Riskgaming

The how and why of the most successful supply-chain attack in history

This week, Hezbollah fighters in Lebanon were injured and killed by the thousands across two waves of attacks when their pagers and walkie-talkies exploded. Presumably orchestrated by Israel, it’s one of the most complex and successful supply-chain attacks in world history, and it has mesmerized the global espionage community.

We wanted to go deeper into supply-chain risks, and so we brought Nick Reese onto the Riskgaming podcast to talk more. Nick was the inaugural director of emerging technology policy at the US Department of Homeland Security, where he developed policies across cybersecurity, artificial intelligence, quantum computing and more. Today, he's the CEO and founder of his own business, Frontier Foundry Corporation, as well as a faculty member at New York University.

Nick and host Danny Crichton talk about the attack on Hezbollah and consider the networked challenges of securing supply chains for the United States. The two then swing wider to the national security challenges inherent in emerging technologies and how public-private partnerships are mitigating some of those risks.

Transcript

This is a human-generated transcript; however, it has not been verified for accuracy.

Danny Crichton:
So Nick, when we are recording this episode, we're in the midst of this major international news story coming out of Lebanon. A few days ago, we saw Hezbollah fighters holding their pagers for a couple of seconds looking at a couple of numerals that apparently had been scrolled or sent to these devices and they exploded in their hands, exploded in their faces, thousands of people injured, maimed, in some cases killed. And then just I believe 24 hours later, we saw a similar attack right afterwards. And from the press reports we're getting live as we were recording this, we're identifying how it took place. There was an interception through a manufacturer of these devices, someone implanted a very careful explosive into these ones that were attached to the chip that would allow remote explosion of those devices. You are an expert in all aspects of emerging technology, homeland security, you were the inaugural director there on some of these subjects. What do you think about this attack and the sophistication of it?

Nick Reese:
Supply chain operations like this one are not new, but adding this kinetic aspect into it, that's new. In a lot of previous iterations of supply chain operations, you would see things like implanting malware or intelligence collection or doing it for intelligence collection or surveillance purposes. Now we're seeing it done with a kinetic effect, and I'm saying kinetic effect and not lethal effect because as you alluded to, I think the most recent number is 37 killed and about 3,000 injured. And so we're not talking about necessarily a lethal effect, we're talking about injuring or maiming. And so a very different outcome that you're trying to get from that operation. So the supply chain operations as a whole are definitely not new, but adding this kinetic aspect into it really takes it to a different level.

Danny Crichton:
We just had an episode with Zach Dorfman, a journalist in San Francisco, and he got a blockbuster report in Politico Magazine a month or two ago that was focused on the 1980s. Now the FBI intercepted chip shipments from the US to the Soviet Union. And then the goal was to undermine these chips. But you had to do it in a very, very sophisticated way. The chips still had to work, they had to work less well. And there was a huge ethical debate around what if these chips go into a weapon? What if that weapon gets sabotaged and it actually kills more people than less? How do we go do that?
And so there's all these operational considerations on something as basic as a chip. That was not kinetic, that was just designed to undermine the Soviets, undermine their burgeoning computer industry. In this case, you are talking about thousands of devices. You don't know who's holding them, they're all over the place. The Iranian ambassador to Lebanon was one who happened to be holding one. How do we start to understand both how this operation was undertaken and some of the ethical implications that were involved here?

Nick Reese:
So let's start from the very beginning. So if you're going to plan a supply chain operation, the first thing you have to do is understand what makes for a good supply chain operation. And what you want in a good supply chain operation is a very narrow niche technology that is used in a very narrow niche way, hopefully by a very narrow subset of people. You don't want to have supply chain operations that are very, very wide because then the effects get away from you. And so in this case, we had a specific group of people, Hezbollah fighters using pagers and walkie-talkies. Now both of those are not common items anymore, but even better they are items that within their physical enclosure there's actually space in there that you can add things to it. So already we're looking at an operation that makes sense in terms of it's narrow, it's very targeted, it's a very specific technology. There's the ability to infiltrate it. You know what, that's a good target.
You would imagine that the Israeli planners or allegedly Israeli planners would be looking at the Hezbollah fighters moving to what is a more passive communication system in a pager. And they're not going to get as much collection from that because it's not a phone. And so what do you do with that capability? So to do this responsibly, so you're adding a kinetic effect and you would probably have some kind of at least passive tracking capability to develop some kind of pattern of life. So that would be a mitigation to what you mentioned about you don't know who's holding it. Well, what you would do is you would watch the pattern of life and you would have an indication of, okay, I think this person takes this to work every day. And that pattern of life would allow you to identify, okay, I'm pretty sure the fighters have it, or at least a majority of the fighters actually have it on their person.

