Kurt Sanger: The front line to me it's everything that can be affected through cyberspace. And by affected sometimes all that needs to be is connected and touchable so to speak. If you can reach out and touch it you can affect it. Carolyn Ford: My guest today is Kurt Sanger retired US Marine Corps judge advocate former deputy general counsel at US cyber command and now a cyber security and national security attorney at Buchanan Ingersoll and Rooney. So, he's seen this cyber fight inside the Pentagon and now from inside the boardroom. We talk about what he calls the undefended front line.And spoiler alert, it's not just power grids and missile systems. It's airport parking systems. It's small town water utilities, your flight boarding pass, the quiet, boring infrastructure that keeps daily life running.And here's the uncomfortable truth. Our defense model is still structured like cyber is a military problem when most of the battlefield is owned by the private sector by all of us. Kurt is helping lead the commission on US cyber force generation examining whether we need an actual cyber force, a new pipeline, new authorities, new culture to fix a coordination model that was never built for this level of interdependence. Because information sharing is easy to say. We've been saying it for a long time, but Kurt argues the real problem is operational coordination. Who can act at speed with the right authorities alongside the private sector that actually owns most of the battlefield? We get into Iran's cyber posture, AI accountability, compulsory information sharing, and why basic cyber hygiene still matters. It's a serious and important conversation. Let's dive in. Carolyn Ford: We've talked before and when we spoke before you talked about today's cyber landscape and it being the undefended front line. What exactly is the front line today then? And why is it so vulnerable? Kurt Sanger: Front line to me it's everything that can be affected through cyberspace and by affected sometimes all that needs to be is connected and touchable so to speak. If you think of the untouchables, if you can reach out and touch it, you can affect it. And that's a lot of what America depends on these days for the American way of life, for business, for our daily lives. That is the front line.And when we get into conflict as say we have started here with Iran, it's not just about Iran's ability to touch things in cyberspace or in information technology that have a military nexus, but they can get to average everyday Americans and ruin their day, so to speak. They can make things much more difficult for us to live our lives. And that is the front line. The difficulty with the front line is that a lot of the bandwidth for defending it is owned by the US government or could be the Microsofts, Googles, Apples, the very largest information technology organizations. But so much of what America does and has is in the hands of individuals or very small organizations and those things that we own that the rank and file like us own they can be reached out and touched too and that can have a national security impact. The line is undefended in my mind because so much of us are unable to defend it ourselves and the defense for that needs to be scaled somehow. Individuals and organizations are always going to need to be able to protect their own systems, but they're not going to be able to defend it from highly empowered criminals or from nation states, right? Carolyn Ford:Listening to you talk, my mind immediately just drew this web literally this interconnected everything interconnected.There is no front line in my mind. And I'm like, okay, but there has to be higher value targets that maybe that becomes the front line. So maybe I don't want to put words in your mouth, but would a nation state actor like Iran go after? We are all connected, me and you. We wouldn't be necessarily the high target, but maybe our power grid, our water system would that be the focus? Could that be the front line for them? Kurt Sanger: Anything that could change the calculus of the American people. You know, Vietnam demonstrated that the will of the American people, their choices, our choices, that that was a center of gravity, one of the most important things that the North Vietnamese could influence. It's the same thing in any conflict, whether it's a financial conflict, interstate conflict, an actual kinetic conflict. You can change the will of the American people by changing their daily lives. And so, yes, it could be something as large as going after the fuel supplies, making something such as vehicle fuel unavailable or more difficult to get. But it also could be something much smaller. I mean, could you imagine what the uproar would be if TikTok were made unavailable or was interrupted? That would help us? Maybe it would be good.But I know there's a lot of children in America, therefore a lot of parents who, you know, it would just interrupt their lives.What I'm trying to say is that Carolyn Ford: And financially, I mean, let's dig, I'm being facetious, right, with TikTok.A lot of people make their livelihoods off of TikTok. So there would be an economic disruption for sure. Kurt Sanger: Sure. There'd be all types.What I'm saying in cyberspace unlike with say bombs and missiles, you can tinker with them to change what their exact impact is, but you can't modulate them in the same way that you can modulate a cyber operation. You can annoy someone a little or you can destroy things with it. And depending