Caveat 5.26.21
Ep 79 | 5.26.21

To pay or not to pay? Ransomware negotiation.


Leeann Nicolo: Right now, the two biggest factors are still remote access and phishing emails.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's policy (ph) surveillance, law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, Ben takes a look at President Biden's executive order on cybersecurity. I share news of a bipartisan bill that would ban warrantless location data purchases. And later in the show, my conversation with Leeann Nicolo. She's a ransomware negotiation expert from a company called Coalition. We're going to be discussing how they determine how to pay out a ransomware gang. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, we've got some good stories to share. But before we do (laughter), you know how you always think of the perfect joke on the way home in your car? 

Ben Yelin: Yes. 

Dave Bittner: You know (laughter)? So in the last show, we were talking about - I was trying to think of things that the government supplies, but that you can also upgrade, you know, if you want to purchase a better version of that, right? And I think we talked about - public education is one. 

Ben Yelin: Yup. 

Dave Bittner: But an obvious one came to mind, which is water. 

Ben Yelin: Yup. 

Dave Bittner: Water (laughter), right? 

Ben Yelin: So true. I believe the comedian Jim Gaffigan once said, like, yes, you can get water free from any faucet, but, you know, I'd like to pay for it. 

Dave Bittner: Right (laughter). 

Ben Yelin: This is more watery than water. 

Dave Bittner: (Laughter) Right. Right. Exactly. And so I think that's something that is generally provided for the public good, and it is inexpensive enough that if someone were to come to you and say, may I have a glass of water? Pretty much any of us would say, why, of course, and simply provide that for free. Most restaurants would do that, fast food places. I guess unless you live in Flint, Mich.,.... 

Ben Yelin: Ooh. 

Dave Bittner: ...You have - well (laughter), I point that out just... 

Ben Yelin: It's true. It's true. Yeah. 

Dave Bittner: It's - well, I think it's the shameful exception to the rule that, overall, providing clean water is something that our government does extraordinarily well... 

Ben Yelin: Yep. 

Dave Bittner: ...To the point where, when you have exceptions, like Flint, Mich., it really stands out as a shameful example of how we need to do better. But... 

Ben Yelin: Absolutely 

Dave Bittner: But I guess my point is, if government-provided water is not good enough for you - and I make the case there's no reason why it shouldn't be - you can install your own filters or even go buy bottled water if that floats your boat. Anyway... 

Ben Yelin: We've all done it. 

Dave Bittner: (Laughter). 

Ben Yelin: It does taste a little bit better, perhaps. Although... 

Dave Bittner: (Laughter) Nice. 

Ben Yelin: ...Some tap waters - everybody is always talking about how New York City tap water is amazing. 

Dave Bittner: Yeah. 

Ben Yelin: I think Maryland tap water is quite good. So if you're in our home state, enjoy that delicious tap water. 

Dave Bittner: Yeah. All right. Well (laughter), enough about that. Let's dig into some real stories this week. Why don't you start things off for us, Ben? You've got what I would consider to be the big one. 

Ben Yelin: Yup. I stole the big one for us today. So the article I took was from CSO. But this is a broad story about the new cybersecurity executive order released by the Biden administration. We've been anticipating that this order would be released over the past several months, and they did finally release it last week, as we're recording. 

Ben Yelin: I think the backdrop of it is, this comes in the wake of some crippling cyberattacks. Obviously, in the very recent past, we had the Colonial Pipeline hack cause some panic-buying at gasoline stations and certainly, at least temporarily, increase the price of gasoline and cause some supply issues. So that had... 

Dave Bittner: Right. 

Ben Yelin: ...Some pretty severe effects. And then, of course, SolarWinds and the Microsoft Exchange hacks before that. So that's sort of the context that the administration explicitly lays out as to why they're putting this executive order together. 

Ben Yelin: So it's a very ambitious order. It does a number of things. And this article lays it out really well in a nice little list. And I'll just kind of go through them quickly and give my limited commentary on them. 

Ben Yelin: The first is about sharing threat information between government and the private sector so that if you're an IT service provider, there is an easy way for you to share breach information with public authorities. And I think that's good for coordinating resources, in particular, modernizing and implementing stronger cybersecurity standards in the federal government. 

Ben Yelin: One thing you frequently see among these types of executive orders is the chance to kind of control what you are able to control. So the federal government is big, but it still only has limited purchasing power compared to the economy writ large. 

Dave Bittner: Yeah. 

