C (13:19)

It was clear that at that moment in time, the Chinese government was a fan of big data, that they were after all of it. And we suddenly realized that no one was safe.

A (13:31)

The Chinese were burrowing deep into some of our most sensitive critical infrastructure. Water unavailable, trains derailed, comms severed, power going down.

C (13:44)

Every single day. There's a war going on in cyberspace.

B (13:48)

Cyber attacks aren't just taking offline.

C (13:50)

Computers you can take out power grids.

B (13:52)

Poisoning water, food supply chains. This war has been going on a long time. Countries like North Korea that are so.

C (14:00)

Poor they have to feed their people with grass can build a nuclear weapons program based on stolen bitcoin infrastructure. Russia In China, their goal is to stay just below the threshold of kinetic war. In a dictatorship you target the dictator. In a democracy you target the people. Cuz you don't know anymore who is calling you. You don't know who's emailing you because all of these things can be spoofed or faked.

B (14:24)

When you think you're the safest, that's.

C (14:26)

Usually when something is going to go wrong. People are going to die and they'll do it without ever firing a shot. You're in the war room at midnight. Something's gone wrong.

B (14:39)

But we're not going to stop fighting. Chris Inglis was the first national cyber director here in the U.S. i recently caught up with him to discuss cybercrime and the upcoming documentary on Midnight in the War Room, presented by Sempras. So today we're talking about the new documentary, Midnight in the War Room. I'd love to start off with some high level stuff. What originally attracted you to this documentary and made you want to participate?

C (15:11)

Well, when the documentaries producers came to me and said that they wanted to tell the story about what was going on in digital infrastructure, what we all call cyberspace, and to address the complacency that the society and others has about what's going on, I thought it was a wonderful opportunity to actually shed some light into that space. Because I think that while there are many threats that are coursing through cyberspace, from criminals to rogue nation states, the greatest threat is complacency. Either a lack of understanding or a willful ignorance of what's going on.

B (15:45)

Can we dig into that? I mean, in this current moment, where do you suppose we find ourselves as a society?

C (15:51)

I think we're on our back foot. We are massively dependent on digital infrastructure for all the right reasons. It delivers efficiency, effectiveness, and so many things that we couldn't otherwise accomplish in a physical day. But at the same time, that dependence is something that criminals and rogue nation states are taking advantage of, holding us at risk. Because of that dependence, we can have our cake and eat it too, if we make the necessary investments in digital infrastructure, cyberspace. But we haven't not made those investments in terms of the inherent resilience of the technology and the skills of the people. Not just IT and cyberspecialists, but everybody who uses that space and in the doctrine or the allocation of roles, responsibilities, understanding who's responsible for what.

B (16:39)

What do you suppose is holding us back now from the proper investment in those areas?

C (16:45)

Several things hold us back, not least of which is the technology is moving so fast, it's hard enough to figure out what the next innovation is, to then deploy that at scale so that it has some efficiency in the marketplace without worrying about the third leg under the stool, which is inherent resilience and robustness. For 50 years of the Internet, we've always promised ourselves that once we innovate the next iteration of the technology and deploy it, we'll then put an overlay on it that makes it safe, resilient and robust. But we never come back because we keep going forward. The second thing that makes it hard to get our arms around this is that the weaknesses are in cities. I don't mean by that that they're always malevolent, but they come on so slowly or they're so subtle that we just don't recognize them for what they are. It's not the kind of physical reality of an automobile crash or a bomb sitting at your street corner. However fantastic that may seem, if you saw it, you would immediately react to it. The sorts of things that are hazards in cyberspace are hard to see until you experience them. And even then they emerged so slowly. Perhaps the third and most pernicious issue is that there's a broad expectation that people who have IT or cyber in their job title are going to take care of this for us, that they will remove the risk before we encounter it. Many of the risks are established by the people who use the technology. Clicking on links and emails is still a very unpopular form of ransomware attacks. And that's not something that an IT or cyber specialist can step in and manage by restricting you from doing that at the moment you touch the keyboard. And so the skills and the complacency on the part of the ordinary garden variety users, of which I'm one, is oftentimes the biggest weakness in this space.

