In this Chats on the Road episode as part of the On Location with Sean and Marco series, Harvard research fellow Fred Heiding discusses his groundbreaking work on evaluating national cybersecurity strategies, emphasizing the crucial intersection of technology, policy, and economics. Tune in to gain fresh insights into how countries can effectively balance security and usability while preparing for emerging threats like AI.
Guest: Fred Heiding, Research Fellow, Harvard
On LinkedIn | https://www.linkedin.com/in/fheiding/
On Twitter | https://twitter.com/fredheiding
On Mastodon | https://mastodon.social/@fredheiding
On Instagram | https://www.instagram.com/fheiding/
____________________________
Hosts:
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
____________________________
Episode Notes
In this Chats on the Road episode as part of the On Location with Sean and Marco series, hosts Sean Martin and Marco Ciappelli invite listeners into an engaging dialogue with Fred Heiding, a research fellow in computer science at Harvard. The episode dives into the intricacies of national cybersecurity strategies, exploring the intersection of technology, policy, and economics in safeguarding nations against cyber threats.
Fred opens up about his journey from a technical background to a more policy-focused role at Harvard’s Kennedy School, driving home the importance of a multidisciplinary approach to cybersecurity. This sets the stage for a captivating discussion on the collaborative research project he's leading, which aims to evaluate and enhance national cybersecurity strategies worldwide.
Listeners are treated to an insightful narrative on how the project originated from an insightful question Fred posed at a Harvard conference, leading to a fruitful partnership with national security researcher Alex O'Neill and Lachlan Price, a pivotal figure in crafting Australia's renowned cybersecurity strategy. Together, they've been investigating the effectiveness of various national strategies, emphasizing the need for context-specific evaluations.
A major highlight of the episode is the discussion on the inclusion of emerging technologies, particularly AI, in these cybersecurity policies. Fred provides an optimistic update on how even slightly older documents are proactively addressing future-proof strategies against new technological threats. This is paired with a deep dive into the concepts of resilience and the importance of creating detailed, actionable policy documents that can be evaluated for effectiveness over time.
Sean and Marco steer the conversation towards the practical implications of these strategies, questioning how economic factors influence cybersecurity policy and the trade-offs between system security and usability. Fred’s insights into the economic dimensions of cybersecurity, including the balance between investment in protection and the potential costs of cyber attacks, add a valuable perspective to the discussion.
The episode promises to inspire listeners with Fred’s forward-thinking approach and the practical applications of his research. As Fred previews his upcoming presentation at Black Hat, excitement builds for those interested in the detailed findings and innovative strategies he will share.
Tune in to this episode for a thought-provoking exploration of national cybersecurity strategies, enriched by Fred Heiding’s expert insights and the dynamic interaction between the hosts and their guest. Whether you're a policymaker, technologist, or cybersecurity enthusiast, this conversation offers valuable takeaways and a fresh perspective on the ever-evolving cyber landscape.
Be sure to follow our Coverage Journey and subscribe to our podcasts!
____________________________
Contributors to A Multilateral Framework for Evaluating National Cybersecurity Strategies (BlackHat Session):
Fred Heiding | Research Fellow, Harvard
Alex O'Neill | Independet
Lachlan Price | Research Assistant, Harvard
Eric Rosenbach | Senior Lecturer in Public Policy, Harvard
____________________________
This Episode’s Sponsors
LevelBlue: https://itspm.ag/levelblue266f6c
Coro: https://itspm.ag/coronet-30de
SquareX: https://itspm.ag/sqrx-l91
Britive: https://itspm.ag/britive-3fa6
AppDome: https://itspm.ag/appdome-neuv
____________________________
Follow our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas
On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllRo9DcHmre_45ha-ru7cZMQ
Be sure to share and subscribe!
____________________________
Resources
A Multilateral Framework for Evaluating National Cybersecurity Strategies: https://www.blackhat.com/us-24/briefings/schedule/#a-multilateral-framework-for-evaluating-national-cybersecurity-strategies-40879
Learn more about Black Hat USA 2024: https://www.blackhat.com/us-24/
____________________________
Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast
To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast
Are you interested in sponsoring our event coverage with an ad placement in the podcast?
