Reimagining Cyber - real world perspectives on cybersecurity

Ukraine & Cyber Attacks and a 'Weirdo' in the NSA - Ep 44

November 30, 2022 Season 1 Episode 44

Over the past couple of years Reimagining Cyber has featured guests with lots of interesting perspectives and opinions, but it seems that our info hungry audience wants even more.
Hosts Rob Aragao and Stan Wisseman have been asked to share news of their own interactions and experiences, and who are they to say no?
So, in the first ever ‘Reimagining Cyber Extra!’ Rob and Stan bow to listener demand and address the following:

- The war in Ukraine and a link to a decrease in cyber attacks
- A brush with “one of the biggest minds in cyber and cryptology” (Hint: it’s not Rob or Stan)
- “Who are all of these weirdos?” Stan reminisces about his early days at the NSA
- Cyber Informed Engineering
- Can President Biden’s zero trust strategy apply to the OT environment?


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

Hey everyone. Welcome to Reimagining Cyber Extra. So, Stan and I have heard quite a bit from our listeners that it's great that you have all these guests come on and share a lot of interesting perspectives. We’ve been doing that for over two years, believe it or not. It'd be great to hear from the two of you directly.

So, we thought, hey, why not bring forward some of the recent relevant interactions and news that we're seeing out there and participating in, and just share that with you and see how that goes. So, it'll just be a very simple, casual conversation amongst us about some of those activities, some of those engagements that we've had, and we'll kick it off today.

And Stan, why don't we give it to you? What have you been seeing out there? What have you been working on? What have you been hearing? 


Actually, one of the things that's really cool, Rob: we've had Shawn Tuma on our podcast twice [Shawn Tuma, Cybersecurity and Data Privacy Attorney at Spencer Fane, LLP, episodes 15 & 27] and I had never had the opportunity to meet him in person. COVID got in the way of meeting people.

I was in Dallas last week and had the opportunity to have lunch with him. Very cool. Nice. And again, for our listeners, one of the things that Shawn is heavily involved with is his security and privacy practice around cyber insurance. Yep. And we talked about that, as far as how it's been going with his practice and all that.

And it's been a down year. Really, I'm not saying his practice per se isn't necessarily down, but he had an event with his peers last month and in general, cyber-attacks in the US at least are down. So that impacts, again, the folks in his sector, lawyers trying to protect and respond to their customer needs.


And then he said some of the incident responders are laying people off. The speculation is that a lot of the bad actors that perpetrate a lot of this cyber-criminal activity are in Ukraine and Russia.

Ah, yeah, so their energy is somewhere else at this point. They are either conscripted and fighting a war, or, right, fighting each other. And this is probably just a temporary blip on the radar screen. But it's an interesting perspective though. Yeah.

So, I don't know if anybody else is seeing that out there. I think we are certainly seeing the headlines still. There certainly are attacks occurring, but in general, they are seeing a downward trend in claims to these cyber insurance providers. The IR folks weren't getting as much business, and the legal side wasn't seeing as much business.

But it was great to meet Shawn. I actually had a chance to just hang with him and get to know him better. Great guy.

It is always nice to have the opportunity, right? As you said, COVID has put a dent in a lot of these face-to-face interactions, so it's great to hear that you did that.


But you had one recently, right? Face-to-face, yeah. 


Yeah, pretty good. Sizable event. Interesting one. So, this was, I don’t know, maybe a few weeks back or so at this point. I won't share who the organization was, but basically a very large US-based telecom that probably does more of its business on the consumer side, with their services and obviously products.

And they do a great job annually of putting on a one-day internal cybersecurity event or conference. Really. And the keynote was actually done by Bruce Schneier, which was awesome, right? Wow.

You want to give people some background on who he is? Because again, not everybody may know. He's been around forever, but he's been around for a long time.

He's been around since the creation of the internet, as he shares. And he's one of the biggest minds in cyber and around cryptography, right? So, he is just so ingrained in the day-to-day activity that we're all used to doing now in cybersecurity, which he has been involved with for years.

