Our Guest Andy Boyd Discusses
Ex-CIA Cyber Chief: Here's What Keeps Me Up at Night
In a world of rising cyberthreats, what keeps the CIA’s former head of cybersecurity up at night?
Today on Digital Disruption, we’re joined by Andy Boyd, former head of the CIA’s Center for Cyber Intelligence.
Andy was a senior intelligence service officer in the CIA’s Directorate of Operations (DO). His most recent assignment was director of the CIA’s Center for Cyber Intelligence (CCI), which is responsible for intelligence collection, analysis, and operations focused on foreign cyberthreats to US interests. Andy has experience leading worldwide intelligence operations and has in-depth knowledge of geopolitics, cyber operations, security practices, and risk mitigation.
Andy sits down with Geoff to discuss the future of cybersecurity in a rapidly evolving digital world. With decades of experience in cyber intelligence, Andy explains how global threats are evolving, from traditional espionage to AI-driven cyberattacks and disinformation. He dives into how intelligence agencies like the CIA assess and respond to state-sponsored cyberthreats from China and Russia and why the private sector is now a primary target. Andy breaks down how emerging technologies like generative AI are changing both offensive and defensive cyber strategies and what this means for governments, businesses, and people. Andy also shares how one of the world’s leading professional services firms is navigating this new landscape, using culture, data, and innovation to stay ahead of cyber risks.
00;00;00;08 - 00;00;21;23
Speaker 1
Hey everyone! I'm super excited to be sitting down with Andy Boyd. He's the recent head of the CIA's Center for Cyber Intelligence. This is a guy who briefed the US cabinet on cyber threats to the most powerful country in the world, and how they can respond. I want to know what keeps him up at night, what we should be worried about, and what intelligence is being kept from us, for news junkies like me out there.
00;00;21;24 - 00;00;34;18
Speaker 1
We're going to go deep on cyber. Less so on traditional warfare. Like what we're seeing in Iran is real. It should be an amazing conversation. Let's jump in.
00;00;34;21 - 00;00;49;29
Speaker 1
Andy, thanks so much for being here today. I really appreciate it. You are the former director of the Center for Cyber Intelligence at the CIA. Maybe, just to start off, can you give us a flavor of what the Center for Cyber Intelligence does at the CIA?
00;00;50;15 - 00;01;13;15
Speaker 2
Good morning. Thanks, Geoff, for having me on the podcast. It's a really exciting opportunity. Yeah. So I retired from the CIA back in October 2023, and for the four preceding years I was, as you noted, the director of the Center for Cyber Intelligence. And so, what I've said publicly about this before, and there are obviously some limitations to the level of detail I can get into.
00;01;13;18 - 00;01;36;25
Speaker 2
But the Center for Cyber Intelligence is what we would call the mission manager for all things cyber at CIA. That means offensive cyber, strategic analysis, and all the technology, tools and engineering that go into both of those disciplines. At the end of the day, CIA is an intelligence collection enterprise and an intelligence analytical enterprise.
00;01;36;27 - 00;02;04;00
Speaker 2
And so the Center for Cyber Intelligence produced all the strategic intelligence for the president on down in the US government on nation state and non-nation state cyber threats: how they related to the US government and how they related to threats against our economy, our private sector, and whatnot. But in addition to that, we were responsible for using our tools to collect intelligence across a whole array of disciplines.
00;02;04;10 - 00;02;15;14
Speaker 2
Be it counterterrorism, to near-peer nation state competition. And it was a great honor to lead that workforce, a highly skilled workforce, for the four years I was in that job.
00;02;15;15 - 00;02;41;26
Speaker 1
So that's super, super interesting. And obviously so important. You mentioned offensive cyber capabilities and the analysis side. Was there a role to play defensively as well, in sharing intelligence that could be used to help organizations, either public or within the US commercial sector, defend against potential bad actors? Or was it purely more on the offensive side?
00;02;42;09 - 00;03;05;19
Speaker 2
No. So, I mean, this is an interesting point, because there's tactical intelligence, and I mean that with a small i, not necessarily just government intelligence, and then there's strategic intelligence. And what the CIA does is more at the strategic level. When I was getting out, retiring from the government, I got a lot of calls from folks asking if I was interested in various CSO jobs.
00;03;06;02 - 00;03;35;20
Speaker 2
And I said, I'm not qualified to be a CSO. I'm not a network defender, and I never have been. But what our strategic analysis looked at is giving the context as to what the cyber threats were, principally from nation states, China, Russia, Iran, North Korea, but also ransomware actors, other criminal actors, a whole variety of hacking schemes, and writing it at a level for executives, really, to make decisions on how to defend the country.
00;03;35;21 - 00;03;56;02
Speaker 2
I mean, why is, you know, China hacking what? The Salt Typhoon, Volt Typhoon situations. Why were the Russians doing what they were doing with their cyber tools? It was useful context for the average CSO, even US government CISOs, to use to understand the context. But it wasn't going to tell them how to defend their network.
00;03;56;04 - 00;03;58;21
Speaker 2
That's a different type of intelligence.
00;03;58;23 - 00;04;23;16
Speaker 1
Right. And did you find, so I mean, you sort of had a front row seat to being able to understand exactly the threat levels that we could expect here. Yeah. Did you find that most organizational leaders, whether they're, yeah, I'm thinking largely outside the government, but inside the government too, were they able to properly assess the threat level, or did you find they were underestimating it?
00;04;23;18 - 00;04;36;10
Speaker 2
It depends. I mean, there's certain industries, you know, the Department of Homeland Security, CISA, which does all the cyber defense and critical infrastructure defense, identifies...
00;04;36;10 - 00;04;37;15
Speaker 1
Better know.
00;04;37;18 - 00;05;02;18
Speaker 2
Yeah. Well, they identify 16. Oh, and they do, but they identify 16 critical infrastructure sectors. And certain sectors are extraordinarily good at cyber defense. You know, the financial sector really understands it, because it's a no-fail mission for them. If a nation state or non-nation state actor hacks into a major banking system, I mean, we're all going to be hurt by that.
00;05;02;21 - 00;05;25;28
Speaker 2
But they also, because they're banks, have the financial resources to have good cyber defense. Go all the way down the spectrum, and there are certain critical infrastructure sectors that don't have good cyber defense. And it's not necessarily their fault. They sometimes didn't even really consider themselves part of a digital landscape. For instance, water treatment plants, wastewater treatment.
00;05;26;11 - 00;05;49;19
Speaker 2
And so they were victims of nation state actors, of ransomware actors over the past few years. And so CISA and others have begun to really focus on that. So I think it varies from industry to industry. And I do think the US government, the private sector, is coalescing around a way to defend those critical infrastructures, but it's going to vary from industry to industry.
00;05;49;19 - 00;05;50;28
Speaker 2
Frankly.
00;05;51;01 - 00;06;01;01
Speaker 1
So when you were leading the center, what kept you up at night, and what keeps you up at night these days? And how has the cyber threat landscape changed in that time?
