This episode, we turn to the future world of cyberwarfare – from life after encryption to the 5G debate, from the next election to the next generation of cyber professionals, and a lot more.
Our guests include:
- Dawn Thomas, Associate Director and Research Analyst on the Safety and Security team of CNA;
- Paul Gagliardi, a former U.S. intelligence contractor and current threat intelligence analyst at SecurityScorecard;
- Dmitri Alperovitch, Co-Founder and CTO at CrowdStrike;
- Adam Segal, who directs the Digital and Cyberspace Policy Program at the Council on Foreign Relations;
- Matt Wyckhouse, CEO at Finite State;
- and B. Edwin Wilson, Deputy Assistant Secretary of Defense for Cyber Policy.
A transcript of this week's episode is below.
Find last week's episode here.
Last week we reviewed how cyberwarfare has shifted from worry about other organizations and big companies to folks like you and me – to the stuff in our cell phones and our wallets, and how well we protect those things with a healthy dose of skepticism and discipline and patience. Don't click on phishing links, or put random thumb drives into your computer, for example. We learned how nefarious hackers are pivoting from massive data breaches to more targeted leaks, down to specific individuals. And how some marketing companies are adopting some of those same tactics as well, strangely enough.
This week, we're gonna inform and possibly scare you just a little bit more. Because our discussion this week turns more toward nation state hackers – programming teams from America's so-called great power competitors like China and Russia.
It also concerns the technology race for 5G services that's playing out across the globe today. We'll get into a bit about autonomy and quantum technology – and how some experts see those things shaking up our lives as well as our already shaken-up definitions of things like "cyber" and privacy and what to expect in future presidential elections here in the states.
Dawn Thomas has given many of these forecasts about the future a great deal of thought. You may recall from last week, she's an Associate Director and Research Analyst on the Safety and Security team of CNA – and that's a nonprofit research organization based in Arlington, Virginia. This spring, her team at CNA released a report entitled "Cybersecurity Futures 2025," and she sat down with me recently to elaborate on a few of those findings.
Thomas: "This project started a long time ago, so this is the next iteration of the first round. And the first round consisted of some folks at UC-Berkeley's Center for Long Term Cybersecurity, developing some scenarios talking about the world in 2020. And that was the future date. And it was writing scenarios to think about the what-ifs – what if cyber took on a different meaning in our world, in our societies, in our countries, and what would be the kind of non-obvious results of cyber invading kind of our worlds in that way? So they wrote these scenarios and then they kind of wrote a report and they sent it out to the world. The second time around, they thought well part of this is global, it's a global question. So how is America gonna respond to these things versus how people in Asia respond, and how people in Europe respond? And obviously when you're talking about now kind of a much wider audience and the differences between them, you start to see where traditional alliances may not hold up anymore. And traditional enemies may become – you may have a lot more in common with them in this new world. So the concept was that they would join with CNA and with a partner from Steptoe & Johnson and with the World Economic Forum and say well let's start doing these – these new scenarios for 2025 around the world and start answering those questions: How do people see things differently based on where you sit."
Watson: "So this first scenario that I'm looking at here, it's called Quantum Leap. And as I was reading it, scenario one of four, as I was reading over it I was reminded of the changing nature of cyber, the changing applications of cyber. We don't even have a quantum computer yet. Right now, Quantum Leap, of course, is the Scott Bakula show that I grew up with. And I was thinking that maybe I could use this as an excuse to get the theme song in. Maybe we will, I don't know."
Thomas: "That's a great show, so yes, do that."
Watson: "I still love it. But this is a whole other, of course, a whole other framing. And quantum technology, as far as I understand, the Defense One headlines that we have and the reporting here and there on quantum computing tends to be almost a neck-to-neck race between the U.S. and China. What can you tell us out of scenario one, Quantum Leap, which is maybe most useful for our listeners who are trying to make sense of the risks of cyber in the coming weeks, days, months and years?"