Danny Crichton:
So when you say pattern of life, you're talking of things like it's pinging the cell tower in these regular locations and we know that that is there. There are text messages that are going on the beeper or pager and those are either being distributed by the right people or going back and they're the right messages we would expect for the people we're talking about.

Nick Reese:
Correct. And in order to do that, you would have to have what they call blended operations. And so a blended operation means that you have an operation underway, but you also have other operations that are collecting to understand its effectiveness. And so you would have sources on the ground, electronic surveillance, something like that, that would tell you the pattern of life, this person drives this route every Wednesday or whatever that looks like. And once you start to see that over time, you understand that this person has this routine and you can understand what would be a better time of day to execute some kind of attack. So that would be how you would do that. At least that would be the responsible way to do it because that would at least give you some ability to understand how the devices are moving.

Danny Crichton:
And when you think about the sophistication here, these are not devices that are made in Israel, they're made overseas by multiple companies. The components of those are presumably not vertically integrated, but part of the normal global supply chain. How do you begin to unravel that supply chain knowing that, I mean you had to know that Hezbollah is going to buy these devices and so there's a very limited window of time from when you have the intelligence that they're going to make a purchase to the time when you're able to intercept the shipment and actually do something to these devices to make the kinetic effect happen.

Nick Reese:
That would have to start at the realization that they are moving from phones to pagers. So that piece of collection is the most important one to have first. And so once that is done, there's going to be an internal calculation that says, okay, we can't get very much on collection anymore. So what can we do in response? In this case, the decision was undertaken that we would intercept the supply chain and we would create some kind of effect. So in order to do that, you would have to have sources on the ground, penetrations of Hezbollah who could tell you these are the beepers, or these are the pagers that we buy, and we buy them from these three retailers. That would be the first step in the supply chain, to understand that retailer. Where is that point of sale where they're buying them?
And then you work backwards. And so then it's, okay, well what is the fulfillment to that retailer? Okay, what is the transportation to that fulfillment center? And then you keep walking back. And so in this case, it would be pretty hard to imagine that the manufacturer was involved here because of what will already be an impact to their business. You have to imagine that they got access at the transportation wholesaler or retailer. What you would do at that point is once you've identified that, you would pay someone off, in effect, you would create a relationship, pay someone off to give you access. And then from there, this is where the complexity really comes in. So identifying the supply chain, that part isn't as hard, but the hard part is that you basically have to set up your own supply or your own assembly line at this point.
I mean this is maybe a little dramatized, but you can imagine somebody in the back room of the warehouse, so to speak, who opens the boxes, opens the enclosure, implants the implant, close everything back up, puts it back in the box, has a shrink wrap machine to put the plastic back on the box, all of that stuff, and then it goes on the back of the truck and it goes to the retailer. But even before that, you have to invent the technology that goes in there. So the explosive, the charge that can be detonated remotely, that all has to be invented and then produced at scale and then integrated into these beepers.

Danny Crichton:
And it's a lot. And when I think about not only all the different steps, but the speed at which you had to do this, because presumably this didn't take five years. I hate to say Hezbollah is a little bit faster than the Pentagon, but probably in terms of procurement is able to procure its phones a little bit faster than a traditional defense or homeland security appropriation. And so when you're able to do that, I mean my guess is the window of opportunity was maybe weeks, maybe a couple of months. So to me it's like one aspect is were they just lucky. They said, of the five things maybe on the market they'd go to, it's likely to be this one. Did they do all the above? And how did they build enough of an infrastructure to say, hey, we're going to have an order for 4,000 of these devices or whatever the number was in total.
How do we get enough people to where that we have to assemble these? Because I mean you mentioned as one example, you could have intercepted the retail, but the retailer would have been in Lebanon and Israel probably cannot have an assembly line of multiple people opening and resealing up thousands of devices without being discovered on a reasonable basis. And so to me, that window of opportunity is what makes this so complex. If you had five years and you could have all the time in the world and you had a bunch of intel, it's all that plus concentrating then in a very specific period of time.

