The Lock & Key Lounge — An ArmorText Original Podcast

Podcast #3: Cyber Safety Without a Net

ArmorText Season 1 Episode 3

What Happens When Government Steps Back

Now, on this episode, we'll be exploring a question that has been on a lot of people's minds -- What happens when the federal agencies tasked with cybersecurity begin to pull back? As workforce reductions hit CISA and the Cyber Safety Review Board is disbanded, many are left wondering how critical infrastructure and national cybersecurity posture will adapt. In this episode, we speak with Joe Slowik about the real-world consequences of these decisions, what gaps they leave behind, and whether the private sector can step in effectively.

We’ll also explore how threat actors like Salt Typhoon and Volt Typhoon fit into this new landscape, and hear Joe’s reflections on transitioning between the public and private sectors during a time of instability.

[00:00:03:00–00:00:30:00] Navroop Mitter:

Hello, this is Navroop Mitter, founder of ArmorText. I'm delighted to welcome you to this episode of The Lock & Key Lounge, where we bring you the smartest minds from legal, government, tech, and critical infrastructure to talk about groundbreaking ideas that you can apply now to strengthen your cybersecurity program and collectively keep us all safer. You can find all of our podcasts on our site, armortext.com, and listen to them on your favorite streaming channels. Be sure to give us feedback.

[00:00:34:12–00:02:40:03] Navroop:

Hello, and welcome to The Lock & Key Lounge podcast. I am Navroop Mitter, your host for today, and today we're going to be diving into the ripple effects of a shifting federal cybersecurity landscape with someone who is uniquely equipped to help us make sense of what comes next. Joe Slowik, welcome to our program.

Joe Slowik:

Thanks, Navroop. It’s a pleasure to be here.

Navroop:

All right. So, for those of you who don't know, Joe Slowik is one of the most respected names in threat intelligence and critical infrastructure defense. He most recently served as Principal Critical Infrastructure Threat Intelligence Engineer at MITRE and led CTI efforts for the MITRE ATT&CK framework. Over the last 15-plus years, he's built and led teams at Dragos, Los Alamos National Laboratory, and Huntress, and spent nearly five years as a Cryptologic Warfare Officer in the US Navy. Through his firm, Paralus LLC, Joe has also advised governments and private sector organizations around the world on threat intelligence, detection engineering, and security for ICS and OT environments. Whether he's tracking nation-state activity, analyzing supply chain threats, or developing adversary detection strategies, Joe brings a rare blend of hands-on technical skill and strategic perspective, and we're thrilled to welcome him to The Lock & Key Lounge. Now, Joe, with your background, the problem we had wasn't finding something to talk about. It was actually figuring out how to fit the topics we're going to address today into a 20- to 30-minute segment. So, if you're okay with it, I'll actually jump around a little, as there are four big topics that I know we want to cover tonight.

Joe:

Okay, let's do it.

Navroop:

Now, in this episode, we'll be exploring a question that has been on a lot of people's minds. What happens when the federal agencies tasked with cybersecurity begin to pull back as workforce reductions hit CISA, and the Cyber Safety Review Board is disbanded? Many are left wondering how critical infrastructure and national cybersecurity posture will adapt. In this episode, we speak with Joe Slowik about the real-world consequences of these decisions, what gaps they leave behind, and whether the private sector can step in effectively. We'll also explore how threat actors like Salt Typhoon and Volt Typhoon fit into this new landscape, and hear Joe's reflections on transitioning between the public and private sectors during a time of instability. So, Joe, let's dive right in. Let's start with the CISA layoffs and workforce reductions. What does this mean for federal cybersecurity operations, and what signals should the private sector be taking from this?

[00:02:51:16–00:06:13:21] Joe:

Right. So, for those who are not aware, there have been a series of workforce reductions—one of which appears to be due any minute now—for CISA, as well as impacting other areas of the federal cybersecurity ecosystem. And it's been very concerning because CISA is still a relatively new organization. It was stood up in 2018, I believe, during the first Trump administration and, arguably, has just been sort of finding its legs and maturing into achieving what that organization was built to do: providing a clearinghouse or a central point of access for cybersecurity efforts for both the .gov space as well as for critical infrastructure entities—whether very large entities for coordination purposes or, more critically, quite small entities that lack the resources to do a whole lot on their own. What's been interesting is that through both workforce reductions and executive orders, there's been what appears to be an attempt to shift greater burdens in these spaces to the states, which is interesting. There have been moves by certain entities, like Texas, for example, in starting up sort of a state cyber command to look after state infrastructure. But really, that key federal coordinating role of being able to see the bigger picture of what's going on across the entire United States and being able to apply that visibility and that knowledge to entities across the entire country seems to be degrading, not going away. I think there are still going to be people there, thank goodness. But it's really hard to see the mission continuing in the same capacity as it has existed, given that we're talking cuts of up to a third of current headcount—I think those are some of the numbers that I've seen—so pretty concerning. And from a private sector perspective, one thing that can be taken from this is that, well, someone's going to have to step up on these items.
That includes smaller asset owners that otherwise would be reliant on CISA for services like threat information sharing, tabletop exercises, and assessments—that's going to have to be paid for somehow and farmed out to the private sector. So, how is that going to work, and where are those resources going to come from? It also means that, for the larger entities in the private sector, certain coordination mechanisms are likely to be impaired in the near future. And what's going to replace them to allow for large electric utilities, large telecom companies? Who's going to be the neutral third party in the room to facilitate certain coordinated activities? So, certainly, there are the Information Sharing and Coordination Centers—the ISACs—that can play a bigger role and certainly already play a role. So, it's not like nothing exists in order to fulfill some of these missions, but it will change what we've been used to for the last five-plus years at this point, during which CISA has matured and become more relevant and more capable within this space.

Navroop:

I couldn't agree more. We've also been seeing, though, the disbanding of the Cyber Safety Review Board—a move that raised a lot of eyebrows in the wake of Salt Typhoon. What's the impact of losing an impartial body like the CSRB?

[00:06:13:23–00:09:25:15] Joe:

So, that's an excellent question, because I think the real answer right now is that we're not quite sure. Because, like I mentioned with CISA as a maturing organization, the Cyber Safety Review Board was very much new. It had really only done a couple of things—investigating a breach at Microsoft and some other activities—so it was very much an organization in development. What's unfortunate about this is that the most recent item that they had taken on was an investigation of the Salt Typhoon intrusions into major telecommunication companies. And, as I'm sure many listeners are aware, the information on the Salt Typhoon intrusions is not very readily available—at least not in public and open sources. And so, the Cyber Safety Review Board's evaluation of this represented not just an opportunity to determine, well, how did this happen, but also an excellent opportunity to share more information about, well, what was going on. How did this take place? And what can we learn about Salt Typhoon activity from both individual organization intrusions as well as larger ones? What's the purpose behind these intrusions? And fleshing this out a little bit more from a handful of major media stories and some similar information. So, with the CSRB, it was eliminated at a time when they were still just getting started. And so, it's difficult to point to what's the value that was lost because they, again, were relatively new. But I think it's also very critical to acknowledge that we are now not even going to find out how beneficial having that sort of a function would be for both broader information sharing as well as for the lessons-learned activity that could allow us to build better collective defense and share information with organizations on how to evade or defeat these sorts of intrusions.

Navroop:

Now, I can't imagine having a major airline crash or other issue take place without the presence of the National Transportation Safety Board—the NTSB. Not having the CSRB in place, even though it may have been of limited value today in the wake of the Salt Typhoon breach, does seem like a miss. I agree that, potentially, they weren't adding as much value as we would have liked. Well, my hope would be that this would have been part of that balancing act. Right? Perhaps it went a bit too far in some of what their analysis was at Microsoft. But in the future, if they went a little bit too shallow or not deep enough, at some point there would have been a discussion that we would all have had collectively as a community to help rightsize or redirect where their efforts would go and how much they would do. So, it does feel like we are at least losing out on that opportunity to create the CSRB of the future that we would want to see.

Joe:

Yes, and I agree with that. And I hope my earlier comments aren't construed as indicating that I don't think there was value with the CSRB. Rather, I think we're missing out on a lot of potential future value, as that concept was in the process of growing, in the process of developing. And, like you said, with the NTSB, we would never imagine there being something like an airline incident without having the NTSB investigating to perform root cause analysis and improve the overall safety of air transportation. Similarly, while there were or are various difficulties in the cyber perspective between private and public resources and ownership of various activities and networks and so forth, there's still a lot that we could be doing as an industry, as a government, from a regulatory perspective to try to apply lessons learned from breaches like Salt Typhoon, like APT29 or whatever—to go back to the Microsoft case—that aren't going to be effectively communicated or will only be communicated in siloed fashion among things like private commercial threat reporting or classified reporting, which undermines the ability to extend lessons learned to as large an audience as possible to improve collective defense.