Thomas: "I think the Quantum Leap scenario is one of two that has the most implications for geopolitics. That the division on what you do with quantum once you have it – if you give it to everybody, if you just give it to your military, if it's government-controlled, if you decide to put it out into the world, if everyone has it then kind of no one has it – that kind of decision-making process that every country is gonna have to go through is a game-changer in the geopolitical world. And also in the criminal world. The idea that this kind of technology can fall into the hands of nonstate actors, but also just cybercriminals that are just looking to watch the world as it burns or just make a lot of money when it does. It has extremely both frightening and amazing consequences, right? Because the flip side of all of this stuff is what opportunities are we opening up? What can we do in the medical world, for example, once we have quantum? And the advances that we could make are mind-blowing."
Watson: "Could you kind of illuminate some of the applications? Like I hadn't even thought about drug cartels utilizing this technology, and it's really probably because I just don't have a fluency in its applications – basically the worries about proliferation have been stuck to kind of armed drones over the last couple years with the rise of ISIS, these like very very clearly bad guys. What about some of the quiet guys like a drug cartel or what are some of these applications of quantum? I guess the only other application that I'm aware of is messaging, maybe highly secure messaging."
Thomas: "Right. So if you think of encryption – and I'm not an expert on this topic, and I think if you ask most experts on this topic you're gonna get different answers as well. So that kinda covers me. So I think, though, when you think about encryption no longer being the way that you keep anything secure, and the implications of that, that's pretty much it in a nutshell what kind of these groups could do when they can kind of obliterate any files from Interpol. Or they can get into–"
Watson: "That's frightening."
Thomas: "Yes. Or they can get into any information that border security uses so that maybe you have great facial recognition that you use at the border – or even other biometrics like fingerprints – but then the data's not there anymore. Or, even scarier, it's manipulated. When you think of kind of criminal organizations being able to have this kind of identity fluidity because nothing's secret anymore, that's the kind of worst-case scenario that people hide under their beds for."
Watson: "Interesting. Off the top of your head, we have three scenarios left. Is there another that kind of stands out above the other two? I've got Wiggle Room. I've got Barlow's Revenge. And Trust Us."
Thomas: "I actually love Trust Us, and it's probably because I'm a child of the 80s and I watched those 'Minority Report' and the 'iRobot' and kind of all those things."
Watson: "Philip K. Dick."
Thomas: "Right. So anything where the machines take over is something I watched growing up – 'Terminator,' all that stuff, I kind of lived and breathed it."
Watson: "Legendary Skynet."
Thomas: "Exactly. So anyone who grew up in that time, definitely this strikes a chord because we already saw it played out. So when we read it we say, 'Yes, I know what this is gonna look like, and it's dark.' So I think that's the one that – it gets to the very fiber of what it is to be a human. And I think anytime you get to that question, you're talking about something of consequence."
Watson: "Those are the best questions."
Thomas: "Yes, those are the best questions. And the capabilities to almost build a human is mind-blowing. It's fantastic in where you could use it to help society, to help our environment, to help kind of the big problems of our time. It's terrifying existentially – like, what is a person? – but it's also very scary in application about kind of how would we as humans maintain control of these systems that we built to function without us. I'm all for something other than humans driving cars because I just think the data probably bear out that an autonomous vehicle could do it better than a human. So in some ways I'm like bring it on. That's what I would like to see is kind of little old ladies and the very aggressive drivers taken out of the loop."
Thomas: "On the other hand, nothing is 100 percent secure. So what happens when things are manipulated? It's an easy way to have a high-impact event happen. It's not easy; the kid in the basement, hacker type is not gonna be able to do it. But a nation state? Yeah. Those are the kinds of things I worry about once you hand over certain aspects of the way we live to autonomy."
We'll return to the risks of autonomy a bit later. Because there are some concerns about the risks of cyberwarfare that we're likely to encounter before robots completely reshape the global workforce.