Nick Reese:
My guess here is that this was a multi-year operation just because that's the amount of time that it takes to be able to do this. So I would be less inclined to believe that it was a bulk order versus they probably were filtering these things in for a while and they had intel that these were being used. And so they did some work upfront and there might have been a little bit of luck involved. I mean truthfully, it might have been we're going to target their non-smartphone technologies and we're going to build this in. But in order to do that, the opportunity also has to be right in that if you were going to open up a smartphone enclosure, there's not a lot of room to add additional gear and certainly not additional explosives that would cause any level of injury inside a smartphone enclosure.
But there is in a pager or walkie-talkie. You created the technology, you've identified the opportunity. And so I would guess that all of that together had to have taken probably something on the order of two to three years. And the question that I think is interesting that I'm really following the news to try and understand better is why they decided to use it now? Because this is a one-shot thing and once you use it, you're never going to be able to do this again or something similar to it. So why they decided to use it now is the part that I think is really interesting as well.

Danny Crichton:
I agree 100% with you. And obviously, we don't know why, but some of the speculation is it's about to be discovered or a few of them had been opened up. And so the opportunity window is just closing, it's either now or never, or there could be an act of conflict coming. And not only are you creating physical and kinetic damage to the fighters here, but in addition you are knocking out a key communications channel. It has this double effect, which is actually really interesting. And even if you want to go to war, say this week, it's really hard without the channels to be able to direct, optimize, get communications to where they need to go, that you have to take some time to rebuild those channels. And the fact that they did it to both pagers and walkie-talkies makes much more sense to me because as you said, it's one shot, but people are going to open up all their devices now. And so you get that kind of communications effect as well. We talked a little bit at the beginning of the show about the ethics piece here.
And I wanted to zoom in on a specific piece which is we talked about pattern of life and trying to identify the people who are holding this, but the reality is people have families, they have close friends, et cetera. I'm holding the device, I put it in my backpack, I give it to my child, I give it to my wife or husband or whatever the case may be. You don't necessarily know it just because in the house that someone is near it. How do you figure out, because when I look at specifically Israeli operations, even in the last two years, we had a very famous case of top Iranian nuclear scientist who was assassinated. It was very, very precise, very complicated, targeted exactly one person in a single moving vehicle and not others in that same moving car. This one was thousands of people simultaneously, which the effort required to track all this in real time is quite frankly mind-blowing to me. How do you start to identify so many targets simultaneously to try to minimize the collateral damage here?

Nick Reese:
Well, so we're talking about something on the order of 3,000 devices and 3,000 individuals. And so to have real-time tracking on all of those, I mean, sure, it's technically possible, you could technically do that. I mean, yes, the question is did they do that? But the bigger question is did they try to do that? And so that's the question that I'm curious about, is was this a, Israel allegedly was willing to just execute as a means to knock out the communications. Was that the thought process and then the rest of it was collateral, or was this intended for military effectiveness?
And I think that if you look at the results, I think you see an operation where you wouldn't call it particularly militarily effective, but you would say right now if you live in Lebanon and you're not taking batteries out of everything you own, I don't know what you're doing. But what that ultimately does is create this moment of a real fog. And today, it came across the wire that Israel launched several airstrikes and hit 52 rocket sites. So now we're seeing what looks like a more coordinated operation where this happened. Now the rocket sites have been hit and it feels like it's a part of a bigger effort at this point.

Danny Crichton:
So you think this was coordinated from start to finish. This was the first step. There's a second step, there's maybe ongoing steps rather than let's say it was being discovered, you have 24-hour window, you decided to hit the button and now that you have this moment of opportunity, we're all scrambling around in Tel Aviv trying to figure out, okay, what else can we do right now while everyone's on their back heels?

Nick Reese:
I think so because particularly with the pager operation, if I was an operations planner and I had a live operation that I spent multiple years and multiple millions of dollars on that was one-time use, to me, I need a really good reason to use that. And the vision that I had was all of these people with their pagers on are coming toward the border with rifles. That would be the moment. That's the moment to do it. But we at least so far haven't seen something like that. So it makes me believe that there has to be a larger reason here. And if not, then the timing is just very odd if that's not what's going on.