00;06;01;21 - 00;06;04;22
Speaker 2
I've never slept better since October 2023.
00;06;05;04 - 00;06;06;12
Speaker 1
I'm happy to hear that.
00;06;06;14 - 00;06;28;04
Speaker 2
Maybe, what kept me up? You know, I spent the bulk of my CIA career serving in the Middle East. Arabic speaker. I did a lot of work in the counterterrorism space, as most of my generation did after 9/11. That stuff kept me up at night, because of the mission, but also worrying about what it all meant.
00;06;28;07 - 00;06;52;20
Speaker 2
You know, so as the leader of the Center for Cyber Intelligence, I had fewer sleepless nights. But it was more of a longer burn than counterterrorism. It's thinking about, do we have the manpower? Do we have the infrastructure? Do we have the relationship between the government and the private sector to really defend against what I think is an existential threat?
00;06;52;28 - 00;07;20;23
Speaker 2
It's not the kind of threat that takes down the World Trade Center. It's not the kind of threat that results in an airplane crashing into the Pentagon. You know, that's a very visible threat, but it's as much an existential threat, with a longer burn time. And I'll say one private sector example that is not necessarily a nation state: ransomware actors, which frequently have a dotted-line relationship, particularly in Russia, with state actors.
00;07;20;26 - 00;07;41;13
Speaker 2
But there was a ransomware attack against health care this past year, a subsidiary of United Healthcare called Change Healthcare, which essentially manages all the pharmacy distribution, CVS, Walgreens, in the United States at least. I don't know about Canada, but that may be part of the same system. And I'm not sure that ransomware attack... the ransomware
00;07;41;13 - 00;08;18;19
Speaker 2
attackers asked for $22 million in ransom, which was paid. What frequently gets overlooked is that the overall cost and loss in revenue to United Healthcare was north of $1.6 billion, and I think it's still growing. And you multiply that. And that's just one company. Now, granted, a very large company, but still just one company in one of those critical infrastructure sectors. You multiply that across multiple industries and there's billions and billions of dollars at stake every single day due to cyber threats, due to data theft, intellectual property theft, ransomware attacks, etc.
00;08;18;19 - 00;08;27;04
Speaker 2
So it is an existential threat. So in the aggregate, all of that stuff kept me up at night. But I'm sleeping better now.
00;08;27;07 - 00;08;51;23
Speaker 1
I'm happy to hear that. And I mean, even in the conversation so far, there's everything from existential threats to organizations financially to attacks on critical infrastructure. If you were advising, and I think in some cases you are, organizational leaders, what type of actors would you want them to be most concerned about?
00;08;51;24 - 00;09;04;26
Speaker 1
Is it nation states? Is it organized crime? Is it one-offs? You mentioned nation state adjacent actors. And what are the implications of some of the threats there?
00;09;04;29 - 00;09;35;23
Speaker 2
So I think, you know, even the very advanced folks, like in the financial services industries, who have very strong personnel working on cybersecurity, even they admit that they need to engage with the US government, be it with DHS, be it with entities like Treasury or whoever. Their, as we like to call it, sector-specific relationship with the federal government is because they don't know everything, and they need to know the strategic context.
00;09;36;15 - 00;10;03;20
Speaker 2
And they need to understand why possibly a state actor would want to attack a certain network and whatnot. For example, in February 2022, the Russians invaded Ukraine. And I was still in government then. Then we went through different decisions at the policy level on what level of support we were going to provide to the Ukrainians.
00;10;03;23 - 00;10;26;22
Speaker 2
And we had many discussions in policy circles as to what that may trigger, as far as cyber attacks or other attacks, but my focus obviously was cyber attacks from the Russians. And what I found is a lot of the critical infrastructure leaders in the private sector wanted to understand, okay, what's coming down the pike and what should we be prepared for, potentially, from the Russians?
00;10;26;24 - 00;10;51;11
Speaker 2
It turns out that there wasn't much coming from the Russian side against US networks, financial institutions, etc. But that was unknowable in February 2022, and we had to be prepared. And so what was interesting to me is that some of the most highly skilled cyber defenders in those critical infrastructure sectors still wanted to understand what the threat was from Russia.
00;10;51;17 - 00;11;28;29
Speaker 2
I think the same context now... again, I made reference to Volt Typhoon, which is essentially the People's Republic of China pre-positioning tools on critical infrastructure in the event that there is potentially a cross-Taiwan Strait conflict between the United States and China. Volt Typhoon, and then Salt Typhoon, which was again some entity within the Chinese government, I suspect their intelligence agency, putting tools down on our telecommunications infrastructure in the United States and using it to collect information against senior US government leaders, and others.
00;11;29;01 - 00;12;00;24
Speaker 2
I think the conversation has shifted away, at least for now, from what the Russians are doing, because that was sort of a nothing burger, for the United States at least, to something that is not a nothing burger: the Chinese threat, both from an intelligence collection perspective and a critical infrastructure protection perspective. And having those industry leaders, telecommunications leaders, be cognizant of that threat, potentially even at a classified government information level, I think is critical.
00;12;00;27 - 00;12;08;13
Speaker 2
All those conversations are happening, you know, maybe not on a daily basis, but at least on a weekly basis. So.
00;12;08;15 - 00;12;39;27
Speaker 1
Right. And so, if you had the magic power to be kind of everywhere at once across the defense surface, so to speak, across governments and organizations... but let me say first, my goal here is not to expose national weaknesses. But where would you be most concerned about shoring up our ability to defend ourselves against some of these attacks?
00;12;39;29 - 00;12;40;15
Speaker 1
I mean, I.
00;12;40;16 - 00;13;08;00
Speaker 2
think most immediately, and this has been talked about in the press quite a bit, I think we have to reset where we are in the telecommunications infrastructure, because that undergirds everything that we do. Luckily, I mean, knowing that that is the threat and it's there is important, but the telecommunications infrastructure in the United States is sort of a balkanized infrastructure that was cobbled together from what used to be AT&T.
00;13;08;03 - 00;13;31;11
Speaker 2
And then it became what we call in the US the Baby Bells, back in the 80s. And so as a result, it's not a particularly logical infrastructure. And that has to be changed, because the barn door was wide open and that's how the Chinese got in. So I would love to see that be a major focus in 2025 for infrastructure security.
00;13;31;13 - 00;14;01;25
Speaker 2
But there's a lot of other things as well. I mean, it's something that's evolved over the past two years, the advent of ChatGPT and the advances that we have in AI technology. I worry deeply that our intellectual property is getting stolen at a rate where it's almost too late to close the barn door, and we have to develop the defensive techniques around our algorithms, our way of defending our intellectual property and AI.
00;14;01;28 - 00;14;28;02
Speaker 2
And then legislation, and then policy that helps us do that. That is my next major concern. As far as the other critical infrastructure sectors, gas and oil transportation, electric distribution, water distribution, wastewater treatment, health care, education, all those are critical infrastructure sectors. We have to address those as well.