We covered influence operations and propaganda work in last week's episode. Here's Adam Segal – who directs the Digital and Cyberspace Policy Program at the Council on Foreign Relations – with some of the things he's a bit more concerned with as we look to the future.
Segal: "I think there's been a lot of talk about deep fakes and since we're talking about influence operations and the manipulation through machine learning and other tools of video and audio to either, again, to create disinformation, try to stir up social disruption, or to basically allow also people to say, 'No, I didn't say that. That's a deep fake. It's all fake.' So I think people are worried about that as we move forward into the elections. I think other applications of AI to cyber attacks, either in just allowing for greater scale because you can automate, or perhaps providing some insight into targeting. Those I think are areas that people are most kind of focused on. I think looking probably farther out past the next couple of years, the impact of quantum information systems as the Chinese seem to be moving ahead at least on quantum communications, if there are breakthroughs on quantum computing, then that's gonna have large impacts on encryption if we're not prepared for them."
Other experts aren't quite so worried about the quantum realm. I called up Dmitri Alperovitch of the cybersecurity firm CrowdStrike. And here's what he advised about the whole quantum technology debate.
Alperovitch: "I'm not as concerned about quantum in the cyber realm. Probably the biggest impact of quantum computing will be the ability to break some of the existing cryptographic algorithms like the RSA algorithm and the Diffie–Hellman algorithm, which are used in public key cryptography. But we now have algorithms that can replace that; they're quantum-resistant; we are now working hard to standardize those algorithms and get them deployed. By the time quantum is gonna be here in significant fashion, I'm pretty confident we will have quantum resistant cryptography, so I'm less concerned about that. And in other areas, quantum is gonna be incredibly powerful, but it's not gonna solve every problem; it's not a panacea. Quantum computers are not general computing devices; you're never gonna run Excel or Outlook on a quantum computer. It's gonna be focused on solving very, very specific computationally hard problems like breaking cryptography and many optimization problems. But I don't think it's actually gonna have that huge of an effect on security. The one area that people have thought about using quantum computers to actually make things more secure is with quantum key distribution where you're basically leveraging the properties of quantum physics to basically have unbreakable and untappable cryptography; but unfortunately that doesn't really scale. It requires a direct-to-direct link where you can have photons going over that line – doesn't really lend itself well to our internet-based systems where we go through different packet switching devices numerous times before we reach our destination. So I think even application of those systems is gonna be quite limited."
5G and Huawei
The more immediate concern, the 50-meter target, as the U.S. military would say, is giving us all faster service with a new network infrastructure with 5G speeds. And that brings tensions between the U.S. and China into very sharp focus.
Segal: "The real issue is because of the nature of 5G, and so much data going back and forth between the core and the periphery, some of the base stations, and the constant need to push out new software and update the systems, even if you inspected the source code and the software, once version 2.0 or 3.0 came out, you would still not be assured that there wasn't information being gathered..."
Information gathered by, for example, hackers and spies working for the ruling Chinese Communist Party, which experts like Segal refer to in shorthand as the CCP.
Segal, continued: "...So you have to trust the company, and the U.S. government has argued you can't really trust Huawei because it's connected to the CCP (Chinese Communist Party) and is under obligation to share that information. Huawei has said that is not true, and that they would never turn over the government, which is not a particularly reassuring kind of assurance given the way that we know the government and the CCP work in China. The other thread is disruption, that somehow Huawei would turn off the system in times of national crisis. And again, that is also possible; you have to trust the operator. So I think the U.S. has done the right thing about warning about the risk; I think the issue has been that we've tried to convince our friends and allies that they shouldn't use Huawei, but we haven't provided an alternative, right? The market is dominated by Huawei and ZTE, another Chinese company, and Nokia and Ericsson – European companies. So there's no place for the U.S. to easily step in. So you have to either think about are we going to, how is the U.S. gonna help with that issue? Are there kind of security practices we want to develop in concert with our allies and partners? Do we want to think about investing in the next generation? Can you remediate the risk in other ways? Which, that part of the strategy, I think, has been less helpful."