on the level of impact that a nation wants to have, that's something that they can work towards that they never had the opportunity to do before. Carolyn Ford:Just even social engineering.See, now you've got my mind going down all these nefarious paths just in TikTok. So, okay. Let's just scare the s**t out of me today. Let's start my day that way. With your experience in US Cyber Command, what's the biggest mismatch between how cyber defense is structured and where the real risk actually lives? Let's approach it this way. Kurt Sanger: Sure. So I'd say just what we were just talking about is the very many things that are important to everyday Americans as well as local, state and federal government agencies and departments that we depend on, that they depend on, and the ability to affect them and where the actual strength for defense and security is. That strength mostly lives with more sophisticated technical actors, but most of us are not sophisticated and most of us are not protecting our devices and our systems all that well. I can definitely say that at the small and medium business level that organizations just don't have the expertise to create another full-time job or take on another full-time job to defend their systems even though those systems are so valuable to us that they wouldn't disconnect from them just to make themselves more safe.Right? So yeah, the number of things that can be affected in relation to the number of individuals and organizations that can protect those things is just disproportionate and much more difficult to defend than other types of things that we were able to protect before there was cyberspace. The ability of adversaries to reach out and touch each other from across the world and from safety. Carolyn Ford: Yeah. So, I went straight to where probably our national cyber defense is more focused, right? Like those crown jewels, the operational technology, the infrastructure of the nation. But you're talking about the soft underbelly of me and you, of our small businesses, that could do just as much harm, that could disrupt us just as easily as going after the power grid. Because of course, that's what we all think about. I mean, that's what's in the movies, right? Kurt Sanger: Right. Carolyn Ford: But you're pointing out that there are easier targets that could do just as much. Kurt Sanger: Sure, or it could be much subtler. I mean, the example I use from time to time is, you know, are you printing out your boarding pass for your flights these days? I don't anymore. Sometimes I do every now and then, but I think, you know, if your phone doesn't work when you show up for the plane, you're not getting on the plane. And that not only impacts your day, it impacts your family, your business, you know, everyone you're going to see. And so it's a very minor thing that could be done to one person. But when you scale those things up across an entire society, it doesn't mean the entire set of boarding passes for a certain airline. It could be just a number of different types of things across many different types of industries. And you add those all up and you've significantly changed the American way of life for that day or business for that day. And yes, most of those things are fairly vulnerable and if some bad actor decided to put some time into it, they can find a way to impact them. Carolyn Ford: Yeah. It makes me think of like it wasn't even two years ago, maybe a year and a half ago, the point of sales systems for hotels and planes. Do you remember this? Like we couldn't access them and it the planes were fine, everything was fine, but we couldn't get to our boarding passes and we couldn't check into hotels and everything shut down just because of the point of sales systems. Kurt Sanger: So, we—I hate to give the adversary any ideas, but we were looking at airport and air travel cyber security and we were thinking, "All right, what's the bare minimum we could do to really mess things up?" We decided to go after the parking systems in the exercise we were conducting because if you impact the parking systems and people coming to the airport can't park, the pilots can't park, people working at the airport can't park, you're having a significant impact. And if they decide, "Well, getting people in and out is more important than making the money," that's only—there's only so long that an airport can do that for, can forego the money in order to keep travel moving because parking is a big money maker for airports. And so there would be cascading impacts just from that one small thing alone. You don't have to take the airplanes down necessarily. You need to do what?Okay, find the smallest thing that's going to have a critical impact. Those things are not as well protected as our obviously most valuable targets. Carolyn Ford: Well, and when that point of sales—and I'm probably using the wrong term for that software—but when it went down, I believe Southwest was the only airline flying because their systems were so outdated. They didn't use the latest software so they could essentially get the boarding passes. And so in your scenario with the parking, how long did it take in the scenario before you could shut the airports down? Kurt Sanger: Oh, it was a matter of hours before there were significant impacts. You know, it was an exercise situation. And so it was more about the continuing functioning of travel as much as anything else. So that's what we focused on. It wasn't about getting the parking back together. So we