Learn More 👉 https://itspm.ag/podadplc
Want to tell your Brand Story as part of our event coverage?
Learn More 👉 https://itspm.ag/evtcovbrf
A Framework for Evaluating National Cybersecurity Strategies | A Black Hat USA 2024 Conversation with Fred Heiding | On Location Coverage with Sean Martin and Marco Ciappelli
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Marco Ciappelli: [00:00:00] Vroom vroom.
Sean Martin: Vroom vroom. Usually you do that. I know. I do. I do the motor sound when we're actually driving. I miss driving, actually.
Marco Ciappelli: Yeah, you are see you there
Sean Martin: No, i'm not driving. I'm not going to do
Marco Ciappelli: four hours in this hit in the desert. No, no the hot desert,
Sean Martin: uh, Driving. Yeah, it can be fun. It can be fun. I miss hanging out with you in the car.
Maybe that's pretty
Marco Ciappelli: I know That's why they're called shots on the road The original the original thing was to actually record in the in the car and I remember And then we're going to introduce the guest one time we recorded an entire thing You But we put the mic, if you remember, very close to the floor of the car and it picked up all the vibes of the car.
We couldn't hear anything. So you learn, you learn as you go. We would probably record different now with the lapel and everything. Anyway, we're not driving. But we're still going.
Sean Martin: We spend a [00:01:00] ton on tech. The tech's better now. But anyway, we won't go there. But we're still
Marco Ciappelli: going. We're still going
Sean Martin: and we're going to see friends we've made over the years, including our guest.
I'm just going to get to it because we're punishing him for doing nothing bad. He's actually doing a lot of good. And we're making him sit through our rambling here. Fred, how are you? It's good to see you again. You were on last year with us.
Fred Heiding: Yeah, thank you so much for having me back. Last year was a lot of fun.
I'm excited to be back at BlackHat, also for DEF CON and B Sides this year. It's going to be a good week, and I'm super excited about this speech about cyber strategies and more of a policy angle on this problem. Because I've learned a lot in the past year. Um, quite a lot of new, new lessons to share.
Sean Martin: I love it.
And just, just to shout out to the last one, it was hacking humans using LLMs, uh, devising and detecting phishing. So, uh, and I'm not going to read the whole line, uh, [00:02:00] the whole title of that, but I encourage everybody to listen to that. It was really cool, really cool chat. And I'm glad to have you back. And as you noted, uh, you're speaking again with a group of folks, a multilateral framework for evaluating national cybersecurity strategies.
Um, you want to, uh, Well, let's introduce you first, but who, who's Fred, what are you up to these days? And then we'll go to some of your other panelists and shout out to them.
Fred Heiding: Yeah, that sounds great. I'm a, I'm a research fellow in computer science over at Harvard, and I'm, I'm just changing this fall to, uh, to a more policy oriented side from the engineering school to the, to the Kennedy school, which is the political school.
But I'll do more or less the same research as I do now, but I research cybersecurity. Primarily from a technical perspective, uh, my, my last five years, I've been heavily focused on computer science and that's, that's my background as well. But I'm more and more turning towards a business side this spring.
I was, uh, partially teaching the generative AI course. We were [00:03:00] at the business school here and, um, more and more on the policy side now as well. And the reason for that is that after a while in tech research, you realize that cybersecurity is truly a cross disciplinary problem and it's, it's It's not enough to just come up with fantastic, um, technical solution.
I can't, can't tell you how many times we, uh, we interviewed, um, people, pretty high up people for this project, leaders for, you know, cybersecurity agencies and so forth who said it. These technical solutions are fantastic, but in the end we need to convert cybersecurity to growth and profitability because that's what it all comes down to.
And that's sort of my life these days, I'm trying to find this intersection of, you know, Technological means that also works with the business that makes sense from policy perspective in the context of cyber security. So that's kind of what I'm researching,
Marco Ciappelli: you know, that's cool because I did political science and that was way before.
