Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and have the privilege today to sit down with Tim Starks. Tim is a senior reporter at cyberscoop, has had multiple cyber reporting jobs. Most recently prior to Cyberscoop, was at Washington Post 202, which
was one of my favorite daily reads. Prior to that was at Politico, was also at cyberscoop in a previous life and like many top reporters in dc, cut his teeth at Congressional Quarterly. Tim's been covering the Cyber beat since 2003, so that puts him at over 20 years. Just when we started calling it cyber, it was known as Infosec, Information Assurance and pretty much everything else prior to that. Truly one of the best in the business and comes from Indiana, so basketball is near and dear
to him. And Tim, thank you so much for joining us today. Happy to be
here. I was just on the phone with somebody for a story yesterday and I had not talked to them since 2004. And then because I was about to talk to you, I was like, wait, I've been talking to Frank since the early days.
It's been a while. It's been a while. We were talking about Homeland Security before
you and I were talking about cybersecurity. So explicitly. But yeah, true that. And we
did not talk about basketball, though. We did. So tell me about basketball before we kick this. You know, I, when I, so when I, my growing up, I grew
up in Indiana playing, like basketball, I rebelled against it because I was rebelling against anything that everybody else liked because I was, I was that kind of teenager. But I've come to really like basketball and I, I happened to be fortunate enough to attend the University of Southern Indiana during the tenure of current Auburn Coach Bruce Pearl, BP, and he won a Division 2 championship for us. Well, I'll be. It was a big deal. You would not believe how crazy the campus of USI went about
that. We even, just to give you a sense of how important it was, they started a line of colas that were commemorating various people who were involved in the championship. I think Bruce had one, but certainly our college president had one. And he was also the guy who led our weight training class one of the years I was there. So when you're, I don't know if it's like this at the big schools, but at the small schools, if you're the university basketball coach, you might also
have to teach some classes. So it was, it Was great to see that name and remember that Bruce was a big part of my youth. Well, awesome. There's only
one Bruce Pearl and unique guy. May we win the national championship this year. We got a pretty good recruiting class. Thanks, Tim. So let's start with. You've been doing a lot of reporting of late, as always, and one of the stories that you seem to come back to is around spyware, which I think is a big. Becoming a bigger and bigger issue, both from a national security perspective, also obviously from a privacy perspective. Why don't we start there and if you can maybe paint a picture
to give the landscape what we're dealing with, why it matters and the like. Yeah,
you know, this was when I was coming back to cyberscoop as a full time reporter because the first time I was there I was part editor, part reporter. This time I came back as full reporter and they asked me, what would you like to be covering? And they had their own ideas about the gaps in coverage. But the first words out of my mouth were spyware. And the word doesn't have a strong definition in our field. Sometimes you'll see threat groups, threat researchers say, oh, we're
reporting on this spyware. But the kind of thing I'm talking about is the commercial mercenary kind of spyware. I'm thinking of the NSO group or the group that produces the Predator spyware. There are some other groups as well. These are the groups that, that have just some of the most sophisticated kind of attack capabilities of anything in cyber. It's way up there. I mean, the only thing that might compare is the sort of state level, really elite countries that are really good at this kind of
thing. So you're talking Russia, you're talking China, you're talking us. The only people who have those kind of capabilities are that. And then the next level down, just below that is the spyware level. So there's the sophistication of it. That's interesting. I think the thing that also zero days. We're talking. We're talking zero days and yeah, I
was going to get into that in a second. The other thing that's really compelling to me about it is that it's one where you can really directly show how much this is mattering to people's lives. You can do that sometimes with cyber, but sometimes it's a big number. It's a trillion dollars worth of intellectual property transferred. How much does that relate to the average person? This stuff goes right at harms that
you can show. You can say that this repressive government spied on this particular person and then put them in jail or something worse. So there's that level up. But to go back to the technical side of things, the number 0 is often associated with these guys because they're using the zero day attacks and that's, you know, just. I'm assuming your audience knows what a zero day attack is, but I'm going to explain anyway. Sure, please. Is, you know, an attack that has not yet been publicly