Danny Crichton:
And when I think about, I want to go a little bit broader because you talked about this, the smartphone is not possible. And I've actually had friends who are like, "I'm worried about my own iPhone. I'm worried about supply chain." I'm like, actually, you have no idea how thin that phone is and how much technology is into play. Your camera wouldn't work, something would have to break. And frankly, so much of this is interconnected that there's really nothing you can cut out. Apple is down to the grain of sand level of space in these phones, so there's really no space where you can do that. Your battery life would have 10%, you would know. Nonetheless, obviously there's huge concerns around supply chain security across the US, across western countries. Many of our devices are not made locally but are made overseas in some cases by foreign adversaries like China.
And there's been more and more concern in DC circles and foreign policy of saying like, look, this is a vector for attack. This is a place where because we don't know, we can evaluate, we can try to understand, that could be a hack in the firmware, that could be something in the kernel, that could be sending at a chip, that could be something as large as an explosive, presumably we would be able to find that out. When you think about securing the US supply chain and taking the lessons learned here of what's going on, what were your highlights there?

Nick Reese:
When I was at DHS during COVID, and so I remember very well when we had the supply chain collapses and things like that that happened during the pandemic, and then there was a lot of work that went into these new executive orders and things like that to try and start to think about supply chain in a different way. And I think that that's really, to me, what it is: we have to consider supply chains in a different way. And supply chains for decades had been thought of as how do we get to ultra optimization such that if I use this supplier instead of this one, I save two and a half cents per unit. And I understand that, I do, and as someone who owns a small business, I very much understand the need to optimize. But we've shifted that now to an idea of the top priority should not be optimization as much as resilience, because we saw shocks and then we had the supply chains that really crumbled as a result of a shock. And so we're talking about something different here. It's not a shock that we're talking about.
We're talking about the actual physical security of the physical devices and the components that go into those devices that we are the end users for. And so when we think about that, I use an analogy of it's like a sterile environment in a hospital or a medical setting, anything outside of that sterile environment is considered contaminated. And that's maybe an extreme example, but I think that's the next evolution in how we have to think about supply chain is we're thinking about it from a resilience perspective, but then we also should think about it almost from a sterilization perspective where we're looking at anything that enters the supply chain outside of the defined bounds. We have to then consider what's inside that potentially compromised. Because to me, the hardest part about what Israel allegedly did to Hezbollah was not the identification or penetration of the supply chain. That part's not hard. One of the things that you learn in working in intelligence is actually one of the cheapest things you can do is buy off a person.

Danny Crichton:
Right. Yes.

Nick Reese:
It's true. People are cheap. And so buying off a person somewhere along that supply chain is going to let you come in the back door. That part's not hard. The harder part is the ability to set up that operation at scale and integrate that technology in. That part's hard. So we can set up risk frameworks and security measures and things like that to detect those things. It's the humans inside that I think I would be the most worried about because that part is not that hard.

Danny Crichton:
Well, I remember a little bit of early tradecraft and the line was always, in Hollywood, every CIA agent is going through the front door, guns blazing, knocking down, James Bond, Jason Bourne or whatever the case may be. And it's like in real life, we go out the back door, we go get the janitor, 7:00 PM, he's tired, had a couple of shots of alcohol. Here's 300 bucks. Can I walk through the place? Sure, of course you can. I want $300. And before you know it, you get exactly what you want. No one even knows you're there. And the key piece that I think outside of some of the... I see in these walls is the whole goal is that no one even knows you were there in the first place. You go in the front door, you have guns blazing, everyone is there, people are attracted.
There's now a diplomatic crisis. You don't have a crisis if no one even knows it happened. So your second point. To me, the challenge with a lot of modern devices is the black box problem. And it's the nested Russian dolls, both literally and figuratively, of look, you have a phone, there are subcomponents, the chip, the modem, the display, the storage, the RAM, those pieces are also outsourced. Those pieces are outsourced to a point that you have large companies like Intel, Boeing that can't even confirm that all the parts are made in the countries that they think they're made in because there are just layers and layers of subcontractors. And to me, I'm actually very empathetic to that. You're a large company, you don't want to figure out where did this molecule of silicon come from. But the reality is at some point you just lose your ability to observe.
We have a company here in the Lux portfolio, Lumafield, which makes CT scanners designed to be really fast. It uses software and hardware to scan a device. So in their context, they mostly use it for product development. You can make a device, see if it actually worked. It's a quality control. They can also be used for security applications. You can take a device, scan it. Is there any part that you don't recognize as a match to the schematic, et cetera? Unfortunately with the software-driven world that we're in, so many of the hacks, the things that you can do to these devices, can't be seen at the molecular level. It's actually really, really hard. And so to double down on what you just said, I think provenance is really important. You call it sterilization, I call it provenance. But this ability to understand, look, this is from some unclean source, in the same way that if you're in a BSL-4 facility, you want everything to be sterile. You have to recognize those vectors of attack and be able to account for them.

