Transcript
Greg Otto [00:00:02]:
And explain how, okay, if we have this capability, what can we do to make sure that it doesn’t run rampant? And I think that’s where Anthropic is having a real struggle right now, is communicating that to upper level people in the government that may not have the understanding on the way that this bleeding edge technology works.
Frank Cilluffo [00:00:27]:
Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo and this week really excited to sit down with our guest, Greg Otto. Greg is the editor in chief of CyberScoop, one of the preeminent news organizations focused exclusively on cyber. And he is also the host of a weekly podcast, Safe Mode. And I highly urge all our listeners to tune in to Safe Mode after they listen to CyberFocus.
Greg Otto [00:00:59]:
Appreciate it.
Frank Cilluffo [00:00:59]:
Greg, thanks so much for joining us here.
Greg Otto [00:01:01]:
Absolutely.
Frank Cilluffo [00:01:01]:
Pleasure to be so as an editor and also a prolific writer. And we’re going to talk about the piece you wrote this week, but you’re constantly sitting down and speaking to government officials, researchers, academics, policymakers. What were the biggest stories that surfaced this week? And I want to save some of the discussion around Anthropic because that’s this week, next week, and the previous five weeks. But in addition to some of the Anthropic discussion, any other stories really make it above the fold from your perspective?
Greg Otto [00:01:34]:
Well, I’d say let’s separate it into two buckets. Like you said, the Anthropic AI policy news. Yeah, let’s save that for deeper in our discussion. Non-Anthropic news is the way I’ve been describing it this week. That’s the right way to do it in the newsroom. Two big things in terms of cybersecurity that we’ve been following. One is I would say this was probably the biggest story in the cybersecurity space. Pre export control news is the fight between vulnerability researchers and vulnerability disclosure, particularly with Microsoft.
Greg Otto [00:02:09]:
There is this researcher out there who is only known to the public by their handle, Nightmare Eclipse. And they have put forth and released publicly, I think to this point, 70 days affecting Microsoft products. And the reason this has come out is because the researcher says that Microsoft has not played fair when it comes to vulnerability disclosure. Microsoft has put out some public facing material to explain why they do what they do when it comes to vulnerability disclosure. And everybody’s mad about it, both on the industry side and both on the independent vulnerability researcher side. And this has been a really big deal, especially because of the way that AI factors into this now where, look, if you are smart enough to do so, you don’t need Mythos or Daybreak access. You just need access to an LLM. And if you know what you’re doing, if you prompt it the right way, you can discover all types of bugs in all types of software platforms, hardware, operating systems, whatever.
Greg Otto [00:03:18]:
That’s the reality of the situation now. So given that there’s been a lot of Talk around the 90 day vulnerability disclosure and how 90 days with the advent of AI is like almost a half decade, I feel like when it comes to disclosing bugs. So on top of that with this whole episode with Nightmare Eclipse, there’s some really big discussions about just the rapid erosion of trust between the people in the industry that are responsible for patching these bugs and the researchers that find these bugs. It’s. The daggers are out, I will say, and I can understand how on both sides where, look, this is not a new fight. What’s new about it is the fact that the timelines are so compressed due to AI. But we’ve been talking about this, I feel going back 3, 5, 8, 10 years where there’s always been a butting of heads between the research community and Microsoft on this. And I shouldn’t say Microsoft and Microsoft is key to this time around, but whether it’s, I don’t know, pick a big technological supplier that has researchers to reach out to it day in and day out, where there’s always been a fight, there has always been a fight and there’s always been inherent, some distrust.
Greg Otto [00:04:40]:
It’s now that that trust is the worst that I’ve ever seen based on what we’ve seen with Nightmare Eclipse, where I don’t know where we go from here, I don’t. And I think that a lot of people are going to have to have a come to Jesus moment with the vulnerability disclosure timeline because I think that is really the crux of the problem here.
Frank Cilluffo [00:04:59]:
Well, you, you, you foreshadowed more than foreshadowed. You jumped in right into where I do want to go. And I thought into some of the vulnerability disclosure questions, which you’re absolutely right. Our systems cannot absorb what we’re doing and we’ll talk through some of the complexities around that. And yeah, the bug bounty business has changed dramatically, but it’s been around for a while. But for those that haven’t followed every twist and turn on the recent news around, Anthropic news around Fable-5 and its implications help, help us paint a picture there.
