Disruptions, Disinformation, and Defense with Dr. Pablo Breuer

Show Notes

In this episode of The Entropy Podcast, host Francis Gorman sits down with Dr. Pablo Breuer, cybersecurity expert, retired U.S. Navy officer, and co-creator of the DISARM framework. The conversation dives into the looming post-quantum threat, the role of cyber operations in geopolitics, the rise of AI-driven disinformation, and the cultural shifts needed in cybersecurity practice. Pablo shares insights from his military career and explains why preparing for disruption now is critical for both governments and private industry.

Takeaways:

• Quantum Threats Are Real, But Not Immediate: The “crypto apocalypse” is likely a decade away, giving time for preparation with new encryption standards.
• Cyber Is Geopolitical Power: From influencing elections to disrupting food supply chains, cyber touches every lever of national power.
• Maslow’s Hierarchy of Cyber Needs: Security must be framed around basic human needs like food, shelter, and safety — not just industry sectors.
• Disinformation Needs Structure: The DISARM framework helps organizations map how misinformation spreads and how to counter it.
• AI & Deepfakes Demand New Thinking: Detecting “bad” won’t scale; we need to verify what’s “good” and authentic.
• Culture Over Technology: Cyber teams must move from being the “department of no” to being racing brakes — enabling speed with safety.

Sound Bytes:

• “We’re probably 10 years before a crypto apocalypse.”
• “Cyber touches every instrument of national power diplomatic, informational, military, and economic.”
• “Don’t frame security by industry, frame it by Maslow’s hierarchy of needs.”
• “Disinformation isn’t a silver bullet problem it’s a thousand-bullet problem.”
• “Don’t be the department of no. Security should be like racing brakes, built to go fast, safely.”

Transcript

Francis Gorman (00:01.185)
Hi, everyone. Welcome to the Entropy podcast. I'm your host, Francis Gorman. If you're enjoying our content, please take a moment to like and follow the show wherever it is you get your podcast from. Today's guest is Dr. Pablo Breuer, a cybersecurity expert, retired U.S. Navy officer and two-time DEFCOM Black Badge winner. Over his 22-year military career, he held leadership roles at U.S. Special Operations Command, the NSA, the U.S. Cyber Command,

and also a co-founder of the Cognitive Security Collaborative and a leading vice in the fight against this information, having helped create globally adopted frameworks like Amit and Disarm. Pablo, it's fantastic to have you here with me today.

Dr. Pablo Breuer (00:38.008)
Thanks for having me, Francis.

Francis Gorman (00:40.673)
Look, it's really good. I think you've got lots of different angles that I want to kind of scratch on today and bring to the surface. But the first thing I wanted to talk about Pablo is how urgent is the post quantum threat in your view? And are we already in a steel now decrypt later era? And we just have to really grasp the reality of a jet.

Dr. Pablo Breuer (01:03.27)
You know, I think when you talk to various experts, I think that there's still a disparity of opinions. I will tell you that I am personally of the mind that I don't think that we're as close to the crypto apocalypse as some would have you believe. One of the things that gives me hope is the fact that we are talking about it now. There are large corporations now that are trying to figure out, OK, what do we do about this? What is our plan when it gets here?

We've got national and international standards for post-quantum safe encryption, and they're being tested and in some cases implemented now. I really think that one of the things that people fail to take into account is how long we need to keep things secret. So given enough time, we can crack just about any encryption currently without using quantum. The question is,

by the time I crack the encryption is the thing that you're trying to keep secret still valuable. And so, you if you're working in national intelligence, then your horizon for how long you have to keep things secret is much higher than, say, if you're an online merchant and you just need to keep the session cookie secret for the length of the session. The other thing that people, you know, fail to take into account is really how encryption works. So...

Even if we could say that quantum computing could crack every possible key for an encryption algorithm at once, you end up with this unordered list and you still don't know which one is the correct one. So you have to go through and try them serially. And in some cases, if they manage to capture the traffic and save it off, that may or may not be a useful attack. But if you're trying to do it in real time and you're not able to actually capture the traffic, then

It's really not going to help you very much. The transmission is going to be gone probably by the time that you figure out the key. So my best guess would be we're probably 10 years before a crypto apocalypse.