skipped parts just because it was an exercise. But yeah, I mean you can think about it. All right. If I wanted to take down organization X, Y, or Z, what's the thing that they depend on that's probably the least well protected?We realized after COVID how interconnected things were and if one person didn't show up to babysit that everything flowed from the family that was—yeah, there's a doctor who can't go to work then that's going to affect a lot of people. Carolyn Ford: So what do we do Kurt? Kurt Sanger: We need to pay better attention at the individual and organizational level to protecting ourselves because there are things—it's amazing to me. I'm in the business and so I think about this stuff every day and it's amazing when people don't know the 101 level stuff. I don't blame them though because most people are not in this business but things like complex passwords, changing passwords and multi-factor authentication, that can solve a lot of problems. It won't solve all of them, but it will make it much more difficult for criminals and adversaries to get into systems without authorization.Just that basic blocking and tackling of cyber security would, if it was done across the board, if every user was able to do that for themselves, paid attention to it, had firewalls, had some sort of safety on their phones and laptops and everything that they used, it would take a lot of time for a lot of organizations to—criminal organizations to do the work that they're doing very easily right now. Carolyn Ford: Okay. Let's talk about information sharing. So, we all agree that we need more of it. You've argued that the problem is deeper than that, that it's operational coordination. How can information sharing be improved and how is operational coordination different than information sharing? Kurt Sanger: So again, going back to what we talked about at the beginning with the common front line that the private sector and the government owns and not just our government, but multiple allied governments own and the private sectors that stand behind them, they need to be able to share information and the right type of information. That usually means at least some sort of classified intelligence in order to help each other fully. There needs to be people at each of these larger organizations, at least at private sector organizations, who have the clearances necessary, but also the background and education necessary to understand what a piece of intelligence means to their organization, what it means to their collaborative organizations, government and other private sector. See how they can help. See how they can use that intelligence to defend themselves and be able to share it at a speed that it's relevant to the defense of their cyber systems. Operational coordination takes that a step further and again it's about taking the bandwidth of all America has—private sector and public—to defend US interests. Sometimes that's going to mean that Microsoft is in a position to take a certain action or forebear from a certain action that's going to be helpful to the intelligence community or the military community or law enforcement for example. Sometimes they're going to be in a better position to actually take action.These organizations need to be able to work together. I know they do to a certain extent but that needs to reach deeper because there have been situations where relatively small organizations, private organizations, have had the piece of information or have had the capability, you know, have had the opportunity to take the shot or issue protective measures at scale across systems if only they had the right information. So that is operational to me more than just informational. Carolyn Ford: What do you think the biggest challenge is that's impeding the operational coordination and the information sharing? Kurt Sanger: So one of the things—so there are legal issues, intelligence issues, you know, classified information sharing those sorts of things. But one thing I think that could be changed rather easily is something that I was guilty of perpetuating and a victim of myself when I was in the military on active duty is that we were always reluctant to work with the private sector because there were these ethical rules that are very important. But the joint ethics regulation basically puts a natural divide between the public sector and private organizations. Some of that is healthy. It will prevent corruption and other types of self-dealing. But from a cultural standpoint, they are them and we were us, right? And so when there were opportunities to work together, it was just something that we threw the brakes on initially. As I was at Cyber Command—I was there for eight years between the Marine Corps component and then Cyber Command itself. Carolyn Ford: What—when did you leave Cyber Command? Kurt Sanger: So for Cyber Marine Corps forces—Cyber Command 2014 to '17 and then Cyber Command 2017 to 2022. Carolyn Ford: Okay. So it's pretty recent that you've been there. Kurt Sanger: Yeah. Feels like a lifetime ago, but yes, had time to grow my hair out and get a little softer in the abs. But the longer I was there, the more I realized that these issues come up in cyberspace, they are intermeshed with the private sector and the private sector needs to be part of the overall strategy to protect the United States and themselves and the US government. So we needed to be able to work with them in a way that we weren't worried about violating an ethical—not a