Greg Otto [00:05:38]:
So okay, the big deal with this is that Fable-5 and Anthropic’s other model, Mythos 5, have been the talk of the cybersecurity community since Project Glasswing. The project that Anthropic launched was revealed in April. And Mythos came out with a warning from Anthropic that they were going to put guardrails onto this through the project and let vetted companies and vetted organizations into the model have access to the model in order to find those bugs. Because Anthropic’s own testing found that they almost were like, this is too good at what humans are currently capable of when it comes to vulnerability hunting. It was released initially to a handful of companies in April under Mythos Preview, and then last week, last Tuesday, I believe at the beginning of June, we’ll say Anthropic said that we are going to bring more people into the fold. And then also what we are going to do is release a Fable-5, which is how it was described to me as Mythos on a leash. Basically, there were additional safeguards put in place, and Anthropic’s own testing found that it was not able to be universally jailbroken. In other words, those guardrails couldn’t be taken down completely.
Greg Otto [00:07:04]:
There were some reports that there were ways that Fable-5 could do some stuff that didn’t really jive with the way that policymakers and experts in Washington were comfortable in having out into the public. Then over the weekend, one weekend recently, I shouldn’t say even the weekend, it was a Friday that National Cyber Director Sean Cairncross, Howard Lutnick, Scott Bessent got on the phone with Anthropic and said, we don’t like what you’re doing. Please stop. Can we please stop this? And Anthropic went, this is another old adage when it comes to technology. This is a feature, not a bug. The powers that be in Washington didn’t like that. And so we saw late Friday of that week, Anthropic was slopped with, slapped with export controls, basically couldn’t let foreign. Foreign nationals have access to it at all.
Frank Cilluffo [00:08:05]:
Even though it’s working?
Greg Otto [00:08:06]:
Even though it was working, yeah. Anthropic was like, well, we have. That means that our own staff can’t use it because we have foreign nationals. So they shut it off. Then over the weekend, there was reporting, and I was talking to sources about this too, that Amazon passed along a report to the federal government that outlined some of the technical issues that they found in Fable. Anthropic passed this report to some experts in the field when it comes to cybersecurity and export controls, including one in particular, Katie Moussouris, who is a long
Frank Cilluffo [00:08:43]:
time thinking about bug.
Greg Otto [00:08:44]:
Yeah, yeah. She is one of the foremost experts in vulnerability disclosure, in bug hunting, in export controls. Like, if there was one person on the earth that could tell you right from wrong with this report, Katie’s it. And basically she was like, yes, the reports here are showing that there is an issue with what Fable-5 is doing, but it wasn’t something that was inherent to Anthropic. It is something that is inherent to just technology at large. Whether it is OpenAI’s LLM, these open weight open source models that you see that may have Chinese backing. This is all possible just due to the technology. So her response and some other responses from the cybersecurity community was, this isn’t the way that we should be going about this.
Greg Otto [00:09:37]:
Again, I go back to the prevailing idea that I have come away with myself after talking to a bunch of experts is this is a feature, not a bug, in what is going on with Anthropic that has got the federal government so mad. I think a lot of it was in the White House not fully understanding what is possible. And that’s not necessarily on the White House. This is new technology. Like, what is capable here is new to 99.9% of the population. But we’ve seen stories where there have been unintended consequences of asking AI and AI agents to do something by very, very smart people. And they were like, well, I didn’t expect that to. So I think part of it lies in the White House seeing that report.
Greg Otto [00:10:23]:
And then Anthropic going, yeah, that’s the way that this works. And the White House going, we are not comfortable with that. That led to the actions being taken where they turned around and told Anthropic, shut it down, turn it off. And Anthropic said, well, we really don’t want to do that. And then Howard Lutnick said, well, then we’re going to exercise export controls. Like, we’ll do what we have to do to make sure that you turn this off. And here we are.
Frank Cilluffo [00:10:45]:
You know, it does beg a bigger question here. And the old adage, and I’ve been a bit of a buzzsaw on this, repeating myself over and over. I’ve always said the public private partnership, long on nouns, short on verbs, but. But the reality, there was always this belief that government lead, private sector follow. When we look at who holds the cards going forward, it may not be that traditional model, it’s a handful of companies, and it’s not even the critical infrastructure owner, who I think essentially need to be able to gain access and identify vulnerabilities that can affect every American economically, militarily, public safety, health wise, and the like. But do you think that there’s a lot of. And part of this is understandable because it is a transformational technology, but that partnership. And do you think that we’re missing clarity in terms of what the government’s position is? Because right now it’s Anthropic.