Francis Gorman (03:11.394)
It's probably gonna take 10 years to get everyone off the scratch, I suspect. it's...

Dr. Pablo Breuer (03:14.382)
No, no, no, listen, there's an RSA next year, so we'll have other buzzwords next year.

Francis Gorman (03:20.418)
That's always good to know. And suppose, Pablo, you've often spoke about strategic latency. How does post quantum cryptography fit into the idea of a latent technological disruption?

Dr. Pablo Breuer (03:33.1)
Well, again, it's one of those things. One of the things that gives me hope is the fact that, again, we're talking about it now. There are other things, there are other technologies that cost massive change and massive disruption. And we either fail to recognize the level of disruption or we fail to appropriately prepare for it. And then it happens and now we're playing catch up. I think with post-quantum encryption,

The fact that we realize that it's probably going to be a game changer and the fact that we're talking about it now, we have standards now, companies are getting inventories now and really trying to figure out what specific business units this is going to affect really makes me believe that we're starting to learn some of the lessons from the last, you know, arguably 40 years of security. And so I think other things were...

not so good at. think, you know, we still follow the Gartner hype cycle. I made a kind of a fun poke at RSA, where, you know, we all go to RSA. It's a fantastic event, but, you know, I come out with a bingo card of, you know, what are the buzzwords going to be for the year? Because I know I'm going to get nothing but hype from vendors with those buzzwords, most of whom can't tell you how they're actually employing whatever that technology is. But I think

Post-quantum encryption and quantum computing is one where people have really paid attention because of the possible strategic cost, and they're not waiting to think about how to implement corrective action.

Francis Gorman (05:15.861)
And Pablo, in Europe, we have regulation like Dora coming in, which kind of focuses on technology, technology resilience. And within that regulatory framework, there are specifics around cryptography and, you know, building an inventory and keeping abreast of changes. And then quantum is a reference as part of that piece. In the States, is there any regulatory frameworks that are putting a spotlight on cryptography in terms of the quantum era?

Dr. Pablo Breuer (05:43.04)
Yeah, absolutely. So NIST has several standards out. They put out several papers. NIST, for those of you across the pond, is the National Institutes of Standards and Technologies. It's kind of our national version of ISO. And they put out several white papers on quantum cryptography. They've put out a strategic plan for how corporations and government should look at it.

They've suggested a couple of standards which they continue to test and continue to put out papers on and so I really think that this is one of those where You know, we may just get this one right we may be prepared before there's a problem and that's really That's really wonderful to see because we've not been so good at it in the past

Francis Gorman (06:32.707)
I think it's a bit reassuring to hear. I think the more conversation that people create around this topic, better, you know, so people get informed and start to understand, you know, where to start now. And I think getting an inventory is the first hop for most companies, you know, where is crypto used across my organization and what is weak and what needs to be changed out and how do we strategically plan for that transition. Pablo, I want to change slightly.

topics away from the cryptographic space and talk a little bit about the geopolitical landscape we see and the cyber role in it. How do you see cyber operations shaping future conflicts? And will there be an opening act or a main stage in your opinion when we get down to the nuts and bolts of kinetic warfare versus cyber warfare?

Dr. Pablo Breuer (07:24.502)
Yeah, no, this has been an ongoing topic for, gosh, at least 20 years. And people keep talking about cyber Pearl Harbor. I think that that's not the way I prefer to look at it. But I think you can take a look at the way that modern nation states are using cyber, either pre-kinetic as a form of influence or post-kinetic. You can look at what happened in the Ukraine.

And that's an example of how cyber will be used. I think you can look at North Korean efforts to, you know, bypass embargoes by using crypto and cyber. I think you can take a look at misinformation campaigns from Iran, from China, from Russia to influence. You know, people forget that when you...

