Mike Hamilton | Nov 5, 2024

November 05, 2024 00:41:26

Hosted by Ari Block

Show Notes

In this conversation, Mike Hamilton shares his unique journey from law enforcement to cybersecurity, discussing the top risks individuals and organizations face today. He delves into the psychology behind scams, the importance of vulnerability management, and the reality of cybercrime. Hamilton emphasizes the difference between compliance and actual security, advocating for public policy changes to better protect against cyber threats. He concludes with valuable career advice for aspiring cybersecurity professionals, highlighting the importance of hands-on experience and finding purpose in their work.


Episode Transcript

[00:00:00] Speaker A: Mike, welcome aboard to our show today. I'm sure we're going to have a lot of fun. We were just chatting and you said there's a non-LinkedIn bio. That cracked me up. You have a background in law enforcement and, would it be fair to say, a little bit of organized crime?

[00:00:18] Speaker B: Okay, so. Well, the law enforcement side of it is because I worked in local government. I was the CISO for the city of Seattle for about eight years, and I've worked with state government and I've worked with the federal government with a Homeland Security government coordinating council. But that's all comparatively very recent. I have occasion to talk to students a lot. I'm the founder of the PISCES project, which does no-cost cyber monitoring for small cities and counties in return for collecting data and using it as live-fire curriculum for 14 universities, teaching people to be cyber analysts with real critical infrastructure, real-time events. So in that context, talking to students, I let them know, today you can get your, you know, your new shiny degree in cybersecurity, but if you get your pedigree the way I got mine, you're going to go to prison.

[00:01:12] Speaker A: Look, it's. I can't move forward without asking you to tell me that story. That would be the definition of being a bad interviewer. So you got to get this background.

[00:01:22] Speaker B: Okay. All right. So the statute of limitations has expired, so I can talk about this stuff. Some of this I am going to hold back a little bit. So you know who Kevin Mitnick is, right? Was. He died recently.

[00:01:35] Speaker A: Share for the audience. Bring, bring them on this journey.

[00:01:38] Speaker B: Kevin Mitnick was at one time the most famous cyber criminal. He was caught; what he is accused of is trying to steal next-generation cell phone technology. And the way he did this was he was an expert social engineer. He just talked people into stuff. And so I ran a large bulletin board system at the University of Southern California, and one of the users came to me once and said, hey, I heard you're a system administrator on a VAX in a geology department. I said, yeah. Got any unused accounts? Because I got some friends on the Internet, you know, this brand new Internet, I'd like to send them email. I said, sure. So I gave him an unused account, gave him the password. And that guy's name was Lewis De Payne. And he and his best friend Kevin Mitnick used the account that I gave him to get into some serious trouble. And so of course, the FBI crawled up my backside. And I have an interesting, we'll just call it a historical artifact, from Kevin Mitnick's lawyer trying to pin the whole thing on me. Yeah, that's one of them.

[00:02:45] Speaker A: Would I be correct in assuming that that was part of what got you into cybersecurity?

[00:02:51] Speaker B: Partially. Really it was because when I got out of graduate school, I went to work at the Jet Propulsion Lab in Pasadena, California, and my job was algorithm development for hyperspectral remote sensing of the ocean to try and figure out from space.

[00:03:06] Speaker A: Okay, that was a mouthful.

[00:03:08] Speaker B: Yeah, it was.

[00:03:09] Speaker A: Give us the version to ground on. What does that mean?

[00:03:13] Speaker B: The easy thing is we were trying to figure out how much carbon the ocean takes up during the process of phytoplankton photosynthesis, and we need to do that from space because it's too expensive to go throw buckets in the water and do a bunch of chemistry with. So.

[00:03:26] Speaker A: So global warming, basically.