00;14;28;24 - 00;14;36;22
Speaker 2
But honestly, we don't have enough bandwidth in the US government or the private sector to do them all at once, but we'll get there. Yeah.
00;14;36;24 - 00;14;59;08
Speaker 1
You mentioned policy, and I'm curious, from a defensive posture perspective, what is the role of policy versus technological defense versus defense in terms of human user training and defending from that perspective? And I'm sure that there's a few other dimensions as well. But is it all three? Where do we get the most bang for our buck?
00;14;59;11 - 00;15;26;11
Speaker 2
I mean, it is all three. And I'll just reference, last week was RSA, the leading cybersecurity conference in San Francisco every year. And there were 60,000 attendees, private sector, global private sector representation, but also international government. And the current administration was very well represented there, from the Secretary of Homeland Security,
00;15;26;11 - 00;15;55;26
Speaker 2
Kristi Noem, on down. Military figures, intelligence community figures. And there's obviously very significant differences in policy and human resources practices between the Biden administration and the Trump administration. But what struck me was the seriousness with which the current representatives last week from the administration are thinking about cybersecurity, akin to what the previous team in the Biden administration did.
00;15;55;26 - 00;16;22;20
Speaker 2
So cybersecurity is a bipartisan issue. And policy is part of that. And I'll say one point that Kristi Noem and her deputy talked about at a forum I attended: there's a policy started under the Biden administration called Secure by Design, wherein software developers don't beta test their software on their customers.
00;16;22;20 - 00;16;58;08
Speaker 2
They actually design it with security in mind, and user experience and functionality and whatnot. I had thought that that was going to change significantly with this current administration, and there may be tweaks on it as far as how they address the private sector. But in general, it would appear that the new administration supports Secure by Design, and it's going to set policy parameters, in collaboration with Congress on legislation, to mandate that private sector software development is done with security as a default in mind, which I think is critically important.
00;16;58;10 - 00;17;16;17
Speaker 2
So the private sector, how they develop software and deal with infrastructure; policy from the White House, the executive branch and the government; and legislation from Congress are all critical. In my mind, three legs of the stool, so to speak.
00;17;16;19 - 00;17;37;27
Speaker 1
Right. So you mentioned Secure by Design. And to me, that's an arrow in the quiver, let's say, of what an organization can do to remain secure. When you're advising CISOs or senior security leaders at different organizations, if they're asking, like, where do I start with this?
00;17;38;04 - 00;17;50;14
Speaker 1
What tactics can I put into place to make sure that we're secure? Do you have some stock answers for the best starting points that are going to have the most outsized impact?
00;17;50;17 - 00;18;15;22
Speaker 2
It really depends on the size of the company. A major bank with tens of thousands of employees can buy an enormous amount of products to deal with external threats, deal with insider threats, deal with vulnerabilities on their own networks and whatnot, down to companies of a dozen people or less. And it's more the small companies that are an issue, I think.
00;18;15;22 - 00;18;53;07
Speaker 2
And they have to really lean on CISA, try to get help from the government, where they're going to have to really outsource that, because some companies are too small to even have a CISO, or even an IT provider. So they have to be careful who they bring in to manage that sort of stuff, because there are certain small companies that, frankly, are as important as the big companies: that company that makes some certain widget for US Air Force fighter aircraft. If their networks are compromised by a state actor that wants to understand
00;18;53;07 - 00;19;19;12
Speaker 2
how those jet engines or whatever are assembled, they're equally at risk as the Lockheed Martins of the world are, yet the Lockheed Martins of the world are going to be able to buy every tool that you can imagine. So a lot of those discussions happen at RSA. A lot of people are focused on, like, how do we detect those external threats? But there are an enormous number of products out there for what we would call attack surface management.
00;19;19;27 - 00;19;46;20
Speaker 2
And looking inside at your own inventory. The bring-your-own-device epoch that we live in makes defending networks even more difficult, because not everybody is going to be as wise as to how to secure your own endpoints. So it's a very big job for CISOs or the security providers for those small companies.
00;19;46;22 - 00;20;08;09
Speaker 2
But what is great now is, ten years ago nobody was really focused on any of that, both at the US government level and the private sector level. We're having a very open conversation, as evidenced last week at RSA. And so I do think we're heading in the correct direction to ensure that those existential threats are minimized
00;20;08;18 - 00;20;11;16
Speaker 2
to the greatest extent possible.
00;20;11;18 - 00;20;40;24
Speaker 1
So thinking about those small and mid-sized organizations, I agree with you. I feel like that is the biggest risk, and it's the long tail of risk there. If the board of one of those companies brought you in and said, Andy, how exposed are we? Do you have sort of like a questionnaire in your mind, or a quick cheat sheet for how you would assess their exposure level to threats?
00;20;40;27 - 00;21;19;24
Speaker 2
I don't have a cheat sheet, because again, every company is going to be different. But I have addressed various boards of directors on that particular issue. And I'm on three boards myself, so I'm constantly worried about that as it relates to the companies that I'm involved with. But what I say is, if you're a company that's big enough to have a CSO or a chief security officer, it means really two things: identity management, ensuring that you don't have people pretending to be other people in your organization, and then access control. If you manage
00;21;19;24 - 00;21;47;01
Speaker 2
those two things, pretty much everything else takes care of itself. The third thing, and this is basically since the dawn of hacking in the 80s: teach your employees about phishing and social engineering, and do not click on that link if you don't know who it's from. I mean, it sounds like, well, yeah, of course not.
00;21;47;01 - 00;22;22;07
Speaker 2
Like in 2025 nobody would do that. But the overwhelming majority of ransomware attacks in particular, but also state actors, have been hacking via spear phishing. And with the advent of AI tools, ChatGPT and the other ones, it makes it a lot easier, because previously the emails would be written in gibberish. It would be like, okay, this is obviously some guy from wherever on the planet trying to hack my computer: click on this and we'll give you $200,000 or whatever.
00;22;23;18 - 00;22;51;10
Speaker 2
Not now. Because of AI tools, you can write idiomatically correct American English, and it can sound like it's coming from your boss. So it's a very difficult thing to do there. There are identity management tools that are much more advanced than they were several years ago. But really, that is what I would say to a board: identity management and access control, and ensure that people who don't need access to certain SharePoint devices or whatnot don't have that access.
00;22;51;12 - 00;23;11;00
Speaker 1
Yeah, no, it makes sense. And I think that's very much in line with what I've heard from security analysts around here anyway. But you brought up AI, and you brought it up a little bit earlier, and I want to talk about that for a minute. How, in your mind, is AI changing the threat landscape these days?
00;23;11;06 - 00;23;21;17
Speaker 1
I mean, I'll ask that in two ways. How is it changing it from the bad actor perspective? How is it changing it from our ability to defend? And, net net, what does that mean?