Ben Yelin: But what the federal government can do is implement changes within the federal government's own system. And sometimes that ends up being an example for the rest of the country. 

Dave Bittner: Right. 

Ben Yelin: So that's what's happening here. They're moving to cloud services, zero-trust architectures, multifactor authentication for all of their devices and encryption mandates. There's a step to improve software supply chain security, including establishing baseline security standards for any software that's sold to the government. So, again, the government using the authority they have to set that standard. 

Ben Yelin: One really interesting one - I know you've mentioned this in the past as an idea, establishing the Cybersecurity Safety Review Board. It's going to be made up... 

Dave Bittner: Right. The NTSB for cyber, right (laughter)? 

Ben Yelin: That's exactly what it is. 

Dave Bittner: (Laughter) Right. Right. 

Ben Yelin: So you get a bunch of people together from the public and private sectors after a major cyberattack and you figure out what happened, just the way, if there's a train accident, let's do an after action report. How did this happen? How can we prevent it from happening in the future? What sort of vulnerabilities does this reveal about our system, our critical infrastructure, et cetera? They're going to create a standard playbook for responding to incidents so there's a - kind of a set script that agencies can follow if there's some sort of cyber incident. And that, again, is just a baseline, but it's something that private organizations can build off of. 

Ben Yelin: Improving detection of cybersecurity incidents on federal government networks with a government-wide endpoint detection and response system and improving investigative and remediation capabilities by creating a cybersecurity event log for federal agencies - so a couple of more items where they're focusing on the area for which they have jurisdiction, which is federal agencies. 

Ben Yelin: Another one that's not mentioned in here that I think is crucially important is - you know how we talked about the Energy Star-type ratings we'd like to see on IoT devices? 

Dave Bittner: Right. Yeah. 

Ben Yelin: This executive order includes a pilot program to try and test that out. You know, they purchased that smart refrigerator - this pilot program will see if it makes a difference whether there is some sort of cybersecurity stamp of approval on that product. 

Ben Yelin: So this is very comprehensive. It was well received. Members of Congress of both parties praised the executive order, saying it was bold. The skepticism I see is that a lot of the minutia is going to be left up to individual agencies. So, you know, we're still kind of at step one here. A lot of the executive order - the legal language is, NIST will provide standards for X, or, you know, another government agency will be tasked with coming up with the membership of the NTSB for cybersecurity incidents. So that work still has to be done. I think this is a really good start. And I think it's particularly timely because we've suffered some pretty significant cyber incidents over the past several months. 

Dave Bittner: Have they put any timelines on any of this stuff? Are they mandating that these things must be done by a certain date or time? 

Ben Yelin: Yeah, there are timelines on a lot of the different provisions. You kind of go section-by-section. We talked about the minimum standards for the SBOM. That has to be done within 60 days of the order. Within 30 days of the order, the secretary of commerce, acting through NIST, has to solicit input from a bunch of stakeholders - private sector, academia - we're finally getting noticed in academia... 

Dave Bittner: (Laughter) 

Ben Yelin: ...To develop standards, best practices, procedures for identifying practices that enhance the security of the software supply chain. 

Dave Bittner: Hmm. 

Ben Yelin: Yeah. And then there's a whole bunch of different deadlines that are laid out in the executive order. So it's not... 

Dave Bittner: Yeah. 

Ben Yelin: ...Something that's indefinite. It's something where there are specific deadlines. Now, the natural question is, what happens if they don't meet these deadlines? Really nothing. They're aspirational. But I think it does give agencies, you know, a reminder of what their responsibilities are and when they need to carry out those responsibilities. 

Dave Bittner: So when an executive order like this comes down, the question is - and I suppose the question folks on the other side of the aisle are asking - how are we going to pay for all of this? How does that happen, Ben? 

Ben Yelin: It's generally going to be done with existing funds. So some of this is what we call an unfunded mandate, where we're forcing agencies to do things that they don't necessarily have funding to do or they aren't authorized to do. I think that... 

Dave Bittner: I see. 

Ben Yelin: ...In the vast majority of cases here, the general funds that go to the Commerce Department, the staffing resources that go to NIST - the executive branch, through this executive order, can mandate that those already existing dollars can be used for these purposes because appropriations can lay out priorities. But the administration has some leeway in some circumstances as to exactly how money is going to be spent. So I don't anticipate the how we're going to pay for it question to be particularly significant here. Although I do wonder if, as we start the annual appropriations process in the next couple of months, we'll see a little bump up to the Department of Commerce to NIST to try and act on some of the provisions of this order. The executive order does say that the Office of Management and Budget under its director is going to work with the agency heads to make sure that these agencies have adequate funding to fulfill the requirements of this order. And if they don't, you know, I don't see much resistance in Congress to putting some money in there to effectuate the requirements here. 