regulation but just a custom. Carolyn Ford: The private sector. You guys at Cyber Command working with the private sector. Was there ever a time that you saw it work really well? Kurt Sanger: Yes. Yes. The event that I am most proud of in my military career depended on basically an assist from the private sector which was probably 1% of the entire enterprise but without it the other 99% didn't matter. We needed something and the private sector organization realized what position they were in. Cyber Command realized what position the private sector organization was in and we were able to collaborate and with each other's assistance we were able to accomplish something fairly significant that unfortunately I can't share the details of but enough that I'd say, you know, 23 years of doing a lot of things that I was happy I got to be part of or even proud of, this is the one I was most excited about and it wouldn't have happened had it not been for a collaboration program called "Under Advisement" that was run by the Cyber National Mission Force that involved sharing of information between Cyber Command and the private Carolyn Ford: The program was in place that's how—because I was just going to say, "How did you navigate the bureaucracy of, you know, the 'us and them' culture?" But so you had a program that was already in place. Is that program still going? Kurt Sanger: As far as I know it is. Might have a different name now. The NSA had a counterpart which was an institution. It was the Cyber Collaboration Center. What we had was a program, wasn't a separate organization. Uh, and if you don't mind me name-checking a couple people, but Pete Reynolds and Jason Ka—Jason a fellow Marine, Pete in another service—but both championed this program and I believe it was General Hartman who ran the CNMF at the time and later became the acting commander of Cyber Command. They basically championed this effort and it paid off. I would imagine it's still paying it off. Carolyn Ford: Okay. All right. Well, we're going to take a quick break. Pause right now to thank our sponsor, Owl Cyber Defense, for making this episode possible.And we are back. So, Kurt, you're an adviser to the Center for Strategic and International Studies Commission on US Cyber Force Generation. Did I get that title right? Kurt Sanger: You did. Carolyn Ford: Okay. Who's on the commission and what is its focus? Kurt Sanger: So the commission is made up of leaders who have worked with Congress, who are in the military, the intelligence community, as well as the private sector. What we're doing is we're looking at a way of building a cyber organization that will populate, train, and equip the individuals—the service members or the civilians—to conduct cyber operations on behalf of the United States. Doesn't mean the military cyber operations would cease, but there would be this other organization that would basically put the people together, get them the equipment they need, give them the training they need, and then conduct those operations. Because right now, Cyber Command is made up of parts of the Marine Corps, Army, Navy, Air Force, Coast Guard, and Space Force, right? We all have our own ways. Each service has its own way of training its cyber personnel and then we end up at Cyber Command to conduct the actual operations and it's effective but in my mind—and there are so many equities involved here in terms of having the right authorities, the right mission, you know whether it's going to include law enforcement activities, purely military activities, intelligence activities on behalf of the United States or solely in support of cyber operations. There's a lot of decisions to be made much less how to pay for it and where to build the building and all the administrative and, you know, tangible things that need to be done in order to put an organization together. But what to me is the most important piece is are we getting the right people? Is the United States able to take advantage of the people who would want to be part of the mission, that would want to be part of this force, and make them available to defend the United States? Because right now, to be a Marine, you got to do a certain amount of sleeping in the woods and crawling through the mud and firing weapons and such. Not everyone who is able to and may want to be in cyber operations wants to do those things. But right now the only pipeline is through the services, right? Be a soldier first. Carolyn Ford: Yep. Right. Yeah. Kurt Sanger: Okay. Yeah. And there are certain drawbacks to that too. Like say, you know, if you go over to Cyber Command for an extended period, you may not be as well prepared to lead infantry units, artillery units, go back to flying again, those sorts of things. So what we want to do is find an organization that can get the people who want to participate, maximize their skills, and have them stick around for as long as we can get them to stay in order to have the best operational force to conduct operations on behalf of the nation. Carolyn Ford: I don't want to use a dirty word, but is this a foreshadowing to a Cyber Force? Kurt Sanger: That's essentially what it is.And this would come up when I was at Cyber Command, say when I got there in 2017. I was like, "Oh, that's ridiculous. We're doing this right now. We're putting a force together. Here's the command. We're doing it." But then when I realized what that pipeline looks like to take advantage of, you know, the same people who go and populate the Marine