Nick Reese:
Yeah, so well said. And I think that we also, as we're looking at security of our supply chains and looking at especially the software supply chain, which I think again is an extremely important piece here, I think one of the things we also need to do within our supply chain conversation is understand our interdependencies. And this is something that when I was at DHS, we did a lot of work on for critical infrastructure and national critical functions, understanding: this particular energy generation plant goes down, well, what that really means is all these other things happen. And so I think in a supply chain we need to do the same thing, and it's a different scale, thinking about each node in a supply chain as its own risk portfolio, so to speak. And then the next node has a different risk score, risk portfolio.
And I think this is a place where it's actually really ripe for artificial intelligence because this is the kind of thing where we can get data out of these supply chains, which some of these companies have data that goes back decades on some of these supply chains and these specific nodes. And you're right that these big companies maybe lose the granularity at some level on where these pieces come from, but maybe we have an artificial intelligence that can do that. And that's something that my company, Frontier Foundry, that we look at with regard to other problems. And so we actually have some work underway with the Department of Homeland Security where we're doing some things along the border regarding fentanyl trafficking, and we're looking at a similar thing. And so you can take those supply nodes and understand them as individual risk portfolios and then taken as a whole, now you have a better view of your supply chain risk.

Danny Crichton:
I think there's a couple of things I'd highlight. One is I do think technology, specifically artificial intelligence, gives you a better sense of the graph, the network of parts that are going in, being aggregated, put into a subcomponent, those subcomponents going up to components, components into devices, into the hands of consumers, whatever the case may be in a specific supply chain. I also think that you have to complement that with a level of trust. And that goes back to the provenance question of you've got to know your business, you've got to know who you're buying from. You've got to, in the same way that you have KYC, know your customer laws in finance, you have to have KYC in supply chains. And just because a chip shows up at the just-in-time factory door and that works really great for your business, doesn't mean that those chips don't have threats associated with them or risks getting more involved in that. But the other thing here, and I think this is where you are particularly interesting, is your work at DHS was really improving critical supply chains, getting people to understand this.
And I do think it's gotten a lot better over the last few years. I look 10 years ago, I look at today, people have a sense of, look, software is coming from a couple of different sources, critical minerals, our power grid, where does that transformer come from? And you click the... And it's like, well, it comes from places that are actually very irreplaceable. In the event of war, our grid could be completely annihilated very quickly and not be replaced. On the other hand, you also had this function around emerging technologies, areas like cybersecurity, quantum, et cetera, where we don't even understand how the chain, the network, that graph even exists because we're inventing the new technologies. We're just getting started. It's very easy to look retrospectively. It's very hard to look prospectively. And so when you start to think about these new technologies, emerging innovations, how do you start to consider the risks there as opposed to something like a power grid where we know what we're getting?

Nick Reese:
Well, and I think you do it in two ways. And so one is in a sense we've learned a lot of lessons already from some of these other supply chains that we can build in as we're creating the supply chains for, let's say, quantum computers. And so I think in one sense we have a little bit of knowledge that we've gained that we can apply and, I would hope, improve the supply chain conversation, risk profile, things like that, as we are just starting it from the beginning. The other part is, especially quantum computers are a particularly good example of this, where we don't even know what flavor of quantum computer is going to be the one that is either dominant or even used for specific use cases. And so because of that, we don't actually know the specific part fabrications or cryogenic setups that we need and all these different very specific parts that we have to have to have successful quantum computing.
And so I think, but we have to start somewhere. That doesn't mean we just get to say, well, it's too hard and we all just go home. What we have to do is at least start at some kind of first principles where we can say, okay, listen, we know that we can't do quantum computing at room temperature. We know that we need a fraction of a degree above absolute zero, so we know we have to have cryogenics. And from there, we can build a risk profile around that foundational component. And then we do the same for others. And then as the technology continues to evolve, you do the same as breakthroughs happen. And this is not easy. This is certainly not a nice easy push-button way to do things, but it's the responsible way to do things, especially with these technologies.
And I would also put outer space technologies in that category. And so there are so many space technologies that are evolving really, really quickly because of the commercial space economy that soon we're going to be seeing things not just in low earth orbit, but in cislunar space and in planetary space. And so there's so many things that are going to have to be developed and innovated around that. And so we have to really pay attention to those supply chains because in that case there's life support systems and all these things involved as well. But just to put a bow on that, I think what it is is that we have to prioritize supply chain from the very beginning, that has to be a first principle itself, and not just optimized, but resilient and secure, or provenance forward, sterile, however you want to say it.