When you talk about how nation states affect one another, you've got the, in the US military, we've got these things we call instruments of national power. And one of those is diplomatic. One is informational, one is military, and one is economic. And if you look at diplomatic, diplomatic really relies on information and intelligence, economic. I think we've used, we've seen a lot of cyber.

being used to economic fortunes and tariffs. Certainly countries like China have been accused of intellectual property theft to help their national economy. So I think across the spectrum, you can really take a look at cyber and go, listen, cyber really touches every one of these instruments of national power. Now, what I will say is when you look at

kind of the current state of the world, with the possible exception of China, the West relies on our cyber infrastructure a lot more than our adversaries do. When you look at Russia's current state infrastructure, it's not nearly as modernized and as connected to say the United States or Europe. And so,

Dr. Pablo Breuer (09:42.848)
we're at a bit of an asymmetric disadvantage just because we rely on the technology. And every so often, usually around elections, you start hearing about cyber protection of infrastructure and those kind of things. And then it kind of dies down. You don't hear a whole lot about the investment. And so we've got to quit using that as a political football. And we've really got to start.

paying attention and realizing that our transportation systems that transport people and food rely on these industrial control systems, electric power generation. Everybody talks about the lights being out. people will get uncomfortable if they're without lights for a couple of days, but really we're four missed meals away from complete anarchy. And so imagine a world where

Ships can't pull into port and trains can't run on time to transport food into and out of major population centers and now we've got real problems.

Francis Gorman (10:51.191)
that when you start to bring it to life and kind of bring it back to the basic services, transportation, water, electricity, it's been polarizing when you think of it in those veins and the interesting lens of deprecated technologies are actually a bonus in this space, which goes against everything I believe in.

Dr. Pablo Breuer (11:13.71)
Yeah, security through obsolescence. Yeah, security through obsolescence is a thing. Well, so let me suggest a different way to scope the problem. Because we talk about this in cyber realms. We talk about it in the case of industry, right? So we talk about transportation, and we talk about electric power generation. And I'm going to say that's the wrong way to look at it, right? Because that's an industry look.

I prefer to look at it as Maslow's hierarchy of needs, because that stuff is there for people. so things that are at the bottom of Maslow's hierarchy of needs, the basic things like food and shelter and physical security, those things absolutely must be protected. If I can't commute to work, that's one thing. If grocery stores can't get agriculture,

That's a much bigger concern in the grand scheme of things. And so you really have to look at things from a national security perspective. You really need to look at things from what do the citizenry need, right? What are the things that cause governments and countries to collapse? And invariably, those things come back to Maslow's hierarchy of needs. Yes, people are unhappy if they can't get through their social media. They're angry if they can't feed their children.

That's a whole other level of anger and angst. And so really I would encourage people when they have these discussions about national infrastructure, don't talk about the industry, talk about Maslow's hierarchy of needs and what it means for the citizenry.

Francis Gorman (12:53.053)
way of framing it and it does kind of trigger some aspects of the brain to focus in at a more granular level I suppose then on the problems you you follow the supply chains follow the infrastructure and kind of bed it up from there. You talked a little bit about disinformation and misinformation there Pablo and I know that you co-developed the disarm framework what led you to co-develop the disarm framework and how effective has it been in combat and

this information in real world scenarios.

Dr. Pablo Breuer (13:26.434)
Yeah, so back in 2017, I was still in uniform. was working at Softworks, which is the innovation space for your special operations command. And one of the things we were charged with was once a quarter, we would hold an event to educate the leadership on something that represented either an asymmetric threat or asymmetric capability to the nation and to special forces. And so in 2017, we did one on missing disinformation and deep fakes.

And the reception was very bifurcated. Some people that came to the event said, wow, this is really amazing. I had no idea we were here. This is very concerning. And then there were a lot of people that said, this is not a problem that I'm concerned about. This is not one of my problems. I don't feel like this was a good use of my time.

Regardless, we had people come from literally all over the world, as far as Australia, Italy. We had obviously some Americans there. So it was really an eye-opening experience. And then after the event, we all went out to dinner and we kind of had some uncomfortable conversations. And we realized that where counter disinformation was at the time.

is a bit like where cyber was in the early 2000s. And what we meant by that was there were various different groups that were talking about this. There were various different groups that realized that this was gonna be a problem. There were multiple groups that needed to get involved to provide some sort of solution. This is not a...

something that only technology people can solve or only legal people can solve or only regulatory people can solve. This is not a silver bullet problem, it's a thousand bullet problem. And then we realized that every one of those communities was using very different language. And so it made it very difficult to talk and coordinate and figure out what should be done and how it should be done and how we do these things while protecting