[00:03:28] Speaker B: Well, chasing carbon around the planet, we'll say. But there came a period when there was a tool released. I don't know if you remember this, it was called SATAN, the System Administrators Tool for the Analysis of Networks, written by a guy named Dan Farmer. Who named that? Dan Farmer. Oh my God. And it was the original kind of vulnerability scanner. I think it turned into CyberCop, if you remember that. But they told us we had to secure our research networks to survive a SATAN scan. So I started learning about the firewall toolkit, which Marcus Ranum wrote and put out in the public domain, and was able to turn all my SunOS workstations into basically standalone firewalls. And all of a sudden that was more interesting than hyperspectral remote sensing and algorithm development and all of that stuff. So I went into business hand-rolling firewalls and selling them in Southern California. And that was 1994. And since then it's been, first of all, I had no idea how to run a business. But since then it's been, you know, consulting, contracting. I eventually, and so this is true, took a job doing consulting with an organization that was raising, I didn't know this at the time, fake investments. Right. So we're going to build an Internet mall and they needed somebody to talk to their investors to tell them how all this worked. And so they were paying me. And pretty quickly it became clear that these guys were organized crime and nobody was going to get their money back and I had to leave them. And so I ended up having a four-hour interview with special agents from the IRS, SEC and FBI and kind of told them everything I knew. And then it's like, look at the time. I think I'm going to move to Arkansas now. So I did that and was. I did a contract with Walmart headquarters out there in Bentonville. And my job was to convert the country of Mexico over to a new DNS client. And I got picked up by a startup when I was there and they said, well, we'll relocate you to these seven places on the east coast or Seattle. I'll take Seattle. So I showed up in Seattle and my wife and I got an apartment, then another apartment, and then we moved into a house in Kitsap County. Three days into the house. FBI. Hi. We'd like you to testify against these guys. I don't really want to do that.

[00:06:02] Speaker A: Can you say no to the FBI? Is that a thing I did?

[00:06:04] Speaker B: Yes, I did. They could have compelled me. They did not. So that was, you know, I mean, there's a lot of experiences back there that give me perspective from, let's just say, the bad guys' side of things. I don't do those things anymore. Now I start companies and nonprofits and play drums in three bands.

[00:06:28] Speaker A: Mike, what an incredible journey and background to your story. I want to ask you, when companies, individuals are thinking about their cybersecurity, what in your opinion is the biggest risk that they're really facing?

[00:06:45] Speaker B: So that's a good question, Ari. It's really three things that are the most prevalent. And I say this because for the last almost 20 years, I've been putting out a daily news blast, right? Here are the trends, the events that you need to pay attention to. And three things have really come up to the top. So social engineering is always going to be a problem, right? There's no firewall for stupid. Right. You're going to be able to trick people into doing stuff; that's just human nature. We have cognitive biases that help these people. Right. The authority bias, ooh, it came from the CEO. Right. Second one is credential misuse. So credential stuffing, password guessing, using credentials that have been located in other dumps, and finding out you use the same password in two places. And there's a whole lot of that going on, especially with the remote access methods that we make available to our employees. And then the third one, which has really started to suck all the air out of the room, is vulnerability management and vulnerability exploits.
So today, when a vulnerability is announced, made public, and a patch is released, teams of criminals and nation states all go to work reverse engineering the patch to figure out what it fixes so that they can develop an exploit to break that thing and own that computer. Simultaneously, scanning of the Internet looking for vulnerable systems starts within 15 minutes now of that announcement being made. So it's really, it's those three things. If you wanted to focus on something, borderline brilliant. Right.

[00:08:23] Speaker A: Because you can work incredibly hard, try and find a vulnerability, or just take advantage of the fact that it's going to take time between announcing a vulnerability and everybody installing it.

[00:08:34] Speaker B: It's a race.

[00:08:35] Speaker A: That time is just a race. And it's an opportunity for everyone.

[00:08:37] Speaker B: It's a race. Yeah. So, you know, if a vulnerability is announced and it's on a piece of technology you have facing the Internet, that's an incident that just became your highest priority.

[00:08:48] Speaker A: Right. Wonderful. I am. Okay, first of all, I'm going to ask for permission to quote you on the "There's no firewall for stupid." That's absolutely.

[00:08:57] Speaker B: We have shirts.

[00:08:59] Speaker A: Really? Do you. Oh, that's. That's delightful. I have never heard this before. That's absolutely delightful.

[00:09:05] Speaker B: Yeah.

