Hacks, Attacks, and Pushing Back: Herb Lin on Cybersecurity

>> Bill Whalen: It's Tuesday, June 20, 2023, and welcome back to Matters of Policy and Politics, a Hoover Institution podcast devoted to governance and balance of power here in America and around the world. I'm Bill Whelan. I'm the Hoover Institution's Virginia Hobbes Carpenter distinguished policy fellow in journalism. I'm not the only Hoover fellow podcasting these days.

I recommend you go to our site, which is hoover.org click on the tab in the top of the homepage it says commentary head over to where it says multimedia. And up will come a link to podcast audio podcasts. Actually, there are 17 all including this one. My guest today is Doctor Herb Lin.

Doctor Lin is the HR Holland Fellow in cyber policy and security at the Hoover Institution and senior research scholar for cyber policy and security at Stanford University center for International Security and Cooperation. He's also the author of the book Cyber Threats and Nuclear Weapons. Herb Lin's research interests relate broadly to policy related dimensions of cybersecurity and cyberspace.

That includes the use of offensive operations in cyberspace as instruments of national policy. Herb, thanks for coming on the podcast.

>> Herb Lin: Glad to be here.

>> Bill Whalen: So there was news on the cyber front yesterday, Herb. The European Investment Bank's website went down due to a cyber attack. And for those listening who don't know what the European Investment bank, or EIB, is, about 90% of its loans go within the European Union nations, Western Europe, NATO nations, and a culprit quickly emerged.

Herb, it was a pro Russian hacktivist collective called Killnet. How do we know that killnet did it? Well, first of all, Polo said they did it, but also they'd been chirping away in June that something bad was coming along. There were threats that there was gonna be an attack on the swift banking system, the wise international wire transfer system, maybe central banks in Europe, maybe the Federal Reserve.

And the group offered this warning that a cyber attack was meant to, quote, repel the maniacs. According to the formula, no money, no weapons, no Kiev regime. So, Herb, here we seem to have truth of what you research all the time. The use of offensive weapons operations in cyberspace is an instrument of policy.

 

>> Herb Lin: True enough, it has taken. This is the first major attack that I've seen since the outbreak of the Ukraine war that has had apparently had some impact on some major non Ukrainian institution. As you described, the bank is an important institution in the infrastructure of Europe. And for reasons that are pretty clear, Europe is largely supporting Kiev, Ukraine, in its conflict with Russia.

This is a group that has decided to express its solidarity with Russia and are trying to use this to influence European policy. Now, whether they'll succeed or not is another matter. I don't know whether the nature of the attack is one that has crippling effects on the actual transfer of money and so on, banking services and the like.

From what you described it sounds as though they simply attacked the site. They may have defaced it, they may have made it unavailable to the public and so on. Those things are relatively minor activities of consequence. Mostly what they do is they serve to raise public consciousness of what they're doing.

Now, the interesting question here is that while they have expressed solidarity with Moscow on this, apparently the Moscow government, the Kremlin, did not take responsibility for this. It did not say, we're behind this, and so on. And it's highly unlikely that they're going to go prosecute these guys.

This action is probably illegal under Russian law, but that doesn't matter. Russia is not going to go after these guys in any significant way. In fact, they may be encouraging them to do it behind the scenes, but nobody knows whether or not that's true. That's merely speculation on my part.

And in foreign speculation, I would be willing to money if it's true, but I don't have any evidence to suggest that it is true.

>> Bill Whalen: Right, so, Herb, when we talk about cyber attacks there, you mentioned that there are crippling attacks. But then there's also such a thing as a shot across the bow, if you will, and maybe that's what you have here, shot across the bow, a message being sent.

And is that part of the nature of cyber warfare, if you will, that there are really different ways to go after a foe, if you will. One is to actually try to inflict harm upon the foe, but the other is to maybe do more psychological damage and physical damage.

 

>> Herb Lin: Well, the shot across the bow, when the navy does it and it really fires a shot across the bow, the implication is that the next shell will actually hit the ship rather than just a shot across the bow. In this case, we don't know whether or not they can actually hit the ship and actually cause any real damage.

We know that they can do bad things to the website and take it down. But if it's just the website and it doesn't affect any business problems, processes and so on, then it doesn't matter very much. And it's a minor inconvenience at best. So we don't know, I mean, I don't know the capabilities of this group.