00;23;21;19 - 00;23;56;22
Speaker 2
You know, so I think, like a lot of advances in technology, both the attackers and the defenders sort of go down that field together, maybe not at the exact same pace. So again, the social engineering aspect of ransomware is a lot easier with the AI tools. Also, someone who really has no vulnerability research or exploit development skills can use AI tools to, frankly, just build exploits and send them down the pipe with really no training or experience in that, as well.
00;23;56;22 - 00;24;14;06
Speaker 2
And they're not going to be able to build zero days off of AI tools per se. But a lot of the top ten vulnerabilities on endpoints are all n-days and have been out there and unpatched for a very long time. AI tools are going to help bad actors deal with that.
00;24;14;13 - 00;24;39;14
Speaker 2
That being said, AI tools in the SOC, in a company's security operations center, are advancing at a rate that I never would have predicted two years ago: automating the ability to see what the threat landscape is out there, automating the ability to look inside your network and watch changes on endpoints.
00;24;39;18 - 00;25;01;24
Speaker 2
And actors that are doing things that are outside the normal. The average human is not going to be able to detect those abnormalities and shut them down. So I think, over time, frankly over the next year or two, a lot of those security operations center tools are going to be completely driven by AI, other AI tools.
00;25;01;24 - 00;25;44;09
Speaker 2
And folks that I saw at RSA, and at RSA last year, using those AI tools to detect deepfakes, to detect audio fakes, a lot of audio fakes. I mean, a number of your viewers and listeners may have been getting random spam calls on their phones. Don't ever answer them, because what we think people are doing is trying to get a voice cut from you and then use that for audio deepfakes, like if you use a voice imprint for getting access to your bank account or whatever. I think a lot of the banks are moving away from that, thank God,
00;25;44;18 - 00;26;10;17
Speaker 2
and using different forms of MFA. But all of those tools are being developed, detection tools for video deepfakes. A friend of mine has developed an audio deepfake tool, which you may remember from the election, when President Biden was still in the race: somebody faked his voice telling people not to go to the polls
00;26;10;28 - 00;26;51;26
Speaker 2
in New Hampshire during the New Hampshire primary. It sounded exactly like him. This guy's tool was able to detect that that's not actually President Biden. And that's a very famous example, but that sort of stuff at a much lower level happens almost on a daily basis. So I'm very confident where we are as defenders on both sides of that AI equation, but also from just how we build software in general. I think a lot of the writing of software is going to be done using AI tools, leaving the human to work on more advanced things or enhancing the
00;26;51;26 - 00;27;07;23
Speaker 2
user experience in whatever the software tool is. And so there's been a lot of talk of it's going to replace... people shouldn't go get computer science degrees anymore, because you're going to be replaced. And why learn how to code when AI is going to do it? You still have to learn how to code
00;27;07;23 - 00;27;29;06
Speaker 2
if you're going to be in that industry. It's just going to make your job a lot easier, and you can work on other things, and you can quality check as opposed to writing the basics of software development. So I think, in the aggregate, AI tools are going to be great for the cybersecurity industry.
00;27;29;08 - 00;27;47;26
Speaker 1
That's great. And yeah, I tend to agree on the coding side. And what I think about too is, like, engineering as a field didn't disappear when the advent of the calculator came along, right? Or the computer. It automates some of the more operational stuff. But yeah.
00;27;47;26 - 00;28;14;27
Speaker 1
Fair enough. I did want to ask you, though, Andy, whether it's AI related or not, and I'll let you use your own discretion in answering this, but what can you tell us, maybe a little bit, about any cyber attacks or capabilities that you uncovered that surprised you with their sophistication or even their innovation?
00;28;16;08 - 00;28;40;01
Speaker 2
Yeah. I don't know if it's innovation per se. It's the brazenness of it, maybe. And I'll go back to Volt Typhoon, Salt Typhoon. I mean, a number of experts have discussed this in the press, so it's not particularly sensitive. I mean, it's sensitive to the industries, but not from an intelligence perspective.
00;28;41;03 - 00;29;12;14
Speaker 2
But the Volt Typhoon pre-positioning of tools was executed using what we call living off the land techniques. So it wasn't some very sophisticated zero day exploit. It was essentially looking for those vulnerabilities and using what is already existing out there, as far as tools go. So the very act of living off the land, of using n-days or tools that you can find on the dark web, you really don't look like a major nation state actor.
00;29;12;14 - 00;29;35;27
Speaker 2
And so it took a long time for us, both in the private sector and the government, to detect that. And that was pretty gutsy on the, on the, on the, on the, you know, the People's Republic of China government, we think the, the military, cyber entities, pre-positioning tools and infrastructure for in the Indo-Pacific, pre-positioning tools on infrastructure in the United States.
00;29;35;29 - 00;30;00;00
Speaker 2
But just, you know, being very hard to detect because it's not it doesn't look like nation state actors. So that that surprised me in that sense. What also surprised me in other Chinese attacks, in Salt Typhoon-like attacks, was that they really studied the target. And again, it wasn't a sophisticated zero day per se, but they they studied the vulnerabilities and built what they needed to to get in those networks.
00;30;00;08 - 00;30;28;29
Speaker 2
And it was essentially not unlike the Volt Typhoon exploiting our own weaknesses. So it's it's it's taken a change in how we analyze the threat. Previously it was like, okay, sophisticated actors, zero days, they're really going to build something that is just so innovative. And we hadn't seen before. And it's actually really the opposite. Now. It's using, our own vulnerabilities and exploiting those, which did surprise me that, that that technique is being used.
00;30;29;02 - 00;30;54;18
Speaker 2
So we just have to be much more cognizant of that and be more cognizant of our own weaknesses. Just like if you're the CSO at a medium size company, it's important to know what the threat is externally. But you have to deeply understand your own vulnerabilities, your own endpoints, your own network vulnerabilities, or what's on the outside is going to have a much easier, you know, job, getting on the inside.
00;30;54;20 - 00;31;02;21
Speaker 1
When you talk about vulnerabilities and weaknesses, can you, can you add a little bit of color to that? What what types of vulnerabilities are we talking about here?
00;31;03;01 - 00;31;34;29
Speaker 2
Unpatched endpoints. I mean, it at the end of the day, ransomware actors, you know, foreign intelligence, organizations or entities that want to conduct disruptive or destructive, destructive, offensive cyber attacks, they want to land on an endpoint. And at the endpoint is a desktop, a laptop, a phone. Those were the vulnerabilities. So, you know, for all of your viewers and listeners, you know, update your software on your endpoint if you're an Apple user, update as frequently as possible.
00;31;34;29 - 00;31;59;23
Speaker 2
If you're an Android user, update as frequently as possible. The same goes for your desktops, and laptops. Now, you know, in 2025, that's fairly easy if you're paying attention. But, you know, there's other things on your networks that are patched less frequently. There's, you know, your your Wi-Fi routers, your network devices that unless you're an IT professional or a CISO.
00;31;59;23 - 00;32;20;18
Speaker 2
So you don't really think a whole lot about those. And note that, you know, worries me. Vulnerabilities on those that are you know, eventually identified by CISA, and they get a CVE rating, and whatnot. But you really got to be paying attention. You have to like, be patching those things on a, on a, on a routine basis.