[00:09:06] Speaker A: You mentioned cognitive biases and how psychology is used to basically manipulate people. Is that a fair description of it?

[00:09:14] Speaker B: It is. And these things are very straightforward, like the one I talked about, the authority bias. But, you know, there's, you know, the current events bias. Okay. So if, you know, also known as recency bias, right now if I send him a piece of email or a text message with a link in it and said, thousands of ballots found destroyed, you know they're going to hit the link. So, you know, in fact, I remember when I worked at the city of Seattle, this was one that was really effective at the time. Saddam Hussein found alive. Right. Everybody clicked. You know, people, come on.

[00:09:55] Speaker A: So when you. When I want to go down this rabbit hole just a little bit, if you're going to use, let's call it a bait click, that is so egregious that it will clearly be wrong. Ultimately you're going to, you know, you're going to have a negative perception. How do criminals use this? In a way, because they're, you know, they're going to be caught ultimately that this was bullshit, or by then it's just too late. What. How are people actually using these things?

[00:10:20] Speaker B: Nobody, nobody cares whether it's factual or not.

[00:10:23] Speaker A: Okay.

[00:10:24] Speaker B: Right. The idea is just to get the click, just to pull them in. You know, when. The last time, in fact, the last time we did a phishing test here, it was, your registration was found in Arizona. Your voter registration was found in Arizona. You need to clear this up.

[00:10:39] Speaker A: Got them.

[00:10:40] Speaker B: You know, so, you know, it's, yeah, it's patently false. It's a lie. But it's just bait, you know, and the bait. And I've seen the bait that's been created by, you know, the generative AI. And so are you familiar with an advance fee scam? You know what that is?

[00:10:57] Speaker A: No.

[00:10:58] Speaker B: The Nigerian prince.

[00:11:01] Speaker A: Okay.

[00:11:01] Speaker B: You're being offered something of value. Okay, sounds real good. You engage in communication, and all of a sudden you start getting asked for money. Got to pay a bribe, you know, got to file this paperwork. I got to fly to the other side of the country for me, whatever. Okay? So I get this one from a. I won't identify the person, but it is a billionaire, a philanthropist. And there were Forbes articles referenced there about how this particular billionaire is giving away his fortune. And it was a letter from this billionaire saying that, yeah, here's all this. And I do this, and you can verify all of this, and then you get to the money quote. And here's the. Here's the reason for this message. I'm giving away millions to random people. Okay? So, of course, there were no grammatical mistakes. It's a real person. There were Forbes articles. There were references in there that you could all check out, right? But if you engage, it's like, okay, all you gotta do is pay the $135 processing fee for the ATM card that's gonna come loaded up with half a million dollars on it. Okay? A GenAI advance fee script, which pulled in a lot of people. I use that in, actually, our security awareness training. We do that once a month for anybody that wants to come see it online. That's one of the examples.

[00:12:17] Speaker A: So do you have the numbers? How many people fell for this?

[00:12:21] Speaker B: Well, globally, no, but it was such good bait. And so many get wrapped into these things, even the dumb ones. You know, I'm a soldier in Syria with a barrel of money that I want to get back to the United States. Or I'm an old lady dying of cancer and want to give away all my remaining fortune, and I need somebody to help me do that. Or I'm trying to move a pallet of gold from Thailand to China, and I need someone with your logistical expertise. Right? It's. You know, I've seen people get pulled into this for years, and you cannot talk them out of it. And again, cognitive bias, right? Who wants to admit I have been a dumbass this whole time? They're just not going to. So they're going to stay with this right to the very end, right? Until just painfully, they realize what's going on. And I've seen that pain.

[00:13:18] Speaker A: That's really interesting. This isn't a topic that we kind of talk about too much, the experience that those individuals go through. Do you have a story that you can share of what this felt and looked like from the perspective of the person who went through it, who got scammed?

