When AI Changes the Rules of Cybersecurity

Show Notes

Cyber risk is changing — and AI is accelerating it.

In this episode of the AI Proving Ground Podcast, former NSA Director Rob Joyce joins WWT’s Madison Horn to explain how nation-state cyber activity has shifted from quiet espionage to strategic pre-positioning inside critical infrastructure.

AI isn’t introducing new tactics — it’s collapsing timelines. Reconnaissance, phishing, and exploitation now move at machine speed, shrinking response windows from weeks to minutes. The result is a fundamentally different threat model.

The conversation focuses on what leaders need to understand now: how agentic AI reshapes cyber risk, why basic discipline still matters but no longer scales on its own, and how AI must become a force multiplier for defenders.

A clear, high-level look at the cyber line that’s already been crossed — and what comes next.

More about this week's guests:

Madison Horn is a cybersecurity executive and national security strategist whose work spans technology, policy, and critical infrastructure. With 15+ years of experience, she has led global incident response, digital risk transformation, and cyber strategy across highly regulated and high-risk environments. Madison has held leadership roles at FusionX, Accenture Security, PwC, and on the founding team of Siemens Energy's Global Security practice. She currently serves as National Security & Critical Infrastructure Advisor at WWT, advising on AI governance, ICS/OT resilience, zero trust, and cyber-informed engineering. A frequent media contributor and advocate for women in technology, Madison is driven by advancing digital trust and national resilience.

Madison's top pick: Infrastructure as a Strategic Target of War

Rob Joyce has more than 30 years of leadership in cybersecurity, cyber operations, and intelligence. He has dedicated his career to advancing national security and cyber resilience. Rob previously served as Director of the Cybersecurity Directorate at the NSA, overseeing defense of the nation's most critical systems, and held senior roles including Acting Homeland Security Advisor and Special Assistant to the President for Cybersecurity. He is the founder of Joyce Cyber LLC and currently advises boards and executives on emerging cyber risks, with advisory and board roles spanning technology, national security, and critical infrastructure.

Rob's top pick: Who Owns AI When It Breaks

The AI Proving Ground Podcast leverages the deep AI technical and business expertise from within World Wide Technology's one-of-a-kind AI Proving Ground, which provides unrivaled access to the world's leading AI technologies. This unique lab environment accelerates your ability to learn about, test, train and implement AI solutions.

Learn more about WWT's AI Proving Ground.

The AI Proving Ground is a composable lab environment that features the latest high-performance infrastructure and reference architectures from the world's leading AI companies, such as NVIDIA, Cisco, Dell, F5, AMD, Intel and others.

Developed within our Advanced Technology Center (ATC), this one-of-a-kind lab environment empowers IT teams to evaluate and test AI infrastructure, software and solutions for efficacy, scalability and flexibility — all under one roof. The AI Proving Ground provides visibility into data flows across the entire development pipeline, enabling more informed decision-making while safeguarding production environments.

Chapters

• 0:00: Why Infrastructure Is the New Target
• 2:11: Nation-States, Real-World Impact
• 6:36: AI Made Phishing Smarter
• 10:58: When Hackers Use Agents
• 15:35: AI Risk Hits the Boardroom
• 19:15: Tool Sprawl vs. Real Scale
• 23:25: OT Systems: Built to Break?
• 27:35: Policy, Power, and Partnerships
• 32:00: What Actually Matters Next

Transcript

SPEAKER_02: 0:00

From Worldwide Technology, this is the AI Proving Ground Podcast. Over the last few years, nation states have shifted their focus, away from stealing data and towards something far more destabilizing, critical infrastructure. Things like water systems, energy grids, communications, the kinds of systems that most people assume are off-limits until they aren't. And increasingly, these attacks aren't being carried out by humans alone. They're being accelerated by AI, probing faster, scaling wider, and exploiting gaps that organizations don't even know exist. So this raises an uncomfortable question for enterprise leaders. Are your defenses built for yesterday's threats or for an adversary that never sleeps, never gets tired, and learns as it attacks? So on today's show, former NSA Director of Cybersecurity Rob Joyce and WWT Chief National Security and Critical Infrastructure Advisor Madison Horn talk about what's changing in the cyber threat landscape right now and how AI is reshaping both offense and defense. They'll talk about why basic cyber hygiene is suddenly a board-level issue and what security teams need to rethink as speed becomes a new weapon. So if you're responsible for protecting operations, reputation, or trust at any scale, this episode isn't just theoretical, it's timely. So let's jump in. Okay, well, Madison, Rob, thank you so much for joining. First time on the AI Proving Ground podcast. I very much appreciate the time. How are you?