00;32;20;20 - 00;32;41;28
Speaker 2
The other concern is IoT devices, which are very rarely patched. You know, I, you know, we now have, you know, refrigerators that seem to be like sentient beings, in and of themselves. And those those are attack vectors if they're on your network, if they're networked in with the rest of your devices. That is a very significant vulnerability.
00;32;41;28 - 00;33;07;25
Speaker 2
And I do think, you know, we focus on IT security, but there's OT security, operational technology that I really think we need to focus more on because that that is a significant vulnerability. And then finally, you know, I referenced earlier the bring your bring your own device, which sort of dominates, you know, most companies now, it's it's understanding, it's for the CISOs, the IT professionals, the CIOs.
00;33;08;00 - 00;33;25;09
Speaker 2
If a company's big enough to have a CIO to understand what the threat vector is, from those bring your own device situations and ensuring that you have policies and an ability to check that your employees are actually doing what they're supposed to do and updating software on their own devices.
00;33;25;12 - 00;34;03;18
Speaker 1
Right. We've talked we've talked mainly about kind of organizational risk. And there we talked a little bit more about, you know, device level risk and how you get into the networks. One of the threats I've been hearing more about lately, and I don't know if it's been on your radar and I imagine is in some capacity is I've heard it described as I think it's called like, like pig butchering scams or basically, you know, human engineering approaches where you actually build trust over a long period of time and then, you know, you have progressively bigger asks and find ways to exploit people at a level that ends up being millions and millions
00;34;03;18 - 00;34;11;17
Speaker 1
of dollars. Is that is that something that's on your radar, and how does that fit into the, you know, the broader threat landscape?
00;34;11;20 - 00;34;32;26
Speaker 2
And I mean, it is and it's especially, concerning for vulnerable, you know, populations or, you know, older, people. I mean, you know, my, my mother and father are older. And now, granted, I brief them on that. And so they don't they don't have not yet fallen victim to that. But it happens on a daily basis.
00;34;32;26 - 00;34;56;12
Speaker 2
And there's entire, particularly in Southeast Asia, it's developed into a thing where there's entire offices or warehouses filled with folks that are that are working on these, schemes, you know, on it is not all that different than years ago when, you know, the Nigerian prince would call you up and say, hey, I just need a loan of $50,000 and I'm going to give you $1 million in return.
00;34;56;17 - 00;35;24;05
Speaker 2
I mean, it's it's the same sort of social engineering idea. It's just that it's been it's being done at a scale, that it hadn't been done before. That being said, I mean, a lot of foreign governments, even the Chinese government is very focused on it and is very concerned about it. I mean, there's Chinese nationals that have been lured into working in these, you know, pig butchering farms or whatever, whatever you want to call them.
00;35;25;15 - 00;35;50;14
Speaker 2
But as far as, like cyber threats writ large, you know, nation state threats, ransomware threats, I still would not put that in my top five of things that I focus on. I do think it's it's a major threat to vulnerable populations. But as far as existential threats to, to our livelihood, I don't really consider it rising to that level.
00;35;50;16 - 00;35;51;12
Speaker 2
Yeah.
00;35;51;14 - 00;36;27;10
Speaker 1
Makes sense. So so going back to that level and to that top five, if you think about our current, I'll call it exposure and infection. To what degree are you worried like we've talked about some of these tools. We've talked about critical infrastructure. Are we already significantly exposed in a way where if some of these nation states, you know, wanted to move to, you know, more of, like, I'll call a hot phase of cyberwar, they could they could, you know, push a button and, you know, really cripple cyber infrastructure or are we sufficiently defended now?
00;36;27;10 - 00;36;31;02
Speaker 1
And it's about staying defended. Like where are we in that cycle.
00;36;31;04 - 00;36;52;09
Speaker 2
So I, you know, I'll, I'll use a couple of, of descriptors for that. So, you know, I again, I mentioned earlier that I spent much of my career, in the counterterrorism space. And immediately after 9/11, there was a number of U.S. government agencies that were kind of doing their own thing. We hadn't really coalesced into a into an organized entity.
00;36;52;09 - 00;37;13;28
Speaker 2
We did quite quickly, over time, the intelligence community, the special operations community, the law enforcement community, and then all of our foreign partners, to the point where by I would argue, you know, mid 2002, we had a pretty good, you know, set of tools within the US government and our allies to, to fight that terrorism fight.
00;37;14;01 - 00;37;41;00
Speaker 2
I think we're in that continuum right now in 2025, where we're coalescing our, our, our, you know, government, capabilities on the defensive, on the offensive, on the strategic analysis, on the policy and on the legislation, a major difference between what we're doing today and cyber threats. And what we did in counterterrorism is that arguably 90%, maybe even more 95% of the attack surface is owned by the private sector.
00;37;41;03 - 00;38;05;06
Speaker 2
That's a big difference. And so what that, coalescing is including the private sector. But, you know, for instance, some of the the US government leaders, that I referenced earlier were part of roundtables with CEOs, CSO, CISOs at RSA last week, and we were talking collectively about a strategy on how to deal with that, what our weaknesses are.
00;38;05;09 - 00;38;30;18
Speaker 2
And really, you know, looking at what who who owns the defensive responsibilities, who owns, you know, the middle road, the active defense of yanking threats off of data centers, other, you know, US owned or, you know, North American networks. And then who owns the offensive side, the the actual active offensive side. I argued that offensive cyber operations are really the realm of governments.
00;38;30;20 - 00;38;53;28
Speaker 2
You know, in theory, under appropriate authorities delegating to certain private sector companies. But you're not going to have, you know, the telecommunication industry, you know, hacking into the Chinese, telecommunications and, industry in revenge for Salt Typhoon. That's just not the way it's going to work. But it was very useful to have that dialog. So are we vulnerable?
00;38;54;00 - 00;39;32;13
Speaker 2
Yes, we are vulnerable. But are we aware of those vulnerabilities as a as an industry? Yeah. We just have to have the policy and the legislation to support both the defense, the, you know, the just defending networks, the standard CSO, CISO type activity, the active defense of having the authorities to, you know, if you're a company that owns data centers, actively removing foreign threats once they've been identified, either by your own, situational awareness or intelligence provided by the government, and then how we go about using offensive tools in, in Washington.
00;39;32;13 - 00;39;55;04
Speaker 2
And you hear a lot of people, talking about wanting to get more aggressive on a on offensive cyber. The problem is sometimes they don't define what they mean by that. And so I'm spending quite a bit of time helping people get to a definition of what they mean by that. Because to your point are is some foreign entity can just push a button and attack our critical infrastructure.
00;39;55;04 - 00;40;22;10
Speaker 2
It doesn't work that way. There are three components of effective cyber attacks speed control and intensity. And they're all sort of countervailing, variables. You can have some really intense cyber attacks, but they're going to be out of control. And then you get sort of a worm that goes globally breaking everyone's networks. There's certain actors that are happy to do that, but you really can't affect and disrupt and destroy particular targets if you're going to do it.
