dan.

Like, I know.

Well, no, it is the American culture.

It is not all humans.

I think that local cultures do vary.

From that which going back to not to harp on Plato's Republic.

It's a very interesting read in the sense that American culture wasn't even around when that book was written.

But it dove into the aspect of how important culture is.

And like, people talk about that all the time.

But using that one example of parking in the back versus the front, you could use that same example across security.

And now we talk about modern warfare and everything else from a culture standpoint, making the decision, right, should we use this or should we not?

I can use this, right?

Is that the right thing to do?

And you set a precedent as a country when you decide to do those things, right?

And regardless of recent events or going back in time, right.

At some Point.

A decision's made to use it.

And as part.

Part of this, in the absence of a generally accepted ethical compass, that we.

We allow ethics to come back to each individual to make those decisions.

Right.

That if you go to the Socrates comment that, no, no man knowingly does evil.

Right.

Which is talking about the, the ability of the, of the human mind to rationalize whatever we're doing.

I can steal because I'm hungry and can't pay my bills.

I.

It's for the greater good.

I am going to attack these people because they're going to attack us at some point.

Point.

Right.

That oil price is just too high.

Yeah.

And I'm.

I mean, we can talk about it.

What's.

What's the fix?

I don't.

That I struggle with.

Well, when it comes.

When it comes to economics, there's no single answer because everything, Everything in economics takes a decade to play out.

And there's all sorts of other factors that play into it and really don't.

We could slap tariffs on something today, apparently, and change.

Oh, sorry.

So Angela's Christmas.

Yeah, Angela's Christmas.

I. I love that one.

The little girl steals the baby Jesus.

Right?

It's this.

It's.

It's a great little cartoon.

I think it was Angela a cousin in your family or something?

No, no, it's a.

It's a little nut.

One day was walking down a rash of Jesus.

The little girl thought the baby Jesus was cold because the baby was sitting in the little manger with no clothes on.

So she took the baby Jesus home because she wanted to put a sweater on it.

She's like, I'll make you warm baby Jesus.

And in doing so, reflects on a story that the mom tells the children.

Everyone sit down.

I want to tell you the day.

And she dives into the story of when she was born and how it should have been the happiest day of her life.

But it was the saddest day of her life.

Life.

Because her husband wasn't there.

Because the house was heated with coal and it was frigid and the baby was about to come, and they didn't have any coal, and he went out to try to get some coal, and he took a few lumps of coal off the back of a truck and didn't pay for him to come home to try to heat the house for the baby and was arrested.

Right.

Whether or not this is a true.

Story, is this a parable about what happens when the new data center takes all the electricity in the area?

Yeah, we're Gonna need.

We're gonna need coal.

So, yeah, Eric, to your point, right, like, you know, I didn't have heat.

Baby was coming.

Is it okay to steal?

But there was a law, there was a rule that said, I will not do this.

Right?

And you broke the law.

He went to jail.

And the mom's at home by herself with the baby.

Right?

There's that moral compass part, right?

And then the.

The movie ends also with, you know, them, the family going back and the little girl returning the baby Jesus.

Right?

And I keep using that.

You got to hear the way they say it in there, right?

Because they're like, but mom to baby Jesus.

And, you know, they return the baby Jesus and into the manger.

And the priest comes out and catches him.

He's like, there she is.

Arrest that girl.

Right?

And, you know, the officer sees this little girl and he's like, you're right, I need to arrest her.

Right?

And he goes.

And he doesn't arrest her.

He.

He jokes with her and he's like, but I don't see this as a laughing matter.

And he's like, it is no laughing matter.

Nobody should take a little girl away from her parents on Christmas Eve.

That's.

So we'll be back.

We'll be back on Wednesday then to get the girl.

Yeah.

So it's that moral logic part, right?

And Right.

Yeah, yeah.

There's.

Go to the movie theater and, you know, the previews before the movie.

You're like, wow, that was so long.

I now feel like I've seen the movie.

You're welcome.

But right.

So for everyone that's on.

The ones with.

The ones with too much information in the preview generally are not the ones you want to go pay to see because they gave you all the good stuff already.

Right?

So, I mean, my point to that and the whole movie and everything else is trying to justify when it's right to break a law and why was the law created?