As for the Trump administration, there is a new or updated policy on the use of cyber tools and warfare and posture. But the White House isn't talking about any of that publicly. House lawmakers even passed a bill to finally see that update, and so far there's been no resolution to that one, but the bill just passed the House last week.
And we would, of course, love to learn more about how America is defending its citizens, infrastructure and allies from cyberwarfare today. But as you might imagine, they're not saying a heckuva lot about it all. One official, however, did make an effort of a sort just last month in a conversation with my colleague Patrick Tucker.
The official was B. Edwin Wilson, and he's Deputy Assistant Secretary of Defense for Cyber Policy. Here's a bit of that conversation from the 2019 Defense One Tech Summit in Washington.
Wilson: "The way I think about it, when I look at different technologies, especially in our arena, is really we're in a state of digital transformation. And so I think you can point to a whole series of technologies that independently are really surging. There's, you know, there was a little bit of a discussion earlier – AI, quantum computing, we've got the whole world of autonomy, autonomous behavior in terms of cars and all of the above, large data analytics in terms of processing, et cetera, et cetera, I won't go through the whole string – but when you bring those together, I think it's really a two-edged sword in a lot of ways. It's two-edged in terms of being able to defend yourself from a military perspective and provide more robustness, but it also presents challenges because others are using it for offensive (cyberwarfare) and we would do the same obviously for high-end warfare, is this digital transformation is at a pace that I don't know that in history we've seen anything that would match the changes that are coming at us. And it's both challenges and opportunities, no matter what walk of life you're in – if you're in business I think it's presenting tremendous opportunity for productivity, efficiencies, et cetera. In the world that I live in day in and day out, that speaks to threats, and then what are we going to do about those threats. And so the digital transformation I would describe it as the challenge is one of the things that dominates our thought day in and day out.
I wouldn't sit that thought on any single one of those technologies; I think it's the maturation of the ability to weave those together in solutions that at times – I would add 5G to that, you know 6G someday – it's just so pervasive, the pace of those threats, the scale and scope of those threats and quickly the sophistication of those threats (and opportunities) but threats in our world present a unique challenge that I'm just not – I can't come up with a historical analogy and if anybody in the audience has it, I'm all ears because there just has not been a time in history from a national security perspective that we've seen this kind of a threat and challenge, but also opportunity."
Tucker: "In terms of adversaries or, if you will, potential competitors that are able to use and leverage those current trends in the exponential rate of information technology, where do you spend most of your time – China, right?"
Wilson: "China is the bellwether in this case. Russia as well. Both have the technology wherewithal as well as the capacity to put these technologies to use in a significant way."
And in case you've been living in a cave lately, you've heard about the debate over Chinese tech firm Huawei. They're on the forefront of the 5G revolution. But their products have also attracted enormous suspicion from U.S. officials as part of a larger tech war with China that will unfold with more drama in the years to come.
More drama because Huawei devices are rotten with security risks and so-called backdoors that allow cyber specialists access we ordinary consumers would probably be made quite uncomfortable discovering – and backdoors you can bet U.S. government personnel are deeply disturbed by.
Matt Wyckhouse is co-founder and CEO of Finite State. His firm just completed a fairly damning analysis of Huawei equipment in June. And here he is unpacking his firm's very own quite dramatic findings.
Wyckhouse: "What we did is we wanted to get a broader picture of the security risks of Huawei devices than what's been done to date..."
And that's one of the points Adam Segal was making. The U.S. government has alleged risk in Huawei equipment, but it hadn't put out very robust proof to back that claim up. That's where Finite State's report comes in, as Matt explains.