[00:10:09:09–00:15:59:06] Navroop:

So, okay, now let's pivot to one of those other many topics we want to discuss. Let's pivot to the threat landscape—Salt Typhoon, Volt Typhoon. We've been hearing their names a lot. Can you break down who these groups are—how they differ and why? While Salt Typhoon has dominated the headlines, perhaps our attention would be better spent on Volt Typhoon.

Joe:

Yes. So, Salt and Volt Typhoon are two threat clusters that are linked to the People's Republic of China. The threat clusters were named by Microsoft using their naming convention, where Chinese-origin threat actors are referred to as typhoons. Both of these actors have been around for a bit, although there is some confusion—some uncertainty—as to what specifically these actors align to within the broader PRC information operations and cyber operations space. So, unlike what we've seen for other threat actors—like a Sandworm—where there is ample public reporting linking that group to a very specific unit within the Russian military, we don't have, publicly, that sort of assignment for these groups, so they're a little more murky in nature than some other threats that we're tracking. That murkiness aside, though, these groups have been quite concerning, given what their operations have consisted of in terms of targeting critical infrastructure. So, Volt Typhoon is the first to really enter the scene, through some reporting from Microsoft and then subsequent reporting from CISA and other partners on Volt Typhoon intrusions into critical infrastructure environments, such as electric utilities, logistics systems, and other related entities. And the assessment was that this was not information collection, but rather information gathering for the purpose of executing follow-on, likely disruptive events—potentially linked to a Taiwan Strait or similar scenario. So, that's pretty scary stuff. And we're talking about cyber operations as a preparation for disrupting critical elements of how we as a society function.
Not that long after Volt Typhoon—maybe a little bit longer, I guess maybe a year or so—Salt Typhoon entered the consciousness with, initially, major media reporting about Salt Typhoon being an entity of concern for breaches into major telecommunication operators, and doing so to the degree that they were able to do things such as piggyback off of lawful intercept collection mechanisms within the telecommunication networks and collect individual telephone communications—voice calls from Parliament figures, including prominent politicians and so forth. That's pretty scary. And I would add that for Salt Typhoon to be in a position to do this sort of collection also means they're in a position to actually, say, disconnect these systems or impair them in some way, which can have devastating effects for the ability to communicate. Although there's no evidence, like we've seen with Volt Typhoon, or at least no assessment that Salt Typhoon is really there for potentially disruptive purposes; rather, it really seems to be much more of a very sophisticated, very effective intelligence collection operation. So, putting those two perspectives in mind, Salt Typhoon is certainly very scary and gives people a very uneasy feeling that their voice communications—supposedly private voice communications and similar—are being intercepted by a foreign intelligence agency for some reason. That is not a pleasant feeling whatsoever, but I think we really need to set that in the context that that's bad and has lots of implications for privacy and the confidentiality of information.
But is it as concerning as continued—because Volt Typhoon is not going away—activity burrowing into physical or cyber-physical infrastructure that can have impacts for things like how we move food across the country, and supply chains for moving military personnel and equipment across the country, or the ability to have reliable electric utilities and power delivery, or water and wastewater treatment operations? Because that's really where Volt Typhoon has focused its efforts. And depending on who you talk to, they are either more or less focused on entities that are close to major national security installations. But that's still an awfully large part of the overall society in question. And there are real concerns in terms of impacts to human life and well-being. If the power goes out through some sort of cyber mechanism—which is not an easy thing to do, but certainly is a possible thing to do—how long do hospitals have to operate on backup power before we start seeing negative outcomes to patient care and similar? So, Salt Typhoon has certainly attracted the majority of headlines over the last year, especially around the US election in 2020—2024. Wow. Okay, I can get my years straight. But I would still argue that we can't keep, or take, our eyes off of Volt Typhoon, given the nature of that threat and what they have been targeting.

Navroop:

Was it 2020—2024? It is all a blur ever since the pandemic started. But I couldn't agree more. Right? The privacy of communications is absolutely important. There is especially a range of communications—for example, what we deal with in out-of-band comms for incident response—that are especially important to protect. But a lot of the actions of Volt Typhoon could be much more immediately disruptive to our very ways of life. And so I agree. There is a lack of attention amongst many on the actions of Volt Typhoon, simply because Salt Typhoon dominated the media headlines.