SPEAKER_03: 1:30

Awesome. I mean, can you be like frustrated with the fact that you have this beautiful view outside and great company?

SPEAKER_02: 1:36

Down in Cabo.

SPEAKER_01: 1:37

Doesn't get any better.

SPEAKER_02: 1:38

Can't beat it. We should do all of our podcasts here every time.

SPEAKER_01: 1:40

I'm in. Anytime you want me here, I'm here.

SPEAKER_02: 1:43

Yeah. Uh Rob, I want I want to start with you. You know, obviously, a storied career within the government. Thank you for your service. We hear a lot about this changing landscape, the evolving threat landscape. There's so many buzzwords that go into it. AI, quantum, you know, whatever you might want to throw in there. From your vantage point and what you've you know experienced during your career, what have been some of those major shifts that you've seen over the last six to twelve months that have piqued your interest?

SPEAKER_01: 2:08

Yeah, there's there's a couple places, right? First is the geopolitical risk. That that landscape is dynamic. The second is the technology landscape. And so I'll start with geopolitical first. The thing that really has strikingly changed is the way nation states are now focusing on critical infrastructure. We used to have to worry about theft of intellectual property, the government had to worry about keeping it secrets. There's always the constant ransomware and criminal activities. But now we've seen this case where China's pre-positioning in the U.S. critical infrastructure for the day that there's rising conflict. And the the part everybody should understand about that is what the U.S. government revealed in congressional testimony, they brought some intelligence to that. They talked about the plans and intention of the Chinese government, and that was to cause societal panic at a time of escalating tensions. They wanted us in the U.S. focused here domestically in the U.S. when there was some conflict on the other side of the globe, maybe you know, Taiwan, China, Straits. And that to me, that crossed a Rubicon. That was China saying they wanted to inspire terrorism in the U.S. through cyber means. And you know, we've got to get to the point where they're not willing to do that.

SPEAKER_02: 3:32

Yeah. Why, Madison, what are they targeting? Why are they targeting it? Trevor Burrus, Jr.

SPEAKER_03: 3:35

Sure. I mean, if we think about it, right, then right now we're living in a time where there are no longer boundaries. You know, the the prepositioning of the United States, the advantage was the fact that we had oceans dividing us from our the nation's adversaries, right? Those all those boundaries no longer exist. So the the why now is because bat the battlefield is now digital. And so when we think about, if we look at what happened in the leading up to the invasion of Ukraine, then we saw red flags where you know we would see Russia or other adversaries targeting their government or their government infrastructure and public infrastructure. And so that is the prepositioning leading up to major conflict and war. And those are some major lessons learned that we can see as we are looking to prepare for what China may be looking to do. But I'd love to add into the conversation at some point, like, you know, our customers, part of the question that we have to articulate to our C-suite is why make the investment into cyber? Not just why now, but why is it more than just an insurance policy? And I think part of the conversation is that we don't recognize is China doesn't necessarily want to go to war with the United States. Because if they did, that is an economic disruption. While their, I would say, citizens can tolerate a little bit more pain than the US can. They don't want to go to the war to war with the United States because of the economic impact that that would have. And so it's a little bit of playing like chicken of who's gonna move first. But you know, what are we willing to risk?

SPEAKER_01: 5:12

Yeah. And to make it clear, it's not just China, right? When we had Russia-Ukraine on the eve of the Ukrainian invasion, the Russian invasion into Ukraine, the Viasat satellites got taken out in Europe, right? The the service that connected wind farms in France went down. And, you know, that was collateral impact for what the Russians felt they needed to do to have a successful campaign in in the Ukraine theater. We've seen other examples when tensions escalated in Israel, Gaza, yeah, the Iranians came into the came into the mix and a small municipal water plant outside Pittsburgh got hit. Not because the US was in the fight or or that, you know, that city outside Pittsburgh was in the fight. They were hit because they had bought infrastructure that came from Israeli lineage. So Israeli companies built these controls for the water processing plant, and the Iranians thought they were fair game because anybody using Israeli technology worldwide, you know, could be could be picked up in these operations. So I think anytime today we see escalating tensions, whether it's US, China, Russia, Ukraine, you know, Israel, Gaza, any of those, we're going to see more pop out and they're going to come to us in the cyber domain.

