At The Boundary
“At the Boundary” is going to feature global and national strategy insights that we think our fans will want to know about. That could mean live interviews, engagements with distinguished thought leaders, conference highlights, and more. It will pull in a broad array of government, industry, and academic partners, ensuring we don’t produce a dull uniformity of ideas. It will also be a platform to showcase all the great things going on with GNSI, our partners, and USF.
How Vulnerable Are We? Inside America’s Cybersecurity Crisis
In this episode of the At the Boundary podcast, Dr. Tad Schnaufer moderates a panel discussion on key insights from the 2025 Cyber Bay Conference. Joining him are Dr. Linda Nhon, Resident Fellow at GNSI; Dr. George Burruss, Professor and Chair of the Department of Criminology at the University of South Florida; and Chris Hunter, Chief Legal and Compliance Officer at IWP Family Office.
The panel took a broad look at cyber security, especially as it relates to national security, and emphasized the need to build stronger knowledge of cyber preparedness in case of malicious attacks on critical infrastructure. Examples of past cyber-attack incidents, such as those involving the Salt Typhoon and Volt Typhoon groups from China, and Sandworm from Russia, gave insight into how both cyber and physical vulnerabilities can be exploited by hostile actors. Currently, most critical infrastructure in the U.S. is not prepared for a large-scale attack or grid shutdown.
As the world becomes more integrated, the panel underscored how modern tech can be exploited to take advantage of the individual user, a company, or even the government. The individual needs to be educated on how cybercrimes can affect their personal lives, and the broader community needs a plan of action for when a cyber-attack may cause a grid shutdown.
Links from the episode:
• Tampa Summit 6: Nuclear Weapons in Modern Warfare
• Axis of Resistance Episode 8: General (ret) Frank McKenzie Interview
At the Boundary, from the Global and National Security Institute at the University of South Florida, features global and national security issues we’ve found to be insightful, intriguing, fascinating, maybe controversial, but overall just worth talking about.
A "boundary" is a place, either literal or figurative, where two forces exist in close proximity to each other. Sometimes that boundary is in a state of harmony. More often than not, that boundary has a bit of chaos baked in. The Global and National Security Institute will live on the boundary of security policy and technology and that's where this podcast will focus.
The mission of GNSI is to provide actionable solutions to 21st-century security challenges for decision-makers at the local, state, national and global levels. We hope you enjoy At the Boundary.
Look for our other publications and products on our website publications page.
Jim Cardoso: Hello everyone. Welcome to this week's episode of At the Boundary, the podcast from the Global and National Security Institute at the University of South Florida. I'm Jim Cardoso, Senior Director for GNSI, and your host for At the Boundary. Today on the podcast, we're conducting a follow-up conversation with the participants from a panel GNSI organized for the recent Cyber Bay conference in downtown Tampa. That panel examined the question: is cybersecurity the foundation of national security? It was moderated by our own Dr. Tad Schnaufer, strategy and research manager at GNSI. Joining him on the panel is Dr. Linda Nhon, resident research fellow at GNSI; Dr. George Burruss, the founder of the Cybercrime Interdisciplinary Behavioral Research Laboratory, otherwise known as the Cyber Lab here at USF; along with Chris Hunter, a former lawyer with the Department of Justice who is now the chief legal and compliance officer in the IWP Family Office and a GNSI non-resident fellow. Take it away, Tad.
Tad Schnaufer: Well, we're here with the GNSI team that spoke at Cyber Bay on a panel, "Is cyber security the foundation of national security?" We were able to explore that topic in depth. But first, why don't we go around the team and talk about the overall, your overall assessment of Cyber Bay. How did the conference go? And then, what were your major takeaways? What were the things that you learned about cyber or saw that might keep you up at night? So we'll start with you, Linda.
Unknown: Thanks, Tad. I thought the turnout was great at Cyber Bay. It's very exciting to see Tampa Bay kind of going head to head with Silicon Valley. It's very awesome to see a good representation from USF, Cyber Florida, the Bellini College was there. Awesome food two days, a great food. And I heard there was an awesome drone show too. And so, yeah, it was very great seeing, like, academia, government and industry coming together to talk about cybersecurity issues.
Tad Schnaufer: And what was your biggest takeaway? What was the thing that you learned about cybersecurity, and maybe a discussion you had in the hallway or from one of the other panels?
Unknown: I think what really hit home was how it isn't, how cybersecurity isn't just an IT problem. It's actually more than that. It's pretty holistic. And I think GNSI has a great opportunity to kind of pitch into the conversation. Oh, great, yes.
George Burruss, Ph.D.: I just, to kind of reiterate, just the diversity of people that were there in terms of their backgrounds in military, law enforcement, cyber security, academia and so on, right? So it was, I've been to a lot of different cyber security conferences, and, you know, they tend to go towards, you know, one particular group. There might be an academic conference where they're mostly all academics or or professionals. So I think the the main thrust of this was to bring a lot of people from a lot of people from a lot of different backgrounds together, so you get a lot of really cool conversations going, things you didn't really think about. So for me, that was one of the best things about it. Excellent.
Unknown: Chris. Cyber Bay is fantastic. Really. Was just terrific, high impact conference, and I'm looking forward to subsequent iterations of it. Cybersecurity is the present and future fight, and to have the people present at Cyber Bay that were convened, I think, is a testament to USF, to the Bellini College, and to the broader cybersecurity community that we have here in Tampa Bay. Exactly as George just mentioned, I would really single out and highlight the people, because cyber security is, well, a technical problem. At the end of the day, it's also a people problem, but also people solve that problem. And we had some outstanding people from across the practitioner community, the military community, academic community, was great, right?