[00:13:37] Speaker B: So I can tell you there was a person who was interested in investing in my company and he sounded very sure of himself. He was known to be wealthy. I knew people that know him and vouched for him, and we were talking, talk, talk, and things were delayed. I didn't understand what was going on. And finally he said, I'm helping to move a pallet of gold from Thailand to China. And all became clear. And so we all swarmed and we tried to talk him out of this, knowing that he was not going to invest in the business. Right? But let's save this guy. And it was impossible to talk him out of it. Right. And you can't get derogatory about something like that. You have to just say, look, I mean, here's this pattern. I've seen this over and over and over. And you know, he probably ended up borrowing money to try and, you know, keep this thing afloat until, you know, he was ultimately going to get his payout. And you know, I don't know how that ended up for him, but he was so sure of himself. I have another relative who got caught up in something like this and they ended up using other people's credit cards to continue to pay these perpetrators. Right. And so it gets really deep. They are so convinced that there's an outcome here, right, regardless of the fact that they have no skills that these people actually need. You know, how were you selected out of the blue? Why did some Internet rando send me this? Nobody asked themselves those questions.

[00:15:20] Speaker A: Is there an easy technique where you can just help yourself avoid these kinds of scams? What would you advise to our listeners that may come across this?

[00:15:29] Speaker B: Yeah, well, there's some easy things to do.
So for example, you know, you ever try to call somebody Gen Z on the telephone? They don't answer. They do not answer. Okay, good on you. Right. If something comes and you did not expect it, whether that's social media, whether it's a text message, email, phone call, if you didn't expect it, you don't recognize who it is that's trying to get a hold of you, ignore it, just ignore it. That's the best way. But for businesses, I'll say this, you know, again, when I was at the City of Seattle working for the public sector, we took a lot of measurements and we could prove at the time, and this has since been borne out in other research, 40% of the compromised assets at the city were due to the use of personal email. Right. So here's Outlook. It's all cleaned up. We paid a lot of money. No links, no attachments. Everything's cool. Right next to it is a web browser opened up to Bubba's email service. All right, with no controls at all. What good did it do to spend all that money? None. Okay, so a policy of personal use on a personal device drives 40% of the problem off a cliff. Right. Gmail lives here, Facebook lives here. Not on your work computer. Right. It's okay to melt your phone, but don't do it to a water utility or a hospital.

[00:16:55] Speaker A: Right? Right. Absolutely. You talked about vulnerability management and you alluded to the fact that it's a hot topic right now. What does that mean? What's vulnerability management? And how do we even approach dealing with this?

[00:17:13] Speaker B: Sure. Okay, I'll give you an example. So a long time ago, because I'm OG, a program called Sendmail.

[00:17:19] Speaker A: I love that. By the way.

[00:17:21] Speaker B: Sendmail was one of the original MTAs, mail transport agents. Okay. So it's not what you type your email into; it's when you say send, it's the server on your network that it goes to. That server figures out where it goes to get delivered to the recipient. Okay, so Eric Allman is writing Sendmail as a graduate student. He says, okay, I need a variable for sender address. Sender address will never be more than 255 characters. So I'm going to give it a 255-byte buffer. And he did not bound the buffer, make it impossible to go over that 255-character limit. So what happens when a piece of email comes in? It's got a sender address of 256 characters or 712 or 1497. It overflows the buffer. And if you do that just right, you can offset just right, you can put your choice of executable code into the running stack of the machine. You now own the machine. That is a buffer overflow exploit. Okay. And so when vulnerabilities come out, very often they're buffer overflow vulnerabilities. That's why I say they reverse engineer the patch, figure out what that offset is, all of that stuff, and then figure out, okay, all I got to do is hit them with this particular thing. And that firewall is mine, or that remote access server is mine, or that public engagement server in a city is mine, and this is happening with alarming frequency. Did all that make sense? Is that a good explanation?

[00:18:50] Speaker A: Absolutely. And how do you basically keep yourself in front of these things?