Dave Bittner: Yeah, I think it is really remarkable how well received this is. I mean, among cybersecurity professionals, it seems, like, remarkably well received, very little of the kind of nitpicking that you normally see with these sorts of things, which I think points to the fact that this was well thought out. They took their time. They consulted with the right folks throughout government and elsewhere to make sure that what they released was fully baked. 

Ben Yelin: Yeah. I generally have, like, three or four go-to sources to see what they think about something because there's opinions that I trust. And when I saw that Christopher Krebs was effusively praising this order and saying it was appropriately ambitious, that gave me a good feeling that they had done their homework. 

Dave Bittner: Yeah. Yeah, absolutely. All right. Well, we'll see how it plays out over time, but certainly an important development, I suppose we could say that it's bipartisanship day here on the "Caveat" podcast because... 

Ben Yelin: Woo-hoo. 

Dave Bittner: (Laughter) I know, right? Let's take the win. My story this week comes from Motherboard by a friend of the show who doesn't know he's a friend of the show, Joseph Cox. 


Ben Yelin: Another - one of our unrequited loves, yep. 

Dave Bittner: That's right. The article is titled "'Fourth Amendment is Not for Sale Act' Would Ban Clearview and Warrantless Location Data Purchases." The sweeping bill has support from both Democrats and Republicans and will address multiple forms of surveillance. So what Joseph Cox is outlining here is this piece of legislation that has broad bipartisan support, and as he says it's called the Fourth Amendment is Not for Sale Act. It's pretty straightforward. 

Ben Yelin: It sure is. 


Dave Bittner: But the sponsors of the bill - I mean, it's pretty much a who's-who from both sides of the aisle. And basically what it's doing is saying that government agencies can't do this sort of end-around that they've been found doing recently, where in cases where a warrant would be required to gather information, they go and purchase that information on the - from the private sector, on the free market, from other companies who are gathering up and aggregating that data. So this act would say if you - basically, if you needed a warrant to get that information, you still need a warrant to get that information, even if it's available elsewhere. 

Ben Yelin: Right. 

Dave Bittner: Does it sound like I have that right? 

Ben Yelin: It does, yeah. And this is a response to a real problem out there where - we've talked about this - this company called Venntel has been selling location data harvested from applications that we all use to government agencies - so the FBI, Customs and Border Protection, Immigration and Customs Enforcement. And Venntel has served as this data broker. The government purchases this data without any prior judicial authorization, and this ends up being an end-around on things like the Carpenter decision, which says that you need a warrant at least to collect historical cell site location information. So this is not just something that's theoretical; it's something that's actually happening, which is - you know, it's good to see Congress reacting to that fact. 

Dave Bittner: Help me understand the other part of this. I want to kind of try to unpack the reality that these agencies have been buying up data that we, as citizens, have been freely giving up to these companies that are gathering up this data. Now, you and I, I think, are in agreement that we're not always fully aware of the information we're sharing... 

Ben Yelin: Right. 

Dave Bittner: ...When we click through that EULA that says, you know, we're going to gather everything, including what you had for breakfast this morning. So I suppose that's part of it. But when the information is out there - do you see where I'm going with this? 

Ben Yelin: I do see where you're going with it. 

Dave Bittner: We've already said, hey, you can have this information. Why would it be subject to Fourth Amendment restrictions if we've already said, hey, information-gathering companies, have at it? 

Ben Yelin: So a couple of responses here. Generally, we've talked about the third-party doctrine, which says that any information you've willingly shared with third parties is exempt from Fourth Amendment protection. You voluntarily shared that information. You have forfeited your reasonable expectation of privacy... 

Dave Bittner: Right. 

Ben Yelin: ...In that information. There are a lot of exceptions to the third-party doctrine that have been carved out in various judicial decisions. Most relevant here is the aforementioned Carpenter decision, where cell site location information requires a warrant, at least historical cell site location information. 

Dave Bittner: Yeah. 