SPEAKER_02: 6:36

I mean, so we're talking about cyber warfare here. Where does AI enter the picture? This is an AI podcast after all. Is it just accelerating things? Yeah, there you go. Is it accelerating things? Is it using AI to defend? I imagine it's all the above. Rob, you know, I you had some particularly interesting things last time I heard you speak about your shift, somewhat shifting uh views on AI over the last couple of years.

SPEAKER_01: 6:58

Yeah, absolutely. So I I started out a couple of years ago as LLMs emerged, understanding they were going to be a big threat for socially engineering attacks. And that's where a lot of attacks and compromises start is you know, phishing emails and things like that. Can I get somebody to take an action that makes them less secure? And and that's come to pass. And and there's been this evolution too. Phishing emails have gotten much, much better and robust, right? They're not the Nigerian prints bad spelling. Yeah, they're using punctuation.

SPEAKER_03: 7:30

Come on, how much fun would that be?

SPEAKER_01: 7:32

But they've advanced to where now you'll get a whole storyline. You'll get, you know, this email chain that starts with somebody winning a contract, supplying their service, delivering and expecting to get paid and something going wrong in that payment process. And then all of a sudden, you know, the the emails are going to somebody who promises to get them paid and help them out. And it ends with this last one going to accounts receivable, where you're supposed to pay the invoice. And this story is coherent. It has all the right people, it has the right emails, and none of it from the start to the finish is real, but it's all been generated in a very convincing way by AI. And so that's getting really dangerous.

SPEAKER_02: 8:15

Yeah. And Madison is not even just words, it's it's real voices, it's real video. Or maybe not real, but it's authenticated uh video.

SPEAKER_03: 8:22

It looks real. And what he's pointing out is it's not the sophistication has changed, it's the time commitment that adversaries have to spend. One, they don't have to spend as much time, but they're so much more personal to the targets. So we're talking about psychological warfare that can be achieved in a in a very low type of impact type of manner, but long term it has devastating impacts on a company.

SPEAKER_02: 8:45

If that makes sense, what does all this mean for security teams of not only our clients, but just organizations out there? Madison, we can start with you. Like, what is that? What is all of what you've just covered? What kind of types of shifts is that forcing CISOs and security teams to tackle that maybe they weren't tackling before?

SPEAKER_03: 9:11

You know, I I never want to bash our security teams because I say this like the cybersecurity community. I mean, we are really here because we're passionate about our landscape, we're passionate about the industry. We understand the threats, but we are not alone. And so what we are seeing with the landscape is the understanding that cybersecurity is no longer a solo sport. And so, you know, I never knew that cyber was cool. I always thought we were like just the, you know, the weirdos, like having like more energy drinks than we needed in the background. And it was that moment that we saw a you know, Super Bowl commercial that was talking about cybersecurity. And I was like, sick, we're mainstream now. But the reason why I say that is because we realize it is a shared responsibility model in educating individuals about, you know, what is your role in cyber? And so we're seeing this pivot of saying, even if it is an individual who works in marketing, what is their responsibility to protect the business and their role in contributing to the end mission of what is the mission of WWT? What is the mission of a bank? What is the mission of a utility company? So everyone understanding of what their part is, all the way down from internal to vendors, and we're talking about you know secure by design and vendors understanding that you know basic security hygiene has to be baked into a tool versus something that an engineer on the downstream has to worry about. So I'd say that's the huge shift that we're seeing and kind of the the drumbeat that we're also seeing from a regulatory perspective.

SPEAKER_01: 10:35

Yeah. I think I think the thing you can expect though is the speed, scope, and scale is just going to continue to grow exponentially. You know, the ability for LLMs to generate hyper-targeted phishing emails, right, at scale. But more importantly, what we're going to see is LLMs starting to do agenc hacking. And that's a whole new world. And and that's here today. I don't think people understand how much of the threat space is now starting to get automated through AI.

SPEAKER_02: 11:10

Yeah. Well, pull on that string a little bit more. You mentioned how it's a it's a new world that we're already in today. So what does that you know agenc hacking look like in practice? Is it just that the the timelines are going to be way more condensed and things are going to happen rapid fire? What else is part of that?