Danny Crichton:
Exactly. Let me ask you, I mean obviously in some ways the definition of civilization is all these layers of complexity we add up. We start with rocks and fire and wood and all this stuff. And now you're talking about interstellar travel and the level of technologies, life support systems, and we've had a couple of folks who have talked about living on Mars and how that we will need genetic technologies to adapt humans. That was Christopher Mason of Columbia, I think two years ago in the show. And earlier on the program, we had Zach Weinersmith earlier this year who wrote a book called A City on Mars, basically showing the level of technology you would need to actually adapt to life on the Martian planet and how impossible that was going to be. But either way, we're adding all these layers in the black box, black box over black box over black box, and there's no human who can figure that all out.
But I'm asking you, you were in government, you've also run a small business, private sector, you're also in academia. So you have the trifecta lens to look at all these different organizations and all these different institutions. Who is in charge here? Who should ultimately understand the supply chain? Is it the business building these products? Is it government as a regulatory authority who's trying to protect this? Is it the people? Is it a private sector or non-profit like a DOC for the wine industry in France or Italy, who's ultimately in charge of figuring this out?

Nick Reese:
When I was at DHS, I had to always be really careful to not say the R word out loud, which is regulation. So I'll be careful.

Danny Crichton:
A very American thing. Yes.

Nick Reese:
You're absolutely right, it's a very American thing. And at NYU where I teach, I often have students that aren't from the United States and they're very confused by that aversion to regulation. But no. So without going down that path, I mean truthfully, I think that government doesn't need to be in charge of it in a regulatory sense, but I do think that government has to lay out a framework that others can follow. So as an example, I'll give the 16 critical infrastructure sectors in the United States, which are defined by the US government in statute and in National Security Memorandum 22. And so they said, these are the 16 sectors that are critical to the functionality of our society, economy, national security, everything else. But they stop there because they said, "These are what's important, but we're stopping there." Now, a couple of those sectors are regulated, financial, nuclear, aviation for example. But by and large, there's not a stick version.
There's no teeth behind what the federal government can really do because a lot of critical infrastructure is owned privately. And so I would actually take a similar model here where I think that the government needs to say, okay, listen, here are the priorities that we see for successful supply chains. Here's guidance on how to do security. Here's guidance on how to do resilience. And that will give industry the vectoring that it needs to start to move toward a more broadly accepted version of supply chain resilience and security. And then it also gives, and, well, for academia in here as well, it gives academia a vector to do research and to figure out different technologies that can help to do this, to figure out best practices and things like that. And so we can build it from there. So I think the government should absolutely have a role, but I think the role is building the framework of priorities and vectoring and then from there, allowing the resilience and things like that to build naturally.

Danny Crichton:
So I'll list a couple of the sectors. You got financial services, food and agriculture, information technology, water and wastewater systems. So a lot of infrastructure and obviously critical components of basically making American capitalism function. Those are really large and they're huge spaces. And one of the things we really focus on in risk gaming in the scenarios that we build is incentives. One of the biggest complaints we hear from, like I say, a chief risk officer is like, look, I identify all these risks. They're real risks. They're real risks to the company. They're risks to shareholders who own the company's stock. We have a 10% risk that our supply chain might be broken, in which case our stock should go down, if people understood that. In some cases we're seeing, let's say, the SEC trying to put in rules around climate change or resilience that have to be reported in a 10-K, 10-Q or an S-1 form. But in other cases, there's really no incentive to do something about it, change anything. In fact, in some ways you could argue there's a disincentive.
I want PR to say I'm very resilient without spending the money to actually do so. So I'm curious because it's one thing and I think it's great foundational work to say, these are the sectors, these are the vectors, this is what to look for, these are the risks. Maybe there's some information sharing or industry public-private partnerships that get involved here to show best practices. But how do you actually change incentives to say, look, I'm a medical device manufacturer. I make something that's really critical, a respirator, as we saw in COVID-19, I could make more money today doing this overseas in places where it's very cheap labor. The manufacturing's not that hard, but in the event of an emergency when I will most have demand, I'm not going to be there. I'm not going to be able to do that. It's over there and there's no way to get it to the people who want to pay for it. How do you change those incentives at a more fundamental level? I feel like more reports and text or whatever is not going to be enough.