Indeed, have quite potent capabilities. For example, if the Russian government were supplying them with intelligence or with weapons, cyber weapons and so on. About vulnerabilities that they know about in the bank's infrastructure, then the next shot could be or subsequent shots could be very damaging. But we don't know that.

And it's a matter of speculation at this time. Right now, I think we have to assume that this is what it is. It's a warning. They haven't said anything. They haven't survived any further consequences yet. I don't think what you told me. And so we just have to see, surely the bank is security.

People are more spinning up their defenses if they hadn't already. They're doing even more now to bolster their defensive posture. And so we'll see what happens.

>> Bill Whalen: Today is June 20. Two days from now, Herb, will be the 16 month anniversary of the Russian invasion of Ukraine. Are you surprised something like this hasn't already happened?

Because, again, we are now 16 months into this war.

>> Herb Lin: Well, it's not for lack of trying, certainly Russia has been trying to do cyber attacks against Ukraine and so on. As I said, this is the move, and they have not been, Russian cyber operations have not had the effect that many people had predicted that they would have.

But they have, I am somewhat surprised that they haven't inflicted, they haven't gone after the west. And this may have been deliberate on Moscow's part to keep the conflict relatively restrained. Maybe they, so here's the speculation again. It's a speculation. Moscow may have calculated up until this point that they didn't want to particularly antagonize the west in cyberspace because they had.

They were afraid that the West might go after it, and the west may have a bunch of abilities against Moscow and Russia that they wouldn't like to see exploited. So they said, hey, don't do this, it's government to do it. But also told the proxies not to do anything.

So that's a speculation, all right? And maybe now the gloves have come off.

>> Bill Whalen: Right?

>> Herb Lin: I don't know. That's a possibility. What would a reprisal look like, Herb? And how would the European Union respond in terms of cyberattack? Because the European Union. It's not NATO. I think no one knows the answer to that.

It is clear that NATO has a policy that says that it is willing to. It does regard certain kinds of cyberattack as attacks that would trigger the collective defense provision. So an attack on one country in NATO would certainly qualify as an attack on NATO. Now, the European Bank that you described is, in fact, not formally, it's not part of any nation, okay?

And so what the status of that is. I mean, it's an interesting observation, all right? They could have gone after a German bank or a British bank, okay? Those are two of the big players that are giving. They could have got on their Polish bank. They could have gone after the American bank.

And I said they did. I think you said that they threatened Swift, which is something that the US maintains, and I think the US maintains, but it's an international organization. It's largely US centered, and maybe we'll see what happens there. But it's not clear that you would consider that.

I mean, I don't know what the status of an attack on Swift would be under international law. Would that be an attack on the United States or any. I don't know the answer to that. Yeah, I think.

>> Bill Whalen: Yeah, what I'm getting at here is if there were a military attack upon a NATO nation, there would be a response under the NATO charter.

There'd be response and probably an airstrike or something like that. We can quickly visualize, having mental image what a military attack would look like. I'm trying to figure, though, Herb, what a cyber counterattack would look like and who, if it's not done against NATO, if it says done against an investment bank that's part of the EU?

Again, just how mechanically that would work. Would one country take the lead in the cyberattack? Did the countries talk to each other about cyber? How would they decide? Okay, we're gonna do something in response to this Russian entity. So who would take the lead?

>> Herb Lin: It's unclear. NATO has some coordination among the cyber activities of partners.

I mean, they certainly talked about the question that you've raised. It's an interesting question. I'm not sure where the physical facility is that was attacked, okay? I'm going to assume that it's on the territory of some NATO state. Let's say that is the case, okay? I'll just assume that it's the case.

And let's say they had sent the cruise missile there and it exploded. I think that that would probably count as an attack on the state in which the building was resident or where it was constructed in Belgium. It probably would also count as an attack on Belgium, and therefore, it would trigger the collective defense clause.

But in cyberspace. I don't know the answer to that. I don't know whether that would be whether this is regarded as an attack on a NATO country.

>> Bill Whalen: Right.

>> Herb Lin: So it's not the nature of the damage that's under the cyber part. It's not clear which nation has been attacked.

 

>> Bill Whalen: Right.

>> Herb Lin: I don't know. This is a good question. I don't know. And I haven't. I will look at it. I will try to do some research on this later on. I have no idea what the answer is.

>> Bill Whalen: Well, that's so the question would be then, is a cyberattack considered an act of war?

 

>> Herb Lin: If it's a cyberattack against a NATO member, it could be.

>> Bill Whalen: Mm-hm.