Tad Schnaufer: And you know, like we all noted, is that cyber has become a very ubiquitous threat. It's everywhere. It's a part of our everyday lives. It's part of all the critical infrastructure of the United States. And a cyber attack, although might stay in the digital form, if you will, in cyberspace, it can also translate into physical effects, which affects people, you know, who are dealing with that threat, whether if it's at one of our ports or one of our chemical factories or water treatment plants, for example. So why don't we first, you know, re-discuss, as was discussed at Cyber Bay, that fundamental question: is cyber security the foundation of national security, and if so, how ingrained is it in the overall security of the nation?
Unknown: I think it's very much ingrained into our national security, especially in today's society. Not only is our military very much digitally connected, but all of the fabrics of our society, from going to the grocery store to going to the bank, being on campus, everything has become interconnected on the digital ecosystem, so that becomes very much a point of vulnerability or potential attacks.
Tad Schnaufer: So you know, going back to that point, is that everybody, kind of your point, Chris, as well, is that everybody's on the front lines now. So whether you're, again, just doing banking, just doing your day to day activities, most of it is happening in some form or fashion in cyberspace. So whether if it's a criminal attack in your account or a state actor, you're possibly a threat, and if that attack is large enough, it could have wider societal impacts.
Unknown: I very much believe cybersecurity is the foundation of national security today, tomorrow and indefinitely. So many, unfortunately, so many examples to illustrate the truth of that, and Salt Typhoon and Volt Typhoon are are two of the more recent examples. Probably worth getting into some of that right now. Volt Typhoon is the name given to a Chinese cyber espionage operation that accessed critical infrastructure. Embedded malware essentially allowed the Chinese Communist Party's various entities to be inside the systems and services that civil society relies on, just for day to day living. Salt Typhoon was a Chinese cyber espionage operation that compromised the telecommunications systems in the United States in ways that are only now fully beginning to be understood. The Salt Typhoon compromise allowed access to real time intelligence about people and communications. It's been called perhaps the most significant cyber espionage attack in the United States ever. And yet, both Volt Typhoon and Salt Typhoon are not necessarily widely known outside of the communities that are paying attention to stuff like this. So I think that the challenge is one that requires very much a whole society effort to both be aware of and then to solve, too. And that's, yeah, one of the things I think was terrific about Cyber Bay. It brought together that sort of whole society representative group to really take seriously the problems and to think through solutions.
George Burruss, Ph.D.: Yeah, one aspect of the security part of it is, if you think about nation state actors using hackers to get into the system, that just seems like one more tool in an espionage toolkit, right? But the thing about hacking is it's evolved motivation where people are doing it, sometimes speak for profit, because they can make a lot of money off it. Sometimes because they're kind of forced to do it, like, if, especially if you're in a, you know, nation state where they're, you know, you're forced to do things because they make you do it. But a lot of times it's simply the nature of hackers, is they want to hack things because that's, it's fun to do, right? It's, it's a motivation that if I can score big, not only does it benefit me in terms of profit, but also benefits me in social relationships, so I can build my hacker persona. So it's always gonna be the case where we're behind the curve, not just because technology evolves, but because the motivations of the hackers evolve, and the way they do things is just we're always gonna be catching up to be catching up to them, whether it's a nation state or an individual hacker, and, you know, in some remote country.
Unknown: Yeah, I agree with you that the the line between cyber crime and state sponsored, uh, cyber attacks, that becomes a little bit blurry when it comes to attributions. I think, Tad, you had mentioned during the panel that it takes much longer time, like sometimes years, to actually confidently say who the attackers were after the incident. And I think when it comes to Volt Typhoon, for example, think the US knows pretty confidently that as the Chinese backed hack, and the reason, from some sources, that these malware, you know, we're still uncovering where they lie, but the reason why they're still dormant is almost a form of strategic deterrence from China's perspective of if the US tries to align themselves with Taiwan in the scenario of an invasion, China's invasion to Taiwan, they have implanted these potential, these malwares in our political infrastructure that I'm not sure to what extent the US government knows what type of damage that malware will cause, but it's almost like a, a, you know, let's be careful about how we're going, how the US will respond in a potential invasion of Taiwan. I think that's exactly right. The strategic window that the Chinese Communist Party wants to create with Volt Typhoon is is essentially a strategic window of deterrence, so that if the Chinese Communist Party decides to move on Taiwan, so to speak, it has the cape... it, meaning the CCP, has the capability to destabilize U.S. domestic civil society, creating that strategic window to allow for action in Taiwan while, while the United States is distracted. And unfortunately, the parallels between what was going on in Taiwan in the fall of 2024 and what was going on in Florida and elsewhere in the southeastern United States in 2024 are too stark, as we know here. Hurricanes Helene and Milton hit back to back, and the Tampa Bay area hit and among other places and were just absolutely devastating.
At the very same time that those hurricanes were hitting here, Taiwan was observing its its National Day, which is October 10, and the President of Taiwan, at the time, gave a speech that President Xi Jinping of of China didn't care for. And the response was swift. Within 48 hours or so of the National Day speech, China engaged in what was called Joint Sword-2024B, which was a massive multi domain military exercise in and around Taiwan, in the air over it and the waters around it, to demonstrate to Taiwan and to the world a level of kinetic ability to try to deter Taiwan from acting further on the ideas expressed during that National Day speech. Meanwhile, here in Florida, post Helene and Milton, civil society had become disrupted, not by Volt Typhoon, but by the hurricane. So gas lines were extraordinarily long. Not only were gas lines long, but fights broke out. I mean, in one county in Florida, within the first 48 hours following one of the hurricanes, there were 177 law enforcement calls for fights at gas stations. That same type of civil society disturbance can potentially be caused by a cyber espionage actor gaining access to critical infrastructure, destabilizing society by shutting down water, shutting down sewer, shutting down power sources. I mean, Colonial Pipeline, for example.