Corps and the Army and Navy, you know, there's a recruiting system for them. The people who get attracted to it—we know that they're out there. We've got a track record of successful recruiting. We know how to do this. But to become a cyber operator, maybe we don't want to have folks go through the same types of experiences.Don't need to have them run three miles or, you know, go through the other things that service members go through to make it onto the team, make it into the military, and to stick around and to succeed. We want them doing something else. Carolyn Ford: That's right. Listen, Kurt, nerds rule, okay? We don't all have to be badasses like the Marines. Kurt Sanger: Well, there's a, you know, to use the term that the president used, I think maybe in his first presidential campaign, is it could be some 400-pound guy in his basement. That 400-pound guy, he probably is not going to make it into the Marine Corps, but he might be very useful to cyber operations. So I'd like those people—nerds or not—to be able to have the chance to contribute if this is what they want to do. You know, technology offers very lucrative rewards and I think meaningful work as well. If you're going to go do it for the government, you may be making sacrifices in terms of pay, in terms of lifestyle, but you get to do the coolest things that were hard to do in technology. Whether you're building something or you're operating or you're conducting intelligence activities, fighting things out from people who don't want you to know them. They're very cool missions and those cool missions make up the delta between what I get paid at Amazon and what I get paid here at Cyber Command. * Carolyn Ford: Right. I mean, I'm thinking of a cyber force made up from 007. You got a cyber force of Q's, right? And that's awesome. So, let's talk about the wrench that AI throws into things. With AI, a system that acts with autonomy but can't be held legally responsible from a legal standpoint, what is the impact? Kurt Sanger: So, it's all about accountability. You can essentially outsource decision making and eventually action to artificial intelligence systems and then it becomes a question when something goes wrong, who's responsible for it? Is it the one who gave the final direction to the AI agent? Is it the person who designed it? Is it the person who ran into it, who helped make the catastrophe possible? It's going to be very difficult to determine that and it's going to be easy for folks to wash their hands and I think it's probably in the industry's interest to have that accountability outsourced or not exactly easily able to be pinned down. And so the way that we assign accountability from civil and criminal perspectives, it's going to be challenged by these—ultimately that these things have made decisions and they can't be punished. And—well, individual accountability is really where punishment starts and we may not have a clear way of doing that the way we traditionally have. Carolyn Ford: Oh my goodness. So, I'm just thinking about the ramifications of this because you just said, "Okay, well, do we punish the person who programmed it?"But we're so close to general AI and we're already using autonomous systems, but we know AI is learning. If you believe what Geoffrey Hinton, the godfather of AI, thinks, he thinks that it's already thinking on its own. AI is already thinking on its own. So, how can you hold the person, you know, a year ago that started this program, how do you hold them accountable for this autonomous system that arguably is thinking on its own? Kurt Sanger: Yeah, I don't think you can.And I think it's going to be difficult to hold me, the end product user, who gives a very basic instruction, but because of the way that instruction interfaces with the way this thing learned to do business—that may have been programmed years ago. Carolyn Ford: That's right. Kurt Sanger: Maybe I'm not at fault either. So, I focus on these things from a private sector perspective now, but when I was in the Marine Corps, what they would say to you when you were leading a unit is that you were responsible for everything your unit and your Marines do or fail to do.Everything. If a Marine gets struck by a bolt of lightning, still your fault. Why was that Marine there? I know you didn't cause the lightning, right? But you're still responsible for what happened. I wish there was a way to do that with these AI agents, but really doesn't seem fair to the programmer or to the user, right? So, who takes responsibility? Carolyn Ford: Well, let's talk about AI rights.We're going there, right? I mean, is it fair to the AI? Oh my goodness, there's so many ramifications. Are you dealing with these issues as part of the cyber force generation committee that you're on or this is separate? Kurt Sanger: Yeah, this is something I look at more from my work perspective—at my law firm where we do mostly cyber security and data privacy related stuff but we also do anything connected to technology. Much in the same way at Cyber Command we were dealing with unprecedented and potentially underregulated environments and situations, that's where we are right now.And what we do is, when there's no rule on how to govern this new technology, we look at values and traditions and business focuses and try to shape what is done with these technologies—especially the AI technologies that are unprecedented—and say, "All right, what are the potential issues this is going to cause years down the road? What could it