[00:18:57] Speaker B: Well, there are a number of ways that, you know, a number of tools that you use to scan for vulnerabilities. Everybody knows about Nessus and OpenVAS. I mean, there's a whole bunch of these. But what you do with that information is important then, because you need to prioritize. There's a lot of things that are embedded in your network that you really put off to the side and not worry about. Right. Provisionally accept those as risks. But again, if something's facing the Internet and it has a CVSS score that is high, means it's easy to exploit, and it's on the known exploited vulnerabilities list that's maintained by CISA, it is an incident. Right? You need to drop what you're doing and take care of this right now. And if there's no patch, or if you haven't received it yet, you need some kind of compensating controls in place. So it's all about, yes, detecting the vulnerabilities by scanning, but then prioritizing those and really, really getting after the ones that matter. And it's, it's hard. And there are really no good products that automate this from end to end.

[00:20:04] Speaker A: So are people, companies on this every day looking at these scan results, getting notifications, or are they dealing with it once a month, once a quarter? What does the reality of how people are handling these vulnerabilities look like?

[00:20:19] Speaker B: Well, the reality is poorly. And that's why, you know, like the MOVEit file transfer vulnerability, remember that? Right. A thousand organizations got smacked by that. So first of all, yes, the scanning. Do it monthly, something. I mean, we do it monthly. I don't know, a lot of organizations do it quarterly. But the fact of the matter is your vendors are going to be telling you, here's the patch for this thing, this Cisco firewall, this SonicWall, whatever. Get this applied right now. And if you hear from the vendor, it means everybody else in the world just heard from that vendor as well. So when you're doing scanning, you're going to find you should turn off that SSL cipher or something like that. When a vendor says our product is vulnerable, here's your patch, and you're facing the Internet. You know, there, there's all kinds of organizations. They'll go, we're too small. They're not going to come after us. We don't have anything. The scanner doesn't give a damn how small you are. They're going to find if you have that vulnerable system, and if you haven't gotten after it, you're getting whacked. So how are people getting after this? Very poorly. The process of detecting vulnerabilities and then prioritizing them and then pitching them over the fence to the team that can do something about it, that is not a well-integrated, well-oiled machine anywhere I've ever seen, honestly.

[00:21:44] Speaker A: What's the. So I want to. You said something really interesting that's counterintuitive. I think a lot of companies tend to think, okay, we're not a target, like nobody's going to come after us. But on the other hand, you're describing this world where, you know, they're going over anybody who's vulnerable automatically. It's no skin off their back if they go after you or not. Right. What does that look like? So you have a vulnerability. Maybe they've taken over your machine. What do they do, send you a demand letter? Pay this or we will corrupt your machines. How does that normally work out?

[00:22:15] Speaker B: No, so that's called initial access. Okay. First thing they do, I mean, they can do a lot of things with that. All right? The one that we're all worried about the most is extortion. Ransomware. Okay, right. We call it ransomware because we have a lot of dumb secret-handshake language, but it's extortion. So what happens is you get that initial access, then they need either, through interactive access, right? Somebody with a keyboard is logging into your network, coming and going as they please, and they're going to find your critical servers and your backups and potentially, in fact, more and more frequently, records to steal so that they can hold those records in abeyance. And you're going to say, well, we're not going to pay your extortion demand. We're going to, you know, we're going to just rebuild everything. Oh, really? Because we have these records, and if we make this public, here comes the class action suit. So the records generally precede laying in the encryption software that will then encrypt everything in the network, probably including your backups. And then the extortion demand hits. That's one thing.
Another thing they can do, if they can, is install cryptocurrency miners and use your electricity and your CPU to mine cryptocurrency. They can lay in keystroke monitors, really for espionage. That's used a lot for espionage, to get further access to more accounts inside, with the goal being domain admin. Once they have domain admin, they can do anything they want. That really doesn't take that long. Which really begs the question, right? Why are we investing in all of these things to prevent this thing from happening when it is a foreseeable event? Okay, it's for real. They say that cybercrime globally, we took an $8 trillion hit in cybercrime in 2022. Next year it's projected to be $12 trillion. By 2027 it's projected to be $24 trillion. That makes it on par with the biggest economies on earth. And you, little corporation, are not going to go glove to glove with a country-sized economy and win. Okay? So this is a foreseeable event. And increasingly the actors are domestic. So it's not, I'll attack you from the other side of the world. It's all through a USB stick in your bathroom. And wait, so the amount of money that we've lost makes it clear that we're up against groups who are highly motivated, highly compensated. Right? So, foreseeable event. If you look at the expression for risk, there's two terms. The likelihood of a bad thing happening and the impact of that thing. All right, so first of all, what's a bad thing? Scary Russian cyber buffer overflow, SQL injection? No. Records disclosure, theft, extortion, service disruption and being used as a third party to attack others. There's five business outcomes that all cost money, and we kind of know how much money they all cost. Right? So the trick is, or the good way to think about this is, you buy down risk in addressing that likelihood term through the application of preventive controls: firewalls, train your users, manage your vulnerabilities, blah blah, blah, blah, blah. You will never drive that risk to zero. Then you turn to the impact term. The impact can be the help desk cleaned up somebody's workstation. The impact can be the FBI just called and all of our records are for sale online. Right? You get to choose which one you want with good monitoring, detection, investigation and response. Right? If you put out the grease fire on the stove, the house will never be engulfed in flames. And so I mean, this is really, in the 21st century, people have got to understand this language. It's a foreseeable event. And in fact there is a, in the legal profession there is a standard of foreseeability which says, I will paraphrase, if you do not take steps to mitigate a foreseeable risk, you are guilty of negligence. And the negligence word is starting to pop up more and more and more. So that was a whole lot right there in answer to your question. But this is really the way to look at this now. It's going to happen. You really need to make sure that you minimize that impact however you can.