Tad Schnaufer: Because you might not think that those, you know, gas has any type of cyber to it. It's just in a truck and it drives and it fills up a gas tank, right? But that gas typically comes from a port, and that port structure is runs on a cyber system. That cyber system could either be hacked and then, you know, used to overflow or actually cause physical damage, but also going to just be simply hacked, and then the response would be to shut down the system to prevent the hacking from going further, which, either way, keeps that fuel from getting to people. So it's the same type of scenario that you might have in a hurricane. The only difference is, is that this is all happening digitally, which whether it's a cyber crime, maybe they hold a port or a fuel system at ransom. You pay us, you know, so much money, then we'll open up your, you know, we'll stop cyber attacking your system. Or it's, or it's a nation state purposely doing it to cause that social unrest, because cyber attacks have those secondary and tertiary effects into into society. Yeah.
Unknown: And I think what you just alluded to is the aspect of not only can a pandemic cause supply chain disruptions or tariffs, but cyber attacks can also cause supply chain disruptions quite rapidly, as what we saw with Sandworm. That's another operation that happened. Think it started in 2015 but it's continuously start kept going in 2022, 2023.
Tad Schnaufer: Can you explain a little bit more what Sandworm is? Yes.
Unknown: So Sandworm, it started in Ukraine. So it's, the way that the attackers deployed it was through phishing emails. Once they were able to access the credentials, then they were able to implant a Trojan, which they named BlackEnergy. Once they were able to get into, put in, implant the malware, they were able to go into the command center, control center, and then from there they were able to then gain access. So this is where they're going from the IT realm, moving laterally into the OT, the operational tech. So once you're accessing what they call the ICS, industrial control systems, that's what the operator on the outside would see is on their computer, there's this mouse that starts to move and starts to control the circuit breakers.
Tad Schnaufer: So like someone takes control of your computer, is moving your mouse.
Unknown: Yes, all right, and that's part of the design in the malware they're now having. Well, let me back up. Part of the strategy was for the attackers to gain remote access, and that's what they took control of. Was what the ability to gain access into the ICS, so the industrial control systems, from a different location. So once they're inside, they control the circuit breakers. And the person, the actual Ukrainian personnel, they can see the circuit breakers signals moving down, pushing down, so they're, the attacker is trying to cause a blackout. And immediately the operator realizes that, okay, this is not a normal situation. And then part of the other strategy is to create, not hysteria, but the operators will start to freak out, because they also, somehow, I don't know how, but was able to hijack the phone systems. So now the operators in this room, they're seeing that the control has been hijacked. But then the phone starts ringing off, ringing, so there's a ring, ring, ring, ring, ring, ring throughout the, throughout the room, and so they're panicking, and they're actually now eating into the scheme, or which is for the operators to turn that power back on as quickly as possible. And so what happens when you turn the power back on? Fast, overload the system. Yes, you overload the system, and you cause a power surge. And so what actually ends up happening, ended up happening, which is partly what the attackers wanted, is for these transmissions to blow up, so that starts to cause actual physical damage onto the Ukrainian grid system. Sandworm, it's backed by the Russians. So you could see why this is, and this is in 2015, so this is before the Russian invasion, but they're already starting to, I guess, enter, I guess the Russians are trying to test out their cyber capabilities in Ukraine. You were speaking to Ukraine and Russia, Tad.
You were recently in Poland at a security summit there. Talk about the front lines of the fight in every way, both kinetic and non kinetic, especially cyber. Curious some of the some of the observations that were shared in Warsaw about how Poland and Eastern Europe is dealing with the cyber security challenge that is presented by Russia. Sure.
Tad Schnaufer: Well, I mean, as we've noted here, that critical infrastructure, not just in the United States but within our allied nations, is certainly at risk, particularly those that are in proximity to, you know, potential adversaries, in this case in Europe, the Russians, and they felt, they have felt and experienced cyber and hybrid attacks for years, but even recently, you know, in 2020 the Polish stock market was attacked. So again, this is affecting everyday citizens. When your pension fund or your investments get affected, you know, you log into your accountants, there's a bunch of zeros, or you just, it just says error, or you service, that really causes some unrest as causes an unsettling feeling. And that's that social dynamic, where a cyber attack might sound relatively benign, but large spread, it can have some large societal effects. And that's what the Finnish use is, these ideas of vital societal functions. So you have critical infrastructure, which is a piece of that, but you're also trying to hold society together. So that's trying to limit crime, trying to keep leadership informed, trying to keep messaging on tasks. Or going back to what Linda was saying about the telephones, what if you have nobody you can call because the phones are down, so something bad has happened, you don't know what to do because you haven't been trained, or you're not familiar with what's going on. And then the people you typically would call when something comes up, it's denied to you, that mode of transport or that mode of communication. And one of the things that the Warsaw Security Forum we mentioned quite a bit was this major cyberattacks on the Ukrainian government right before the invasion, in February of 2022, where the Russians knocked out or were able to cause a denial of service of many Ukrainian government websites. What this, this might not sound like a big deal, but when the invasion started, people are looking for information. I'm a normal citizen in Kiev.