do? How's it going to be handled?" And even in the absence of a law, you've got the market that regulates certain business outcomes and you want to make sure that you're doing what's best for your organization. So that's kind of how we did it at Cyber Command as well where there were no rules on—or we didn't understand the complete transposing of law of armed conflict rules for kinetic operations to cyber operations. We looked really at values like, "All right, what interests are we trying to protect and what ultimately are we trying to achieve?" And I think largely in the private sector you can say the same. In the absence of a hard and fast rule, law, regulation, contractual term, you just have to agree on whose values you're going to hold yourself to. Carolyn Ford: Right, and that seems like a—I don't know, maybe a stupid statement, but think about our bifurcated nation right now with the political system, right?There's a different set of values and both sides of the aisle think that their values are right. So whose values are you going to use? Kurt Sanger: I think the values that you're obligated to use are the ones that you use first. And for a business that means the values of the organization until one US state where you're operating tells you what your values should be or the federal government issues guidance or rules for the executive branch that affect the private sector or regulations that affect the private sector or statutes that affect everyone. At that point you change what those values are. But I mean as I've learned what—almost four years in the private sector now—is that every organization, even the small ones, they have their own mission, right? And they have what they need in order to continue their business and they will make choices in order to stay in business and to win customers and to succeed. And I would imagine that that's where they're going to start. And so if the market starts rewarding certain types of behaviors or choices with regard to artificial intelligence, then we'll all be better off. But I don't think that that's happened for cyber security, and I just—I'm not optimistic that it's going to happen with AI with any greater speed. Carolyn Ford: Yeah. Well, and then you have your unforeseen consequences that you mentioned earlier, right? Are you familiar with the paperclip dilemma? It's basically the unforeseen consequences. So you tell the program, "Make paperclips. This is your objective no matter what." So it makes the paperclips, but then it starts to run out of resources and eventually it wipes out the human race in order to make paperclips because—that's basically the paperclip dilemma. Kurt Sanger: Yeah. Carolyn Ford: Um, so you've got those things that you can't even predict that you're trying to address. Kurt Sanger: I heard a scenario—I can't remember where, otherwise I'd give them credit—but someone said, "All right, there could be an AI agent that you tell for travel purposes, 'I want to stay in this level of accommodation on a luxury trip in Thailand.'" And all the rooms are booked.And the agent tries to intimidate the people who already have it booked, try to get them to cancel and then eventually takes it further, threatens them, and then eventually—thinking it's going to be a while before there's a possibility—it goes in and makes it impossible for them to get to their accommodation. So yeah, these are things we need to be thinking about. Carolyn Ford: Yeah, I mean that's the paperclip dilemma. Yep. A little more realistic. But all right, before we run out of time—I can't believe we're already close to the end of our episode because I feel like we could just keep talking about these things all day, but I do want to go back to Iran a little bit and talk about—I mean, I don't want to be scary, but let's talk about given this situation over the past week. We know that Iran's cyber operations over the past decade, they've been disruptive attacks on critical infrastructure to influence campaigns. They have been willing to go after critical infrastructure from banks to water. So, what has it revealed about the gaps in US cyber coordination—well, let me stop there.What has it revealed? Kurt Sanger: Well, shortly after Hamas attacked Israel, Iran started targeting infrastructure not only that wasn't associated with Israel, but really had nothing to do with any connection—distant connection other than the fact that Israeli companies might have built the infrastructure. Israeli components were targeted. The one that leaps to mind was in Aliquippa, Pennsylvania, not far from Pittsburgh, where a water utility that was relatively small and no one would think would be a target—Iranian cyber actors targeted it. Didn't do anything. I think they were taking intelligence from it for perhaps future use, perhaps for a leak like this one, and just learning what they could about it. And they've done this in a lot of other types of utilities. Carolyn Ford: And so were they able to gather intelligence because of the Israeli components or they just chose that water facility because it had Israeli components? Kurt Sanger: So in that case, I think what they wanted to do was make it, you know, impact the Israeli brand and make it evident that— Carolyn Ford: So there wasn't a vulnerability necessarily in the Israeli component. They were just making a statement that anything Israeli is a target for us. Kurt Sanger: Yeah. But also that it was vulnerable. Okay. So if they could get in there, then there were things that they