identified or called out. There are things that they've discovered, they found or bought vulnerabilities that just have not been exploited at a level that anybody has seen yet. And then they're also really. The other zero that they're associated with is zero clicks. Where most of the time, as you know, if you get hacked, you have to have done something. You had to click on a thing, click on a URL and go, oops, I got Social engineered. They found me and now I'm downloading something and I
didn't mean to. This stuff just goes on your phone. It's just there, which is
disconcerting. And it's been utilized and used against dissidents and others and an executive order was promulgated last year on the issue. And, and I know there have been sanctions levied against individuals and companies. So this is becoming a bigger issue. You wrote a really interesting piece around Poland and some of the steps they are taking to address this. Yeah, I'm happy to get back to what the US has been doing because
I think if you're looking at who's doing the most on this, I think you probably can still say, at least policy wise, it's the United States. If you're looking at the reckoning internally, if you're looking at, okay, what have we done? What should we not be doing? Poland is the sort of unexpected place. And why, why is
that? Just out of curiosity? Because if you look at the reckoning that's happened in
Europe, there have been a number of countries in Europe that have been accused credibly of using this spyware. Poland was one of them. Some of them cooperated with the so called Pegasus Committee that was, you know, the European Parliament Committee that was really trying to find out what happened and do something about it. Poland was not one of the countries that cooperated. They were the countries that gave a stiff arm to
the people who were investigating this and said, we're fine, don't worry about us. And something remarkable has happened there because there's been a change in the leadership and the people who have come in were people who had reputations before they came in of
leading the country that were very focused on civil liberties and human rights. And if you want to be slightly cynical about it, and I'm not saying you should, if you want to question the motives as the outgoing party did and has and is continuing to do, you can say, well, they say they were spied on by the outgoing, by the previous administration. So of course they have every reason to get revenge. Certainly they have a motivation from the standpoint of they can say, look, it happened
to us. And courts have evaluated and said that's the case. And now increasingly, with this investigation that really just started a few months ago, there have been a lot of big revelations about what Poland was doing that we didn't know before. Interesting. And
do you think it has momentum with some of the cause? I mean, you also look at examples like Estonia who become cyber powers in part because they are the antithesis of everything Soviet, as anti communist and as transparent as one can be. Do you see it having momentum among other European nations? Anything the US can glean? Yeah.
Perchance. I mean, you might have seen this because you follow the UN Group of governmental experts stuff. You know, Russia was just badmouthing the US In a document that came out like just a couple days ago, I think, saying that we have been using it too much. I think the US has more dabbled with it than that. They've used it on the scale that we're talking about with something like Poland. They've
explored it, they have used some elements of it. But so if the US wants to go back and look at what they've been doing, yes, I think they could follow what Poland's doing. But I think what's hard about, about what Poland is doing is this is the confluence of circumstances that led them to be willing to do this. And the most comparable previous example was Mexico. And they had an opportunity to
explore this further and they really didn't. So the people who are the activists and the people who are the researchers on this who say, yeah, actually this could be a model say what we like about this and we think that is replicable, is that they're not just saying all spyware, all bad all the time. If you're using spyware in the way that the organizations that sell it talk about wanting it to be used, you're talking about going after terrorists, you're talking about going after drug dealers,
you're talking about going after human kidnappers or human traffickers, if that's the case. And other Countries can say, okay, we can do an evaluation of this that doesn't just demonize us, then, yeah, that's the upside. That's the potential upside. And there is a