There's bombs going off, there's people in uniforms running around. I don't know what's going on. And you know, an official source that I could trust would be maybe a government website, but that's not up. So now, what do I do as a normal citizen? Do I, am I supposed to run and hide? What is my reaction? That's one of the key things as well for coming out of Cyber Bay, that, how do you message and, in a sense, get a society ready for that, and, but before we go there, maybe we talk about the deterrence and defense piece of it.
Unknown: Yeah, that's exactly what I was just gonna say. So you know, how do you deter that? If you're, whether you're Poland, Ukraine, United States, or any nation state that's on the receiving end of advanced persistent threat activity in the cyber domain, how do you deter the actor when, as Linda observed, attribution sometimes isn't immediate, if ever, on the one hand. On the other hand, sometimes attribution, although may not be pristine from a technical sense, is clear as day from a geopolitical sense, and and the challenge then, of course, is to to respond proportionally, but also to do so in a way that deters future conduct with without taking a step up on the escalation ladder, so to speak, and keeping the conflict at a non kinetic level. But you know, so many analogies. I mean, gosh, I remember when, when China hacked OPM many years ago, which is the federal government's human resources department. The Chinese Communist Party was able to suck out bio data on millions of Americans who held security clearances. They did it through cyber means. But imagine, as silly as it may sound, imagine a scenario where foreign nation state armed forces, you know, descend on the on the HR building, set up a perimeter, go inside and steal all the HR files and then exfil. That would be a pretty serious physical breach that would require a pretty serious, presumably physical response. But when the very same thing is done, except, quite frankly, with greater effect, because the comprehensiveness is is much easier to achieve from a cyber attack than from a physical theft. The dilemma is, is real, right?
Tad Schnaufer: How do you respond to attack that clearly in physical, in the physical domain, would be an easy response, to a cyber attack, which you have that deniability, and it happens so quickly, and most people don't even realize it. So how do we deter those things? How do we respond to them?
George Burruss, Ph.D.: Well, so there's two levels. Of course, the, you know, one is the nation state level, and then the other is the individual level. And as a criminologist, one thing we've been looking at for a long time is whether or not hackers, that is malicious, I should say malicious hackers, can be deterred, and the assumption was probably not, because the probability of them being arrested and prosecuted for committing hacking from international courts is so low that it's not even something to think about. But then we put that to the test. So we, what we did, we did an experiment where we tracked a bunch of malicious hackers through a website called Zone-H, where they can log their website defacements. So I'm a newbie hacker, and I want to prove myself so that I can make contact with more elite hackers, I can learn more skills and so on. So I go to a website, let's say the UN's website, and I hack it. And on the front, the web page, front web page, I put SpongeBob flipping off the UN, and so that, that shows that I can do it. And I've done it for, you know, major organization. So this website, Zone-H, will then, I log, I go to the website, I log it in. The website then sends a bot to take a picture of the defacement so I can prove it. And then I, you know, I count that as a tick on my, my resume. So we know these people are hacking because they, they're showing us that they're hacking. So what we did was then randomly sampled a bunch of them, and then we followed them for a while on their social media, made sure they had social media accounts, so YouTube, Facebook, TikTok, etc., and then we created our own fake hacker account. So we made a bit ourselves a fake hacker. And so we kind of hacked the hackers, and we had, we, I think we bought, like, 10,000 followers, and then we had our grad students with daily login, you know, just kind of post stuff on computer technology and hacking and stuff, so that we had our own presence.
And then we, and then after a while, we messaged the hackers and we said, look, you know, we just got, we have a friend who just got busted, the FBI came with guns drawn. You need to lay low for a while, or else, you know, because they're after us. And just to see if that, just putting that into the, the ether would have an effect, and because they kept logging their defacements over, you know, months and weeks, we could then track the decline in defacements. We saw that that was the case. So surprise, you know, somewhat surprising to ourselves that we saw that it actually did have a pretty good deterrent effect, and that's at the individual level. But one thing to think about is a lot of nation state actors may not be employed by the Chinese Communist Party military or the North Korean military. They may be hired out by these countries to do things that they don't even know why. They're just being paid to do it. So they're basically contract hires. So those people could probably be deterred again, if they think that there's a possibility they're going to be, they're going to be arrested. Now, of course, the corollary of that is there has to be, actually, a threat there that the governments can, can go after them. And the FBI has, in many cases, they've gone after people for ransomware or people for sex extortion cases where they've, you know, they've arrested people in Africa and Europe for doing those types of, right.
Tad Schnaufer: Because, you know, going back to that point about deterrence is you can deter individuals, because some of the state actors are just simply hiring hackers, and the hackers might not even know who they're working for. They're just getting paid, you know. So that hurts attributions, makes it very difficult to, you know, again, blame the Russians or the Chinese for everything that goes wrong with cyber attacks, but also the international law piece. So if I'm a hacker and I'm, I'm doing a cyber attack from Turkey to the United States, for example, how does, who's got a jurisdiction, who can actually adjudicate that and then prosecute if necessary? So just create some, some difficult barriers to deterrence. And then even on the defensive side, can you defend against cyber attacks or cyber crime completely?