Ben Yelin: But even things like the content of stored communications - there is an appeals court case, now about 10 years old, saying that you needed a warrant to collect that. I mean, that's information you've voluntarily conveyed to a third party. So there are instances, certain types of data, that even if you have forfeited them to a third party, you still maintain some sort of constitutional protection in that data. That constitutional protection isn't there when the government can simply purchase the data without any judicial authorization from one of these data brokers. So, you know, we're not talking about all sharing of third-party data; we're talking about when a warrant would otherwise be required, like cell site location information - that type of thing. 

Ben Yelin: So I think it is an important step to take because courts have already identified areas where there's Fourth Amendment-protected information, where the private sector is happy to provide that at a cost to the federal government and various federal government agencies. So I do think this is an adequate response to what's happening. 

Dave Bittner: Yeah, this strikes me as one of those, you know, spirit of the law versus letter of the law - like, the - you know, the data aggregators may be following the letter of the law, but the legislators are trying to sort of lock down - now, this is what we really mean when we have a Fourth Amendment. 

Ben Yelin: Right. Right, exactly. Because to the consumer, to the user, it doesn't matter whether law enforcement obtains the data by directly contacting the service provider or whether that data is sold by a broker. It has the same impact. You know, that evidence is going to be used at your trial if you've been committing crimes. So it is the responsibility of Congress to come in and clarify that what merits Fourth Amendment protection is the type of information that's being collected, the severity of the surveillance, how personal that information is. And it shouldn't matter, even though this is not what the letter of the law currently says - but it shouldn't matter that that data was sold by a data broker, that this was a private transaction. That shouldn't be the dividing line between whether the collection of that data was or was not constitutional. So I think you're right. I think they're trying to align the language of the law with what they see as the spirit of the law. 

Dave Bittner: Yeah. All right. Well, we will see how that one plays out, as it makes its way through the machine that is Congress. But... 

Ben Yelin: The sausage-making, yeah. 

Dave Bittner: (Laughter) That's - absolutely, absolutely. All right. Well, we would love to hear from you. If you have a question for us, you can call in. Our number is 410-618-3720. Or you can send us a message to 

Dave Bittner: Ben, I recently had the pleasure of speaking with Leeann Nicolo. She is a ransomware negotiation expert from a company called Coalition. And our conversation focuses on what she goes through when she's working with these ransomware gangs and figuring out how much or even if they're going to pay the ransom. Here's my conversation with Leeann Nicolo. 

Ben Yelin: At what point do you and your team usually get brought into something like this? Where is a company - what mindset are they in when they reach out to you all? 

Leeann Nicolo: Mindset? Usually hair on fire. It's usually not a fun time for them. The earlier the better for us to be brought in on these engagements. So we advise our customers to call us the second they know something's wrong. Unfortunately, that's not always the case. So sometimes we'll get brought in after they try to restore or potentially make contact with a threat actor, which makes our job a bit more difficult. But yeah, I would say most commonly we're brought in as soon as they realize something's wrong, which is much easier for us to handle from the beginning. 

Dave Bittner: Well, give us some insights as to what happens then. When you get notified that there's an issue, where do you begin? 

Leeann Nicolo: We make sure that we are dealing with ransomware. So we ask to see some sample files that they say - that are inaccessible, as well as we have them check their systems for what we call a ransom note. So usually a text or an HTML file that advises them kind of what they're dealing with and how to contact the threat actor. Once we confirm that it is, in fact, ransomware, we go ahead and figure out what variant they're dealing with. So there's 60, 70 types of ransomware variants out there. So that gives us information about the characteristics of the attack - so how they got in, what potentially we're dealing with in terms of demand amount, just really any information we have on the threat group, whether they perform as an individual group or they're ransomware as a service. 

Leeann Nicolo: Once we confirm the variant, we do two different things. We have the conversation with them about payment and negotiation to see if that's even an option. And at the same time, we perform a forensic investigation to make sure that, A, they're currently secured and, B, confirm what happened and what the attacker did while in the network to see if data access and exfiltration is relevant. 

Dave Bittner: What are the conversations typically like with the ransomware gangs? Is it a different conversation because professionals like yourselves have been brought in? 

Leeann Nicolo: It is, but often we try to mimic the conversation as it would be if it was the client. So we want to use words like I and me, make us, you know, appear small and inexperienced. We've had threat actors in the past tell our clients, you know, do not use any IR firms. Do not bring in any third parties. Just because they know them, they're probably open to professional experience and/or negotiations. 