double edge to that sword, as we know. But can you also delineate the difference between and, again, I'm not very well versed on these issues, but between adware and spyware. So, I mean, a lot of us are concerned. Our phone seems to be always. Anytime I talk about the New York Mets, I'm suddenly getting tickets at discounted prices. Yeah, I think they're quite different. You're talking about malware that's embedded in ads
versus if you're seeing this and. They have to advertise, they have to. They do have to click on the advertisement. And if you look at what with spyware, you're going to find it. When they do find it, they find it in weird places. They find it in, like, your Google Calendar. They find it in places that you wouldn't think, oh, I'm using this thing a lot for this, and therefore, I'm going to be spied on in this place. They're kind of finding these pockets of your
phone where you wouldn't normally be thinking, I'm gonna be spied on here. You know, I think a certain amount of consumer awareness exists that, you know, my mom is just turned 70 last weekend. Happy birthday. Happy birthday. Yeah, she, you know, she's smart enough to know, even though, you know, we don't talk about cybersecurity that much, she and I, she's smart enough to know that if she gets a text message from somebody and it's got a link in it, she probably shouldn't click on it. And
she's also. She's got that next level. So she reads your work. She says. She does. She does. She says, I don't understand it all that well. I was like, oh, that's what I'm trying to do, though. I'm trying to reach you. But she's also smart enough to. That next level of like, I got a message from my brother, and my brother, this looks like it's part of a different chain. It's someone imitating him. So I think there's a level of awareness out there at a very.
At a sort of basic understanding level that's not denigrating my mom at all, or intelligence. But she is not someone who focuses on this the way others or the way you do that when you're out there on the Internet, you're at risk. You might be doing something that causes you harm. And adware's in that category. Even though you're the one, you know, you're the victim, the thing you do leads to helping
become victimized. Unfortunately, with spyware, you just have to have a phone. Absolutely. And I think that's what makes it so much more dangerous and insidious, potentially when it's used incorrectly. You wanted to bring us back to the U.S. anything on the policy side
there that you'd like to share? Yeah, you, you mentioned the sanctions, you mentioned the
executive order. I think from the standpoint of the US the, you know, the executive order is much more focused internally. If you're talking about comparing it to Poland, the executive order is saying this is what, this is how we're going to use or not use by word. Yep. So that's, that's a level, that's another way of comparing it, the sanctions. You know, I, you know, we, I think about this a lot. I'm guessing you do too, that people are constantly questioning whether sanctions are making a
difference. And they're constantly trying to evaluate, if you look at what's happening in Ukraine, are the sanctions made a difference there. It's a constant evaluation of what's making a difference. The other, the second biggest, most attention getting family of spyware is the Predator spyware. There's Uniso Pegasus, which is where the company is named after. The Predator spyware has gone a little dark of late. And by that I mean researchers just aren't
seeing it doing as much. And when I asked them what was happening, when I talked to a senior U.S. administration official about what was happening, there was a consensus
that it looked like most likely sanctions, the sanctions had made a difference here. If you look, follow the timeline of when Predator was claiming more victims and when these researchers were calling out the infrastructure and saying, that's Predator, they're not able to do that as much going back to last summer, but especially last fall and then continuing especially into March of this year, which is when the administration sanctions got more specific
on the intellectual family, which is the alliance or group is what people even call it, that is the producer of the Predator spyware. And, you know, we recently had
Tom Conklin on to talk about OFAC and some of the tools that can be applied there. I think we're right to be questioning, but I also think we need to be looking at all the tools that we have available. And, you know, I
think the spyware story is not a good or pleasant story overall. Is it one
you think you're going to be writing about for a long time? I think so,
yeah. Because even if you, you know, even the researchers who were saying we're not seeing them as much anymore were allowing for the possibility, even the US Administration I talked to was allowing for the possibility that they've just found a way to hide themselves more. And there's this cops and robbers game that we've had in cyber all the time. This is the variation of it. And if you look at the way things have been going, we've been hearing the arc of the spyware story has been.