Unknown: The Department of Justice, a little while ago, stood up what was then called the Disruptive Technology Task Force, or Strike Force, and one of the more significant early cases that they brought involved an indictment of a Chinese national who had been an employee of Google and had used privileged access as an employee of a private sector company to essentially steal artificial intelligence technology for the purpose of advancing various interests in China and on behalf of Chinese entities. Oftentimes, when cases like that are, one, learned of, two, investigated, and then three, presented to a grand jury that returns an indictment, the bad actor, so to speak, is in a jurisdiction beyond reach. In this instance, that individual happened to be still in California and was arrested prior to leaving California, where where he otherwise was planning to leave on a one way flight back to China. That case is still pending. There was a superseding indictment brought earlier this calendar year, and I believe it was the first federal criminal prosecution involving the essentially foreign nation state backed theft of artificial intelligence technology. That individual case can serve as, of course, specific deterrence against that one individual. By bringing it and publicizing it, it can also achieve a general deterrence effect on perhaps demotivating like minded people. But those, but those sort of like minded people who might be otherwise affected by general deterrence are not truly employed by the MSS, for example, and so I don't know that general deterrence actually has an effect on the foreign nation state backed actors. One of the benefits, though, of one off cases like that, is it does a great job of informing business community, for sure, and society more broadly, of the severity of the threat, the severity of the challenge.
And I think that's one of the realities of today and tomorrow, is that so much of this, of the cybersecurity war fight, so to speak, is buy in through the private sector. You know, a lot of the, a lot of the activity that is happening to both defend and protect is being done by civilian war fighters working for private sector companies.
Tad Schnaufer: Right, because a lot of our critical infrastructure is in private hands, and you have civilians often working in those power plants and those sewage plants, water treatment plants. I mean, again, the list goes on. Of all the critical infrastructure we have these individuals, and that goes to a point that was talked about at Cyber Bay, and I think we discussed on our panel a little bit, but that one of the weakest points in cyber security might be the employee themselves. So they might be lacking the training, or they don't know what to do when a cyber attack does something that they don't have the ability to counter. So what, you know, what's, what's that look like when the employee might be the weakest link? And how does that tie into, you know, social engineering risks? Yeah.
George Burruss, Ph.D.: So, so October is Cyber Security Awareness Month, right? So he's still there, he's still there, yeah. And so, you know, you see, which is the right thing to do, which is increase awareness, like, so, so people like us will go on the local news and talk about it. Um. There'll be public service announcements, etc., and that's all good. But the problem is, it's not so much necessarily an awareness problem, that people don't understand the risk is, in general, is they don't understand the risk to themselves. So to give you an example, you might have an employee who understands they shouldn't click on links that they don't know, to look for the warning signs, you know, you know, an email that comes in that says, Dear friend, and then it's got grammar mistakes. That used to be the case. Now AI has really made that problematic, because you can, anyone can craft a targeted email, spear phishing email to towards somebody that has all the details. So, for example, so let's say someone was targeting me, and they go and, let's say I have a LinkedIn account, and they go to that and they say, Okay, well, you've, here's your expertise. I'm going to send you an invitation to a conference in Paris, France, in March, and click here to get more details. And like, Okay, well, that looks legitimate because they've, you know, it's come to me, but I know not just to click on a link because I have awareness. But let's say it's a day where I've had, you know, 20 emails, something's blowing up. I have to answer all these things. I really don't have time. And as the pressure gets up to act quickly and efficiently, then even though I have awareness, even though I know the dangers and the risks, I'm caught. And so there's, I'm sure there's plenty of times where I may have clicked on something I shouldn't have, just because, because of that reason. So, so it's not just awareness, it's also organizational issues, like email load pressure, also the higher level you are.
If you're in the C suite, whether you're an executive or administrative assistant, you're gonna be highly targeted for business email compromise. So again, not just knowing the general risk, you have to know the specific risk to your job, your position, etc.
Tad Schnaufer:It sounds like a lot of extra burden on an employee, right? So you have to screen pretty much every email and be judicious. And seeing this is one letter off, because that's typically how these come in. They're one letter off, and one letter is from a different alphabet. So it even looks similar, but it's the Cyrillic alphabet and then, so now that turns out to be a, you know, a hacker, but you thought just in your glance, that you were good to go?
George Burruss, Ph.D.:Yeah. Well, a common one is, instead of .com, it's .corn, if the fonts, they're all lowercase. And so depending on the screen, the R and the N look like an M, so it looks like a .com. Okay, what's the .com, that's probably legitimate. But in fact, it's, it's not. Wow.
Tad Schnaufer:So you even have to zoom in right at the zoom in on any of this. And again, that's, you know, it's one thing for someone in just a company, or maybe at the university, but someone who's working at a critical functioning site, it's a much bigger deal. So their responsibility is a lot higher, on top of the stress of their day to day lives at the chemical plant, at the munitions plant, or whatever critical infrastructure we might be discussing. So why are those you know, obviously going back to your point, George, and the targeting piece. So if you're an employee at a critical site and nuclear power plant or a munitions plant, what makes them so vulnerable to cyber attacks is just simply because they're going to be exposed a lot more, they're a target, or what else? Yeah,
George Burruss, Ph.D.:that's pretty much, I mean, just, it's just that you're the hackers are looking for those specific people that are gonna be important, right? So they're not just, they're not just sending out phishing emails willy nilly. A lot of them are targeted. And then you target an organization at a, let's say, 100 people. You send an email, you just need one of those people to do the wrong click. So it's cost effective. It costs them nothing to do it right, and you don't even have to be a trained computer scientist to craft these things. There's hacker-for-hire services where you can actually just pay for someone. And you get the GUI, the graphical unit user interface, plug in the numbers, you know, everything you need, send it off, and then it does it all for you, and you pay for the service.