00;40;22;10 - 00;40;48;20
Speaker 2
That. But so we just as a government and with our allied partners really need to come to coalesce around what we mean by offensive cyber, and how that is going to contribute to the defense or, the more importantly, as a deterrent, to foreign cyber attack. But all those conversations are, are going and that some people think, you know, people in glass houses shouldn't throw stones.
00;40;48;20 - 00;41;02;07
Speaker 2
And in context of, offensive cyber operations, I mean, you know, our foreign, adversaries have pretty fragile glass houses as well. So I think we're all in the same know playing field there. So.
00;41;02;17 - 00;41;30;27
Speaker 1
The offensive cyber is exactly where I want it to go. And it's already interesting. You kind of distinguished offensive cyber versus what you called active. Defensive. Are we would you consider us in a state of either cold cyber warfare right now with any nation states or hot cyber warfare? And what what do you like? How would you describe our current posture toward, you know, offensive operations there?
00;41;30;29 - 00;41;59;11
Speaker 2
No. So I don't think we're in a state of constant cyber warfare. I mean, it just it's it's I mean, warfare involves, bombs and, you know, guns and and death and destruction, and we've never seen a cyber attack or, you know, result, you know, quite that. So, I mean, I think a lot of what we see as or get interpreted as cyber attacks are really intelligence operations collecting information on whatever the target may be.
00;41;59;14 - 00;42;20;19
Speaker 2
And sometimes it's not U.S. government. I mean, the Chinese have stolen an enormous amount of intellectual property, from, you know, a variety of industries. Is that cyber warfare, right? I don't think so. Really. It's it's it's intelligence operations, but in a very different context than we would use our intelligence tools. The Volt Typhoon pre-positioning tools.
00;42;20;26 - 00;43;02;16
Speaker 2
Is that an act of warfare? Yes, theoretically, but it's really preparing, for potential warfare. So, so, I mean, we are in a very you know, active period of, of, you know, doing reconnaissance against our adversaries in cyberspace to understand what the threat is. But we're not we're not in a period of active, active warfare now, on the on the military side, Cyber Command has a mandate, to to continuously look at these various networks in case of war time against a whole variety of adversaries, not as not necessarily just the Chinese, Russians, Iranians and North Koreans.
00;43;02;27 - 00;43;30;18
Speaker 2
But again, I would argue that's a candid, you know, driving an aircraft carrier like, you know, off the coast of, of a, of an adversary nation, they know you're there. They they know you're in. And in the cyber context, they know you're in the networks. And it does act as a deterrent in some ways. It's not a very public deterrent like an aircraft carrier, but it it is in a lot of ways, a similar sort of thought process.
00;43;30;18 - 00;43;53;05
Speaker 1
So, so, so that's that's exactly what I wanted to ask you about next. Okay. Is it are we currently in a state where we're able to use, you know, the threat of cyber warfare or, you know, offensive cyber operations as a deterrent? And in your mind, you know, is that an effective strategy that we should be pursuing?
00;43;53;08 - 00;44;19;12
Speaker 2
We are not yet there. But that conversation is happening. And and, you know, the conversation also, you know, happened during previous attacks with, or sorry, I'm using the Laura language. So there was under attack the SolarWinds incident, which was an intelligence collection operation or the ransomware attack on Colonial Pipeline, where, you know, our our, gasoline distribution got shut down on the the eastern seaboard several years ago.
00;44;20;14 - 00;44;43;13
Speaker 2
You know, so so there was a lot of discussions on how you respond to that. You don't necessarily need to respond to a cyber incident with cyber tools. You can use diplomatic tools, you can use sanctions, you can shut down embassies or consulates, eject, you know, for foreign adversary diplomats, or whatever the, the case may be.
00;44;43;15 - 00;45;17;00
Speaker 2
But as far as a true cyber deterrence, we're still having that conversation. Yep. And having, you know, coalesced around what that looks like. But for example, the Iranians attacked, water treatment, facilities, IoT devices that were made in Israel but used in Pennsylvania, New Jersey and Texas. I believe last year they attacked these as sort of a demonstration of their their, our problem against us for having an Israeli company, you know, manage our, our water treatment.
00;45;17;17 - 00;45;39;10
Speaker 2
I believe a deterrent stat on that is, is that if an attack like that happens again, we should have a reciprocal. Again, I'm not in a policy position, but this would be my recommendation is to have a reciprocal attack to say we know you did this. Now we're going to do something to your water treatment plan that doesn't result in, in, you know, death and destruction.
00;45;39;10 - 00;45;58;05
Speaker 2
But but there's a point which I think in the aggregate will be a deterrent, will have a deterrent effect against the Iranians or whatever other actor it is. And I'll cite as since we're talking about Iran, I will cite, what the Iranians have used their cyber tools for in the past in what I would call coercive diplomacy.
00;45;58;08 - 00;46;20;01
Speaker 2
It's not warfare. It's it's something other than warfare. But the Albanians were hosting, the Mujahideen-e-Khalq, which was an Iranian opposition organization. And the Iranians didn't like that. And they put pressure on the Albanians to eject the Mujahideen-e-Khalq from their safe haven there. And all Albania and the Albanians were, you know, not listening.
00;46;20;03 - 00;46;41;21
Speaker 2
So the Iranians shut down the Albanian government networks, I mean, really destroyed the networks and and did not try to hide it. It it had the intended effect. The Albanians started rethinking whether they were going to host the Mujahideen-e-Khalq. So, I mean, countries do use their cyber tools in to, to achieve diplomatic or defensive ends.
00;46;42;00 - 00;46;58;04
Speaker 2
We just have not really done that yet. And for a variety of policy and legal reasons. But I think we're, you know, we're, we're moving the policy in that direction where we're going to have those offensive tools, at the ready, and more so than we have in the past.
00;46;58;06 - 00;47;14;13
Speaker 1
I love the I love the analogy of, you know, the aircraft carrier and being able to just just have kind of a I don't know if you can call. I've, I've never called an aircraft carrier subtle before, but like, a subtle display of strength and deterrence there or even, you know, I think more recently of like surfacing a nuclear sub.
00;47;14;16 - 00;47;19;24
Speaker 1
Right. Like just being able to show like, hey, we're here, we have the capability, and.
00;47;19;26 - 00;47;40;27
Speaker 2
And the Navy has done that for years. I mean, that's why, you know, Navy ships around the world make port calls. It's in part so that the sailors can get off and relax a little bit. But the real reason is a show of force saying, we're here. You make reference to submarines. You know, we're here. We're, you know, one country away from whatever adversary it might be.
00;47;41;07 - 00;48;01;01
Speaker 2
And so it does send a message. I mean, it's harder to do that in cyberspace, but, you know, we we have cyber part both on the military side, and across the U.S. government, we have, cyber relationships, defensive and offensive cyber relationships across the globe. And our adversaries are aware of that. And that sends a message as well.