We're hearing more and more and more. We're seeing more and more and more. We're uncovering more and more. These two stories that we're talking about are examples of where it actually might be going decently. And when you're a reporter, you're thinking, sometimes they say that the dogs are getting caught. They're the ones that are getting caught. Exactly. What's new? The story is bad all the time. So what's new? Well, there's some
of these glimmers of. Of a difference being made. And that's newsworthy, too. And that
is newsworthy. And talk about another big story that many in your field have been covering. But you in particular have been doing some really interesting work, the CSRB and CISA and some of the findings vis a vis Microsoft. So I know that that is a big story, a lot to unpack, that we won't have time to get into great detail here, but. But paint the picture for us. Were you surprised that a government, a quasi government entity, came out with such a strong report? I, and
everyone else I know was a little taken aback by how harsh the report was in describing Microsoft's flaws. And, you know, if you're just talking about the Cyber Safety Review Board, this is this new board that's a fascinating creation of the Cyber Solarium Commission that came up with one of the ideas that was pushing this. And the
report was pretty blazing hot. And if you've watched the House hearing where Brad Smith was called onto the carpet, one of the issues that came up, and I think this is something I just want to bring up because I was thinking about it, that board does have people on it that are Microsoft competitors, but they all recuse themselves. And it came up at the hearing that this might have been the product of companies going after their competitor. I don't think that's the case. I've been fascinated
by Microsoft in the cyberspace for so long. I wrote a story several years back that I'm Sort of bragging here a little bit, but presaged to a certain degree the way that Microsoft has had an influence in this world. They have capabilities that are, you know, in terms of understanding the threat landscape, in terms of responding to the threats, in terms of producing products that can respond to the threat, they're in
that sort of next level of just below the state. You know, some people were saying they've got nation state level capabilities to mean that for that story that came out many years ago. But as much as they're part of the solution and have been a part of the solution, they've also been a massive part of the problem. Their threat, what's the word I'm looking for? Not landscape, but their Surface attack. Surface
Attack. Surface is so massive, they're everywhere. Microsoft isn't everything. Even though I use an Apple computer at home, I'm using Microsoft products. They're everywhere. They are ubiquitous. They're ubiquitous and they are so big that they're going to get attacked no matter what and they're going to be big targets no matter what. But what has been notable is that the tenor of the response from government and people who are not competitors is
they need to do a lot better than they've been doing a lot better. And
in your stories, what surprised you since you have been covering this issue for a long time and they really are ubiquitous within the US Government, American society and more broadly. So understandably they're going to have a big target on their backs. Yeah. And
one of the, you know, one of the stories credit to my colleagues, I think Rebecca Highweil and AJ Vincenz were in a story that I did about this attack, the midnight Blizzard attack, and about it affecting the government in ways that had not
been previously known. That what I think has been the biggest change since I, you know, have been following Microsoft is that before there was, there just weren't very many people and there certainly wasn't a crescendo of it the way there is now of people suggesting that maybe the federal government doesn't need to be relying on Microsoft to the degree that it does. Perhaps they need to be thinking about different ways of
approaching this problem and breaking apart to what degree. They use Microsoft products for one thing and use it for another. The stack, if you will. That is something that I had not heard the kind of calls for that we're hearing now. Maybe there have been glimmers of it, but not the level of it. That's a big shift in what's going on with Microsoft. And compare and contrast Midnight Blizzard with solar winds.
