Rob Hargis of Crux Advisory Warns on Indo-Pacific cyber risks

Now we'd like to welcome one of our very special conference partners

Please put your hands together and help me warmly welcome to the stage the great Rob Hargis

He is president of Crux Advisory. All right, Rob, thanks for joining us

Let's start with a bit of an introduction to yourself and your rather remarkable background in this space for anyone a bit unfamiliar

Sure, thanks. Thanks for having me. My name is Rob Hargis. I'm the president and founder of Crux Advisory

We're a small boutique advisory firm, largely crisis management, lots of focus on critical infrastructure, and lots of focus on Indopaycom

So you put all that together, and I think truth in advertising here, I was a guest up until a couple minutes ago, and good crisis management

I think we had some scheduling issues here, and as they say about good journalists, never become part of the news

my advice to all of you, and it's early in the day yet, but as a conference attendee

never become part of the program. So I appreciate the opportunity to fill in, and hopefully we can

address the Venn diagram overlap of some cyber and some Indo-Paycom topics here today

Yeah, so let's start a bit more broadly, 50,000-foot view. When you look at the broader

challenges in Indo-PACOM, what are some of the most distinct and important realities that you

would want more Americans to know about or pay closer attention to? Sure. Sure. I think we're

as many of you probably spent time in Iraq and Afghanistan and elsewhere, what you would always tell the new folks coming into country is don't get complacent, right

Complacency is what kills. Looking at your telephone while you're at a stoplight, not having

situational awareness, those are the types of things that end up hurting us. And when it comes

to Indo-PACOM, I think we're very focused on our daily life, day to day, not just in

the national security community, in the economic community, in the public policy community

but also in our daily life. And are we prepared for contingencies that emanate from the Indo-PACOM region

If we're not thinking about that, it's the equivalent of not preparing for hurricane

season if you live in the Gulf states as we get into that time of year

You know it's coming. You're not quite sure when. You're not quite sure what the intensity is

But it's going to happen, whether it's this year or next year. So what I would urge people to do and what I would urge professionals in this room to do is be a little bit of a disciple on having critical awareness of those types of threats to infrastructure and to the dynamics of how we live, regardless of the country you're from

I see some unfamiliar uniforms, so I'm going to presume we haven't changed the Army's pinks again right here in the front

So it's not just an American thing. It's an Australian, it's a U.K., it's a U.S., it's a Canadian. It's anybody that might get in the middle, most particularly, between China and Taiwan

And I think what we're not fully aware of are the non-kinetic threats and the non-kinetic preemption that will likely occur before a straits crossing or an incremental blockade of Taiwan

And those are the things that I would do as a red team participant, and I spent a lot of time on red teams in a past life at the Pentagon, where Sun Tzu said it best, I think, over 2,000 years ago, the greatest generals that ever lived, you've never heard of because they never had to go to war

They defeated their enemies through political, economic, and social means. And so a lot of what I do, a lot of what we do at Crux Advisory

is work with companies on critical infrastructure protection. We work with small and medium-sized cities, municipalities, and towns in the U.S., the U.K., and Australia

And we look at the threat vectors, the non-kinetic threat vectors, that we already see appearing and emanating out of the PRC

And what I mean by that is you can go back over the course of the last two years

There's plenty of public testimony on Capitol Hill from the FBI, from SISA, about threat

vectors and APTs adaptive persistent threats that are already inside of our critical infrastructure And that would include what we call the Typhoon series of adaptive persistent threats or threat actors Volt Typhoon Flax Typhoon Silk Typhoon pick a Typhoon

Some are inside of our ISPs, our Internet Service Providers. Some are inside of our critical public works

some are inside a lot of our SCADA and OT technologies and IoT, Internet of Things

And what's occurring is, and as we're looking at these threat actors

that are inside our critical infrastructure, they're not doing anything. It's a very unusual behavior

They are what we consider L-O-T-L, living off the land. So think about that crazy survivalist with the cabin up in the woods

he's completely disconnected, and you go, what's he prepping for? We have the equivalent of those threat actors already inside and proven

confirmed, there's lots of public testimony on it. It just hasn't really hit the general public yet

Now, at the same time, you probably don't want to panic the general public yet, right? But again

you do want to prepare for those types of things. And the overriding construct is that this becomes

a ransomware-like national-level leverage point. So prior to a cross-strait incursion into Taiwan sovereignty

or a blockade of Taiwan's outer islands closer to Hainan or Taiwan itself

is that you may have a national-level critical infrastructure ransomware act from the Chinese that essentially says all of your ATM machines are turned off

or GPS is no longer available. Think about GPS. We use GPS for banking, not just for navigation