Dr. Pablo Breuer (15:38.166)
people's right to free speech and people's right to to opinions and sharing those opinions. So let me backtrack a bit and let me kind of explain the difference between misinformation and disinformation. Because people use them interchangeably and they're different. So disinformation is when where there is an intent to deceive. And so I am knowingly presenting you incorrect, incomplete,

Or information out of context in order to deceive you to lead you to a conclusion. I want you to have That is different from misinformation misinformation is when I'm either infected by disinformation or When I read legitimate information and I somehow misinterpret it and get the wrong message out of it And now I'm out there putting out information that I believe to be true Not intending to deceive but as part of that, I'm deceiving

The Soviets had this great term for people that are infected with disinformation and then continue to propagate it, not realizing it as faulty, and they called them useful idiots. That's not very politically correct in these terms, but that's certainly kind an accurate description of what's going on. So that's the first thing. The second thing is that I want to point out is disarm isn't there to tell you what is disinformation and what is not disinformation.

That's not what disarm does. What disarm does is it lays out what are the different steps in the kill chain necessary to carry out a disinformation attack. And then what are the different tactics, techniques and procedures I can do to meet that requirement in the kill chain. And then for each one of those tactics, techniques and procedures, what are some defenses? What are some counter moves that I can do?

And so really it's a planning tool. I kind of like to refer to it as the MITRE attack of misinformation.

Dr. Pablo Breuer (17:42.678)
So going back to the story, at that dinner, realizing we had those problems, one of the other things that was also lamented was that there was a lot of funding for conducting mis and disinformation, but nobody was funding the defense. Nobody wanted to go anywhere near it either because they didn't see an operational gain from it. They didn't see a political gain from it. in the case of most Western societies,

they were concerned about being accused of censorship. And so my dear friend, Sarah Jane Farmer and I decided, well, we've got some time. This is a problem. We live here too. Let's see if we can take a swag at this. And so we started working on it. It was originally called AMIT, the Adversarial Misinformation and Influence Tactics and Techniques Framework.

and then it was presented at Black Hat 2019. We stood up the Cognitive Security Index, which was a panel of good people that were willing to give some time and some expertise to help us fill it out. And we've gone through several iterations. The latest version is Disarm 2.0, Disinformation Analysis and Response Measures. And that is, it is freely available

You can go to disarm.foundation and go in and see the work. We're actually asking for input so we can make changes and improvements for the next version coming out. So it's free for use. It's a GPL license. And we really want to hear back from the users and from the analysts in the community that can tell us what we got right, what we got wrong, and what we can do better so that it can continue to be an international standard.

Francis Gorman (19:39.588)
That's really, really impressive, Pablo. And hopefully some of the listeners will hear that call and go take a look and, you know, feedback into the loop for you. That would be useful. When we talk a lot about disinformation, as well as artificial intelligence has now crept stealthily into that space. You know, a lot of people reference deep fakes and that sort of thing. When you look at artificial intelligence and you pair it disinformation,

what do you perceive as the biggest threat?

Dr. Pablo Breuer (20:14.412)
OK, so let me start out by saying that I'm just like the crypto apocalypse. I don't think that AI is going to end the world. I think the difference between quantum computing and encryption and AI is unlike with quantum computing, where we've said, hey, this is going to be a problem. We should plan for it. We've not had that same kind of due diligence for AI for the most part. And so we're a bit behind, frankly. I don't see.

a whole lot of companies and governments talking about in really a way that can be operationalized. How do we protect ourselves from deep fakes? How do we protect ourselves from authentication attacks when we can no longer trust what we see on the Zoom call and what we hear on a phone call? And so that's got me a bit concerned. There are some relatively easy defenses that we can add in place right now at zero cost.