Interesting question. I think solar winds may have been a little craftier, that they might have been able to hide themselves a lot longer. They might have been much, much more targeted. Feels like Midnight Blizzard was much more broad and kind of going after everybody. Then one of the groups happen to be the federal government. I think those are the big differences. You know, there's. And then there's always the China versus Russia
approach and the whole idea about who's noisier versus who's not. I do think it's interesting that sometimes. It'S just who gets caught when. Right. I do think we've seen it. You know this. I think it's Rob Joyce who used the metaphor. I can't remember who used it first, but he uses it a lot. About the, about the, you know, if cyber is climate change, China is climate, China's climate change and Russia is a hurricane. I might have terminology just a little bit there. That one is
very, very obviously destructive and isn't, you know, it's not. It doesn't have that kind of creeping effect that climate change has had on our government, on our world. That's changed a little bit too. It used to be that China was where the people were really good at hiding and waiting and picking out the things for espionage and not and using it selectively. Russia was very messy. I think that's changed. It feels like China's been willing to be a bit more scattershot and this might be an
example of that. Yeah. And Vault Typhoon I think is also indicative of intentions that
could be different than purely computer network exploit or espionage to much more mapping. Going beyond mapping and pre positioning assets. Yeah. Volt Typhoon is definitely one of the big
scary ones that if you're worried about cyber attacks in our world, you should be worried about them way up there. You know, we haven't discussed this and obviously the
findings are still very early. Not even the first inning. But what do you think of overturning of Chevron doctrine? Do you think that will have any implications to at least the way this administration has been addressing cybersecurity? Yeah, I do think it will.
I don't think, you know, everybody I've talked to is saying, yes, it's going to. But the how, that's what's interesting. Still early. You know, I was watching a congressional hearing with the EPA administrator the other day and he, you know, he was getting back and forth with Republicans about does this mean you're going to have to overturn? And he's like, that's not what this. That's not what the ruling says. You know,
it's a fourth. Neither of us are lawyers, so. Well, it's a forthcoming interview with somebody who. I mean, you'll see it when the story publishes. But I asked them about Chevron and they were like, this is really all to be determined. This person is very involved in the administration's approach to regulation, which has been one of the most remarkable things about this administration, I think. And they were saying, we're going to
have to wait and see. I wonder if I'm speculating a little bit, which is what I'm doing. I'm wondering how much people will be being a little more cautious about moving forward with new stuff. I think that's where the impact comes. I think, you know, I, you know. So not so much rolling back existing. It's more not
right yet. But I do think this is what, you know, you and I were
like right. Right here on this thought we were just about to arrive at the same exact point, which is that I have been asking people, you know, the SEC's rules on cybersecurity disclosure have been the most controversial. Other than perhaps the EPA's rules, which were actually rolled back, they've been the most controversial. If you're talking about people being upset about them, there's bipartisan on the Hill, you know, disappointment or frustration or
even rage sometimes about that, about those rules. The industry certainly hasn't liked them. And I keep asking everyone why. Has anybody challenged it yet? And Chevron seems like an opening, but people are still playing wait and see. I think. I think they want to see. The rules have only been out for a little while. I had a story that came out very recently about how these rules are. The SEC rules are being interpreted that some people. We had the CDK hack, which all the automobile dealers
who used the CDK software went to the SEC and disclosed it. The company that owns CDK said, this is not going to have any material. Impact on our work,
which is fascinating. And it's just a gigantic company. And there's all these. Why is.
How would someone determine what kind of impact something has such that they need to report it to the sec? And it varies depending on the company. It varies depending on how you define materiality and how you. After you make the idea, this is the definition of it. How do we then interpret it and say, well, what about reputational harm to our company? What about how much money we pay to ransomware dealer groups? There's all these areas that are extremely unsettled that makes the. If you go
back to my very. Own feeling that it's subjective. Right. That precedents still haven't been
fully set. Right. We have not moved from objective to objective and it might not.
It'll take some court rulings on this before we, I think we get to that. If we go back to the early days of why I cared about covering, about cybersecurity and why I cared about covering it, I always thought. And you really have
been at it from the beginning, the get go, as we were calling it, cyber.