[00:26:42] Speaker A: When we think about being exposed to risk, there's the stuff that we can do to do the patches, train our people. Is there stuff that we can do early on in planning of our infrastructure, of our software, of our architecture where we would be less likely to be hit?

[00:26:59] Speaker B: Sure.

[00:27:00] Speaker A: What does that look like?

[00:27:01] Speaker B: Well, I mean, there's the network architecture, and this is all fairly well known. It's happened for a long time. Right. You segment your network. Right. You have good access control at the network layer. So. Right. Is there any reason why finance should have access to HR systems? Not really. Right. I mean, so you can segment your network that way. You can get to micro-segmentation, which is super useful in healthcare settings, for example, because of all of the medical technology. So yes, you can do this a priori by designing the network well. You can do it with software, by designing the software well. DevSecOps, SecDevOps, whatever you want to call it. But to drive this, it's always been pretty much voluntary, but now the federal government, as one of the tools in the toolshed, is using market forces to do this for us. So for example, SBOM is the software bill of materials. And so the federal government says, hi, hey, we're the federal government, we are the largest purchaser on earth, and if you want to sell to us, your stuff has to be provably, demonstrably secure out of the box, with a vulnerability detection plan and a way to get updates and patches to us. And if those three things aren't met, we're not going to buy your stuff. So rather than regulate them, they just gave them the basic carrot part of this. If you want more money, capitalists, do it this way and we'll be a good customer. So that's another way of making sure that in the beginning things are secured, rather than buy this thing and figure out how to secure it later.

[00:28:49] Speaker A: With your permission, I want to change the topic a little. Sure. There are all kinds of compliance standards out there. SOC 2, ISO 27001. If I am compliant, I consistently pass the audits. Am I secure?

[00:29:05] Speaker B: No. No.

[00:29:06] Speaker A: Okay, tell us more about that.

[00:29:10] Speaker B: Well, again, you know, with something that is as foreseeable as this, you can put all the controls in place that you want, but it does not mean somebody's going to pick up. Somebody won't pick up a USB stick in a parking lot and shove it into a machine to figure out who owns it. You know, what are you going to do about threats to your employees and their families if they don't give up a password? Because this is happening now, right? You've heard of Scattered Spider and the Gen Z? Basically, cyber criminals that use the Russian affiliate models and ransomware as a service and things like this. Well, they're all domestic. And so, you know, yeah, you can tick off all those compliance boxes, but it doesn't mean nothing will ever happen. What it means is you've differentiated yourself enough and you have security papers to show that tell your business associates, your partners, your customers that you're safe to do business with, to the extent that we've been able to define what safe is. So, you know, again with, you know, the federal government doing this, right? The CMMC, Cybersecurity Maturity Model Certification. If you want to do business with a company that does business with a company that does business with the DoD, you have to comply at the same level the company doing business with the DoD does, because they want that all the way back through the supply chain. They want to secure all the way back. And so we're not really talking about the Lockheeds of the world, although we are. But if you are a small company that makes a special coating for a bolt that goes on a spy satellite, that's you too. So, you know, again, using the power of the purse to do this. Because if you don't comply, if you can't show those security papers, your certification and your level of compliance, you can't even bid on a federal contract. So, you know, no, you will never be secure. But it's a way of demonstrating due care and the fact that you've implemented a standard of practice.