He's teaching policy at Harvard now. He has his tentacles in every little thing. Still to this point, the passion, right, for cyber just comes across, and he just did a nice job of going through the state of what he's seeing out there in the world of cyber.

And one of the things, a couple of things really, that he emphasized and that I took away: one, which I really love, and you and I talk about this all the time, is a key theme behind the show and at the core of why we even started this, right? Which is around cyber resilience, right?

And he was talking about that kind of maturation of cyber resilience and how it's just great to see that people have finally come around to thinking of it in that regard. And some good things are happening in that space. And the other thing, which was really the main theme of the entire day and which he again included in his keynote, is all around the need to secure the software supply chain. And so, if you think about that, it translated into this particular client of ours that we work very closely with. I'll say it was very refreshing to hear what they're doing.

We've worked with them pretty closely for some time now, but we've always had the discussions more so, of course, on kind of the security audience side of the equation.

And we talk about that need to really balance things out with the dev teams, and ingrain ourselves more in the dev teams and not slow them down. Just really, how do you bake security in? They're doing it, and it's one of their top three initiatives to continue to really drive that relationship, so that more of the security capability is in the hands of the dev teams and the validation, the gate checks if you will, are more seamless, with security over the top with some more governance than anything else.

So, I was just impressed because it wasn't just a cybersecurity leader within this organization that was sharing that; it was in true partnership on stage with the head of development as well. So, the two of them, side by side, sharing that actual perspective.

Going back to Bruce for a second, I don't know about you, but I always monitor his Schneier on Security. He has that little blog. Yeah. And yeah, he posts things that catch his eye. Snippets, yes. Little snippets. Sometimes it's in the news, sometimes it's some kind of publication.

He wrote the seminal book on cryptography. Yeah. Yeah, he's got another book coming out actually too. 


So, I joined NSA, the National Security Agency, back in '84, and I joined as part of something new: the Computer Security Center. And we did Orange Book evaluations. Yeah. Okay. But we were so different from the rest of NSA. All of NSA was about cryptography. And who were these weirdos over here, publicly facing? We had a multisystem that had forms that were talking to vendors, and you guys are doing what? What the heck is computer security? It was just this alien concept to all these crypto nerds, and it was uncomfortable because we really were the black sheep.

And now of course, the whole career, the whole industry has changed and has grown. But at the time it was very odd. Yeah. And all of us, even though we were doing computer security, we all had three weeks of learning about crypto. Cuz if you're gonna be at NSA, you better learn something about crypto!

Of course. You know what's interesting too is, being part of that event with that telecom, it brought me back to my days on the telecom side, running security as well. This is 20 years ago now. So, back then, this was more of a backbone provider that I was working with.

And all of that really was very early-stage security: firewalling, access control lists, the basics at that point in time. And it's just crazy to think about, in that timeframe, just being in the industry and how it's all evolved into different things.

Yeah. And that translation of, yeah, when I was in telecom it was all about the networking, and then we had these access control lists and the kind of beginning of some firewalling. Yet now we're really talking about the kind of, here's what's burning: how do you deal with the software supply chain?

Here, these are the things we're actually doing. And honestly, back then I was like, ah, I feel like we're so far behind with telecom. But being there again a few weeks ago, it was like, they're actually ahead of the curve now in a lot of things, compared to what we've seen out there where they're not truly partnering with the dev teams and making that true embedding of security a reality.

So, it's just nice to see how that's happened. 


But one of the areas that we all know is behind, or is catching up, is the whole operational technology, the OT sector. And we've talked some about that, right? In our podcast episodes. But I was at an event last week that the Department of Energy sponsored.

And it was called the Energy Infrastructure and Environment Summit. And part of this is the whole exercise of trying to share from the government what the priorities are. What are they doing? Some of the ways in which they're trying to move the needle. We have this infrastructure bill, what does that mean to the industry?