SPEAKER_01: 11:28

So my history at NSA, I worked both offense and defense, right? I got to play nation-state hacker and then defender against those nation-state attacks. And the thing I learned was we at NSA succeeded against the targets we need to pull intelligence out of by knowing their network better than the people who built and defended it. Right. The the littlest detail could be that crack that's enough to allow something in. And what we're seeing now with AI is it gets to be relentless in probing and attacking and finding the things that you don't know are liabilities inside your infrastructure. So, you know, we've all looked at for years, you know, shadow IT, things that are not maintained and patched because the people whose job it is to do that security doesn't even know they're part of their infrastructure. We've seen the bad passwords that you know we're trying to drive out through multi-factor authentication. But it turns out that you've got two exception accounts that have been authorized not to have to use MFA. And so if you've got a gentic AI that can try every account, it'll find the ones that are the exceptions to the rule. And there's really good examples of how this is in play already. There, there's a company called Hacker One, and they run bug bounty programs where you can sign your company's infrastructure up to be tested, crowdsourced by hackers around the world to see if your security is up to snuff. And they claim bounties for finding misconfigurations and unpatch boxes and cross-site scripting and all of the flaws that we know are you know going to be detrimental, but maybe we haven't found them. So, you know, this crowdsourcing will help. Well, we crossed a really big line a few months ago when an agencai system became the number one bounty claimer hacker one. This company called Expo ran an agent, and it just it it doesn't do creative hacking, but it it runs through all the basic attacks over and over and over relentlessly. And it doesn't sleep like you know, the energy drinks. You don't need energy drinks anymore, but but they still at some point go offline to eat and sleep. And eventually, you know, this AI, if you want to scale it, you just bring more servers online. And so that's what I mean by relentless is the ability to jiggle every doorknob, every IP address in your whole environment and test it against every known vulnerability constantly. And and that's what we're up against. So when you see new exploits come online, we've watched those, the time from exploit discovery to you know exploit deployment drop from months to weeks to days, and now it's going to get to hours and minutes.

SPEAKER_03: 14:26

But what but what he is saying is, you know, we talk about basic cyber hygiene. That hasn't changed. The approach to what do we what are the tactics that we need to take to protect our infrastructure isn't necessarily changing. It's the scale in which we need to protect and defend and understand, you know, how quickly we need to patch a set of systems when a zero data is released. That is what's changing. But what what we also have to remember, and this is where I'm a glass half full type of gal, and Rob claims to be, but we're we're gonna get there at some point, I think, in the conversation. But you know, what we have to remember is that we have the same tools, and we just have to ensure that we're making the right investments to enable our cyber defenders to be able to compete against our nation's adversaries. And that's the change that drastically needs to happen. And that's part of our responsibility as advocates to ensure that we're not saying, hey, the sky is falling and come at it from a place of a place of doomsday. But why is it the investment that you need to make to ensure that your business is operating and what is the downstream impact if you do not?

SPEAKER_02: 15:29

Yeah. Well, I mean, let's let's uh scenario play here. I'm a board member and I'm thinking to myself, well, I you know, I don't want to make that investment. What what are you responding with to say, hey, this isn't just, you know, this this isn't like it was before. You do need to make these investments. What's the value add? What's your response?

SPEAKER_03: 15:44

Sure. I mean, uh, first and foremost, I mean, it's understanding that person's perspective on the board. You know, what is, you know, the what do they believe is like most viable business? Like what do you need to ensure that a product goes out the door or a service goes out the door? And then you ensure that they understand their risk profile, whether that be from basic supply chain disruptions to, you know, what if a generation facility went offline? What is the reputational harm? What is the you know economic harm to that company? And then talking it back to them and saying, okay, well, if we understand one, your risk profile, you understand the investments back then, that then it becomes a conversation in a language that they understand. It can't be about ones and zeros at that point.

SPEAKER_01: 16:29

So one thing I believe is you know, AI is going to be that problem, but it's also going to be the solution, right? It is going to be the defender's arms race to bring the speed and the relentless coverage that the attackers are bringing. And you'll be able to defend your network by knowing your network and finding those flaws before the attackers can. So I really believe that you know things like agentic AI will be something that can augment the defensive teams and give them the ability to work in this hyper speed environment. Those that use AI are going to outperform those who don't. And it doesn't matter whether you're on offense or defense, that's going to be the magic solution.