Tad Schnaufer:Sounds like that would be illegal, wouldn't it? Like those sites would be, well, they're on the dark web, yeah, okay, just to be clear, it's not just something you Google. No, no, but that's obviously concerning. But what about, maybe our chemical infrastructure, some other infrastructures? Yeah.
Unknown:I mean, I think over the last 20 years, the numbers of reported critical infrastructure incidents. So attacks on our critical infrastructure has increased by tenfold consecutively over the last like each within each decade. So for example, in 2005 time period, there was only about like 10 reported incidents. Then you jump into 2015 2010 2015 time period. Now you're in the hundreds, and today we're in the 1000s, like there's been. So far this year, it's been 2300 reported incidents of attacks on the critical infrastructures. And that number, obviously, is expected to increase. We're not sure if it's still on that same trajectory of 10x by the next decade, or 100x because now we're in the realm of AI being used to increase the frequency of these attacks and so, but that's, that's a good and bad thing. So if the offense is using AI, you would also assume that the defense would also and could use AI to speed up the patchwork and scanning for all these vulnerabilities. So it is getting more difficult, I think, in terms of securing the critical infrastructures, just because they're getting bombarded with these attacks at a much higher frequency than previously seen.
Tad Schnaufer:So if you, if you're an employee, and you click on a link, what actually happens if I open the email? Nothing? I haven't introduced malware, but it's just clicking on the link, is that's the critical step.
Unknown:Maybe in the future, it'll be sort of like what happened with a Spinal Tap drummer. Just spontaneously, poof.
George Burruss, Ph.D.:Well, it can do a couple things. So it can most common things. It'll send you to a website, so it's, you know, it's still the social engineering part. So I'll say, click on this link for your, you know, free access to Netflix or whatever. And so by doing that, then you go to the website, and then once you go there, will download the payload onto your machine, right? So it's whether it's surveillance or a ransomware or something like that, or sometimes it'll be an attachment like, say, here's an Excel file. Go click on this. So to give you an example, and this always, always think about this. I when I moved here to Florida from a previous university. One of my I get an email from a colleague that says, here's the data, and there was an Excel file, and it came from their email address, you know. So I thought, Okay, well, everything looks fine. I was about to click on it, I thought, but that's not the way they usually communicate. Usually there's a long list of things they want me to do. I'm like, well, that's weird. So I just reached out and called and said, you know, did you send me something? And she said, No, I haven't sent you something in a couple of weeks. I said, Well, I think somebody's gotten into your email and they're using it to email me, so you need to call IT immediately, and then I just deleted the email. I probably should have sent it on to our IT to look and see what it was, but, I mean, that was such a targeted spear phishing attack that they went into their probably what I don't know for sure, but probably what happened is they went into this person's email. They got inside, could read the emails and know that we communicated with data. Knows that she sent me Excel files all the time. So it's all that insider information again, even if I have awareness, I'm the chances of me clicking gets greater and greater.
Tad Schnaufer:Yeah, if it's late, it's five o'clock in the afternoon, you're just trying to get through the day. You're just like, looks pretty good. Wow. I mean, but you caught that one, so, right?
George Burruss, Ph.D.:So that's, that's pretty good. That's the one I caught it. There's probably ones I didn't catch, but that's
Tad Schnaufer:what I got. But would you know? So if I'm working at a chemical plant, nuclear plant, would I know if I accidentally click on something that it's something's been installed, or is it pretty much all in the background?
George Burruss, Ph.D.:It's all in the background. Yeah, unless, unless it's a ransomware that immediately pops up. Yeah, it's, it's, it probably a lot of times it's just surveillance, like, you know, the keystroke, they're logging your keystroke so they can see what your password is, you know, all kinds of information. Then they get in your email. Then they can, they can go further. And a lot of times it doesn't have to be a key person that they go after. It could be somebody who's on the it could be a vendor that you do business with. They get into their account because they have low cybersecurity. Look at the email that you're talking to the, you know, the buyer in your corporation, then send an email from that, then you click on it. Now they're in your you know, and so on, right? So, again, that's why it's evolved motivation. They're trying all these things, and some of them work. Some of them don't work.
Unknown:Unfortunately, a great example of exactly what you just described, George, occurred several years ago where a small excavating business in northwestern United States was targeted by Russia. Would not be the sort of business that would be expecting to receive a foreign nation state cyber attack, and that was precisely why it was targeted, because it had no particular reason to have enhanced cybersecurity defenses, and it just so happened to provide services to a utility. It then became the backdoor, the vector into the utility, which then allowed Russia the capability to essentially shut down the grid if it had wanted to do so, and this was all publicly reported a number of years ago. But one of the big challenges, again, really, for the private sector, as much as for the government, is how to, in an age of scarcity and tight budgets, how to nevertheless allocate sufficient budgetary authority to have sufficient cybersecurity defenses, knowing that the reality is, there's no such thing as a final state of being cyber secure.