And then there are some more difficult things that we should really talk about. But what troubles me is that the discussions I'm hearing about the defenses, I think are doomed to fail. And what I mean by that is that we've got a whole lot of companies, a whole lot of governments talking about, we'll watermark anything that's created by an AI so you know it's created by an AI. And then you can think about whether or not you want to believe it. And I go, well, that's...

great if you're a legitimate company, but the cyber criminals are absolutely not going to watermark their AI. And then we've got deep fake AI detection tools, and that's really a race condition. And what I mean by that is we find a way to detect a deep fake. The people that create deep fakes look at it. They figure out how we're detecting it. They make the deep fake better to bypass that filter. And we've lived that dream.

since inception with antivirus, right? Antivirus is great, yet every month there are new viruses and new attacks that come out that bypass antivirus. We've even had attacks that leverage the antivirus as the point of entry. So I think detecting bad is, I think it's doomed to fail. I think what we need to do is we need to assure good, right? And the very simple way I was explaining it is,

Dr. Pablo Breuer (22:39.61)
When I was in the military, and I would pull up to a base gate, they didn't ask me if I was Osama bin Laden. They asked me to show an ID to verify that I was known good and actually belong there. And so if I can verify the things that I know are good, everything else is at least suspect, not necessarily bad, but least suspect. And now I can kind of treat it accordingly. And I think that's really a much better way to go.

It's allow known good and inspect everything else as opposed to block known bad. Because there's gonna be a lot of bad out there that we're just not able to identify. So I kind of teased a bit that there's some easy solutions for authentication. Let me give you a simple solution. So I think most of us at this point have had the thing come up where...

the bank or the debit card or credit card company calls us and says, hey, there's a charge on your card that looks a little funny. Are you good with this? And so kind of the authentication mechanisms there are that ostensibly you're the only one that has your cell number and your phone. We know that there are ways to kind of bypass that for very large financial transactions.

it can be not only a phone call, it can be in some cases a video call. And so one of the things you can do is you can just ask for passwords, right? Or information that only that person, the legitimate person would know. Now we have to be careful about how to do this, right? If my bank calls me and says, hey, can you verify your mailing address? Well, that's publicly known. That's probably not going to be the...

the best way to do that. But asking for things like the security code on the back of my debit card might be OK, assuming my debit card hasn't been stolen. Asking for things like the middle name of my youngest child. There are things that we can ask that are not necessarily public information. And if we've got a big enough list of those, then I think that's an easy way to bypass it. There are some things that are

Dr. Pablo Breuer (24:59.914)
Not so good. I happen to use a particular bank and one of the security questions that they'll ask me is they'll refer to me by my retired rank. They'll say, Commander Brewer, can you tell me which service you served in? Well, if I'm a bad actor and use the term commander, well, that's either going to be the Coast Guard or the Navy. You've gotten rid of the Army, the Air Force, and the Marines. So maybe that one's not such a good question.

There are other things that we certainly could ask. And again, this is an evolving thing. There is no one correct answer for this. Biometrics can be bypassed, and multi-factor authentication can be bypassed, and voice can be bypassed, and video can be. But the more of these things that we pile on, the harder it gets to bypass all of them at real time. And so it's all helpful.

Francis Gorman (25:56.312)
And I think Sam Altman called us during the week or maybe two weeks ago at this stage when he pointed out that he was shocked banks still use certain biometrics for authentication when AI can now easily bypass those pieces, which is probably going to create a real problem into the future for some of those systems if you can't figure out intuitive ways to authenticate your customer base. And it may be also leading to the shift proceeding into blockchain.

And in some areas, know, we're seeing Visa has now adopted some blockchain technology in the back end and other large companies. you know, is there is there a shift happening there that's just been caused by pure disruption in the technology space that's been fueled by AI and inevitably quantum as it comes down the road.

Dr. Pablo Breuer (26:44.664)
Well, you know, I kind of find it funny that people always go to the financial sector. And I'll tell you why I think it's funny. The one thing that is sure to spur investment in security solutions is a loss of money. Believe me, financial firms spend more money than anybody else on security. So if there's going to be an early adopter for a security technology, it's going to be the financial firms. I'm far more concerned about national infrastructure.

right, and utilities that aren't necessarily going to do that because nobody wants to pay more taxes to do these things, right? They want more social services and less taxes. And then there are other companies that they're just going to look at it as the cost of doing business. You know, when you look at things like energy production, know, buying industrial control systems is very expensive. And usually those investments are there for

30, 40, 50 years and it's just not in their budget and they may go, look, we haven't been hit. If we get hit, it'll cost X million amount of dollars, but that's actually less money than it would take us to retool the entire factory, right? And so those are the ones that have me more concerned. Interestingly, I'm aware of two incidents that have already happened where deepfakes were used to...

make large money transactions fraudulently. Neither one of those was a financial service. They were both corporations. And that's probably because, frankly, the corporation security posture is less than that of financial institutions.