Nick Reese:
You're hitting on something that's very fundamental here because we very much, we don't want to say the R word too loud, but we also will look at things like executive orders or things like that and we'll complain because there's not enough teeth behind it for anybody to do anything. But really there's not a middle ground. So we either have to pass a law, which is where regulation comes from. We either have to pass a law that compels someone to do something, which is the stick version, or we have to build partnerships and incentivize cooperation through that means, which is the carrot version. So back to the critical infrastructure example, that's exactly what CISA does. So the Cybersecurity and Infrastructure Security Agency inside DHS, they very much have a partnership model for the cybersecurity and physical security of critical infrastructure under their charge. And in some ways that can be frustrating, but what's the alternative?
The alternative is there's a regulatory body for various different infrastructures. And again, in some cases there is, but in some cases there's not. And so we really, I think we have to make a choice here, and we can compel more action through law, through statute, or we can lean into a partnership model. And that's a little bit at odds with what you just said, which is, "Hey, I'm a medical device manufacturer and I can make more money overseas." And in a capitalist society, you are not only encouraged to do that, but you are praised for doing that. You raised your stock and you've done a good job, but we can't have both. We can't have, hey, go out and make as much money as you like, but also, I need you to do these things out of your own goodwill. Unless we, the royal we, the collective we, decide that security and resilience is not just a nice to have. It's something that is critical to your value proposition as a company. But it's also you as that company have some role in homeland security and in national security.
And I say this to a lot of small companies all the time, if you think that you're not a target, think again. Because even if you're a small startup, you have intellectual property sitting on your devices that is of geostrategic value. And we already know that, we've seen intellectual property theft in person and cyber that is state sponsored by China. We know this is happening. There was even a disruptive technologies strike force that was stood up at the Department of Justice specifically for this. So we already know that these companies are targets. So no longer can you say, well, I just sell rubber duckies and that's it. I don't do anything else. With the complexity of global supply chains, globalization, intellectual property theft, emphasis on emerging technologies, these companies are not just engaging in security out of the goodness of their hearts. They're doing it because one, it's a central part of the value proposition of their business. And two, because they actually have a role, like it or not, know it or not, in national security in an era that is increasingly defined by emerging technology.

Danny Crichton:
Well, I want to highlight, because I mean, Lux, just as a firm works with a lot of these agencies. We've worked with CISA, we've worked with Jen Easterly, they have been a really good partner with us, and obviously we are happy to give back to the government to make these supply chains secure given how many of our companies are in them. And one of the things that has been interesting to me is there is a risk adjusted notion of, look, if you're an early stage company, they do have IP. So I mean, industrial espionage is a whole other thing, and we work with the FBI and DOJ and others on that issue as well.
But going back to the supply chain risks, look, if you're an early stage company, you're only available to a couple devices, you're just getting going. I do think DHS and CISA have been among the best around this idea of, look, if five of your devices aren't working, it's not a big deal. It's different when you are a multi-trillion dollar company and you have a monopoly on an entire industry. And that spectrum is super helpful because you don't see that in necessarily every, you keep calling it the R word. I'm going to keep calling it regulation, if it's okay, at least safe regulation, happy regulation, put a nice adjective on it, smiley face or something on it.

Nick Reese:
Put some emojis in the title.

Danny Crichton:
Put some emojis. Yeah, those updated iOS 18 emojis, assuming you didn't download it to your iPad and it bricked it last night as everyone was downloading it, that could have been a supply chain attack. But I think what you're getting at is these partnerships. And it's interesting because I do think startups, and I don't know if it just transitions later stage or as they grow and there's pressure from the public markets, whatever the case may be, but at least the private startups that are still in our portfolio really want to get this right. They want to be local, they want to know their supply chains. In most cases, they think it's a competitive advantage. They're not exporting, they're not drop shipping. Everything is local. And so they're able to work faster, they're able to iterate faster, their product speed and velocity is better. But nonetheless, there is that translation point where now you're publicly traded, you have quarterly earnings, there's this focus on the stock price. And I do think, I would imagine it changes for folks at that point.