Leeann Nicolo: So in these cases, if we are brought in from Day One, we start the communications before the client does, which is best case. Like I said, we try to make ourselves appear small and inexperienced. This year has proven difficult for all of us anyway, so it's been great in the negotiation phase to be able to say, you know, we don't have those funds; how do we get Bitcoin? - you know, really pretend like this is our first time doing it. That way, it buys us some time to, you know, obtain the Bitcoin and/or have those conversations if we do need to even move forward. 

Dave Bittner: So take us through the decision process, then, in terms of - you know, do you or do you not pay the ransom? And how do you go about those negotiations? 

Leeann Nicolo: Sure, absolutely. So the first question we say to all of our clients are, where is your business right now? So are you, you know, a hundred percent down? Are you hobbling along? Do you have backups? If you have backups, have they been tested? Are they recent? Can they rebuild without too much of a business impact? The answers to all of that question obviously change our decision. The best-case scenario is they have full backups. They don't house any sensitive data that would kick off a notification obligation. So the legality of notifying data has been accessed or exfiltrated, and then we can help them rebuild, restore, protect their systems and move on. 

Leeann Nicolo: The worst case scenario is that their business is a hundred percent down. They do not have any viable backups, or they're unable to rebuild from scratch. It's just the business interruption is too great. And then so we start having the conversation of, OK, what does this look like in terms of what is your data worth? Should we open up negotiations? Should we make contact? 

Leeann Nicolo: A few years ago, the biggest concern was that the data was locked, and it's definitely moving towards the data was taken. So we have to have the legal conversation of the types of data they store and whether or not it sparks any notification obligation. I wouldn't say above data being locked because that's still ultimately the most inconvenient for a business. But in almost all of these cases, we have to have the conversation of exfiltration and then paying so that the attacker will delete their data. You know, although we are dealing with criminals here, they say they're... 

Dave Bittner: Right. 

Leeann Nicolo: ...Deleting the data. So it's the best effort. 

Dave Bittner: Where do we find ourselves these days in terms of organizations having insurance to protect themselves against these sorts of things? 

Leeann Nicolo: Of course, Coalition ultimately is an insurance and insurtech provider. So we as Coalition incident response are only handling cases as of right now on behalf of our insureds. So we are only handling cases to where our clients have insurance. Prior to working here, I worked at two firms where I was a vendor, so we would deal with clients either through counsel direct or through insurance. I would say probably 10 to 15% of those clients had no cyber insurance. So it was pretty rare, although it does happen. And then these events absolutely spark that conversation to, like, should we be protecting ourselves? Should we talk about insurance? And then, you know, at that point, I was like, probably, but now it's a much different conversation. 

Dave Bittner: In terms of ultimately the decision whether or not to pay the ransomware, how does that play out? 

Leeann Nicolo: So like I stated, the first thing is backups. Do you have to pay to get your business up and going? If the answer is yes, then we start to have that conversation with the threat actor, just get a feel on what the demand is, if they're open to negotiations, what the timeframe looks like. If the answer is no, then we move to the conversation of, what types of data do you store? You know, are you regulated? Do you have any PHI, PII, PCI data? Where is it stored? We'll kick off the forensic investigation to be able to give any details if we can find evidence of access or exfiltration based on a forensic case. So often we have luck of telling them, OK, this is where we see the threat actor. This is the archive they created. These are the files they accessed. This is what we see leaving your network. Of course, there are cases where an attacker utilizes, like, a backdoor, which makes forensics a bit more difficult. But we do everything we can to kind of create that story of where they were on the network and provide counsel with feedback on kind of the legal process. 

Dave Bittner: How often does this end up being sort of a catastrophic thing for a business? Does it happen that businesses don't recover from this? 

Leeann Nicolo: Yes. So in my experience - so this will be my eighth year in the space. Two times we've had companies that have had to completely shut their doors. And that's just myself, so I'm sure it's, you know, a bit more than that kind of open statistics. But we've had two. They were both actually small law firms that could not recover. Their data was - you know, the ransom was too big, or they couldn't restore - they didn't have any backup, or their notification obligation, you know, ended up costing them a lot, or they got sued from that, which happens, and so they had to shut their doors. So, obviously, that's horrible to see. In most cases, we can either help the client get back to a functional state or negotiate on their behalf and ultimately pay a ransom. Obviously, that's not preferred, but if we have to to get them back up and running, that does happen. 

Dave Bittner: Are we seeing a shift or development from the insurance companies themselves to sort of, you know, driving some of the innovation here? I guess I'm thinking about how, you know, if I have a building and I want to insure it against burning down, you know, my insurance company is going to come back to me and say, OK, but you have to have sprinklers. You have to have fire escapes. You know... 