Wyckhouse, continued: "...There's been effectively a gap in the analysis where you know policymakers on one side are saying we just assume Huawei has backdoor access to the devices that they deploy and Huawei is saying absolutely not, we don't operate the infrastructure so we don't have access to these devices. And so what we did at Finite State was try to understand the overall risk of each device, and we did that very comprehensively. We looked at over 500 different products, almost 10,000 different firmware images for those products and looked for trends across that entire dataset. So we looked at nine different dimensions of risk, a few of those that stand out that are important are: Are there backdoor credentials baked into the devices? Are there accounts that might be undocumented that exist in the device that would allow someone to log into the device with some sort of an administrative privilege or just some sort of access into that product which could facilitate additional access and exploitation of that device. We looked at what are the known vulnerabilities in the software that's being used inside of the device – are they using particularly vulnerable versions of third-party libraries? That's actually where a lot of vulnerabilities come from in embedded devices like network equipment and IoT devices is they might be using an old or vulnerable third-party library. We look at that. We also assess different types of risks associated with the software engineering practices and security engineering practices of the company. So we look for evidence to see are the engineers there making good security decisions? And one way we looked at that was analyzing whether they were using safe functions versus unsafe functions. And oftentimes in libraries that are used, you can choose to use a particular function to, for example, copy memory from one location to another, or copy a string from one location to another.
And it's a fairly straightforward substitution to use a safe version of that function which would prevent a buffer overflow. What we saw with Huawei devices was that they most of the time were using the unsafe versions. And when we looked at the credentials we found between the credentials and possibly baked into cryptographic material, more than half of the devices had some sort of a possible backdoor. And when we looked at the known vulnerabilities we saw that there were more than 100 different known vulnerabilities or known CVEs in every device and those are all very high numbers."
You might be wondering what an enormous and influential company like Huawei thought of Matt's report.
Wyckhouse: "Huawei has responded. They initially – they have responded in a very fragmented fashion, let's say. So their U.S. chief security officer Andy Purdy originally came out right after the report and said this is exactly the type of transparency that the telecommunications industry needs, and if the U.S. were to implement this type of analysis across the board, everyone would be more secure. Effectively, I'm paraphrasing here. Then the Huawei product security incident response team had a fairly barbed response that they shot back at us looking for holes in the analysis that we did and they believed that they found some. They accused us of using outdated firmware, which was untrue. More than 95 percent of all the firmware we used was the latest version as of April 2019. And they accused us of using flawed analysis methods, which is also untrue. They wrote off some of the backdoors that we found as not remotely exploitable, but the point is that they're there and they can facilitate privilege escalation and all sorts of other parts of the attack chain. And there's no legitimate reason that they need to be there in the first place. So we've had some pushback and we've actually responded to that as well, and you can see on our website we go through the pushback that we've received and explain why as part of a secure software development or hardware development practice, you shouldn't have these things in there. So there has been some response. But we stand by it. The bottom line is the findings that we came up with are quite consistent with the other public analysis that's been done, which is the UK's HC-Sec analysis and with our report we can see that two completely independent sources have found that the software development practices at Huawei are far below industry standards from a security standpoint and a quality standpoint. We both are independently saying there are high numbers of vulnerabilities of these devices.
We are going out there and saying there are trivially-exploitable vulnerabilities in these devices that can facilitate access. Some of those are as simple as knowing what the password is to a backdoor account named Huawei on that device. And that account is oftentimes undocumented. So there are serious security issues here and it's very hard to push back on this analysis, and that's why we did it the way we did it. We looked at this across the board – this isn't just one or two Huawei devices that has these problems; this is consistent across their entire product line."
Alperovitch: "I think people are rightly calling the internet the fifth domain of warfare..."
Here's Dmitri Alperovitch again.
Alperovitch, continued: "...and in any domain of warfare, you do not want to rely on your potential adversary for key weapon systems and key capabilities. So the Huawei debate, for me, is actually a little bit misguided because I think the focus on a singular company is not helpful, because it really is not about the company. It is about the countries that are adversaries. And we do not buy tanks and aircraft carriers from Russia, China, Iran or North Korea for very good reasons. So I do not know why we would consider buying key infrastructure in the digital domain from those countries regardless of who the company is because obviously the intelligence services and the military services of those countries would do everything in their power to plant backdoors and try to degrade those devices in a time of conflict. And we can just not trust it just like we would not trust buying military equipment from them."