You know, in and around our cars are trying to figure out how do I get to the metro from the Waldorf

but a lot of other critical things we use GPS and GPS timing for

If you take those systems out and down and say, okay, we are going to open up your GPS

open up your banking, open up your critical infrastructure, open up your air traffic management

after we're done with our action in Taiwan, you create a social pressure in the United States

or Australia or the UK or anybody else who would intervene onto their political decision makers

And you have a population that then looks to their leaders and says, hey, we don't really care that much about Taiwan, do we

We don't have a dog in that fight or willing to let it go, but I need to cash my check or I need to pay my rent or I need to get groceries

or I need to drive my vehicle. And so that's a very, very elegant way to say elegant

That sounds like an odd thing to say, but it's a very elegant way to leverage a nation state

to not get involved and not incur? And you have to ask that question

What, at a national level and politically, is a government willing to do in order to defend an ally

And that's a challenge we will have. So having that awareness is really quite important

And then having a risk mitigation and a threat mitigation plan, which starts with identification and then containment

and then response and then recovery. So, you know, we advise oftentimes to look at our systems, and our systems I look at kind of a three-legged milk stool, people, process, and technology, right

When I think of a system, you really need to have all three of those working well. You know, one of them can degrade if the other two are well-worn

You may be able to survive a crisis if you're clever enough. But we look at both durability and resilience

So do we have constructs in place where we are durable enough to prevent that risk from becoming a crisis that we have to respond to

And then if we do have some leakage, are we resilient enough to contain it and recover from it

What does the mitigation of risks, evolving risks, conversation look like? I think in terms of mitigation, it really starts first and foremost with awareness

If you're not aware and you don't proselytize to some degree to those targeted communities

they, one, won't understand that they're a target and that there's a threat out there

So they won't recognize that you don't have any early warning. It would be as if the hurricane showed up like an Amazon package as opposed to how most of us look at a hurricane

What do they say Watching a hurricane is like being tracked by a turtle You know it coming it slow you staring at it you know it going to get there We work a lot with small and medium cities municipalities sometimes

across those three countries I mentioned, US, UK, and Australia. And in doing so

educate a lot of local small town mayors, leaders, boards of little things. Like when

you're looking at purchasing a system, a water treatment system, a pump, a generator

inside your critical infrastructure do you understand the source of that? Do you understand the software that's running

on that? Do you understand the critical risks and will that be shut down in an emergency? And what

most municipalities do is they go low price, technically acceptable. Right? And there's probably some

government acquisition people in here. I know that's a dirty word. I know no one's supposed to

acquire things. as someone's waving their hand. I can't believe you waved your hand as a government acquisition person

I was making sure acquisition's the dirty word, not government. Good point

Clarifying. See, first crisis. I've created it today, right? But that's a scary thing

Low price technically acceptable. And don't dress that pig up with something that says best value trade-off

We all know what that means. It's the same thing, right? But local leaders, right

I'm talking to a mayor outside of Chicago not that long ago, and he said, Rob, I know I need to spend

$140,000 on this generator for our town hall, which is where everybody would come together

in the event of an emergency. But I have the soccer mom mafia that wants me to spend $140,000 on a little splash park

And I won't be mayor next year if I don't do the splash park. So I may be a mayor with a splash park in the middle of a crisis

That isn't going to help me like a generator would. So having again that level of education to help us mitigate at the lowest possible level, because the clever threat vectors aren't going to come over the top

They're not going to be obvious. If I want to disrupt American society, it's not going to be Chicago, New York, LA

It's not going to be three cities with five million people in it each. It's going to be 2,000 cities with 1,000 people in them each

And it's going to be across the heartland and to the edges, and it's going to be everywhere from Chandler, Arizona, to Nashua

And what are the threat vectors that concern you for those smaller communities? You mentioned kinetic versus non-kinetic

You mentioned cybersecurity. Do you have a, God forbid, like a worst-case scenario that kind of keeps you up at night with regards to those scale communities you mentioned

Yeah, it is simply shutting down critical services and creating a groundswell of support against intervention

and we've seen a tremendous amount of reporting and planning on that

and frankly, I would tell you that I would hope, I'm going to use the word hope

that the U.S. government has plans along those same lines as well. If we can avoid a shooting war, great

but if you can freeze an opponent out without having to fire a shot

then again, it goes back to that kind of elegant solution. And again, durability and resiliency