[00:31:16] Speaker A: Right? And I'll note that NIST 800-53 is way more compliant, way more expansive than SOC and ISO. That's a very detailed spec with, I think, over 300 controls, if I'm not mistaken. That's quite an undertaking.

[00:31:35] Speaker B: So make sure you understand the difference between regulatory requirements and standard of practice, because NIST 800-53 is not regulatory for anyone but federal agencies. Okay? The ISO standard is completely voluntary. It's only if you want to hold the thing up and say, hey, we're better than anybody else, we're ISO certified. The SOC 2, better known as SSAE 18, is also voluntary.
And you get to Pick your own scope. Right? So it's only the protection of customer data we're talking about and not our finance systems and not all these other things over there. So the ones that are really regulatory in nature, Payment card industry data security standard, the criminal justice information services standard. Right. For law enforcement, the NERC critical infrastructure protection standards for energy generation. Right, Those are really regulatory and auditors really come after those. The others are voluntary and, you know, I mean, they're excellent papers to show. Right. We are secure and we can prove that because all these controls are in place, but they're not going to get audited against those. [00:32:43] Speaker A: So it's quite a frustrating perspective. Right? We have this arms race and tell me if you disagree with this. We have this arms race of the security companies, the consultants, everybody who's working to protect us versus this armed race on the other side of people trying to hack us, which is organized crime, foreign countries, all kinds of players. Is there anything that we can do to get a leg up? Is there some kind of missing standard? Is there a missing regulation? Is there something that we can do to basically somewhat win this competition, this race? [00:33:23] Speaker B: Yeah, well, so the answer is yes, but it's not going to be through any further regulatory oversight and it's not going to really be through market forces either. It's going to be through public policy at the federal level in cooperation with our allies and other countries in the world. So when the time comes that we start to treat our logical border as any other border, okay, China has the great firewall of China, right? They watch every packet that goes in and out. They know if somebody's saying they don't like, you know, they're really good at this. Well, can we do this? [00:33:57] Speaker A: Did you hear about the social score? 
[00:34:00] Speaker B: Yeah, well, exactly right. China throws an immense amount of computing power at things. In fact, we should probably loop back on that because it has relevance to the election coming up here. But if China can do the Great Firewall of China, why can't we implement an entry exit point for packets coming in the United States that enforce a standard of behavior on this side? Many countries in the world agree to this, which is probably the hardest part. The technical part's probably doable easily such that if there are violations of that standard of behavior, we start to incrementally ramp up the sanctions, the penalties, whatever you want to call them, up to and including, we'll lock your country out of ours. And so everybody will say, well, then Russian criminals will just use Switzerland as their jump off point. What are you going to do about that? We can do attribution. We know where stuff started. In fact, FBI is particularly good at that. And so look, Russia, we know what's coming from you. So we're locking your banks out. And then Russia's bankers go stand on the desk of the president and go scream at him and say, make the criming stop because we can't do business until we get to there. Yeah, it's going to be. It's like every organization for yourself. And now, you know, we're doing this so poorly. Think about healthcare. Healthcare already on the ropes, right? Margins are nearly nothing. Okay? They can't find people that want to work there because everybody got yelled at so badly during COVID. They just say, well, I don't want to work in this place anymore. They're already on the ropes. Then they get hit with ransomware, extortion, okay? Records disclosure, all right? And right after that comes a class action suit. We're suing our hospitals out of business because of laws we put in place. All right? We are doing it wrong. And now you know why they don't let me make public policy.