00;48;02;01 - 00;48;34;07
Speaker 1
Yeah. You mentioned, you mentioned Iran. And it came up in a few different contexts there. When I think of, you know, offensive cyber operations still, you know, the number one that comes to my mind, you know, ever is probably Stuxnet. And I'm curious, I mean, first of all, and for for listeners or viewers who aren't familiar with Stuxnet, it was, you know, if I can call it a virus, it was malicious code that was injected into, Iranian, you know, nuclear, you know, refineries or plants that, like, really set back their nuclear program.
00;48;34;09 - 00;49;02;18
Speaker 1
So, I mean, a couple of questions for you, Andy. First of all, is Stuxnet in your mind still the greatest, like the the most impactful example, of, you know, cyber offensive operations. And second of all, do you expect us to see another front from that, just from the US or Israel or whoever globally? Do you expect to see another Stuxnet sized moment in the next five years?
00;49;02;21 - 00;49;42;22
Speaker 2
So, you know, I, I will neither confirm nor deny my own knowledge of that outside of, a fantastic book by a good friend of mine, Kim Zetter. There's a book called Countdown to Zero Day, which is is the most detailed account of the Stuxnet, event. And you know what? I, what I would say, it differentiates, you know, what Kim talks about in that book is, the very specific, you know, using, PLCs, process logic controllers and a very targeted thing to achieve a specific, policy goal.
00;49;42;24 - 00;50;00;21
Speaker 2
Right. And that goes back to my speed, intensity and control. You can do it fast. You can do it intense. You can do it controlled. But all those variables have to be in sync. And I would argue you know, again, the way that Kim Zetter outlines it in her book, that all those variables were in synchronicity.
00;50;00;21 - 00;50;23;09
Speaker 2
And that's a very, very rare thing. So are we going to see more of those, in the future? Yeah, maybe. I mean, if if a nation, state, United States or others is trying to achieve a very specific goal, in an operation short of war, maybe, but again, I'll go back to February 2022. And.
00;50;23;09 - 00;50;51;23
Speaker 2
And the Russians, I mean, we. Yeah, we expected, you know, Stuxnet, like cyber attacks from the Russians against the Ukrainians, against, NATO, our NATO partners, against us. If we supported, the Ukrainians. And for the most part, that did not happen. I mean, there was one the day before the Russians invaded Ukraine. There was a want to attack against the satellite communications network that was fairly effective.
00;50;51;25 - 00;51;12;20
Speaker 2
That indicated to us that they had preplanned that and thought that one out. But if you don't if you as a as a as a government in this case, the Russians didn't very specifically plan out like one would plan, you know, the invasion. And they didn't do a very good job of planning their invasion. You're not going to have effective cyber attacks either, you know?
00;51;12;20 - 00;51;36;00
Speaker 2
So so again, to the whole point, like, can people just push a button? No, it has to be very well thought out and have a very specific objective, something I would think in the next five years in, you know, international arena will, you know, trigger the need for some nation state, to do that. But it's not going to be like in the movies where like the power goes out, you know, from Los Angeles to New York.
00;51;36;00 - 00;51;55;03
Speaker 2
It's just it just doesn't work that way. It would have to be very specific. They want to take down X or they want to do have, you know, y effect on a particular network. And then, you know, if that happens, I hope, you know, Kim Zetter writes another book. You know, so that I, I can reference that by saying, you know, my own knowledge of it.
00;51;55;05 - 00;52;14;13
Speaker 1
Right. I do want to come back to the Russian piece, though, and you described it earlier is like that the cyber warfare component of the Ukraine invasion as, as a nothing burger. And in some ways, at least from what I've read, I, I've read variant things from either. Yes, it was truly a nothing burger to wow, there was actually more than we're hearing about publicly.
00;52;14;13 - 00;52;31;17
Speaker 1
And, you know, there were some operations there. But it's as far as I can tell, we were almost caught off guard by how absent the cyber warfare element was from that invasion. And I'm curious if you have any insight or speculation as to why.
00;52;31;19 - 00;52;58;26
Speaker 2
So so the why is is is multifaceted. I mean, I do I do think, Ukrainians beefed up their defenses after NotPetya and various other cyber attacks starting, you know, when the the Russians invaded or occupied Crimea back in 2014, on through 2017 and then up until 2022, they built out their own government cyber defenses, very, you know, in a very robust manner.
00;52;58;26 - 00;53;35;20
Speaker 2
They also partnered, with Western cyber defense companies. They partnered with Microsoft and a whole variety of other, other foreign entities. I mean, all of that, you know, quadrupled after the invasion, but they had already built up those relationships. So that's one I mean, the defenders had about, two goes back to my, my, my, the other point where, you know, you had that highway going up towards Belarus, into Ukraine where tanks, Russian trucks were all, like, stuck because they didn't think through the logistics and the fuel necessary for that, for that invasion.
00;53;35;23 - 00;54;00;18
Speaker 2
There was a corollary on the cyber side, they didn't plan particularly well on the cyber attacks. They didn't really inform the the leadership of the cyber entities to the degree that they needed to. So, you know, you need very, you know, detailed planning to have effective cyber attacks. So I think that's the second variable, that that you know, made it what we thought were going to be more intense of attacks just just never happened.
00;54;00;20 - 00;54;24;03
Speaker 2
And then the third is, you know, the Russian, you know, Vladimir Putin's perception that if he escalated cyber attacks against NATO, or just the United States or NATO writ large, that may have been an escalatory event that triggered something that the Russians didn't want to deal with. I mean, in their mind, the Ukrainian invasion was going to be a short lived.
00;54;24;03 - 00;54;47;00
Speaker 2
That it wasn't, and they didn't want to escalate. And I do think and maybe correctly, you know, Putin continues to fear that that escalation, despite the fact that we crossed almost every red line that we predicted, you know, providing weapons to the Ukrainians, cutting off the Russians from, the banking system, the SWIFT system and whatnot.
00;54;47;11 - 00;55;08;14
Speaker 2
And they and they, you know, you know, still didn't retaliate for that. And then the fourth variable actually is I mean, if the Russians destroyed all the Ukrainian networks, en route to their invasion, that they would have no networks to use when they got to Kyiv. I mean, they thought it would be a short, short lived invasion.
00;55;08;14 - 00;55;29;23
Speaker 2
They would occupy, they would take over the country, and they were going to need those, though. And so once, once it the it was clear that that wasn't going to happen. That they, you would have thought they would have, conducted cyber attacks against the networks in Kyiv or the electric grids, but instead what they did is, is they used, you know, artillery and missiles and rockets and whatnot.
00;55;30;26 - 00;55;53;26
Speaker 2
In my mind, if they actually had the tools to attack the electric grid in Ukraine, they would have because a cyber attack is certainly cheaper than sending ballistic missiles against the electric grid. So, so, so I think, you know, all four of those variables are relevant. And I think that information will inform how we assess nation states whether it's going forward.