Tad Schnaufer:You can't build a cyber wall, right? Is that? Is that true? So you can build a firewall, I guess, in cyberspace, but it's still not impenetrable, because there's that human element we've been talking about. So you might have an amazing defensive you know, in the cyberspace, you have all these different protections, but if someone clicks on a link now they're inside your wall, if you will, right? It's just that simple. So that's why the training, the awareness of employees, and then again, just normal citizens as well as we've talked about. So you might be working at an adjacent industry to critical infrastructure, and you have responsibility there, and that's one of the topics we wanted to discuss a little bit more too, is what role does the government have with a partnership with the private sector to protect not only the critical infrastructure industry, but also those adjacent industries that are dealing with it? So we're not just talking about the military, but again, that vendor that's working with, you know, the oil pipeline, whatever it may be,
Unknown:SolarWinds, right? Yeah. I mean, SolarWinds is the breach that involved lots and lots of private sector companies and lots and lots of federal government entities, major software or a major vendor in the software sort of supply chain. It's a whole of nation effort that requires close and continuing cooperation and resources and serious thought and serious people and serious dedication to sort of solving the problem continuously over and over again. One of the things that I really like about what the team in Florida is doing and has done, and you mentioned it, one of the great ways for the government and the private sector to cooperatively think through the problem and come up with solution set is through tabletop exercises, whatever you want to call it, but the sort of activity that brings people together and really goes through simulated experience of a cyber attack, what happens, what the effects are, what the consequences are, how to respond, but in a very realistic way, and the lessons learned from those, those opportunities to come together in those sorts of settings are ones that can really drive the sorts of changes that must be made, whether you're in the government or in the private sector, right? And that's
Tad Schnaufer:one thing that Cyber Florida, here at the University of South Florida, is doing, you know, they're doing a lot of hands on education approach, with legislators, with other groups setting up those tabletop exercises as well as educating, you know, students in middle schools and high schools as well. So getting them primed for their entire life will be, you know, cyber based. So they absolutely need to have that cyber literacy. But also here at USF is the Bellini College with AI cyber, cyber they're also going to be pushing out a lot of cyber professionals in the next few years with degrees, our criminology department, our School of Information. I mean, there's a lot of cyber components education here at USF working to, again, inform the public, but also inform future employees that hopefully they are not the weak link. Well, that's
Unknown:critical, and that's exactly how we begin our conversation. It's a focus on the people and the work that USF has been doing, is doing, and is going to continue to do, is to develop the experts that are needed in the government, in the private sector. But at the end of the day, it's a, it's a people problem that people can solve. Yeah, that's, I mean, that's exactly right. You know, NIST, National Institute of Standards and Technology, they came out with an infographic and on it, it said that the lack of talent and human failure will contribute to over 50% of future cybersecurity incidents. Right now, I think the US needs about 1.5 to 2 million cybersecurity type professionals, and we're short of that between 200 to 500,000 so definitely need more folks in that space.
George Burruss, Ph.D.:One thing about the way USF is approaching it is you could just get a degree in cyber security, and they just have one department. Let's say it's adding computer science, and that's it. But the but I think we've come to realize is cyber security is such a vast discipline that you need people in business to understand the cyber insurance aspect of it. You need people in Information Sciences to understand the big data issues. Computer Science, for obvious reasons, criminology, you know, we're having, we were launching a bachelor's in cybercrime to teach the legal aspects of it, the social, behavioral aspects, and then also digital forensics. Because, you know, so we're trying to change the sort of the next generation of law enforcement people to handle those types of things. So, so I, you know, again, the if you go to a university that's got a lot of those options, you should be able to learn, you know, pick out a sort of a niche area that allow you to be like, you know, really top performing, you know, future cyber professional.
Unknown:And I also want to put a plug in for Florida, since, you know, we're pretty attuned to prepare for natural disasters, hurricane prep, I started thinking about this a bit more when it came to how do we prepare for a cyber attack, especially when it comes to critical infrastructures, and the outcome, whether it's a natural disaster or an attack on the grid system, is, it would physically be about the same, like we're talking about food shortage, fuel shortage, lack of power. And so I was looking at the hurricane prep list for like, Floridians, and I'm like, oh, yeah, you know, you need all these critical documents because you can't access it through the computer. You need to have cash on hand. You have to have a certain amount of food supply. The only difference between a hurricane prep list and a cyber attack prep list is the season. You know, in Florida, it's from May to November. And for cyber attacking, it's going to be year round.
Tad Schnaufer:One of the things about hurricanes, when I thought about this after our panel at Cyber Bay, is that with hurricanes, you typically have a few days heads up so you can, you know, oh, you know, I should take some cash out. If you have a zero day event with cyber, meaning zero day, meaning you have zero days to prepare. It's happening. You know, just clicks. It happens. Now you have no power. How do you go out in the marketplace and again, procure food and survive for, you know, maybe it's only five days, but five days is a long time if you don't have running water, or you don't have electricity, or all of the above. And we saw that with people who stayed in the Tampa area after Milton, for example, many areas were out of power for four or five days. So are you ready to endure that? And then while enduring it, ensuring that there's not civil unrest, which is the secondary piece I think we've already touched on. So you know, we're talking about preparing, you know, what an individual citizen can do. But what about, you know, at the level of our critical infrastructure and things like SCADA, what could they do possibly, you know, toss it over to you.