Right.

And you're trying to keep the masses in line from doing things.

And same thing when it comes to, like, when's it the right time to use cyber.

Right.

It say whether it's in warfare, whether it's to gather information.

Right.

On groups in your own country and so forth.

Right.

And we were predicated on the idea of freedom of speech, but also on the right to privacy.

Right.

And.

And.

Or were we.

And what rights do you actually have?

And when can those rights be invaded?

Right.

And I just think it's such a unique topic because of the way we're connected.

And the way that cyber is connected and the way that our infrastructure was originally built and will change over time.

And you guys said that you don't agree on regulation and not on regulation.

That that should.

More regulation is better because in this case in point in the movie, more laws put into place.

There's.

There's gray area.

I mean, I'd prefer, to be clear, I'd prefer that we don't need regulations because everybody does the right thing all the time.

But the right thing according to who?

Me?

Because we're in an individual society and I'm the only one that matters.

No, of course.

I mean, having societal norms is important.

But now.

But, but Brian, to the thing you just.

To what you just said then.

Are we also entering a time of corporate retaliation using security attacks?

No.

No.

The answer.

The answer is no.

Sorry, that was a. Brian.

Sorry, Brian.

It was based on what Brian said.

I'm taking him.

Okay.

I want to make sure I didn't confuse you because I've known to do that.

I'm taking a hard stance on that one.

Erica stepped in and said, no, although.

Recently, although if you steal the baby Jesus, you might have to get retaliated against.

I, I don't think corporations should enter into that.

That realm.

And I think the person that makes that decision would have to be the most informed person on how technology works.

So if that's your CEO or your board and you guys say, you know what, let's retaliate, let's go do something.

But why is that line different than national?

Why is that line, both of you and myself included, it's a hard line, and no company should never do that.

We're all in agreement.

But what changes between that and a little bit further left in the left, not politically left, but just further back in the, in the chain.

What.

Where do we draw that line?

And does it mean that we need to come back to a more parochial definition of yes and no?

Laws are.

Laws are tricky like that.

Laws are binary.

You cannot do this.

And unless you have a list of exceptions, and then the exceptions are the only way out.

The way I look at this, and I.

And by the way, I'm purposely poking here, but yeah, yeah.

Well, that's.

It is.

It is a debate show.

We purposely take positions that may not reflect our own.

Exactly.

I think, I think we talked about this in a really early episode, right.

And the comment was made that if we take.

Let's play out in terms of a physical invasion, what happened in a cyber invasion.

Right.

That if we look At a.

Maybe a group of terrorists that happened to invade Nakatomi Plaza.

Whose right is it to go up and invade?

Right?

Greatest Christmas movie ever.

I love that we're doing Christmas movies.

Angela's now we got Die Hard.

Yeah, but if you look at it, if you look at it, that's where I see the law is very clear.

Right.

And who reserves the right to step in and put down that.

Insurgents.

I look at it the same way from a cyber perspective.

That is not the company.

Bruce Willis.

Yes, absolutely.

Yippee ki yay.

But, but that, but now philosophically, you take that one step back.

That.

Okay, fine.

In a direct response.

But again, why not?

Why can I not do that as a company?

If somebody attacks my company, why can I not blow them out of the water?

Technologically wise.

Technologically, technically you can because you can go hire an offensive security team.

Our own government is hiring offensive security teams to go do retaliatory acts.

Right?

You could hire an officer.

Three minutes ago all three of us said that's out of bounds.

I see that as a right reservedist.

Reserved for the government.

Government.

But that is a law enforcement.

You should.

But oh it again, culturally in leadership you screw with.

Like you can even look at that from our own president, right?

If a leader of a business gets pissed off enough, right.

He's going to say let's go do something.

Right?

Or what can we do?

And everyone's going to explain why you can't.

And he's still going to be.

It's like my buddy, the owner of the business that I was telling you about, he was so upset and emotional, right?

And it's those emotions.

If you could remove the emotional side.

So emotional was like we should be going and attacking.

I'd rather pay this money not to this IR team.

I'd rather pay someone to go get them.

Right?

And like this.

That was a dead serious conversation.