$68 billion associated with green infrastructure. How can we actually help ensure that this time we build security in as they build that out? Cuz everybody wants to, like, I have solar panels on my house now and I want to have visibility into what that means. How am I reducing my energy bill?

Everybody wants visibility into the grid. It's not made that way right now. Yeah. And so how can you actually provide access, but also control access? And one of the things that was new to me that I heard about at the event was a new guideline from DOE called Cyber-Informed Engineering.

And it offers a framework on how to engineer out cyber risk throughout the design and operations lifecycle. And it's really tailored for those OT engineers and operators. Yeah. So, build security in, but really with an OT focus, recognizing they have a different world than the IT side of the house.

And they're hoping that, that guide will help with the decision process of how to apply those kinds of controls to eliminate some of these avenues of attack that can occur in the OT environment. It's cool. It is cool. 


And I'm glad to hear it because we know, right, from the critical infrastructure side it's been neglected, right? It hasn't been thought about. And obviously some events have opened people's eyes, and obviously current events are making it even that much more concerning. We've had some guests on to talk about that. I think we actually, you said it, need to get some more guests on that topic going forward because it's so prominent.

But I'm glad to hear that they're actually truly looking at ways to embed it in. And it's coming very much from the government perspective because, I think back to just a few years ago on the medical device side of the equation, right? And IoT and all these connected medical devices, and there's actually a lot of good security that's occurring.

Yeah. Actually, I think we spoke to the product security director at Siemens, Brett Harris, about how he's actually helping build security into the medical devices they've got. Yeah, exactly. Sometimes people aren't thinking about those things, right?

Like we know, right? The connected device is basically vulnerable. It doesn't matter what it is. I don't care if it's a Tesla, right? I don't care what vehicle it is, or if it's a medical device, right? All these types of elements, as you're talking about critical infrastructure. We had Ikjot [Ikjot Saini, Assistant Professor at the University of Windsor, episode 14], remember, talking about IoT security and a lot of the research that she's doing.

Connected vehicles. Exactly. So I think it's good to start seeing more emphasis on it, because it truly is the kind of next level of the attack surface, of how much security is really being baked in. So, to hear some of these things actually coming into the design phase is really great.

One of the interesting areas that they talked about on the panel was, you have this executive order from Biden around zero trust, right? Or that has zero trust in it, and how do you apply zero trust to the OT environment? Yeah. Yeah. It breaks. Yeah. You can't just try to shove zero trust concepts into OT. It takes rearchitecting in many cases. And then, part of the observation was, look, it's a marathon. It is not a sprint. The use cases will vary, areas of focus. If you go back to the CISA, you have those different areas of focus, whether it be on network or data or identity, right? An organization may pick identity, another one may pick data, as far as where to start their race.

But it is gonna be a challenge in those kinds of operational technology environments to apply zero trust without impacting operations. Yeah. And so that was an interesting conversation.

No, that's a great point. That's a great point. Now, Stan, I'm gonna wrap things up, but before I do that, you are somewhere now and there's something else going on, yet another event that you're gonna be speaking at.


Maybe you can give the audience a little glimpse into what that is and what you're gonna be covering.


Yeah. I'm in San Antonio right now. We have the AFCEA TechNet Cyber conference coming up this week, and I'm speaking tomorrow on securing the software supply chain. And it's really around how we can look at the supply chain risks in a way, you know, that we understand the use cases. There are those that are intentionally trying to inject malicious code into supply chains, à la SolarWinds. You also have, yeah, unintentional introduction of risk by consuming software components that may have vulnerabilities in 'em.

And how do you put in place mitigations for both those kinds of scenarios? I think it's really relevant right now, as far as definitely a lot of organizations are concerned about both use cases. And I'm looking forward to a good conversation. Good. I'm sure it will be, for sure.

It's very much top of mind for many people; we've been talking about it just today, some of those different examples we were sharing. So, I hope everyone enjoys this, something different for us. We'll see if it works, and we'll continue it if it does. So, thanks for joining us today.

Looking forward to the. Until next time, Rob.