We even talk much about cyber security and I'm [00:04:00] wondering, uh, how I would have, it would have affect my choices, um, at the time if we had cyber security and, you know, political relationship, international relationship and all this kind of stuff. So I'm glad to hear you're actually jumping the other way around.
And, uh, and I want to know what made you decide you and and your other person that did the research with you with these other professionals to actually tackle this. I mean, you kind of said it, you know, it's going that direction is a multidisciplinary approach, but it seems very, very relevant right now.
A multilateral framework for evaluating national cyber security strategies. So you sit around the table and said, let's do this. It's a great question. It's
Fred Heiding: actually a quite fun story. So it's over a year ago, we started working on this. It was about April last year. It was a conference here at Harvard, and then I, I was attending, [00:05:00] I asked a question.
It was a conference primarily on South Korean security strategies and so forth, but I asked the questions of random hacking stuff, as I usually ask. One of the co organizers of that conference was Alex O'Neill, who is a fantastic national security researcher who's my collaborator on this project, and he reached out to me after the conference, Again, this was April last year.
I said, Hey, I like your question. I like your profile. I would like to work with more tech oriented people. Should we start a project? And then we started, you know, we really, really hit up a good collaboration. We liked each other. We had some really complimentary skills and we pivoted a lot of times. We started working on analyzing North Korea, malwares on the dark net.
And we did some other security stuff and we went back and forth. After a while, at another conference, we met Lachlan, Lachlan Price is the third collaborator, who was part of, Lachlan was part of creating the Australian National Cyber Security Strategy, which is [00:06:00] an incredible achievement, because that's a fantastic National Cyber Security Strategy, and we will talk more about what these strategies are, but when we met them, which was a couple of months after we met Alex and I, and we already started to realize we want to go broader, we want to analyze, Policies, we can't just talk about tech.
We can't just talk about malware. What is our bigger picture? So by now we have interviewed quite a lot of folks who are senior in try to get an idea of what's happening in cyber, what's, what's most important from a national security perspective. What do we need as US, as other countries and somehow we started landing on these national cyber security strategies and it was really interesting and especially when we met LACLAM.
We've been talking about this then eventually we We got involved into Eric Rosenbosch, who is a fantastic lecturer at Harvard, got tons of experience from different security gigs in the government and other places and incredibly wise person. And we just talked and talked and over the past year, we realized that this [00:07:00] project that we're doing now is exactly what we need to do.
And that means trying to define how countries tackle cybersecurity strategies or cybersecurity to start with. Well, all of them, most of the countries, especially in the western world, they have some strategy that's sort of, um, implemented as an official document and just trying to define, well, what are these documents and are they actually useful in practice?
Me, as a tech person, I was quite, uh, you know, Quite biased as to enter this, I thought that these documents are just bad. You know, no one uses them in practice. They're just some policy people trying to play cybersecurity basically. And that's actually not true. The documents are very good. I was happy to be proven wrong, but we just really wanted to know, well, how do you start this?
Because cybersecurity, as you said, Mark, it's a quite new problem. It's not a new problem. That's a lie, but this is quite new. There's a lot of countries who haven't already done an established cybersecurity strategy. Just in the past couple of years, a lot of. Things happen, a lot of strategies were improved.
So we went to investigate a bunch of [00:08:00] things, sort of, are these strategies good? What are they targeting? Because they're trying to encapsulate all of cyber security into one document. What does that mean? Well, what, what, what should a account create focus on in the context of cyber security? And that's, that's what we did.
All of these questions just snowballed, and the more of them we got, the more we worked down and sort of chipped away on this project. And over a lot of discussions, we interviewed over 25 people from higher positions on various cyber related government and industry and gigs. And through all these discussions, conversations, uh, RMU things, this project sort of organically grew over the past year from a side project to a relatively large project to be the main focus on my research.
It's quite a beautiful progression actually. And yeah, now, now this is most of what I do.
Sean Martin: It's incredible. And, uh, uh, I'm curious because you talked about your shift to business and economics and those connections as well. [00:09:00] And I'm, I'm curious, did the documents or the conversations you have the people that you interviewed, did they make those connections as well from a nation state perspective?