This was like pre having a beer.

This wasn't like six beers deep thinking a ration.

This was like emotional.

Should companies do it?

I think the fallout would be way more massive.

Global thermonuclear war.

Yeah, because the one fires, then another fires, then more fire because the result of it and now you've destroyed everything.

We're just playing a game.

I just want to play a game.

By the way, all of these will be linked in the show notes and if you click and link to buy a book, buy a movie, it helps support this show and the distilling security network.

So please do.

They are referral links.

I just Figured I'd say that because apparently that's what people do on YouTube.

We should.

So we should have done this as a Christmas episode, man.

All the people downloading Die Hard.

Black Friday Episode of the Shopping episode.

But any.

But I mean, but I mean, but to come back to.

You're right, I think the.

Yeah, it does create.

If you, if you come out with vigilante justice like that, you're on that scale, you're gonna end up in a bat in a mutually globally bad place.

It is the digital reversion back to the wild, wild west that now I get to be the judge, the jury, the executioner.

And the vast majority of organizations are not equipped to make those type of decisions or even understand the broader ramifications of what they're actually getting into.

But was there a jury and a warrant for a cyber attack against a city by a government, state or against a government Against a government?

I mean, from a government against government.

To take.

To take.

At the risk of taking an analogy too far, there was no jury.

There was no.

You're talking about the originating attack.

There was no warrant.

No, I'm talking.

Even in the response, was it justified?

How do you determine it was justified?

How do you determine it's a proportional response, which is a, you know, a term in this space?

All of those kinds of things important.

There it is.

Yeah.

And well, like you could use the Venezuela case.

There was an indictment, was a sealed indictment.

This, the city of New York had issued X, Y and Z a year and a half ago, right.

On double secret probation.

But there was no warrant to say, but now we got to go in and get him.

But I'm not talking about the what.

Yeah, again, it's the how.

In every case, the vehicle of enforcement either comes through a law that says this is how it's allowed to be done, it comes through a constitutional amendment.

Again, I'm talking in the US that says these things.

These things are in and out of bounds.

It comes through a warrant or a subpoena that says, this is the way you execute on this.

And those are the kind of things that I think in this space, in the cyberspace, in the cyber retaliation space are still missing.

I would agree.

And the infrastructure is.

The infrastructure.

It's old.

The.

The idea of the stuff that we can do and in a warfare, in a command and control situation, cyber is going to be part of warfare moving forward.

And the people that make those decisions are going to be the leaders of war.

Right.

And the idea though, if it's proportional, is going to fall to the leaders that are not part of that to decide is this the right thing to do in the aspect of understanding of what that fallout is, I think is better understood today than it was understood 10 years ago.

Like if we do this, nobody will know.

Well, at some point they're going to know.

When they find out, then they're going to believe that they can use those same tactics.

Right.

So, you know, for lack of history repeating itself, when you looked at Stuxnet and the world, you know, figured out that these were government organizations who won't say 100% but with 99 point oh, with a pretty good sense of clarity, these were man made.

And if your company wants 99% and if your company wants 99% assurance, this SIM our sponsor today.

Now, we don't have a sponsor, but this would be a great lead into a SIM ad read.

And for those watching, I do give cyber security advice for tacos.

Yes, I do have some favorites.

Feel free to reach out, but they're.

In round hundreds of thousands of tacos.

The all of this comes together to say that it's an evolving space.

I watched, I watched goldeneye rewatched goldeneye over the nice.

So I kind of prefer the idea of just of just taking out all the tech and making sure power goes out without having to touch a computer.

It just all of it, all of it dies because of a. I'd rather not have a nuclear pulse in the atmosphere, but it means you don't have to go in and hack.

You just take care of it from above.

Unfortunately, on that note, we're out of time.

Thanks, Brian.

Thanks, Eric.

Thanks, Eric.

Thanks, Brian.

Whichever one of you decides you want to be Eric and which one decides to want to be Brian?

And thanks to the listener, we are so glad you're here.

We hope you enjoyed our not a political episode and we hope you'll join us again.

Don't hit that unsubscribe button.

We promise we'll be back in two weeks with another episode of the Great Security Debate.

We'll see you again on the next one.

It.