So what are the alternatives to using Huawei equipment? Are there any? I put the question to Matt of Finite State.
Wyckhouse: "Yeah, that's a really good question, and there's a very complex set of policy issues at hand here for lawmakers around the world. The problem is there's been a bit of a market failure in the 5G space, in particular. And that's where there's the most concern right now because 5G is really gonna be critical infrastructure with a lot of services of national and international strategic value riding on top of it as we become more dependent on these faster networks. The challenge here is that there are only three or four companies that make 5G equipment. And Huawei has effectively taken the lead in terms of features and time to market. And so because of that market failure that's happened over the last several years, companies that want to implement 5G are in a bit of a bind: you have Huawei that's offering a low price, a high degree of features options, and China often incentivizes that beyond just the product at least appearing to be the best. So in short: very, very complicated. We need to figure out how to incentivize other providers in the space and increase competition. Part of that I think is making sure that everyone understands the total cost of going with something that might appear on the surface to have more features and might be first to market but really is possibly lower quality. It could be lower quality in terms of maintainability, but also in terms of security. If you have something that has a weaker security posture and you go and implement that, over time you're gonna have to spend a lot more on security controls for that network. And if you have these devices getting hacked, you have to spend more on incident response and recovery and dealing with down time. And so security needs to be a requirement. At Finite State, we really believe that the answer here – and I agree with Dmitri that it's not necessarily about one company – it's that we should screen everything that's going into critical infrastructure.
And if we increase that transparency and we set a minimum bar for the security of these devices no matter where they come from, it's gonna start to equalize the market because those who are skimping on security won't necessarily be able to win anymore. They're gonna have to invest there, and that levels the playing field."
The next election
As we all wait for that 5G market to diversify and give us alternatives that don't come with the baggage of a centralized state like China, we here in the U.S. have a presidential election to prepare for.
And while the news from this beat is predictably full of noise and divisiveness and increasingly overt racism from the president of the United States and those attending his campaign rallies in, for example, Greenville, N.C., this week, cybersecurity analysts like Paul Gagliardi are among the few voices sounding alarm bells over the voting infrastructure ahead of November 2020. And not just the systems our ballots go into, but also the cyber hygiene of the major parties themselves. It's all still quite bad, according to a recent analysis from Gagliardi's employer, SecurityScorecard. Here's Paul on what they discovered.
Gagliardi: "So we came out with a report recently where we focused on the security of the parties themselves. Not necessarily the voting systems or the actual voting implementation. What we found domestically was that we do think that the Republicans and Democrats are certainly improved since the 2016 election; I would say that their hygiene is not matching what I witness in the DOD or financial sectors. So our system finds cyber hygiene issues or factors that normally we wouldn't want to see in a completely buttoned-up company."
You might think it shouldn't exactly be like this – poor cyber hygiene now three years since the Russian influence operation of the last U.S. presidential election. But perhaps we're just overestimating what we Americans have in fact learned from the past.
These political parties, Paul told me, don't have the resources for this kind of defensive posture that you might expect them to have.
Gagliardi: "The Bank of America CISO came out and said we have a blank check for our cybersecurity defenses. You know, Northrop Grumman and Boeing have significant resourcing to defend their IP and network. The Democratic party probably does not have that significant of a budget. The smaller parties certainly do not. We observed – we're not gonna name the party, but it's not the Democrats or Republicans – they had exposed a web server where you could type in someone's name and out would pop their address, date of birth, full name, and it was seemingly some voter validation form. This was – we found that about a month ago. We called them, disclosed it to them, they fixed it within 12 hours. So we were pleased with the turnaround of the fix. That is a rather glaring problem. And if we could find that within a few hours of work, I think we could extrapolate that a motivated attacker would have some success."