Yeah, I took a little bit of a break here and there to cover Veterans affairs or, or foreign policy. But I always kept coming back to cyber. And what I found so compelling about it was that it was this wild west of us not knowing what to do with any of this. Exactly. And trying to find that area. Trying to find that, okay, this is the way we really should approach this,
the way we approach, say, nuclear weaponry. You know, not to say that the scale of the damage is the same or anything like that, but it's just this new thing that is influencing so much and so much that's happening in the world. How do we deal with it? And I've been covering how policymakers have been trying to do this all the way since back then. And what's the most wild west right
now? I think, other than, you know, we talked about spyware, I think that's one of them is this regulatory approach of this administration and how they've been going about it and how is it going to play out? How is it going to, you know, some of these rules are very new and some of them haven't been implemented yet. And Tim, in a way, you can't cover cyber and not. You can't divorce
cyber from geopolitics, from foreign policy, from economic policy and pretty much everything else. It's almost like oxygen. That's, you know, that's. I was, I was talking to, I found,
I found this person who told me this back. I think it's about 2007, 2008, but no later than 2009, when Capitol Hill was first saying we were going to pass comprehensive cybersecurity legislation. And I finally remembered what aide it was that I was talking to about this. That aide said, and I asked him, how are you going to pass comprehensive cybersecurity legislation? What's going to be in it? And he said, well, that's kind of the problem. It's like trying to pass a comprehensive air bill. It
touches everything. And that was one of the first big moments where I said, oh,
I think I need to be covering cybersecurity all the time instead of just as part of some of the other things I'm doing. Well, I'm really happy you chose
that path. Thank you. Which is great. So you also have written recently around BGP and some of the fcc. So to stick with sort of that regulatory sets of issues, any, anything. And for transparency, this was a priority recommendation of the Solarium Commission, one that we didn't get fully over the goal line, but it looks like we got some traction. So, yeah, you know, it's been, it's been remarkable that there was,
you know, again, talking to someone in the administration who was laying out the. This is the way we want to go with this. Can you help our viewers and
listeners understand the significance of bgp? Yeah, I mean, it's anything you do on the
Internet, BGP is involved, all Internet. It's a set of technical standards for how the Internet is routed. So if you're on a website, your BGP is in your world. So we've seen that initial batch of rules about TSA and oil pipelines, which is obviously related to the Colonial pipeline attack from 2021. We're now seeing some of these areas that are not considered as big in terms of critical infrastructure, but are really,
really important that are starting to get some attention. And the BGP is one that the FCC and CISA have been talking about for a while as the most important part of the Internet. You haven't heard of. It's fundamental to everything. If you get hijacked, they can just steal everything they want. These were the kind of threats that they were talking about and worried about. And the FCC has been signaling since the
net neutrality rules were first getting talked about, being revised. And they finally have in the last recent months, actually started to put in place a rule about this. Now we're still in the notice of. Proposed rule actually also named and shamed China in
particular here for hijacking traffic. Exactly. Yeah. They use that, which is a big deal. I mean, five years ago that would never have been public discussion even if they knew about it. I don't know if you remember, but I certainly remember when, you
know, when the, when the Obama administration named North Korea for the Sony attack, it was such a big deal. Big deal. Yeah. Everybody was like, are you sure about that? How do you know? Are you sure you want to talk about that? That's always. The attribution problem has always been a big problem. So it feels like it's more endemic now to everything that comes out. They're saying we're doing this because these
people are causing us this harm. And I think cyber threat intelligence companies have been
helpful in terms of shedding light on the perpetrators. So we can actually start naming. I think that is part of it. So the government couldn't be stuck way behind in that decision. Exactly. No, I completely agree with you. But back to bgp. I'm sorry. No, it's okay. So the FCC has a rule that they are asking people
to talk about. It involves if you're an Internet service provider, you have to say, these are my rules for safe routing. And if you're one of the biggest, of the biggest, you have to get quarterly updates about how it's going. There were some groups that were industry groups were worried about this. One of the common threads of anything that in times there's a regulation, the industry groups are not going to like