Unknown:Linda, so, with SCADA. So SCADA stands for supervisory control and data acquisition. This is a software that is deployed across sectors, whether it's in the chemical facilities, critical manufacturing, energy, fuel, transportation, it's a common software and it's, it's the connector between the IT systems and the OT, so the operational tech and so what that really means when you hear the word SCADA, you're really thinking about physical systems that have been connected to the IT, and it allows like engineers to gain remote access to the power plants, for example, because, you know, it's really inconvenient to go all the way out into the power plant to, you know, monitor and control the systems. It's much more convenient and efficient to do it remotely, but that's also a point of vulnerability and area where attackers would like to enter. How would you secure that? I'm not sure, but I know from what Cyber Command did that was novel is Cyber Command was on one floor of a building, and they what General Nakasone had done was move the NSA into the same floor as Cyber Command to allow cross talk much more efficiently. So like what Chris is mentioning, you know, the aspect of the human in planning for the security, I think similar thing can happen with at an organizational level for these companies with these critical infrastructure, is moving their IT team to with their OT team in one central area so that there's constant communication and that, yeah, so if there is anything that happens, it could be you have a human there to try to address the problem, or humans as soon
Tad Schnaufer:as possible, right? Because right now, when you need it, you send an email off, and you wait, you know, a week, and then they, you know, they show up at your office and they help you out with with what it is. But if you're actually having an operational crisis, kind of like we talked about with the Ukraine piece towards the beginning, you're gonna want someone who has a has that cyber background that IT background that can tell you this is some this is a problem. We should just shut everything down to stop the attack, or what they might have that expertise. Well, you as the operator, have the expertise of the actual physical plant. Yes.
Unknown:And actually going back to the Sandworm student, if there was more crosstalk? Yes, there's the IT team who knows how to turn the controls back on, but the OT operator may say, hey, let's not turn on so rapidly, because we don't want our transformers to
Tad Schnaufer:blow. Interesting. So you need, you pretty much need, that human dynamic of both the cyber expert and then the operational expert. If not, you're going to have problems, which we saw in Ukraine. Wow. So with all that, plenty, plenty more that we could continue to discuss, but I'll just go around room. Rapid fire, your big comment for you know, as we look at Cyber Bay coming back up in March of next year, what are some of the focus areas you think we need to continue this conversation on? Obviously, we've talked about the human domain, social engineering, some of the deterrence and defense factors within cyber but where should this conversation go now?
Unknown:Education and action. It's a virtuous circle. Every time you learn, you are better informed as an actor. Every time you act, you learn something from that, and it informs how you approach the next problem set. And that's one of the things that I think was fantastic about Cyber Bay. It's one of the things I think is fantastic about the work that GNSI and the Bellini College are doing at USF. And going forward, I think that's really where the answer will continually lie, which is in that education action interchange that's continuous and ongoing.
George Burruss, Ph.D.:I think we need to focus on readiness, both in Tampa Bay, but everywhere else in Florida and beyond. Is, is what are small, medium and large businesses doing to protect themselves? What's their level of preparedness? Find out who the innovators are, then, who the adopters? What's, what's motivating, all that? So sometimes you'll hear a lot of people say that cybersecurity is the Wild West. So anybody can, you know, get a couple certificates, hang them on the wall and call themselves a cybersecurity expert and start a firm. But we need to really figure out, you know, who is really driving the best practices within that. And so I think we can tame that a little bit just by finding out what the landscape is and doing some research on that.
Unknown:I think Cyber Bay, I had mentioned the private sector, in addition to bringing the private sector more into the conversations, more so than they already are. And another area is civilian education, what to do in the aftermath of the cyber attack? I'd like to see more of that. Well,
Tad Schnaufer:that's great. And I think we've established pretty firmly that, you know, cybersecurity is certainly a foundation of national security. You cannot have national security in today's modern era without protecting your cyber base. And as we noted, that cyber has a huge human component, and it's certainly going to be a cycle. It doesn't just end. We have a conference, and now we've solved all the cyber issues in the world. So we will look forward to the next Cyber Bay. We look forward to our ongoing conversations here at the Global National Security Institute. Thank you all for coming.
Unknown:Thank you. Thank you.
Jim Cardoso:Special thanks to all our guests today, atfer Linda Nhon, George Burruss and Chris Hunter, for discussing the highlights of their panel at the recent Cyber Bay conference and also delving a little deeper into some ideas that arose afterward. It's become almost impossible to discuss national security without cybersecurity issues being part of the conversation. We hope you enjoyed this one. As we wrap up the podcast today, a couple quick notes. We're excited to announce the next GNSI Tampa Summit for March 2026. The theme of the conference will be Nuclear Weapons and Modern Warfare. President Trump's recent announcement on the resumption of nuclear testing created media waves and international responses and highlighted the reality that nuclear weapons on today's battlefield are not an abstract concept, but a distinct possibility requiring thoughtful policy discussions. GNSI Tampa Summit 6 is set for March 24 through 25th here at USF. You can find more info on our website. We'll drop a link in the show notes. The final episode of the Axis of Resistance research initiative led by GNSI Research Fellow Dr. Arman Mahmudian was just published on our YouTube channel. In this concluding episode, Arman took everything he's learned over the first seven episodes and spoke at length with GNSI Executive Director, retired Marine Corps General Frank McKenzie. As the former commander of US Central Command, McKenzie's insight and experiences in the region offer a unique point of view that you can only find at GNSI. Check it out on our YouTube channel. Thanks for spending some time with us today on At the Boundary. Next week on the podcast, we're going to turn our attention back to critical minerals and resources, specifically cobalt. It's almost the stuff of legend, not to mention movies, and it'll be the star of an upcoming GNSI decision brief.
Dr. Linda Nhon, GNSI Research Fellow, is writing that decision brief and will give us a preview next week on At the Boundary. You don't want to miss that episode or any other. Be sure to rate, subscribe and let your friends and colleagues know. Follow along with GNSI on our LinkedIn and X accounts at USF_GNSI, and check out our website as well at usf.edu/gnsi. While you're there, don't forget to subscribe to our monthly newsletter. That's going to wrap up this episode of At the Boundary. Each new episode will feature global and national security issues we found to be insightful, intriguing, maybe controversial, but overall, just worth talking about. I'm Jim Cardoso, and we'll see you at the boundary.