So it starts with education, it starts with our acquisition process, not just for large capital equipment and systems inside the U.S. government, but down at the local level as well

I wonder, have your own views on these threats, the threat vectors, you call them

have your views on how to approach them evolved over the course of your career? And if so, how so

Interesting, yeah. So I started my career in foreign military sales, nod to the gentleman in large acquisition

So I was on the Navy's F-18 program. so I maintained regional balances of power, as we like to say, as opposed to saying we were arms dealers

But we sold the FAA-18 around the world. It was great. It was a great place to start

I ended up in the intelligence community. I spent time as the deputy defense intelligence officer for global trends and projections

so lots of time looking at technology and emerging trends. And then from a crisis management standpoint and avoiding surprise

I happened to spend two years in the White House Situation Room as the senior duty officer there

And during that time, I was the senior duty officer on shift in the White House on 9-11

So we come up on the 24-year anniversary, you know, just around the corner, I think, next Thursday, right

So that literally being in the middle of a hundred year crisis where we had plenty of opportunity to plan for things but we didn imagine that type of asymmetric attack

So when I look at threat vectors and challenges and risks, the question always is, what are we not thinking about

And there's a data quad in crisis management where we talk about, and I will say this

Don Rumsfeld, Secretary Rumsfeld, once attempted to do this in a press conference

and it did not go well for him. But we have known-knowns, known-unknowns

unknown-knowns, and unknown-unknowns. And I won't bore you on what each of them are

but the biggest challenge, strategic surprise, happens in the unknown-unknown quadrant, the things we don't have time to even contemplate

And if you spend your time focused on... We love facts. Facts are known-knowns, things I know I know

Known-unknowns are questions. Things I know I don't know, so I've put a query out

Things I'm interested in. What are the threat vectors? Who are the threat actors? What do my systems look like

How would I respond? Unknown knowns are things I'm unaware that somebody else in my organization already knows

That's inefficiency. I may be looking, I may be searching for an answer, but you've got it

We just haven't connected. And that's a silo issue or a stovepipe issue

Lots of terms that everyone in this room is probably very familiar with. While we're working on known knowns and unknown knowns

We don't have time to think about those unknown unknowns, right? That's strategic surprise

That's the creative thinking. That's the take 10 minutes every day and figure out how something bad might happen

Those are what your red teams do. Those are your risk mitigation folks. And so when I look back at 9-11 and the things we did right out of the White House situation that day

and the things we had to do because people hadn't had creative thoughts prior to that

and a lot of those, most of those, if not all of those holes have been plugged by now

we would have looked at things very differently. And an example of that is the president on 9-11 was on Air Force One, was on the aircraft

The vice president and Dr. Rice, the national security advisor, were in the bunker in the White House

When they built the communication systems for the White House Situation Room, going all the way back to the 60s

They had exquisite communications between the White House Situation Room and the aircraft

And they had very robust communications between the White House Situation Room and the bunker

You know what they didn't have connection between? The bunker and the aircraft

Because the President was never going to be in both places at once. They hadn't imagined a situation where someone in the aircraft and folks in the bunker would need to talk to each other

So when they evacuated the White House Situation Room, or when they evacuated the White House

They kept asking the Situation Room to evacuate, and we couldn't and we didn't

because the president would have been out of communications then with his vice president

The Secretary of Transportation, Norma Mineta, happened to be in the bunker that day as well, and Dr. Rice

So we hung in there to mitigate a problem that would have occurred had we left

So, again, I go back to crisis mitigation, crisis response, really being a three-legged milk stool of people, process, and technology

That was technology kind of working against us. It was process telling us to leave, and we had to override that process because we had people in a situation that made a decision in order to fill that gap

I got about a minute left with you, and I'm very grateful for your time for relatively unexpectedly popping up to share your expertise and your history with us

What are your expectations or what are your hopes for how a lot of these really crucial conflicts play themselves out, even over just the course of the next few years, Rob

Yeah, I think nothing's off the table. Be creative. If you're a supervisor, a boss, a commanding officer, what have you, challenge your people to, I hate the term think outside the box, but think

Give them time to think. Challenge them to think. If your people don't have intellectual curiosity and they don't practice ytic rigor, find new people

If you're in crisis management, if you're in Indo-Paycom, if you're trying to avoid strategic surprise, those are the folks you want

intellectual curiosity, ytic rigor. That's awesome. Rob Hargis, very grateful for your time and perspective today

One more time here for our special guest. Thanks. Robert, it's great to have you. Appreciate it

Thanks a lot for being here. You can head off that way