SPEAKER_03: 17:09

You know, we learn from each other constantly. Obviously, he has an incredible background. And so, you know, being able to work with him has been phenomenal. But, you know, if you and I were walking into a boardroom together, what would be that one question or that one leave behind that you would want the board to know? I'd love to hear that. Your thoughts.

SPEAKER_01: 17:24

So for me, it would be less about the one leave behind and the encouragement of running a tabletop exercise. So they do that self-learning. So all the things you talked about, you know, thinking about what's it mean if your generation plant goes offline or your supply chain shuts down. It's it's one thing to have an expert like Madison come in and brief the board. It's another for them to do the tabletop and have that oh crap moment of, wow, that could happen to me. And this is the business impact. Because, you know, cybersecurity is often a cost center, right? It is you you're balancing that cost center against the business needs. And the the language the board's going to understand is what's a bad day in cyber look like to my business outcomes? Yeah.

SPEAKER_02: 18:10

And that's who else needs to be involved? I mean, you're talking about the board. I'm assuming it has the executive leadership team there as well. How many other teams or groups need to be a part of that? I mean, are you rippling that out to marketing, et cetera?

SPEAKER_01: 18:22

CTO, CIO, CISO, all other people.

SPEAKER_03: 18:25

Legal is there. Even marketing and branding needs to be there. Again, like majority of cyber attacks, and you hate to hear that say that word, but I mean, they have reputational damage, regardless of the organization or what type of attack it was, because all the general public hears is, oh, why company was breached? And we're living in a time where people are feeling less secure than any time in history. And so they're like, oh, is that the company that I need to be working with? And so it's just, it's a mindset shift. And so branding, legal, infrastructure teams, anyone who's going to be in that remediation type of workflow.

SPEAKER_00: 19:05

This episode is supported by Panduit. Panduit offers physical infrastructure solutions to support network and electrical systems. Optimize your operations with Panduit's reliable infrastructure products.

SPEAKER_02: 19:18

Rob, I want to go back. You said you spent, you know, a portion, if not a significant portion, of your career playing offense and defense. You know, you've hacked the, you know, some of the world's most secure networks. What from that perspective, what has kind of been the traditional blind spots for security teams and where are the blind spots now? Are they the same? Have they changed?

SPEAKER_01: 19:39

A lot of them are the basics, right? Attackers are only going to do what they need to do to be successful. And, you know, often there are really wide gaps in network security if you're diligent about looking for them. And that's what trips up a lot of the security teams is they make assumptions about their ads. Is. They assume that I've done MFA, so all of the accounts are locked down. You know, I have architected my network to the point where I've got logging and I can find that intrusion. And I will tell you, when we go to an incident response, what we often find is, you know, yes, 95% of the accounts are locked down, but guess who found the 5% who are not, right?

SPEAKER_03: 20:23

That one contractor.

SPEAKER_01: 20:24

Yes. We have logs for almost all of the network. Guess where the intruder is operating from, right? That one bastion inside your infrastructure that has no logging invisibility. So those are the kind of things that you've got to take away as security is all about the details. And that's where I think the next generation of AI is going to super be a superpower for the defenders, in that it can help us look with rigor across all of the domain. And it can do that 24-7 understanding. And it'll be able to bring disparate events from many different sources, aggregate them, and tell a story that might not have been intuitively obvious from any one point inside that collective data.

SPEAKER_02: 21:12

Yeah. These are high stakes conversations and situations, though. So how do where how do we get to the point where we're trusting the AI to get to that whole comprehensive portfolio? I mean, it feels like there's a gap there.

SPEAKER_03: 21:26

I mean, it it's not as if you're like, AI seems cool. Let's just throw it in there. Yeah, turn it on. Now we're in the streets. Yeah, yeah. Sure, you were gonna say human in the loop, right? Yeah. Also drink. No, no, the point is, right, the the adoption period for AI is just this is the same as other technology, right? What are your use cases? Where do I want to make investments? Where can I get the the biggest bang from my buck, right? Whether that be eliminating resource deficiencies or you know, blind spots you didn't have or you had previously in the environment, kind of articulating the needs, right? Then putting it into some type of testing phase and then deploying it from there. So it's it's not as if it's like turn the AI plug on tomorrow. I mean, it's the same adoption phases in in my mind. Do you thoughts differently?