Fred Heiding: Or
Sean Martin: are they purely tech driven cyber docs?
Fred Heiding: No, that's a great question. There are a lot of different documents, but the sort of strategy documents are not very technical usually. There are other fairly technical documents, but there's a lot of people mentioning, especially the sort of economic aspects, and for me that's been a complete game changer over this past one, two years.
Because for me, we always talk about the sort of security operational. Trade off, you can't just have a completely secure system because then you can't use it, right? But even if I tried to think about that before I kind of over optimized for making everything secure You know last year when I talked with you about phishing emails It's kind of the same problem in one way and I also start in my phishing research Which is another part which is a quantified [00:10:00] economic aspect to this and what should you What should you pay to make make your employees not fall for phishing and so forth in it in the large Context of all cyber attacks.
This is kind of what it comes down to, right? What? What is it worth to increase cyber security for a, for a company, for a country, et cetera, et cetera, uh, Some companies, you know, operate on the strategy that we're just going to take the hit and then we're going to pay, uh, rather than paying a lot of protection.
And for countries, to some degree it's similar, to some degree it's not similar because we have a lot of cyber physical systems. Some cyber attacks begin to, you know, be physically threatening for people, then, uh, but even then that this incredible thing with these things, right? Even if a cyber attack can cause physical harm, there are dollar values to human lives, which is to say whatever you want that does, but there are strategy risks calculation for these things.
And that's, for me, that's been very interesting to see that everything comes back. I don't really like it, but that's also the name of the game. And even if I create [00:11:00] fantastic technical solutions, if they're too expensive, if they're not feasible, then no one's going to use them. And so many people I talk to always come back to, you know, how does this affect growth?
How does this affect profitability? I think you're going to have to come back to that. Then from a counter perspective, how do you, how is this implemented? How can I counter implement, you know, large scale cyber efforts? That's the, these things are. They're definitely technical, but they're also political and they're also business oriented.
So I think, yeah, you just have to look, look at the broader perspective.
Marco Ciappelli: Well, political science is the art of compromise. And I feel like there is always a compromise where it comes to. This kind of thing in cyber security, too. It said, you know, if it's too secure, it is not usable. And it also it comes into place a lot of different, a lot of different variables here.
So what I am curious to know, and I'm sure it's [00:12:00] going to be part of your presentation, but you kind of come up with some kind of a way to To give score to this policy to to evaluate how good they are or not. And I'm curious to know how you do. That is a more of a technical and maybe from a prevalent technical perspective.
Or again, you put in there all other socioeconomics and political aspect in doing this number one number two, which may be connected is how good are you. If they just stay on their own, I mean, I feel like the success of something like this, and when they start cooperating one with another, and I don't know if that's part of the, of the program as well.
Fred Heiding: Yeah, yeah, Marco, these are fantastic questions. So basically, like, how do we score them? And are these, can we look at these things in isolated instances? Or does everything have to play together? And that's exactly what we asked ourselves too. And I think this is [00:13:00] There are short answers, there are long answers, and to some degree there are no answers, but these things are complicated to start with, and that's why Cyber is so interesting.
But to start with, there are some scores, uh, cyber scores, cyber indexes and so forth that other people have done. I think that's fascinating to look at. I really enjoyed that. We found some criticism internally with existing scores from before. We also found other people. who criticized, quite heavily criticized other cyber indexes, because it's hard to score.
No, we're going to give us a ranking. We're going to give Australia a ranking. And what we did that I'm very happy that we did this is we found some of the people who criticized previous rankings and we call them, we had meetings with them and say like, you, you bashed down this other index pretty hard.
And we see your points. Uh, it's, it's hard to score these things. Um, how would you do it differently? And we really had their input on how we could do this. We learned a lot. So some of the criticism with just scoring in general is that, for example, sometimes you make this isolated, which I [00:14:00] think is a big mistake, but you look at U.
S., then you look at Sweden where I'm born, you look at the Netherlands, and sometimes you see these scorings and then the Netherlands has more of a sort of cyber capability than the U. S. And from one perspective, that can be true, because you know, they're very tech savvy, you know, they're digitalized and so forth, but we also, we all know that that's not true, right?