B (18:33)

Well, how do we balance the necessity to educate and empower people with the technical backdrop that they need to protect them as well?

C (18:44)

I think first we need to meet the people who need to make the changes where they are. We should no longer kind of bang on about, we need to get serious about cyber or cybersecurity. We should talk more plainly about what they already care about. I care about following my grandchildren on social media. I care about banking online. I care about in my business accessing markets that I can't get to in a physical day. All of that then motivates me to understand and to make the necessary investments in the assets that make make that possible. Digital infrastructure, cyberspace, the Internet, that's a very critical asset to all of that. So we need to flip the script. There's a great question that's often asked at this moment and it's a little bit wolf fog and also the line of flow of our discussion, but it's why do race cars have bigger brakes? They have bigger brakes so they can go faster. It's about the performance of the car. We shouldn't focus on the brakes, we should focus on the performance of the car. That's what motivates us to then keep the car in good condition, put the right brakes on it, maybe to put seat belts in it, their safety bags in it. But let's focus for a change on what it is people already care about and Then help them understand what they can do to actually ensure that digital infrastructure meets their expectations. We talk about password management, we've talked about understanding what happens when we click on a link in an email. But we need to make that more personal, more real to them by never talking about cybersecurity for its own sake, but rather for the conduct of the things they want to do in cyberspace, for the reasons they already care.

B (20:18)

In your estimation, how vulnerable is our critical national infrastructure?

C (20:23)

In a word, very. I would just take something called Volt Typhoon. It's a term that's been applied to a Chinese government initiative that has inserted malware into our critical infrastructure. And that malware has one purpose, in the case of Volt Typhoon, that particular actor within the Chinese government, and that is to hold that critical infrastructure at risk. There's a great dependence of critical infrastructure. The water flows, the electrical flows, telecommunications. There's a great dependence of that on digital infrastructure. If the software, the hardware and the data stores work well, then critical infrastructure meets our expectations. If they don't, then critical infrastructure doesn't meet our expectations. We're recording this just a couple of days after Amazon Web Services had a global problem where massively customers are used that would not access that. Now, I don't think that that's going to be found to be attributable to a particular actor, a malicious actor, but it shows the kind of dependence we have on critical infrastructure, that when it works, it's an out of sight, out of mind. We never complain about it. When it doesn't work, we suddenly wonder what is the nature of our dependence on that and what made that fit. We need to think about that beforehand. So I think that our critical infrastructure, being so dependent upon digital infrastructure, the Internet plus, is something that we need to think through and get it into the right place. Now, I would offer that we've done this before. If you think about the automobile transportation system, which is not without its risks, we've done a lot of investment to make sure that the cars, the devices that we use, have safety features built in. We've done a lot of work to make sure that the road systems have safety features built in, in terms of the width of the road, the signage on the road, even the kind of the surface of that road. We've done a lot of work to govern those spaces by making sure that we find and pull off scooters or drunk drivers or people who text while they drive. And we've levied some degree of responsibility on the drivers themselves so that they Understand what their role is, to get safely from place A to place B. And it's possible to do that such that you don't obsess about what the risks are. As you drive your car down the highway, you think about what your role is alongside all the other roles that have been accounted for, so that you can have every expectation that if you do the right thing, that you've got a very, very, very high probability of getting no safer. We don't have that same confidence in cyberspace. We've done none of that foundational work.

B (22:55)

We're seeing significant cuts to cybersecurity related agencies in the federal government these days. What's your reaction to that?

C (23:05)

I think it's an own goal. It's an unfortunate issue at the moment. I would give the administration credit for this, which is it is recognized that cyber cybersecurity, again, if I were to flip that script, it's recognized that our dependence on digital infrastructure means that we have to have serious people in the roles that are applying government efforts to help make that a better thing. So when you look at the US National Cyber Directorate, the nominated director of the Cybersecurity Infrastructure Security Agency, the serving director of the FBI component, all of those are serious people who, when I listen to them, understand the nature of this and fully intend to apply the resources they do have to helping the private sector get this right. So give the administration credit in that regard. But the downsizing, which is not focused on downsizing cyber or cybersecurity, it's focused on a broad range of other issues, has the collateral effect, the unfortunate collateral effect of taking some of these resources out at the very moment that we should be investing in them and upsizing them. So it's a mixed bag, I would say, in the main, with the resources that are there, I have every confidence that they will make a difference that matters. But we need more.