SPEAKER_01: 22:14

I agree. And we have everybody has finite resources. I don't care how big your company is, how well resourced it is, you're going to always harder to play defense. You're you're going to run out of resources before you run out of things you want to do. And and AI now is the ability to magnify and accelerate the people you do have, right? So can you can you drive down the alert fatigue of those people who have to work in the sock so that AI is is shifting off a small percentage? Or can it just prioritize the alerts you have to say these are the 10 I've got to work first, right? This is the ones that could bring me down in a serious and really threatening way. And so all of that, again, is a force multiply.

SPEAKER_02: 22:57

Yeah. I mean, just to play devil's advocate a little bit, it's that that sounds like a great scenario. You get to the point where you have human in the loop, you've got, you know, a sophisticated AI posture. But you know, what about the fact that every vendor is coming out of the woodwork right now with AI-powered, whatever it might be? Tool sprawl is going to become a very real thing. And that just feels like it's going to gunk back up the system to where we were, you know, we were talking about that before AI boomed.

SPEAKER_03: 23:23

I don't mean to make the plug, but that's why you have partners like WWT, right? Because whether that be our AI proving ground or the ATC, right? We partner with companies to ensure that what they're selling with their feature set actually matches what the client is needing. But I would also say, you know, I I loved the phrase that the folks said in the business summit. So maybe that's the plug for the business summit, but they said everything is, you know, this isn't a hype cycle. AI isn't. And the industry is used to hype cycles. What was the word for so long? Visibility or, you know, single pane of glass. Oh, God, single pane of glass. And so, you know, everyone is a little bit skeptical when we're saying, okay, this technology is capable of doing this. Is it really? And so I would say as it relates to innovation and the way that companies adopt technology, that process is not different. What is different again is the speed in which companies need to adapt and again, the regulatory landscape in which we're operating in. The right now, the posture to ensure American innovation is moving as quick as we need it to, then the decision has been let's not regulate AI. Let's let the industry do it itself while also really leaning on you know, industry to say, hey, this is what we need the regulation to look like, which is a very, very, very different approach than we've seen in in other technologies, unless it was like the birth of the internet.

unknown: 24:49

Yeah.

SPEAKER_01: 24:49

Yeah. And and my point would be to pile up, you know, the AI proving ground, what that gives you is trust but verify, the ability to kick the tires, see how it operates. You know, I I watched one vendor solution, which was awesome whenever you whenever you gave it theoretical activity, but if you brought it to scale, it fell over. And, you know, most individual companies have two options, right? They have their little test network over to the side that doesn't have scale, and then they have their real environment. And so they do the test, seems okay. They bring it over to the real environment and it falls over. WWT has infrastructure that matches real corporate scale at industry scale. And I think that's that's a huge capability.

SPEAKER_03: 25:33

Aaron Powell The industry scale is gonna be an important one. And the reason why I say that is because, and and this is my plug for the space that I represent and an advocate for, which is all things critical infrastructure. You know, the OT space is so different than the enterprise. And so the unfortunate reality is the OT space will be kind of like the stepchild that's gonna be left behind in this journey. And so it's really leaning in and continuing to be an advocate in the space and ensuring that, you know, AI companies like Nvidia, et cetera, understand the technical requirements and the the deviations between traditional enterprise and basic services on it from a corporate perspective and bringing in what does it look like from a physical world and what are the technical requirements are for that space, especially given the landscape we're in.

SPEAKER_02: 26:16

Yeah, well I mean well, why is it going to be left behind? Is it just a different, different motion? Or tell me the why behind that.

SPEAKER_03: 26:21

Yeah, I uh I would love for your thought. Mine is because, you know, within the world of critical infrastructure, then they have uh rate caps. And so they can't make the necessarily the same investments that a privately held company like let's say, you know, a major bank or a major tech or media company. They just don't have the same level of expenditures to be able to do that. And the technology is more uh well is the word adoptable real? I'm gonna make this word up. Maybe I'm not, but here we are. Is gonna be more applicable. That's a better word, more applicable across other industries versus OT. And so it's just that last frontier of innovation almost. Does that make sense?