Joe:

Yes, and I think Salt also approached something that most people had more connection with or saw as something more immediate—because everyone uses the phone, but not everyone knows how things work when you flip the light switch and the lights come on. So there was a greater distance between what Volt Typhoon was impacting and what people were able to perceive, at least compared with Salt Typhoon. Certainly, I would hope that—from a defender standpoint—I don't think people have taken their eye off the ball when it comes to Volt Typhoon. But from a general sense of, "What should we really be caring about?"—the answer is care about both of them, obviously. But certainly not to let one overwhelm the other or to let one result in us devoting fewer resources to the other, which may be the case as attention drifts, especially at the policy level, towards Salt and away from Volt these days.

[00:16:31:11–00:21:07:04] Navroop:

All right. And in trying to keep us on track to hit that somewhere between 20- and 30-minute mark over here, let's jump to the next topic. With government pulling back, what expectations should we realistically have for the private sector to fill the gap? Where can it succeed, and where might it fall short?

Joe:

Yeah, that's an excellent question. Because, first off, we need to acknowledge that the private sector, given the nature of critical infrastructure ownership within the United States, has already been very much engaged in defending or monitoring a lot of these networks. The problem is when it starts coming to issues like coordination at a larger scale—at a nationwide scale—or coverage for entities that lack the resources or the capabilities to do much for their own defense, like your local water and wastewater utility. Who steps in there? Because there's an entire ecosystem of information security, cybersecurity firms—whether we're talking specialist entities like a Dragos or a Claroty for critical infrastructure, or larger, more generalist shops like Google Mandiant or Microsoft becoming more involved in this space, or CrowdStrike—so there's no shortage of private sector entities that can do this. What's going to be interesting is that as we see a pullback on the government side—as being potentially a backstop or a final coordinating entity—or degrading federal ability to do so through cuts at CISA and pushing more authorities to states and so forth, how are we going to coordinate this more effectively, to make collective defense possible, when a lot of this is now going to be residing in a number of firms that are competitive with one another? Furthermore, well, many of these firms are highly successful, employing numbers of very talented, very skilled individuals. If we get involved in an event like a Volt Typhoon Goes Active scenario, and we start seeing cyber disruption taking place at a variety of organizations roughly simultaneously—and potentially other impacts going on elsewhere at the same time—how are we going to then prioritize what we respond to in terms of who gets access to these limited resources in terms of incident response and similar capabilities in a widespread disruption environment?
Is this based upon how much people are paying for their retainers at that point? Is it a gut feeling on the part of these private firms for who they respond to first and who they get to next? That is, honestly, one of the things that is most interesting to me. Maybe “interesting” is the wrong way of putting it. Maybe “concerning” is a little bit better way of putting it, because, arguably, there could be ways through regulation and through other ways of setting and managing expectations so that critical infrastructure owners and operators have at least some idea of where they fall within this prioritization and can plan accordingly—that they are first in line for support, or they know that they are fourth, fifth, sixth, or seventh in line, based upon how things shake out. And while there is very limited transparency with that at present, I think as we start moving into a more privatized environment, there's going to be little, if any, of that transparency moving forward, which makes planning and coordinating defense—if we're talking about widespread activity—challenging, to say the least.

Navroop:

Agree that it is quite concerning that, potentially, we're moving to a world in which the actual potential impact for an organization going down, or being compromised, or otherwise being impeded in their operations, may not actually dictate how we prioritize. It may just come down to how large their retainer was with whichever provider was on the hook to help them during a breach. It's quite scary because I can think of a number of places, specifically in energy or electricity, where you have rather small entities—but because of where they sit in the BES, the Bulk Electric System—they're absolutely vital for the functioning of the grid.

Joe:

Right.

Navroop:

And yet, they're frankly tiny. And so it's quite scary because you think about where they sit and what kind of resources they would have access to. I'm confident, though not certain, that their retainers would not be on par with those of the larger investor-owned utilities or publicly traded companies. That's a great point. All right. So, switching gears again to yet another topic—you've made transitions between public and private sector roles back and forth now as teams in both arenas faced cuts or rebalancing.

[00:21:07:06–00:23:05:23] Navroop:

What advice do you have for security professionals in navigating uncertainty right now?