Watson: "Are you noticing a little bit smarter behavior across the board, since the (2016) election?"
Gagliardi: "I think we are. I think SecurityScorecard's perspective on this is that we've seen a large attack vector through vendor risk or vendor ecosystem. So if you want to get through to a large corporation or company, sometimes it's easier to go through one of their vendors or suppliers or contractors. That attack has repeated itself and in terms of defending yourself against that type of attack, you do have to stand up third-party risk or vendor-risk management entire teams. You really have to no longer look at just defending your own little castle; you have to assume that in a world of interconnected information that your information is actually being handled or controlled by other vendors."
Alperovitch: "I think election interference is here to stay."
Dmitri Alperovitch of CrowdStrike again.
Alperovitch, continued: "And a variety of threat actors, both domestic and foreign, will likely play in this space. Obviously we have seen what can be done in this domain in the past, both from an influence operation perspective — leveraging social media and trolls and bots and the like — to try to impact the public opinion. But also probably the most impactfully the hack and dump schemes that we have seen in the past targeting a number of different countries over the years. Those things will likely continue. The big concern of course is around the election infrastructure itself — the voting rolls, the vote-tallying systems, and the reporting systems, everything that's actually involved in doing an election — we have not yet seen significant attempts to interfere with that process in the past; but that, I'm sure, is coming."
I asked Dmitri if he thought we should just go to an all-paper ballot system for our elections, and here's his answer.
Gagliardi: "I think it's very telling when cybersecurity experts, myself included, are suggesting that virtual voting booths should not be encouraged."
That's Paul Gagliardi again.
Gagliardi, continued: "… When you have people whose job it is to automate things and bring stuff into the IT computer world suggesting that we need to revert back to paper ballots hand counted, that's obviously very telling."
Watson: "Is that where you are?"
Gagliardi: "I would certainly suggest that as well, yeah."
Also ahead in the future: all those things sharing your router's wifi signal at home are probably going to be silently hijacked in all kinds of ways we can hardly even imagine at this point, Matt Wyckhouse told me. That's one of the things that you could say keeps him up at night.
Wyckhouse: "At Finite State and me personally, so I'm very interested in how the Internet of Things impacts cybersecurity. And we are acutely focused on that. What's happening, the big trends that we see is that we've moved from an era where cybersecurity was all about information loss — you know, intellectual property was being stolen, medical records, credit card numbers were being stolen. And that's how the attackers were either making money or achieving their strategic objectives, if it was a nation state. With the growth of the internet of things, and there's also been a simultaneous growth in ransomware, and those two things kind of converge, attackers are finding they can win either economically or strategically by causing damage or threatening to cause damage all the way up to the possibility of loss of life. So cybersecurity is not just information security anymore, it also includes safety and resilience and reliability of the systems that are running our daily lives more and more. So the internet of things is where the digital world and the physical world overlap; and where those are overlapping right now, and there are vulnerabilities attackers are starting to exploit those things and hold them for ransom or use that to achieve mission objectives, and that is probably the most concerning trend. The attackers are moving from stealing to harming. And harming people has these effects in the real world when we're talking about systems that are connected to these physical devices — medical devices are a huge area of vulnerability right now where you have devices that have been built over long periods of time with long supply chains and a highly regulated environment that had a lot of vulnerabilities in them and those are keeping patients alive at some points and they're sitting on networks that might have other types of devices on them. We actually do spend quite a bit of time looking at the healthcare industry and helping hospitals."
The next generation
Thomas: "So the great thing about where all these things are going in a scary way is that they're also going in this way in ways that can protect us…"
That's Dawn Thomas again.
Thomas, continued: "…and we just need to make sure that we (a) know we need to be protected, (b) know what's worth protecting, and then (c), have a way to do it."