00;55;53;28 - 00;55;58;26
Speaker 2
But we shouldn't, you know, over learn those lessons because China is a very different place than Russia.
00;55;58;26 - 00;56;23;02
Speaker 1
Yeah. So so as we think about threat vectors going forward, you know, I think a lot has been said about this and I don't want to unnecessarily rehash it, but in your mind, are there any kind of, underreported or, you know, under-covered, threat vectors that you think should get more air time or should be are higher on people's minds?
00;56;23;04 - 00;56;43;02
Speaker 2
I mean, not necessarily. Although, you know, we focus, in this industry a lot on things that we discovered. We talk a lot about, you know, the telecommunications industry because of the Salt Typhoon attack. What I worry about is the thing that we haven't discovered yet. So as soon as we identify a threat, we should start pivoting off to.
00;56;43;02 - 00;56;44;14
Speaker 2
Okay, what are we missing?
00;56;45;04 - 00;57;16;06
Speaker 2
We discovered Volt Typhoon and and penetrations of critical infrastructure in that context. But what are we missing? And so I think it has to be a constantly refreshing discussion, on, you know, the threat vectors, you know, there's the known knowns, the, the known unknowns and then the unknown unknowns that, to use a phrase that former Secretary of Defense Donald Rumsfeld used to use to use, it's the it's the unknown unknowns that that concern me deeply within the critical infrastructure sector.
00;57;16;08 - 00;57;45;02
Speaker 2
And it just takes a lot of creative thinking from cyber defenders, to to think this through and to have a public dialog about it, you know, the only thing that we should we should do behind closed doors in the US government is if we have intelligence that we can't, you know, discuss publicly due to sources and methods, but otherwise we should have a very public discussion, on these threats, because, you know, there's plenty of industries out there that are not going to have access to the US government.
00;57;45;23 - 00;57;51;11
Speaker 2
On, on a, on a direct basis. And they need to be part of the dialog for.
00;57;51;13 - 00;58;06;27
Speaker 1
So what's your best advice for CISOs and for boards, you know, across the private sector on, you know, their like your best advice for how they keep themselves safe and contribute to keeping, you know, the nation safe.
00;58;07;00 - 00;58;31;29
Speaker 2
So, for boards or, you know, chairmen or CEOs, might and people in this industry, we'll, we'll recognize this point. But stop treating your CISOs, like they're basement dwellers and they, they don't belong, at the board meeting or they don't belong in the C-suite. If you're serious about cybersecurity, then treat your CSO and your CISO like part of the leadership team.
00;58;32;01 - 00;59;08;22
Speaker 2
For years, CISOs have been treated like, oh yeah, we got to hire a CISO, but we don't really want to see them, you know, and and just sort of lock them in the basement and, and that'll be fine because what, you know, policy and legislation, it's in some ways it's already there. But more more is coming if you don't as a CEO or a board member, understand the threat vector and and have a routine conversation with your CSO, with your CISO, you're going to be liable for for, you know, cyber attacks, you know, against your customers' data or, or whatnot.
00;59;08;24 - 00;59;31;13
Speaker 2
So that's the advice for the boards and other leadership entities, at various corporations, for the CISOs, my, I mean, I could recommend, you know, go on for an hour about various tools, various, threat factors to worry about. But I think the best strategic advice I would offer to any CISO is just that, just as it's incumbent on the board to understand the CISO, the CISO has to understand the board.
00;59;31;15 - 00;59;59;10
Speaker 2
And you can't be, you know, you know, you know, crying wolf every time there's a threat vector because your job is to prevent those threat vectors. And you have to understand. And a lot of folks in the cybersecurity industry are very you know, channeled down that cybersecurity realm. You have to understand what is important to your CEO, what's important to your CFO, what's important to the board, and what matters from a product development perspective, what matters from a revenue perspective?
00;59;59;17 - 01;00;20;09
Speaker 2
And frame everything that you do as a CISO or CSO into how you're contributing to the mission of the company, whatever the product is, be it a software company or, you know, a toy manufacturer or whatever the case may be. Because, you know, for years CISOs were locked in the basement by the CEO, but they kind of liked it.
01;00;20;11 - 01;00;40;10
Speaker 2
They kind of like being in their own world. CISOs cannot just sequester themselves in their own world. They have to be part of the dialog, and they have to have reasonable requests for investments in security. You know, how to explain to the CEO and the board how an investment of a million dollars in attack surface management tools or network...
01;00;40;10 - 01;00;58;22
Speaker 2
Yeah, network defense tools, why it matters and what the cost will be if they don't invest that. And that's hard. A lot of IT security professionals don't necessarily know how to have that dialog with the senior leadership of their companies, but they have to learn.
01;00;58;25 - 01;01;18;02
Speaker 1
Well said. And it makes sense. And I think that's, you know, extremely powerful advice for both sides there. And I did want to ask you a dangerous question. What's your craziest cyber career story that you can share today?
01;01;18;02 - 01;01;51;27
Speaker 2
I don't know if it's crazy. It's just it was a wake-up call for me on the importance of cyber, not only as it relates to the intelligence community, but how it relates to national security writ large. It, again, goes back to February 2022. I received a call from the director of CIA, Bill Burns, at the time, that I needed to participate with him in White House level meetings, you know, cabinet level meetings, not as a cabinet member, but as a backbencher supporting him.
01;01;52;00 - 01;02;21;01
Speaker 2
And I was like, that's weird. I'm not the guy in charge of, you know, that thing in Europe. But it was because of the potential for cyber threats that were out there that I participated in those conversations. And that was a wake-up call to me. I mean, I was very cognizant of our capabilities in cyberspace and whatnot, but it was a wake-up call to me like, oh, wow, we're now, cyber warriors so to speak, are now at the front table.
01;02;21;20 - 01;02;48;08
Speaker 2
And, you know, frankly, it's a corollary to what we just discussed about CISOs. Like, I didn't sequester myself in the basement as director of CCI, but I didn't necessarily think I was going to be at that table for that particular discussion. But cyber defense and cyber strategic analysis is infused in everything now. So I shouldn't have been surprised, but that was a very surprising moment in my tenure.
01;02;48;20 - 01;02;50;15
Speaker 2
As a cyber leader.
01;02;50;18 - 01;03;10;04
Speaker 1
Well, I mean, it's amazing. On the one hand, I'm glad that that's starting to get that recognition, but it speaks to the importance of it. And, you know, it kind of acts as a beacon, I would hope, to some of the organizations that are maybe, you know, resisting that position and want to keep CISOs in the basement.
01;03;10;04 - 01;03;11;07
Speaker 2
So, right.
01;03;11;09 - 01;03;23;02
Speaker 1
Right. Awesome. Andy, this has been a super, super interesting discussion. I wanted to say a big thanks for joining today. We covered a lot of ground, and I really appreciate your insights.
01;03;23;04 - 01;03;25;23
Speaker 2
Thank you, Geoff, I really appreciate it. And I enjoyed our conversation.