It's just like, it's difficult. So the way we sort of went about to do this, this is rather than having absolute scores, we have a relative scoring, which is that we use three different categories, which is basically this country, a leader, is this country meeting the bar or are they lagging? And we always look in relation to each other.
So we didn't look at isolated instances and that's. It's very, very important because in cyber, there's a lot of shared global resources. Every system is to some degree interconnected in this big interconnection in the world. So we only really care about the relative difference. And we don't care about absolute scores to some degree we quantify, but we also just looks at highlight.
We want to [00:15:00] see success cases because the main reason about this, although it's very cool to have scores, that's not really our reason to do this. Our reason is just help people write better policies. So we thought, for example, Lachlan in our team was part of creating the Australia framework. He knows he said like this is the list that he would like to have when he did the work because the work is really Tricky and we talked to a lot about other countries the teams who create these strategy documents and just taught him Hey, like what are your problems?
What do you think is easy? What was difficult and then based on this? We created our framework to find out these things that will help them. So it's not focused on scores It's focused on what are the success cases if you look at all these countries what worked really well for the US What worked really well for Australia, you know, what didn't work?
So well, what can we learn from and and I think that's really cool And to the best of my knowledge, we've got very positive feedback on that and that's That's sort of our plan. We just want to collaborate and take all the knowledge that exists and help facilitate information sharing [00:16:00] because if there's one thing, and we have a lot of highlights, right, what do everyone think is a good thing?
And one thing that always pops up is information sharing, facilitate collaboration. We have to be better at these things. And this is kind of, Good, I think, because then what happens too is that smaller countries that might not have a national cyber security strategy yet When they want to create a new one, they didn't necessarily care about, you know, what score does this country have?
What score does this country have? What they do care about is, you know, what can we learn about this? what should we look at? And the last caveat before I stop talking this paragraph is that everything is quite context dependent too. So you can't just take a strategy and copy it because you have to look at the local threat actors.
Every document is kind of biased by their surroundings, which makes sense, right? So that's also something we have to kind of take something subjective and context specific. And generalize that so that other countries can make it context specific for them. But so, so [00:17:00] that's a long way of saying that we, we look at the relative difference between countries.
That's, and seeing who did this well, and why did they do it well, and how can other people learn from them.
Sean Martin: So I'm gonna, I'm gonna throw out a few words. And I'm hoping it'll paint a picture for you in your head, because you know this stuff. And something's gonna pop out that's interesting. So, cause. Words that I've heard over the last number of months that continue to rise to the surface.
I think there's resilience is one term that I hear a lot about. Um, I've heard risk management, uh, come kind of shift to exposure management. I've heard, uh, Well, obviously there's been a lot around AI and the AI act and you, for example, um, that changes what I, the word, the other word I'm throwing [00:18:00] out now is scope, right?
So the scope of these strategies. So. And then, of course, just dynamics. Things change all the time. So dynamics, scope, resilience, and exposure. What do those four words conjure up for you in light of the work that you're doing?
Fred Heiding: Yeah, that's a great couple of words to throw out there. I'm going to start with a pretty scattered ordering and just talk about what makes most sense right now.
One thing that's fun to talk about is AI. We have one part. Our framework is made up of five categories. I'm going to, of course, talk about all the categories a lot in black hat, but then these categories are a lot of subcategories. For example, one category is how much does this strategy document focus on protecting people and institutions?
And subcategories are things such as how well does it protect critical infrastructure and how well does it protect vulnerable populations? And another category is, you know, how well does this document focus on generating capacity? Almost everywhere around the world. We need more cyber people. We need more skilled, competent cyber workers.
[00:19:00] So how does this kind of work on generating capacity and so forth? And one of these, uh, one of these subcategories is, you know, emerging threats. AI is a big part of that. And we're quite, Positively surprised by this. There's a lot of work, even in the documents that are a little bit older. We analyze documents that are at least between now and four years old.