>> Herb Lin: There's no question about that in NATO's mind. There are some cyberattacks that of some sufficient magnitude and intensity and consequence that would constitute an armed attack. There's no question about that. Certainly, the level of this that you described doesn't count as that.

If it got worse, if it came to disrupting critical bank functions and so on, then maybe it would. There are two questions in all this. Is it an armed attack? Yes or no? And is it against a NATO nation? Yes or no? And what you've been focusing on is the first, and I've been.

This conversation, for me, raises all of the ambiguities of the second. I don't know whether it's that attacking an international institution is an attack on the holding the facility. I don't know the answer to that.

>> Bill Whalen: All right, plus there'd be a third factor here, Herb, which is that of a collective like Killnet doing something to help the Russian government.

But is it working in cooperation in conjunction with the Russian government?

>> Herb Lin: That's also true. And I suspect that the answer to. Again, we don't know the answer to that. I suspect that the answer there among NATO lawyers.

>> Bill Whalen: Very good. All right, so this wasn't the only hacking news of late last week, we had news of a hacking spree.

Hackers exploiting a flaw in the popular transfer file known as MOVEit. That's capital M O V E, lowercase i t. Herb, this impacted the US Department of Energy, the Office of Personnel Management, the BBC, British Airways were hit. Universities, like the University of Georgia, were struck. Also, Back in the US, DNVs were hit.

A lot of Americans having their driver's license numbers and Social Security numbers compromised. Herb, this was done by a group called Clop, spelled C L O P, a ransomware attack. So now we have maybe a different kind of attack where you're not doing something to promote a war, promote a government, but you are collecting data and going after different operations that way.

So let's describe a bit about how ransomware attack works and really what the end goal of that would be.

>> Herb Lin: Well, ransomware is a relatively new. Now, by relatively new, I mean in the last five or ten years versus the original attacks 30 years ago, okay? What happens in a ransomware attack is that let's make you the victim of a ransomware attack.

 

>> Bill Whalen: No.

>> Herb Lin: What happens is me. You make me the victim of a ransomware attack. The bad guy comes in and invades my computer and what he does is he encrypts all of my files so that I can't read them, and now I can't do my work. And then he sends me a note that says that, Lynn, if you want your files unencrypted, that is back to what they were before, send me $1,000 in bitcoin, okay?

And when you do that, I will decrypt it. Show good faith I will show you that I can decrypt, that I have the capability to do it. I'll send you back one of the files that you want that has been encrypted for you, show you that I can do it, okay?

And then I look at this and say, shit, I didn't back up my files. Nuts, I'm in trouble now. And so I can't. I have to pay. I have a choice of either paying this money in ransom or never getting my files back again. And so I pay.

Now, that's the most basic kind of ransomware attack. Now, there are many nuances to this, okay? For example, you said that this was not done by states. This is the focusing on money. Well, that's probably true, except that we know that North Koreans do this. Koreans do this as a way of funding some of their operations.

I think I heard some number that said that the cost of their nuclear operation has been largely, if not completely funded by various kinds of cybercrime, including ransomware. So governments also engage in cyber crime. North korean government is an example of that. So that's one thing. Second thing is, if I pay out the money, there's no guarantee that you'll decrypt the rest of my files.

Give me the key for it, dump digit key that will take to unlock the the files. And so I have no guarantee that you'll do it even if I pay you the money. That's also a problem. And now in the case, let's say, my files aren't useful to anybody except me, okay?

But let's say I were a customer facing organization, that I had lots of sensitive information. Let's say I work at a hospital and I had medical records that people wanted to really keep their medical record confidential. Now I still have your data, and now I can threaten to release it.

Yes, I'm willing to decrypt it for you, but I have a copy of it. The bad guy has a copy of it. And now I can set up a subscription for extortion. That is, you have to give me X dollars a month or I'm going to release these to the public.

Now have a continuing stream of income. These kinds of things are well known. All these kinds of things can happen. And that's the nature of this kind of threat. You're living under the threat of further data disclosure, even though you have your.

>> Bill Whalen: Why don't we see more larger scale attacks like this?

Cuz this was a pretty ambitious operation, considering you're going after the US government, you're going after the private sector entities, you're going after academic institutions as well. That's a pretty broad shot. Why don't we see this more often?

>> Herb Lin: Why do we not, or why do we not see it more often?

 

>> Bill Whalen: Yeah, why do we not see this more often? Why does this happen every week? Or is it happening in just it's for lack of success?