it. I'm going to say we don't like this part for the most part. They occasionally will come to a certain level of peace with it, but you know, they're going to. We prefer you don't do this, but there were some groups that were while, you know, industry affiliated to a certain degree because they were sponsored by some of those groups. They're think tank type groups or more groups that are more like activist groups in the Internet world, like the Internet Society, the Global Cyber alliance, who
were saying, wait a minute, this is a little scary. This is not great. If you come up with this, these rules and another country comes up with these rules, that's going to be bad news. The thing was that some of them were put at ease by what they finally came out with, which was much less. This is exactly how we want you to. These are the things we want you to do to make your Internet routing secure. They're saying, we want to report from you on
it, we want to hear from you on it. You need to make it public, that kind of thing. Which may serve as a roadmap back to the broader discussion
around regulate, not regulate, because it does seem to be the go to solution that maybe hasn't had the impact we want. But the flip side is, is market forces don't take us that last mile. And that last mile is important. So I think we're still struggling with defining and building the business case around cybersecurity. Big time. Big
time. I couldn't agree with you more. You know, there's been this long little thread I've been following of you go back to Bruce Schneier, like many years ago in the early aughts saying nobody's going to do anything about this until you regulate them. And he was mainly talking about the software makers, which we still haven't figured that out. But now there's at least this little bit of a push. Like it's not quite regulation, but there's this push to do the secure by design stuff that the
system's been talking. About, the administration's been talking about and cyber informed engineering. I got
to get that in there. Okay, you got to. Yep. We have that memory safe
language and. Stuff like that, right? Yep, yep. Definitely those things are finally starting to get to go from this. Not going to happen. You know, we need to keep our hands off of it at all times. If you start regulating in this space, you're going to stifle innovation. You're going to make people have checkboxes. There's still those concerns about the regulation. There are still some legitimate concerns around that. There absolutely are.
But we're still. We're at least now moving to a discussion. We're at least now moving to a moment where I say we. The United States is doing something. They're exploring it, they're seeing what they can do and there are still people even. I just had conversations as recently as yesterday saying these rules aren't going far enough. They're not doing enough. Nothing's changing. Tim. The tyranny of time. Because I know you've got
a hard stop for your day job, but what questions didn't ask. This is part
of my day job, Frank. Exactly what questions didn't I ask that I should have?
And not to scratch scoop, cyber scoop, but what's front of mind Sort of looking forward for you right now. Yeah, yeah. How do I do that without scooping myself? Mini scoop. I mean I think we were talking about this internally. My company doesn't
just have a journalistic outlet, it has an admits business. And they're talking about doing. We're talking about doing events all the time and maybe we bounce off of each other. Like who should we pick? And one of the things I said was, well, we just don't. It's kind of tough to say who you should be having on stage given that we have an election in November. And I think one of the storylines I'm looking at, not just me, but other people in my organization are looking
at is what would a change mean? What have we got? What has been done?
And you saw some RNC platform language around cyber that sounded a little consistent with where we are, actually. Yeah. You know, it's one of those things where it used
to be a thing where if you saw that in there at all, that was a big headline. Now it's kind of like, oh, good. It'S breathing, it's oxygen. It
should be there. It should be there. So that's. I mean, that's an area of
upcoming exploration for us, certainly. And I wouldn't be surprised if I'm not alone in that. But I think if I wasn't doing the kind of reporting I want to be doing right now, I wouldn't be exploring all of this stuff. The things that we've talked about today are the things I wanted to get into because they are the things that are next or the things that are on the perimeter or on the edge of what is still being sorted out. So in a way, I've defined
my job description such that I don't have a good answer for your question. That's
actually a great answer and more importantly, a great outcome. Tim, thank you for continuing to break news but also provide essential context around issues that, whether we know it or not, affect all of us and will affect all of us going forward. So thank you for joining us today and thank you for doing what you do. Point
of pride for me on the context thing. Thank you. I don't want to be scaring people just to scare people. I want to say let's have a fair estimation of what this threat is, what the issues are, what the landscape is. And thanks to you for doing this program and having me on. Thank you, Tim.