SPEAKER_02: 27:05

It does. I mean, Rob, is that why we're seeing those small water plants be targeted? Because it's those, it's that's just where the cracks are.

SPEAKER_01: 27:12

A little small municipal water plant doesn't have a CISO. They probably don't have, you know, a security team, let alone, you know, a budget to modernize from Windows XP up to the latest version of Windows. And so they're pretty soft targets often.

SPEAKER_03: 27:27

Aaron Powell But to your question though, the why goes back to the beginning of our conversation around the geopolitical climate that we're in. You know, initially we were talking about why is OT the last for technology innovation, and that's because of the investment and the market demand. But why would it a water company be targeted is because of what we were talking about before. You know, the the intersection of technology, national security, and human impact. For the water supply to be targeted, that is disrupting communities, which then creaks havoc, which allows you know China or another nation adversary to wreak havoc in the U.S.

SPEAKER_01: 28:04

Yeah, and and OT is a different beast. When when you think about you know large production plants, they have scheduled outages. And, you know, it may be 18 months between times where you're going to intentionally take the line down. And, you know, in the IT world, we're looking at, you know, a high value exploit has come out. I need to patch in 24 hours or I'm going to get exploited. Well, if you're not going to bring your line down for 18 months, you know, you're not going to be doing any patching during that window. So what other defenses and architecture are you doing to make sure that you're protecting that vulnerability from being exploited? So there's there's a there's a very different mindset in the OT world, and there's there's physical constraints that differ differ in the IT and OT world.

SPEAKER_02: 29:01

You mentioned, I think you mentioned uh policy. What are we seeing right now in the regulatory landscape or arena? Or what should we expect maybe within the next 12 months? I know it's a crystal ball question. Yeah. Policy, regulation, what should what should we keep be keeping our eyes on?

SPEAKER_03: 29:15

I mean, specifically as it relates to AI, and this is where you know I'd really like some back and forth here because it's not that him and I think to see the world different. I think it's just at the pace that we're going to see. You know, during this current administration, obviously we've seen a lot of individuals leaving the US government and coming into industry like no time than we've seen in history. Now we can say, is that good, bad, or ugly? I would say most individuals don't necessarily understand the way that the US government operates. So for individuals that understand those mechanics, understand the way policy is moving forward, and for them to be coming into the private sector actually is really, really, really beneficial because it's gonna allow the private sector to better collaborate with the public sector. And why do I think that's important? Well, we just talked about the way that AI isn't necessarily being regulated by the government. It's being really looked to industry because of the fact that we have this coalescence that is happening within the private sector. I think that we're gonna be able to better communicate. Now, we're in the early days of this, and so it's chaos. Chaos. But what I am hoping to see, and this is where I'm a glass half full type of gal, is what I'm hoping to see is perhaps year three of the administration, that a little bit of this chaos starts to turn into harmony.

SPEAKER_02: 30:32

Rob, you know, she said that this is where you guys start to differ a little bit.

SPEAKER_01: 30:36

We've had some long discussions about this, and you know, the the reality is we're impaired. We've lost a lot of government capacity, whether you measure it by numbers, you measure it by expertise, or you measure it by the things the administration's accomplished to date, right? We've got CISA, one of the most important, you know, externally facing cybersecurity entities, still doesn't have confirmed director. You've got the National Security Agency without a director. Cyber Command, same person in that dual hat, is not there. But there's other tangible things like Congress has not has let SISA 2015, which is the fundamental authorization, letting private industry have safe harbor for sharing threat information with the government, they let it lapse. And they've not been able to get to the point where they can agree on a renewal yet, right? Everybody talks about how important it is, the fact that they want to renew it, but they haven't been able to get it over the over the hump. We've got things like funding for the ISACs, so the information sharing and security alliances. Those are places where private industry meets government, right? And we slash the funding for those. So so there's just this series of things when you aggregate them from expertise to capacity to authorizations to personnel. We're not going in the right direction. And we were we were not capable of deterring some of these major attacks, whether it be in the ransomware side or the nation state its side before that occurred. So we're in a hard place right now.