Nick Reese:
I am sure it will. And if someday my company gets to that IPO publicly traded, if we get there someday, maybe I'll change my tune. But no, I mean, I'm glad to hear that a lot of your portfolio companies are... want to get this right. And I think a lot of companies do. And I also agree that there are a lot of really great resources available, supply chains, specific resources, cybersecurity resources that are available through CISA. And CISA can be a really fantastic partner even to these small companies where you can reach out, you can get support, you can get folks to help you design some of your security frameworks and things like that. And so I think it's just a matter of putting the emphasis behind it from the proper level to really push forward and say, the supply chain of our particular product, software, hardware, whatever, is a priority for us and we want to know it to the level of granularity that we can.
And then I think there were a lot of other really exciting things going on, like the idea of thinking about individual nodes as risk portfolios and understanding what's in those risk portfolios, and then doing the same for a specific component. What is the risk portfolio here? If someone did disrupt it, what would happen? So I think there's a lot of really great things that can be done through red teaming, tabletop exercises, things like that to understand that. And I mean, it would be hard in an entire iPhone or Android phone, but you could absolutely do it for some products, even some software products. And once you red team it, you have a much better idea on where your gaps are, how you communicate, what you've missed, maybe policy, strategies, things like that you need to put in place or actual hard security measures depending on the application we're talking about.

Danny Crichton:
I mean, on that last point, I mean obviously we design risk gaming scenarios. We dubbed them risk gaming scenarios. They were war games and red teaming and all the above. And the most common request we get from partners, government agencies, both US and overseas, is supply chain risk. We get this a lot. But the interesting thing is we don't just get it from government agencies, which is obvious and people want to understand the security. We also get it from investors. We get it from a ROPs, a lot of pensions, a lot of big asset allocators who say, look, I have a basket of 50 companies that I'm invested in. What would happen if this particular, the Panama Canal gets shut down as we saw because of drought? What would happen if the Red Sea with the Houthis gets knocked out? What if my companies are even affected?
Am I actually hedged in a way where if that either geopolitical risk or supply chain risk were to suddenly strike, I would suddenly be out of a lot of money more than I was expecting. And so I do think it's interesting that it can actually align pretty well from both the mission-oriented on the government side to the more adverse-oriented on the private and capitalist side. And I think that's really interesting. But I know we're almost up on time. So I do want to ask you one final question. Obviously, you're in DHS, you're spending a lot of time in national security in the emergency technology space, quantum cybersecurity, AI, bunch of issues. What keeps you up at night? Because obviously we have a lot of tools to solve, complex challenges. We're working on it, but there must be something that is your nightmare scenario, the thing that wakes you up at 2:00 A.M. and that late night phone call we see in the campaign ads. What is it for you?

Nick Reese:
For me, it's the transition to post-quantum cryptographic algorithms and not doing it quickly enough. And this is something that my team worked on when I was still at DHS. We actually produced the DHS post-quantum cryptographic transition roadmap. Still available online, dhs.gov/quantum. And what we said at the time was we're still a couple of years away from the publication of the standards. So you have to do your inventory now, you have to be ready to go so that when that date happens, you will be able to transition. Well, NIST published those standards on August 13th, I remember because it was my anniversary. And that is the day that we had been looking at for a couple of years. And not only are we not making the transition, but we don't... A lot of people still don't understand what the threat is.
And so we're really behind here, at least by the marker that we put down at DHS. So that is what scares me, because if we're not first to a cryptographically relevant quantum computer, if we're not first or an ally and let's say China's first, the scary part is we won't know it because if they get there, they're not going to hold a press conference about it. They're going to use it and they're going to use it quietly. And that's the thing that worries me is some people say we're five, 10 years away, but really, we're one big breakthrough away. If that breakthrough has happened in China, they could, I don't think it's now to be very clear, but in the very near future, they could have a quantum computer that could decrypt our communications and we wouldn't know it.

Danny Crichton:
Well, that is a scary scenario, hopefully one that we're working on. And I know there's been an executive order around quantum statecraft and a bunch of efforts to try to stay ahead of that. And we obviously have invested in quantum computing and a bunch of other categories, but you're right, if you're able to decrypt, in the same way the Enigma machine and Bletchley Park was doing this in the 1940s during World War II, the Germans never knew throughout that entire period that they're... And you can be very subtle, particularly if it's in the intelligence community where you're not revealing the fact that you have information that you shouldn't otherwise have. Well, that's a nightmare scenario, and it is worth, I think, a good Riskgaming podcast episode to end on. But Nick Reese, thank you so much for joining us.

Nick Reese:
Thank you, Danny. It was really a pleasure.