could do with it. Carolyn Ford: But did they get in because of the Israeli component or did they find another way in? Kurt Sanger: No, they found the target. I think they were going after specifically these components and that's what they were focused on. Okay. So I think that was the way in. But the way they make statements through their operations, it's a way of signaling to the world—both in the market and in the defense industry, the national security community—of what needs to be protected and what they will go after. Carolyn Ford: Who owns the protection of those targets? Because you're talking about the private sector. So, is this a national defense problem? Is this a US problem? Kurt Sanger: So, think about any small water utility serving a few thousand instead of hundreds of thousands, right?For any size organization, it's on you. It's on your organization. It's on me to defend my device. There are other resources out there that you can go to: the internet service providers for my home computer, managed service and security providers, firewall providers—the different technical tools. You can reach out and get those, but ultimately you're responsible for operating them or outsourcing their operations to the MSP or hiring the person that will handle it for your organization internally or externally. But you can't tell me that the water system for my community that Iran may now start targeting because they want to influence the American people or anything from, "We just want you to know that we're here and we can get to you." And so I start thinking about, "Hmm, maybe supporting our operations in Iran isn't really that important to me." Maybe we should be calling our Congresspeople or the White House and saying we should cut this out because they're coming after my water.Also, changing the chemicals that are going into the water filtration systems, right? Those chemicals are controlled through technology, right? Kurt Sanger: Exactly. So again, that's the modulation, right? You can have a very low impact or you can have a major impact.It's up to those organizations to protect them. But these are now national security issues. And there's no organization that's going to be able to defend itself from empowered, well-resourced, and experienced nation-state actors. You know, I could say the same about some criminals as well, but definitely when it comes to nation states that have vast resources and the ability to gather resources globally. So, meaning it's not necessarily going to be just Iranians conducting cyber operations on Iran's behalf. For anyone to defend themselves—from the most well-resourced private sector organization, the largest private sector organizations in the United States to the much smaller ones that do have an impact. You know the quality of their products could immediately impact the lives of a great number of Americans. It's very difficult to defend yourself against that, right? We come back to this undefended front line. And the federal government doesn't have the authority to look throughout those systems. We don't do intelligence operations within our own nation for the most part and even if we could, we aren't able to be on every water system in the country, right? They can't see what's coming for reasons of law and for reasons of scale. Carolyn Ford: So is this a problem Cyber Force is going to tackle, going to address? Kurt Sanger: I hope so. And I hope because it will be a separate organization and may have a different type of culture and different types of authorities and may be able to bridge law enforcement, intelligence, and military activities that they would be able to have better relationships with the private sector and understand their equities better and be able to empower the private sector better than the current construct does. Carolyn Ford: Yeah. Well, I'm glad that it's something that you're focusing on. And also I want to go back to something that you said at the very beginning and that's—you talked about "us and them" and it really—we got to stop the "us and them."It's all of us need to have the cyber hygiene, to your point at the beginning: the small businesses, us personally, to use a DoD term, have that defense in depth and get it right down to the individual, to me, and to you. So, all right, this has been kind of a heavy episode, Kurt. Kurt Sanger: Well, sorry about that. This is like every conversation I have. Keep losing friends left and right. It's always like this. Carolyn Ford: Well, you know what? I'm going to take us to our tech talk questions because these are fun, just from-the-gut kind of questions. So AI and cyber security. Is it more the Iron Man suit or is it a Jurassic Park situation—we didn't think about whether we should, we just did? Kurt Sanger: Yeah. So, you sent that question in advance and I gave it some thought and I think there's good answers on both sides, but I think that the problem isn't that we're not thinking about whether we should—I think we're asking all these questions. It's just we can't answer them fast enough to keep up with the progress.So, I would tend to say Jurassic Park, but I do think we're at least asking and there's a lot of different communities asking.Whether general AI—I know you mentioned someone earlier thinks that we're getting close. I don't know that that's true, but I know that the questions aren't being answered fast enough to keep up with that development. Carolyn Ford: Yeah, man. Even without general AI, the speed of change. I mean, it's