>> Herb Lin: Well, there are these attempts all the time, and some of them are thwarted and so on. And sometimes people pay up, okay?

But keep it all quiet. And by the way, you should note that the incentives for paying up are completely different from the standpoint of the victim versus the standpoint of law enforcement. Law enforcement would never, ever pay the ransom because that's just encouraging them. But your CEO will say it's highly motivated to pay for it because that's needed to get yourself back in business, okay?

And as far as I know, there's no law that ensures that there's no law preventing you from paying it. So that's one thing. There are people who talk about passing such a law to reduce this, but there's right now, there's no law against paying the ransom. And in some cases, even better insurance will cover some of the costs of paying the ransom, okay?

And so there are people who say that cyber insurance should be forbidden from covering the cost of ransom. This is to reduce the value to the bad guy. Of course, that goes against the individual incentives for doing it from the guy, by the guy who actually needs to get a system up and running again.

 

>> Bill Whalen: Yeah, so this leads her to a question of how prepared governments are for these situations. There's a group in the UK, Herb, called Taxpayers alliance, and they have looked at the British government servers and databases and particularly looked at three departments, Herb. They looked at the Department of Health and Social Care, they looked at the UK atomic Energy Authority, and they also looked at the UK's revenue and customs.

And what they found was outdated and very vulnerable systems. In the words of one whistleblower, and I quote, the problem is so bad that some of these systems could be taken down by an enthusiastic child.

>> Herb Lin: Not entirely surprised. Cybersecurity gets very little attention until it's really needed and after it's really needed.

I mean, that's not a surprise at all. That would probably be true for large parts of the US government as well.

>> Bill Whalen: All right, so let's talk about the US government, Herb. We have what is called a US national cybersecurity strategy. But I would note that's not a national cyber strategy, is it?

 

>> Herb Lin: That's correct. It doesn't cover how we would use cyber operations, for example, to spy on other nations. Many things it doesn't cover. So let's talk about the us government cyber approach, then. Are we prepared in this day and age, in your estimation, are we where we should be?

No, but we've never been. And the fundamental problem is that if you want cybersecurity, you have to be prepared for a lot of inconvenience and difficulty in doing your work. And the work of government is so hard to do is how hard to manage and so on, that adding cybersecurity to it just simply adds to the burden.

But people don't want to do it. They know that they have to. But it's like eating your vegetables. And for somebody who doesn't like vegetables, they don't want to. They would really, really rather not. And they may do it because they have to, but you won't get enthusiasm for it.

 

>> Bill Whalen: So when the cybersecurity strategy report was released, Herb, had included this passage, and it said that cybersecurity, and I quote. Must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as the technology providers that build and service these systems.

Okay, fine, responsibility. But then the question is, who holds the owners responsible, Herb? In other words, what is the oversight of here?

>> Herb Lin: So this is a very good question here. So let's say I am operating. I as an individual end user, and operating or using a system, and now it asks me to make some cybersecurity decisions, and I make the wrong one, and I get hacked as a result of that.

So that's a bad situation. What the strategy is trying to say is, you shouldn't put the end user in the situation of having to know a lot of technical detail, okay? This is to the maximum extent possible. You gotta shift that burden to the people who are best able to shoulder it.

That is the technology providers and also the operators of the technology, the guys who provide you the service, not the end user. So I'm all for, and you should be all for anything relieves you from a cybersecurity burden, right? You don't want have to do this, and it just gets in your way, and you really want this stuff to be taken care of by somebody else.

So that's good in principle. So now you're asking the question, how do we make them, the providers and the operators, responsible? Well, their answer to that in the cybersecurity strategy is that they're going to try to impose liability requirements for screwing up on cybersecurity and also Propose regulation that will make the operators and so on operate their systems in a more secure way.

Now, but these are very controversial ideas because in, because there are a lot of people that are skeptical about the importance and the value of regulation and about imposing additional burdens on liability in this. Is should a product provider, a technology product provider be able to disclaim liability for security flaws that they have inadvertently built into a product.

You say, well, why would they do that? Why can't you make them take out those vulnerabilities? Well, the problem with that, is that every piece of software has problems and has difficulties, has bugs in it, and the bad guy can come along and exploit those bugs. So, how bug-free do you want your software to be?

Well, you'd like it to be completely bug-free, but you can't have that. And their argument is of the vendor, on the vendor side is that if you insist that it be more bug-free, you're gonna slow down the pace of innovation, and because you're gonna put more people taking the bugs out rather than giving.