How can we do those things better in the future? For Dawn and others I spoke with, awareness of the risks of our very cyber lives is becoming more commonplace among America's youth. And that's a promising development. But to make our future generations a bit smarter and a bit more skeptical, I suggested to Dawn perhaps we ought to teach stuff like symbolic logic at younger ages across more high schools in America. Which is a start, she said.
Thomas: "Logic is needed no matter what. And I would expand it even further; we don't even need to put cyber in there. We just need a savviness about information. We need to better understand where we're gonna get our information from. And where it might be coming from. And to always question, to always validate. Not to take things at face value, not to click on that link in your email. That should be built in; and the only way I know to build it in is to do it from when you're young. You know, one of the folks that we work with at Berkeley is always trying to emphasize the upside, right? So I would want to end on a note of kind of with all this advancement is amazing opportunity. There's amazing opportunity to answer the questions of life right now: How to protect our planet? How do we feed our people? How do we keep peace between nations? How do we make sure that even the most vulnerable among us are protected? That we could use the data and the tools and all these things that we're talking about in a very negative way because it can get scary, but we can use them to better society. We just need to be doing a lot more protecting, thinking, learning, teaching to make sure that we're opening opportunities and kind of closing the most major of the vulnerabilities."
Dmitri of CrowdStrike is also not all gloom and doom about the risks that lie ahead and how awareness and defensive measures are getting better. Here he is with a bit of optimism about some of the trends he's seen lately.
Alperovitch: "I coined this phrase that has been repeated many times and I'm sure you've heard it, that there are two types of companies: those that have been hacked and know it, and those that have been hacked but don't know it — with the implication being of course that everyone's been hacked. But I've recently been thinking a lot about it and I've been talking to Rob Knake and Dick Clarke who just wrote a book on the fifth domain where they quote me on this, and I've since amended that phrase where I now believe there's a third type of company, which is being targeted continuously just like the other two types, but is actually able to resist those attacks. I now believe and I've seen this in day to day job here in CrowdStrike, how you can actually defend an organization against persistent adversaries, nation states, criminal groups, and it all comes down to speed. You have to be faster than the adversary, you have to assume that they're inside, you have to find them quickly, and you have to eject them before they accomplish their objective. And there are companies that are doing this every single day out there. And it is possible, so I do want to end on an optimistic note that not everything is bad out there. And we're actually learning how to defend ourselves, even against very dedicated threats."
Do you know teenagers fretting about what to do with their future? They're probably better positioned for a career in cybersecurity than you or I were when we walked up the stage to get our diplomas. If the young folks in your life are asking you what to pursue, consider this input from Matt Wyckhouse of Finite State — he describes a team that, to my ears, begins to sound a bit like a real-life version of "the Avengers."
Wyckhouse: "I mean there's a massive talent shortage in cybersecurity. And so anyone that's interested I would highly encourage them to join us and help protect the world and keep our future safe. There are opportunities for people with backgrounds in cybersecurity specifically or computer science, but cybersecurity is a field that is so complex that we need people all backgrounds — from public policy, to law, to the social sciences and psychology — it all comes together in this very complex dynamic. And there's room for everyone, and we really need to embrace that as an industry. And the point is if you're young and you're interested in cybersecurity, I would highly encourage you to go after it, because every single company is hiring for it right now."
As we finished production on this episode, the Trump administration's Director of National Intelligence Dan Coats announced he'd just created a new job called "election threats executive."
Shelby Pierson is taking the new post announced Friday. She's been in the intelligence community for more than two decades, and most recently acted as crisis manager for election security during the 2018 midterm elections — so maybe moving offices this weekend won't be much of an issue.
Coats also said he's ordered America's other spy agencies — including the FBI and the CIA — to name similar chiefs of election security.
That's it for us this week.
We'd love to hear what you think as we pivot to the past with our final episode in this series next week. Email us at [email protected]. Or leave us a voice mail at 731-617-9124.
Thanks for listening, everybody. And we'll see you again next week.