days to hours now to what used to be years. So, all right. What's one cyber myth you'd retire immediately? Kurt Sanger: So, thought about this one, too. And what I'd like to retire—I don't know if it could fall under a myth, but it's definitely a cyber saying that I've been hearing for 15 years and I really don't want to hear it again because it's been said too many times, but folks still go to a conference and talk about cyber incidents, they say, "It's not a matter of if, it's a matter of when." And its corollary: "There's two types of organizations: those who have been hacked and those who are going to be hacked." We all should know that by now. So it disappoints me that it still needs to be said. On the other hand, they're not entirely true. Some organizations will not be hacked. However, no one knows who those organizations are. No one knows who will be and who won't be. And acting as if it won't happen to your organization does you no good.You are playing a form of roulette where you may not get hit, but if you do, it could mean your entire organization. That's true of large organizations, but it's definitely true of small and medium-sized businesses because those who are not insured for cyber incidents and those who don't have resources to make up for what happens during these incidents, they could lose their organization pretty quickly. I mean, you miss payroll once, that could be the end of your organization. It costs more than a month or two's worth of payroll to deal with these incidents. Carolyn Ford: Right. Okay. Well, I've been guilty of saying that, so I'm so glad I didn't say it on this episode. All right, last question. Kurt Sanger: We need to spice it up a little, I guess. Carolyn Ford: That's right. Um, if you could redesign one cyber law with a blank sheet of paper, what would you tackle first? Kurt Sanger: Absolutely. And to repeat things we've been saying throughout the discussion: we would have a compulsory information sharing program where if you know something would be valuable to the protection of an organization that you would be compelled to share that. The mechanics of that we'd need to work through. I'm not saying we can do it just like that. It would be expensive and it would take a lot more people to make that happen. I think the under advising program like I was talking about at Cyber Command, there's not enough people for it. You could take the entire Cyber Command and devote it just to information sharing and may still not be enough people. But I would make that compulsory.The other thing is I'm not a big fan of regulation generally, but PW Singer of New America—you familiar with his work? Carolyn Ford: I know him well. Yeah. Kurt Sanger: Yeah. So, he pointed something out probably close to 15 years ago—I know the times have changed a little bit, so I'll put it back to 2010—that you can't even send a kid to school unless they get their shots first. That's right. This is changing a little bit now, but you know and yet you can connect to the internet with no type of protection, no guarantee to the recipients of your emails or your attachments, those sorts of things that you share, that you're not going to hand them something that's malicious. Anyone can basically connect and operate recklessly. And so one of the laws that I would look into is mandating some sort of minimal cyber security. The problem is with billions of users and devices, it's going to be a little bit difficult to enforce.So I would find a way to do that at the ISP level or some other organizational level, right, in order to scale it. Carolyn Ford: It reminds me of a quote from a very old movie, Parenthood. Keanu Reeves says to his—I guess—to-be father-in-law, I think Steve Martin, he says, "You know, you have to get a driver's license to drive a car, but anybody can become a parent." And just like the weight of the two things, right? You're responsible—what you just said—being able to access the internet, the power of it, and yet we require no credentials. Carolyn Ford: All right. Well, thank you for joining me today. Where can our listeners connect with you to learn more about your work? Kurt Sanger: So, LinkedIn is the easiest way. There's not too many Kurt Sangers out there, especially—start with a K. Kurt Sanger. Carolyn Ford: Okay. K as in Krzyzewski, as I always say. Kurt Sanger: But that is one place. And then at the Buchanan Ingersoll and Rooney website, we've got a bio on there that talks about me and then talks about the organization and what my practice group does for cyber security, data privacy, government relations, and technology. Carolyn Ford: All right. Well, and we'll put all of that in the show notes, too, so our listeners can link to them. So, thanks again for joining us. Thank you listeners for joining us and tuning in. If you found this episode valuable, be sure to share it and give us a review. Smash that like button to help us reach more people that these conversations could benefit. Tech Transforms is produced by Show and Tell, sponsored by Owl Cyber Defense. Until next time, stay curious and keep imagining the future. Kurt Sanger: Thanks, Carolyn Carolyn Ford: Thank you. Thanks for tuning in. If you found this episode valuable, be sure to share it, leave a review, and smash that like button to help us reach more people who could benefit from the conversation. I'm Carolyn Ford. Tech Transforms is produced by Show and Tell and sponsored by Owl Cyber Defense.Until next time, stay curious and keep imagining the future.