And so, and you wanna make them liable for having. So this is the, for having those bugs that some bad guy exploits. Now, on the other hand, right now they're not subject to any liability at all. And so, the difference between, you have to ask yourself, is that the right balance?

We certainly have liability for faulty production of cars. For example, if you put out a car with a design flaw in it and it kills people and so on, the manufacturer is liable. And so, why should software be any different than that? That's the question, and how far can you go in that?

And, what would be a safe harbor that would prevent you from having to being subject to liability? The thought would be that you get a safe harbor if you do x, y and z, that are pro-security. Well, okay, fine. What are those x, y and z? And now, that's the nature of a big argument that's coming because the administration hasn't yet specified what x, y and z are, and it's working on that.

As far as regulation is concerned. The fear is that regulation will impose a one size fits all on various players, various important factors here, and it won't change fast enough to be responsive to new threat levels. On the other hand, the thought is also that regulation does help you establish a minimum level of security.

And so, the question is, what's the right level of security that you want to hold everybody to, recognizing that everybody will do some place, will have to do more than that? Well, that's part of the public policy debate. And we're about to see the start of a very, very interesting debate.

 

>> Bill Whalen: Okay, we have not talked about China yet in this podcast. So, let's do a few minutes on China. News reports the other day that a suspected Chinese-backed hackers used a hole in Microsoft Exchange to launch a global strike beginning last fall. Herb emails, these were emails with malicious file attachments.

Their targets, I found this particularly interesting. 55% of their targets were entities located within the Americas. 22% came from Asia Pacific countries, 24% from Europe, Middle East, and Africa. Foreign ministries in Southeast Asia were hit. Foreign trade offices were hit academic organizations in Taiwan or Hong Kong. So, here's kinda interesting.

Maybe this is just kinda where China is right now. You're going after entities all around the globe right now. And the question again is, what are they doing here? Is this economic, is this geopolitical? Or is this again? Or is this maybe just in like with the Chinese spy balloon?

Maybe this is just poking and prodding and kind of finding out what, what the Chinese are actually capable of doing here.

>> Herb Lin: One could imagine from the Chinese perspective, it is in Chinese interest to be siphoning off information from as many sources as possible, where the universe of sources is those groups of influential institutions that helped shape China policy, or policies that affect China.

And so, for example, if there is a think tank in Singapore that wants to, that is particularly influential in formulating Singaporean policy, or in fact, in just informing the rest of the world about China, you'd want to know about it. And China information technology storage, storage of information is cheap.

And, they are certainly of the mindset of let's collect everything and see what you know and see what we can find. Now, does that mean they're not doing targeted collections, absolutely not. They are doing targeted collections, too. But in terms of this general vacuuming up of everything that is possibly, that they could possibly, could possibly be relevant, well, that's what every intelligence agency wants to do, get all the information it can possibly can, and because everything that they collect might be relevant.

So, it's not a surprise that a nation that wants to find out about what's going on in the world in ways that it might affect it are going to spread its tentacles widely. By the way, we do this, too. And in fact, every intelligence agency does this to the maximum degree possible.

If you're a poor intelligence agency, you have to target more. If you're richer, you have a greater ability to spread the aperture and collect from more sources. But every intelligence agency wants to get as much information as possible, and we do a mighty good job at that, too.

That's not a criticism. That's not a criticism, but we're the good guys, of course, and so it's okay for us to be doing it because we see China as a potential competitor. Adverse ship wealth. That, of course, that raises many more concerns because we don't like what they do.

 

>> Bill Whalen: So, you mentioned North Korea using cyber hacking to get cash. It's a cash-starved nation. China would not be looking for cash, though. Wouldn't China would be doing this?

>> Herb Lin: They're looking for information that they could use.

>> Bill Whalen: Right. So, that's what great powers do. They want information, plain and simple.

 

>> Herb Lin: That's right. That's what they, that's right. Now, all great powers spy on each other, except, by agreement. We don't spy on Britain, for example.

>> Bill Whalen: So, here we are, Herbert, in the summer of 2023. What is the next big issue when we talk about cyber attacks, cyber warfare, and cybersecurity?

 

>> Herb Lin: Well, the thing that's on everybody's mind these days is chat GPT, and it's worth saying a few bits about that.

>> Bill Whalen: Which you've been writing about lately.