B (24:18)

Getting back to the documentary Midnight in the War Room, what do you hope viewers take away from it?

C (24:25)

A sense that this matters to them. Not because we're getting them to care about a problem that belongs to somebody else, but we're getting them to care about an issue, a strategic resource that they already value. They just didn't know that it was chucked inside things that they care about. So if there's one issue that I worry about more than any other at this moment in time with respect to our lives, US and nations of like mind, is that our reliance on critical functions which are in turn reliant on digital infrastructure, that reliance is not, well, understood and it's not well defended. And so my hope in this picture, this full length motion picture, which is a documentary, is that we shed some light on this, such that people begin to realize what hangs in the balance and what they might do to make a difference to it. Kind of on the far side of that. One of my favorite quotes is from a guy named Edmund Burke who lived two centuries ago. He was a British or an Irish statesman in the British Parliament. One of the great tragedies in life is doing nothing when you can only do a little. Each of us can do a little. Some of us might do more than a little, but each of us can do a little. And that can, in sum, add up to where each of us makes a contribution to the defense of all of us. Because we're not all addressing similar challenges or similar issues in our use of digital infrastructure. We're all addressing the exact same challenge, often challenged by the exact same adversary, whether that's a criminal or a rogue nation. And so my hope is that this picture can help people understand what the nature of that is and mobilize them to make that small contribution, however small, that will make a positive difference in the collective defense of something valuable to all of us.

B (26:10)

Our thanks to Chris Inglis for joining us. The documentary is titled Midnight in the War Room. It's presented by Sempras. We'll have a link in the show. Notes.

A (26:33)

When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets mom's 60th and never miss a meme or milestone. All protected with end to end encryption. It's time for WhatsApp message privately with everyone.

B (26:57)

Learn more@WhatsApp.com this episode is brought to you by Indeed. When your computer breaks, you don't wait for it to magically start working again. You fixed the problem, so why wait to hire the people your company desperately needs? Use Indeed sponsored jobs to hire top talent fast and even better. You only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit@ Indeed.com podcast terms and conditions.

C (27:28)

Appreciate.

B (27:36)

And finally PWN to own. Ireland 2025 had everything. Record payouts, routers laid bare and printers brought to their digital knees. But what really got the crowd talking was what didn't happen. A researcher known only as Eugene poised to unveil a million dollar zero click. WhatsApp exploit pulled out at the last minute. Officially, it was due to travel complications. Unofficially, folks wonder if the exploit just wasn't ready for its close up. Trend Micro's Zero Day initiative said Meta will still get a private peak, while everyone else is left with only 73 other zero days, a million dollars in payouts, and a lingering sense of what might have been Sometimes, in cybersecurity, as in show business, the biggest headline is the one that never hits the stage. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at the cyber cyberwire.com be sure to check out this weekend's Research Saturday and my conversation with Noah Moshe, Clarity's Vulnerability Research Team lead. We're discussing their work turning camera surveillance on its axis. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilpe is our publisher and I die Dave Bittner. Thanks for listening. We'll see you back here next week. And Doug, here we have the Limu Emu in its natural habitat, helping people customize their car insurance and save hundreds with Liberty Mutual. Fascinating. It's accompanied by his natural ally, Doug. Limu is that guy with the binoculars watching us.

C (30:28)

Cut the camera.

B (30:29)

They see us. Only pay for what you need@liberty mutual.com Liberty Liberty Liberty Liberty Savings Fairy underwritten by Liberty Mutual Insurance company and affiliates excludes Massachusetts Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms, firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. discover the startups building the future of cyber. Learn more at CID datatribe.com.