[00:35:55] Speaker A: I mean, it's an incredibly interesting concept, right? This idea of we have physical borders. We want to make sure that, you know, we have non criminals that come through our physical borders, but we also have digital borders. So that how even that as an analogy is an incredibly interesting train of thought. Is there any work being done in this direction today that you are aware of? [00:36:18] Speaker B: That's a great question. I have heard one mention in Congress and that was the Republican chair of, I believe it is the Homeland Security Committee in the House of Representatives. And it was one utterance one time, we should be treating our digital border as any other border, and then nothing since. So, you know, I would have to say no, nothing is going on around this. [00:36:43] Speaker A: It's interesting, though, because security agencies consider this digital threat to be one of the top and most dangerous threats. In fact, Obama even made a movie about it where basically all the technology in America stopped working. Pretty good movie, by the way. So one would think that this would be higher on our agenda. [00:37:04] Speaker B: It would. And one has to ask, when do the losses get to be so high that we're going to start to get sideways with a problem here? Instead of the increment, well, we'll just give you new regulatory and here's some grant money that'll pay for something for three years, but then you got to pay for it for the rest of time. These are just little chips out of a very big boulder. And really to get that boulder split in half, it's going to take federal policy with some teeth behind it and getting a lot of countries to the table to agree on what those standards of behavior are going to be. [00:37:45] Speaker A: Mike, what an absolute delight. So many thought provoking topics that you brought up today. I want to ask you one last question.
A lot of our audience are young professionals looking for their next step in their career. What advice would you give based on your experience? [00:38:07] Speaker B: Don't get your pedigree the way I got mine. So there's that. But I would say that if you are going to school to learn cybersecurity, get as much hands on with data as you can. Right? The book reading and the test taking is not doing it. The federal government, you know, I talk a lot about the federal government because I really monitor what's going on here. They've always had a program. Not always, but they've had a program called Scholarship for Service. Okay. They would pay your four year degree for you to go work for the federal government for a while. Even the federal government realizes the qualifications we're requiring for entry level practitioners are really bad. Right? We need an entry level analyst with five years of experience and a CISSP. Ain't gonna. It's not gonna happen. Okay. In addition, I would say that the four year degree programs teach you a little teeny bit about all of these different moving parts. So if you wanna get into this business, go for the job they're hiring the most and that is analyst. It's the 10th fastest growing job in the United States Bureau of Labor Statistics and projected to be that way through 2029. Now AI may throw a wrench into that, but still, if that's the role that gets hired the most, that's the one you will probably want to go for to optimize your chances of getting hired and get your foot in that door. I would say that in order to be good at that, you need to have a really good background in networking. If I say port 53 UDP, you better say that's a DNS A record lookup. Right? That's the extent you need to know this stuff. From that point, I would say that when you go to work somewhere, think about three things. Play, purpose and potential. Play. The job can't suck, right? It can't just be a meat grinder Amazon, that will just kill you. Purpose.
Is there a mission focus? Are you doing this for a reason or is it just for money? Okay. Here we work with those organizations that if disrupted, affect us at the scale of our lives. Right. So that's local government, that's healthcare. Right. That's ports. Right. Water purification, waste treatment, traffic management, 911, all that stuff. That's really critical. We're very proud of doing that. And then the last one is potential. You don't want to go to work at a place where you're always going to be stuck in the same role with no way to move into other roles in this ecosystem. So we've had analysts that have joined our company. Three of them are now penetration testers. Some of them are customer success. Some of them are sales engineers, what we call security strategists. Some of them just want to work with the computers, and so they build the network collectors and keep the operations going here in our data center. So, you know, those three things, when you get hired, have a lot to do with where you go after you get your foot in the door. Getting your foot in the door, analyst is probably the best role to target. [00:41:09] Speaker A: Mike, I would argue that if you kind of strip away the security items, that is wonderful advice for anybody looking for their next step in their career. So I appreciate you tremendously. Mike, thank you so much for joining the show today. [00:41:21] Speaker B: Yeah, thanks, Ari. It's been fun. I appreciate the opportunity.