>> Herb Lin: Right, what chat GPT does, just as an exemplar of what's possible, is that it makes possible the production of information.

And disinformation possible on a much more voluminous basis than previously in the past. And so ChatGPT is a wonderful thing to do, if you want to have if you want this information that you can spread around. And now it can be targeted, it's unique, so that it's it can be uniquely, you know, it can be unique to you or me.

So I could get a targeted misinformation that's tailored to my personal circumstances.

>> Bill Whalen: Right, so actually, there's a tv commercial on right now, Herb it's for a travel service, and it shows this woman and her dog walking through some marble, she's in a wheelchair, actually, they're in the middle of a storm in some horrible cold city.

And she gets back to her apartment and she goes on to the website of this travel service, and you you see up in the corner, it says, ChatGPT. And she asked it, find me a warm place to go and next thing you see, she's in a warm resort.

Yay, ChatGPT, wonderful things but so we're talking, though, the dark side here of artificial intelligence, and that's what you're getting at here, that actually artificial intelligence, AI can do wonderful things. It can help you find a nice, warm resort but AI also has a negative component to it.

 

>> Herb Lin: Absolutely right, I couldn't have said it better, it does have a downside to it. And borrowing the policy debate is whether the downside, whether the downside outweighs the upside.

>> Bill Whalen: All right, but to use the cliche here, is the horse already out of the bar when it comes to AI?

 

>> Herb Lin: That's an interesting question. Yes, in the sense that you're probably not going to be able to stop it. Why would any company stop it, you'd have to force them to stop it and then, of course, there are those players that you couldn't force to stop it. It's an interesting question as to whether or not now can you establish guidelines for how to use Amazon?

There's lots of people talking about that, I'm skeptical that it can be done easily. I have doubts as to whether it's not going to be done at all.

>> Bill Whalen: Final question, Herb, when we talk about terrorism, we talk about international terrorism, we talk about domestic terrorism. When we talk about cyber is there such a thing as domestic cyber and international cyber attacks?

And if so, if the United States of America is the biggest threat from hackers within, or is it hackers abroad?

>> Herb Lin: If somebody's in the United States and they're working for the Russian government is that a hacker from the US or a hacker from abroad, I don't know how to answer that question.

I think that they emanate that the threats, the major threats emanate from nation states. I'm not particularly worried about them.

>> Bill Whalen: Okay, and a final question, Herb, I always like to ask this to fellows on topics. If you had five minutes or ten minutes with the president, the Oval Office, and got the chance to talk cybersecurity with him, what would you tell the president?

 

>> Herb Lin: I'd say that I salute the administration for the very new cybersecurity strategy that is a major step forward. Please involve us with the formulation of the implementation plan, and don't delay on that, because a lot of the issues of it, and we got to get that right if we're goinna make your very good strategy work properly.

 

>> Bill Whalen: Well, the good news, Herb, is that you and I talked for the better part of about 45 minutes, and nobody hacked our conversation. You're in Europe right now, I'm in California the technology worked. I enjoyed the podcast, thanks for coming on today.

>> Herb Lin: Okay, great, thanks so much.

 

>> Bill Whalen: Okay, Herb, you take care. You've been listening to matters of policy and politics, the Hoover Institution podcast devoted to governance and balance of power here in America and around the globe. If you've been enjoying this podcast, please don't forget to rate, review, and subscribe to our show.

If you wouldn't mind, please spread the word tell your friends about us. The Hoover Institution has Facebook, Instagram, and Twitter feeds, our Twitter handle is hooverinst, that's spelled H-O-O-V-E-R-I-N-S-T. Doctor Herb Lin is on Twitter, is Twitter handle is @hermlincyber. Let me spell that for you. H-E-R-B-L-I-N-C-Y-B-E-R @herblincyber, I mentioned our website beginning of the podcast that is hoover.org while you're there, sign up for the Hoover Daily Report, which keeps you updated on what Doctor Herb Lin and his Hoover colleagues are up to, that's emailed to you weekdays.

Also, sign up for Hoover's pod blast, which delivers the best of our podcast each month. Your inbox for the Hoover Institution, this is Bill Whelan. We'll be back soon with a new installment in matters of podcast policy and politics, we're going to be talking Iran in the Middle east.

Until then, take care thanks for listening.

>> Speaker 3: This podcast is a production of the Hoover Institution, where we advance ideas that define a free society and improve the human condition. For more information about our work or to listen to more of our podcasts or watch our videos please visit hoover.org.