SPEAKER_03: 32:14

And he's he's not wrong. I mean, part of your question was from a regulatory perspective. Can you say that again? Rob Joyce, my friend, is not wrong. Yeah? Feel good? All right, I love it. We are great friends. Your initial question was, you know, how do you feel about the regulatory perspective? If we're wanting policy to get closer to the realities and industry, then I think this mix-up is fantastic. But just on the bus yesterday, which is what's so cool about events like what we're hosting here at the business summit, is was in a casual conversation on a bus with a CISO with a major utility company. And I'm like, you know, what are you feeling? Like, how is this hurt with the defunding of CISA and, you know, 200 layoffs that are happening with CISA? He's like, it's crippling. You know, what I'm being told right now is that they can't get involved until we are actually breached. And what is typically happening is there's information sharing happening from the private sector to the public sector, and the public sector is providing context. Context meaning what is happening across other utilities, what is happening across other industries, and that is critical to ensure that our CISOs are prepared and ready to defend new types of attacks, techniques, et cetera, and or when we're going to see an increase. And so what Rob is saying, and this is where I agree with you, the US government is being crippled in its ability to help the private sector defend, which puts us at a real disadvantage from a national security perspective.

SPEAKER_01: 33:47

At the same time, we're seeing industry step up, right? There are more partnerships and unusual alliances happening than I've ever seen in my whole career. And at a time when data is the currency of the realm for defending, the biggest players are realizing that they have some of the best insights and figuring out how to share across those boundaries. You know, the the enemy of my enemy is my friend. And, you know, we are all against these enemies. And so new friendships are forming. And these big hyperscale providers or some of the biggest, you know, intrusion response companies, they're all finding ways to bring their next generation of technology to this. And that is often AI, right? There is some incredible things happening in AI that are enabling the use of big data, right? Security graphs, great new concept where you're looking at all of the IP addresses in a range, all of the attacks that hit that, all of the activity that happened to the devices that use those IP addresses. And when you represent that in a massive graph, AI can now do sense making on a scale that neither of us are going to be able to hold in our head. We're not going to be able to intuit out with manual tools. It comes in and brings this layer of understanding that hasn't ever existed before.

SPEAKER_02: 35:13

That's happening now, or that's a feature.

SPEAKER_01: 35:15

That's happening now, but it's going to get better and better.

SPEAKER_02: 35:17

Yeah. Well, I you guys have given a lot of time, so I appreciate that. And I want to be respectful of your time. We covered a lot, and security teams already have a lot on their plate, meaning, how can they possibly uh ingest and understand and try to move forward in a more seamless way? It's hard, right? So maybe just end to the two of you, Madison. We can start with you. Like, what are the priorities? Give us a couple to start with that you know, it doesn't have to be industry specific, but broadly speaking, where should security teams be focusing on in 2026 so that they can weather the chaos until perhaps it levels out.

SPEAKER_03: 35:52

Listen, I I mean I think collaboration is is always key. You know, you referenced the GCAB earlier that we had, which was mostly with a large group of CTOs and CIOs. And there's always this constant friction between our infrastructure teams and our security teams because you know their missions are different. And so what we have to realize, given the space in which we have to move, we have to see some of these walls and silos breaking down. And so, you know, it's it's really is the basics. So, how can we continue to information share and cross-share between an organization, ensure that there are shared missions and alignment? Because what the the objective isn't changing. Protect a set of systems, ensure that the bad guys don't get the crown jewels. That's that's not changing. And so, how do we ensure that everyone is getting in lockstep around that shared responsibility model that is security?

SPEAKER_01: 36:44

Yeah. Yeah. And what I'd offer is AI is coming at us. And so teams need to be working on understanding how they can apply AI to their data, how they can enable the community collective defense using their information and the information of others. And, you know, you've got to get on the adoption cycle for AI. It is not the hype cycle, it is going to be table stakes. And if you wait until it's perfect and ready, you're already going to be breached. So start using and finding out what's going to work in your environment because those who use AI will outperform those who don't. So get your defense using AI.

SPEAKER_02: 37:26

Absolutely. Great advice to the two of you. Thank you so much for joining. We'll have you on again soon. Okay, thanks to Rob and Madison. What stands out from this conversation is that the threat itself isn't new, but the speed, scale, and the intent are. AI is accelerating both sides of the fight, and the organizations that learn to move with it, not fear it, will be the ones that keep control. This episode of the AI Proven Ground Podcast was produced by Nas Baker and Kara Kuhn. Our audio and video engineer is John Knoblock. My name is Brian Felt. Thanks for listening. We'll see you next time.