Francis Gorman (28:29.379)
It's just an interesting space at the moment, I suppose. It's hard to really ascertain where we're going to, because it seems to change at a rate of knots week by week.

Dr. Pablo Breuer (28:41.134)
It is. And the other thing to look at is, you know, I'm going to put my red team hat on, I'm going to pretend to be the bad actor and say, where are there more targets? If I want to attack large financial institutions, how many of those are there in the world? The payout is huge, but there aren't that many targets. If I want to attack elderly people,

My targets are limitless, their security posture is awful and it takes very little effort. Right? And so, you we can talk about the Nigerian prince thing, but you're seeing a very large rise right now in elderly people being deprived of their life savings and their pensions through, you know, fraudulent calls and fraudulent emails and those sort of things. So those are the ones that keep me up at night because there's nobody there to

really help them out. And you can try to steal a million dollars from a bank, or you can steal $100,000 from 1,000 elderly people. Which one do you think is going to be easier? And so those are the ones that really keep me up at night.

Francis Gorman (29:54.296)
keep us all up at night when we start breaking it down to that level. Pablo, you've worked in high stakes environments for most of your career. What's a lesson from military or the intelligence culture that private sectors need to learn? anything there that you can give in terms of no good of wisdom?

Dr. Pablo Breuer (30:13.246)
so I'm going to attack this from both the corporate side and then from, my own, you know, cybersecurity community side. cybersecurity in a lot of places have allowed themselves to become the department of no. I gotta tell you saying no is not something that you get to do in the military. those planes are going to take off. The ships are going to leave port. The tanks are going to roll. It's not a matter of can I do it? It's a matter of.

How can I do this and be as safe as possible? And so that's really something that I think governance and cybersecurity in the commercial industry needs to learn. You don't want to impede the business. You don't want to be seen as a speed bump. You want to be seen as an enabler. And I recently heard this description from a good friend of mine. And it's fabulous. So I'm going to steal it.

You have to be careful about the kind of breaks you are security. As cybersecurity, you want to be like racing brakes. Racing brakes are there to enable the race car to go as fast as safely possible. Not to stop the car, but to enable it to go as fast as safely possible. And that's really what we should be doing. If security is not being involved at the ideation stage, at the strategic plan stage, then you probably have a culture issue that you need to address.

You should make sure that you have the type of culture that business leaders go to a meeting and they look in the round and they go, where's the security guy or security gal that's going to let me know where the problems are going to be before they arrive so that we can lead the target and really think about security at the ideation stage and not after it goes to implementation and now we have to bolt it on afterwards. So I would say really proactively thinking about the risk, quantifying the risk.

And then deciding what risk is acceptable is really of paramount importance. It's really easy to say no, that doesn't help anybody. You're just not going to get invited back to the meetings and the company's still not going to do it. You unless you're you know, you're a man, or crowd strike chances are that the corporation you work for, the way that they make the revenue is not security. You're a sunk cost. So you need to be able to show business value somehow. And I think that that's something that really the cybersecurity community in

Dr. Pablo Breuer (32:37.422)
you know, the corporate world is missing.

Francis Gorman (32:41.443)
That's there's no no truer words ever spoken, I would say. And from someone who had security architecture background, you know, build it in, don't bolt it on, has been a mantra for many years now. You so I fully support it. I support that. That said, mean, Pablo, it's been fantastic having you on. I think we are after covering a great deal in a short amount of time there. And, know, it was it was a fantastic conversation. Hopefully the listeners get a lot out of it and.

You know, as you mentioned, if you want to go and check out the disarm.foundation, is that the correct? Correct you. This disarmed foundation should go on over there and have a look and contribute back to the community and help make it better if they can. So that's that's perfect. Look, I hope to have you on again in the future sometime. But it was it was great having you here today.

Dr. Pablo Breuer (33:16.078)
That's it, the Storm Dot Foundation.

Dr. Pablo Breuer (33:32.206)
I had great fun, thanks so much for having me.

Francis Gorman (33:34.414)
Thanks a million.