Leeann Nicolo: Absolutely. 

Dave Bittner: ...You have to have exit signs and those sorts of things. Are we seeing similar things from the insurers saying, we'll insure you, but you have to put these - these protections have to be in place? 

Leeann Nicolo: Yeah, absolutely. That's a great question. And the answer is absolutely. We have - on our platform, we have a whole threat intel team that kind of acts like, you know, ethical hackers. And they will be able to see from the outside the same things that the threat actors are looking for and scanning. And so we perform that on every company that applies for insurance through us. And if we see things like remote desktop - so RDP, you know, wide open from the outside - if we can see it, guess who else is going to see it and attack you? 

Dave Bittner: (Laughter) Right. Right, right. 

Leeann Nicolo: So absolutely. We have a kind of a checklist of if you have open RDP, you have to close it. And then, you have a certain amount of time to keep it closed before we will, you know, insure you. Obviously, that list is always changing and updating just relevant to best practice and what we see on the threat intelligence side of things. Right now, the two biggest factors are still remote access and phishing emails. So phishing emails is a lot more difficult to advise a client to protect against because a lot of it is just employee training that ultimately comes down to the human. But RDP's a big one, and it's very easy to turn off and kind of talk about what you can do to access your data remotely safely. 

Dave Bittner: What are your recommendations ultimately? I mean, in terms of - you know, you've seen the organizations who prevent the ransomware. You know, the ransomware operators pass them by to pick on easier targets. What's the difference there? What makes the difference for folks avoiding this? 

Leeann Nicolo: We talk about a lot of these cases as, like, targeted or opportunistic. You just kind of alluded to the opportunistic attack. The best way I can describe it, and I describe it to our clients a lot is, if you have a home and your neighbor has a home, and your front door is locked, absolutely they can break down the door and get in anyway. But if they go to your neighbor's and the front door is open, it's a lot easier for them to get into that house. Now, if they break down your front door and you have three doors behind that, it's a lot easier for them to move on. So although if somebody does want to get in, ultimately, it's not if, it's when the opportunists attack, the more security measures you have in place, you know, the more of a target you are going to be, and the attackers are going to move on (ph). So really, just knowing your environment, protecting your data. You know, where is your sensitive data? Is it mixed in with all of your information on your file share or is it in a third party kind of protected tool in the cloud? Do you have backups? Are they recent? Have you tested them? You know, do you have an endpoint detection and remediation tool to note suspicious behaviors? Have you walked your employees through what a phishing email looks like and what not to click? You know, all of these things are kind of the best practice that we advise all of our clients, and we, you know, help them put all of this stuff in place so that they're less of an opportunistic attack target. 

Dave Bittner: All right. Ben, what do you think? 

Benjamin Yelin: That was so cool. I mean, I know I say this a lot, but that really, I think, is one of the most interesting conversations with a guest we've had on this podcast. 

Dave Bittner: Yeah. Wasn't she great? 

Benjamin Yelin: She was, and what a fascinating job. You know... 

Dave Bittner: Right, right (laughter). 

Benjamin Yelin: ...You have to have technical expertise for sure... 

Dave Bittner: Yeah. 

Benjamin Yelin: ...To do what she does. But I think more importantly, you have to have a lot of other skills that we might not associate with somebody in this field, like negotiating with hostage takers. 

Dave Bittner: Right, right. 

Benjamin Yelin: I mean, that's something that law enforcement officials and the U.S. military probably go through years of significant training to figure out those skills. And this work requires not just that you know how to rebuild somebody's system, but that you're able to have these human interactions and engage in these types of negotiations. So I just thought it was fascinating. It's a fascinating job. Every so often, we get one of those interviews where I regret my career choices, and... 

Dave Bittner: (Laughter). 

Benjamin Yelin: ...This might be one of them. I mean, how interesting would that type of work... 

Dave Bittner: (Laughter) Right, right. 

Benjamin Yelin: ...Have been? 

Dave Bittner: Well, maybe Leeann is taking on interns, Ben. You never know (laughter). 

Benjamin Yelin: That would be awesome. Yeah. 

Dave Bittner: Right, right. Yeah. Well, again, our thanks to Leeann Nicolo from Coalition for joining us. Really interesting stuff, so we do appreciate her taking the time. That is our show. We want to thank all of you for listening. The Caveat podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner 

Benjamin Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.