So from 2020 and onwards, and even those are from 2020, 2021. And they talk quite a lot about emerging technologies, building future proof strategies. So I think I'm relatively happy about that. Um, also like when you look at the governmental changes, the. They work pretty quickly and the US is starting new agencies to the right and left almost, and they do quite a lot to protect against emerging threats.
Europe is obviously doing a lot as well, playing the regulation game and so forth. So that's good, uh, regarding, um, so that's something worth, uh, worth saying. On the [00:20:00] other bullets, so, um, you said resilience, I think. And resilience, it's, um, it's a broad one. One thing in these documents. I mean, that's really interesting for me since I come from a technical document.
There's not a clear answer, but a question I ask myself a lot is how technical should these documents be in the context of resilience? Like, should he talk about what protocols to use? Should we talk about not using window systems to avoid what we saw last Friday with the whole world being wiped out? No, should it go that deep or should he talk, um, in a more broader context?
And that's tricky. Resilience is definitely a focus of the documents. It's often something that's focused not necessarily by mentioning, but by talking about other parts. You know, indirectly, you know, they build resilience by generating capacity, by protecting critical infrastructure units and so forth.
Um, so that's definitely done, but it's done in different ways. And to some degree, [00:21:00] that is the entire purpose of the document. And one thing in that, on that line, because in order talking about resilience, we also have to talk about measuring resilience. And let's say there's something that most of the documents do well.
There's some things that most of the document can learn from and do better. And talking relatively vaguely about needing Resilience. Of course, every document does that because that's the purpose of them. Measuring resilience is another part. Some countries have specific progress reports. That's beautiful.
I really like that. Say that every year this accountable party is going to do this work to measure how we did this. That's rare, unfortunately. But I think measuring resilience is something we need more from. Because if you're serious with this, and not just creating a document to look good, but creating a document that's transparent for all of the world, or at least your country, to see.
And so forth, then you have to have a plan for how do we measure this? How do we hold ourselves accountable? Who is [00:22:00] accountable? That's one thing we will look a lot at. So codifying responsibilities and saying, you know, you need to have someone account if no one is accountable, it's not really serious for our perspective.
Um, so, so that measuring aspect is quite big as well. And some does it well, some does it, um, not so well. And in general, I think the strategy documents, one of them. Highlights that we think they can learn from is to have more specific, uh, more specific deadlines, more specific responsibilities, more specific accountable parties, but there are exceptions.
Some does this really well.
Sean Martin: Nice.
Marco Ciappelli: Yup. Sounds to me. This is a, uh, it's a document that is never going to end. It's a, I like, I like that you're using relative, uh, Like, you know, from what perspective are you looking at things and even when you measure resilience is You're going to measure it depending on where you are.
What are the policies? Where are the [00:23:00] economic situation? What is there trying to achieve? There is not resiliency as one specific goal. It's a challenge. So I think everything needs to be fluid. And the most important thing, I guess, is collaboration and learn from each other. So I think it's going to be a great conversation, especially because it's on my, uh, Non too technical side of my brain politics and sociology and economies and all of that So i'm going to do definitely my best to come and and see the talk which is going to be Wednesday august the 7th at 11 20 in the jasmine a level 3 and uh Wherever that is good luck and find it but I know at black cat there is good people there that are going to point You The right direction.
And, uh, you know, it's gonna be fun shown. It's gonna be fun to be there. Good to see Fred in person. [00:24:00] Maybe have another conversation with him. I know you guys were chatting about that. And, um, uh, our coverage keeps going and going and going even before we get there. And I'm very excited. For the Xeer Black Hat.
Sean Martin: Yep. Thrilled to have you on again, Fred. And, uh, yeah, super excited for this work. And I too can't wait to, uh, hear the session. And, uh, dig deeper. We're not allowed to talk too much about it here. So We'll, we'll, we'll come and hear all the good bits, uh, uh, on, on location there in Las Vegas. So Fred, thanks for, uh, thanks for joining us and everybody listening and watching, thanks for, uh, tuning in to our coverage of Black Hat and, uh, stay tuned, lots more coming and we'll see you all in Vegas.
Fred Heiding: so much.
Marco Ciappelli: Thank you.