Joe:

I think the greatest bit of advice is the ability to stay flexible and to stay curious. I think where folks are finding things hardest—especially through cutbacks in the private sector—there have been ongoing layoffs in the information security space for a couple of years now. And now that's been joined with cutbacks in the public sector through a variety of cost cutting at the federal government and through similar organizations—and certainly adjacent organizations—that rely on federal funding. People who are both willing to branch out into things that they're maybe not as comfortable in and willing to learn and engage with newer technologies and applications—whether that's becoming better when it comes to cloud infrastructure or learning what are the capabilities and limitations of the current generation of artificial intelligence—those are really key factors in trying to migrate towards where there is spending still, where there is still growth when it comes to this space. And staying still is—while it's certainly possible—I'm not going to say that there are no opportunities whatsoever, but it certainly makes life more difficult in an evolving landscape. We're really seeing, I think, an ecosystem where it is evolve or die—or at least evolve or get left behind at this point. And there needs to be a willingness on the part of individuals to embrace, continue learning, and to really understand what's the state of the now when it comes to technologies and applications, whether we're talking about evolutions in cyber threat intelligence, how to manage security operations centers that are increasingly featuring a lot of offshoring, and similar. So you have very distributed teams. And what that looks like from a management communication perspective, and similar trends, all need to be understood and embraced in order to have any chance for success within the current pretty challenging market.

[00:23:06:04–00:25:40:21] Navroop:

So, let's take a look at the leadership. Right. It's not just about those of us who are potentially impacted by decisions they're making. Let's say you had the ear of government and private sector leaders today. What would you tell them? What's at stake in this moment of transition?

Joe:

I would say, primarily, be careful, because—we certainly haven't been operating in a perfect world for many years. So one rejoinder to a lot of the impacts on the defense side in the information security space is that—well, we've been throwing lots of money and resources at these problems for a decade plus now at this point. But it doesn't seem the problems have gotten any better, and they certainly haven't gone away. So, what value are you really bringing? I am sympathetic to that argument, although I would also challenge it in that it could be a lot worse. And so, just looking at things and saying, well, we haven't really been able to succeed at what we've been doing. Maybe we just invest in resilience and recovery and call it even, and we don't need all these other fancy tools for identification, detection, and similar. That becomes a very dangerous proposition because we don't know how much worse it could get. So, very much, there is a conservative principle here: we don't really know how much worse or how much more impactful items could get if we start taking our eyes off or start focusing our attention elsewhere within these ecosystems. Having said that—because there is certainly a lot of drive, given the uncertain economic landscape and other things right now, to economize on items—organizations are going to have to realize that while maybe we don't have the complete free spend that may have been the case five years ago in this space, at the same time, we need to figure out ways of accomplishing the missions in question in a way that allows them to exist and, ideally, succeed while still keeping an eye on budgetary items. So, understanding the tension between economizing on resources, including people, and the ability to maintain mission is going to be really vital for the next couple of years.
And I'm concerned sometimes that there's an overemphasis on the economizing part without understanding, or doing the effort required to understand, what this economizing will do for mission readiness and mission impact scenarios.

Navroop:

And with that, Joe, I think we've wrapped up most of the topics we said we were definitely going to hit today, but if you've got time, we've got one final question. It's a little bit more of a fun question that we like to ask towards the end of each one of our podcasts.

Joe:

Certainly.

[00:25:41:00–00:26:35:19] Navroop:

All right. So you've just wrapped a week analyzing Typhoon-grade APTs or navigating federal bureaucracy. What's your go-to libation as you unwind?

Joe:

Oh, that's an excellent question. My go-to libation—I am a man of simple tastes. I typically stick to just a nice cold beer. That's typically how I'm going to end a Friday of doing a lot of this work, sitting with a nice beverage. I will give a shout-out to probably my favorite for over 20 years—a good Bell's Two Hearted, which is an American IPA. That really hits the spot for me, for what it's worth.

Navroop:

I love it. Okay, so then, the next time we get together, beers are on me.

Joe:

Okay.

Navroop:

And with that, we're going to bring this episode to a close. Thanks for joining us on this episode of The Lock & Key Lounge. Just remember, you can outsource a lot of things, but national resilience isn't one of them.

[00:26:35:19–00:27:04:21] Narrator (Matt Calligan of ArmorText):

We really hope you enjoyed this episode of The Lock & Key Lounge.

If you're a cybersecurity expert or you have a unique insight or point of view on the topic—and we know you do—we'd love to hear from you. Please email us at lounge@armortext.com or visit our website: armortext.com/podcast.

I'm Matt Calligan, Director of Revenue Operations here at ArmorText, inviting you back here next time, where you'll get live, unenciphered, unfiltered, stirred—never shaken—insights into the latest cybersecurity concepts.