Frank Cilluffo [00:11:45]:
Two weeks from now it’s going to be someone else. Three weeks from now it’s going to be someone else. If it’s China, I don’t think there’d be any press conference. I don’t think we’d have any discussion. We’d be owned by the time it was let out in the wild. But what do you think this means for. For that bigger discussion?
Greg Otto [00:12:01]:
So the bigger discussion I think actually should. Shouldn’t have been done in this manner. Because I think going back to the export control part of it and what Anthropic’s argument is basically like, this is a feature, not a bug. Well, okay, but if it was a feature, not a bug all along, and you rolled this out in April, like, why were we not having these conversations six weeks ago? Or maybe don’t release this and educate the government on what exactly it is that we have here and needs to be done. And maybe things could go a bit differently and it not be this, you know, really fighting with. Fighting between everybody, fighting within the media and having it be Anthropic versus the federal government, which we already know based on what we saw at the Department of War, is something that is tense. It’s tense and it’s still underlying. Like even that is underlying from the standpoint of that, yes, Secretary Hegseth has gone out and there was that fight around what the models could do, but yet the NSA had access to Mythos when it rolled out, and nobody objected to that whatsoever.
Greg Otto [00:13:21]:
So I do think that the clarity that you talk about, I think is happening, but it’s happening as a cleanup almost. And if Anthropic would have done a better job of getting in front of the government and describing these capabilities and really helping them understand what was possible, and maybe not rolling out Project Glasswing in April, we’d be having a different discussion.
Frank Cilluffo [00:13:49]:
And I don’t think there are black and white right and wrongs here. Right. I mean, these are complex issues that we are just Struggling with from a governance standpoint. And I think that’s actually kind of healthy in a democratic society. Not sure we know what that means yet.
Greg Otto [00:14:07]:
And I think the government is figuring that out as they go along, which isn’t great. But also like I also think about it and I’ve been talking to experts about this. I am not a lawyer. I. So I can’t speak for you.
Frank Cilluffo [00:14:18]:
Don’t play one on tv. Yeah, right. I don’t.
Greg Otto [00:14:19]:
I don’t do that. I don’t pretend to know all the ins and outs of the Wassenaar agreement or the export controls or everything like that. But I have seen the opinion where that export controls might have been heavy handed just by the way that export controls have been applied to software in, in the past. Going back to the expertise that Katie Moussouris has in the Wassenaar agreement. That’s really been around like zero days and the transfer of zero days. And when I ask everybody listening or watching think about what we mean when we talk about the transfer of zero days. I can put a zero day on a drive and potentially take it to a foreign national or foreign country. That’s not necessarily illegal.
Greg Otto [00:15:04]:
But what the export controls say is check in with us please before you do that. Because it is the transfer. Because we literally very physically do not want those exploits if they are being bought and sold. We don’t want them purchased by a government or whatever it is a transfer. We don’t want somebody to have the tangible ability to have that when maybe they shouldn’t in. In our interest. With Anthropic the model is a bit different. Like it’s almost.
Greg Otto [00:15:31]:
It’s software in the same way that Microsoft Word is software. And what we are really worked up about right now is the outputs. Like we’re not. I can’t unless I was an insider threat at Anthropic where I could find a bunch of hard drives and go to.
Frank Cilluffo [00:15:48]:
Which is a legitimate issue by the way.
Greg Otto [00:15:49]:
Right. But it does not have to get that way. Go look up what distillation attacks are like. That’s something totally separate. Which is. But. Well, I shouldn’t say it’s not totally separate because it gets back to what I’m talking about with output in that the model itself isn’t the problem, it’s the output. But it is in a way software as a service in the same way that Gmail or Office365 is.
Greg Otto [00:16:12]:
Where are we really trying to slap export controls on outputs and can we do that legally? Is that something that you can legally do. That’s where I go back to.
Frank Cilluffo [00:16:23]:
Great.
Greg Otto [00:16:24]:
I am not a lawyer. I do not know that I am. I am just having conversations with people that are asking these questions too, where it’s like we are. Is the federal government being a little bit too obtuse in the way that we are. We. I say we the government. The way that the government is expressing displeasure with the way that Anthropic is handling the release of me.
Frank Cilluffo [00:16:44]:
This, you know, you raise and the output versus that. That’s actually a good point. To me, cyber is the outcome you’re trying to achieve rather than the instrumentality in itself. That, that’s a, that’s a great conversation. I want to table that for one second though, because when you look at this issue, it’s an AI safety issue. Yes. It’s an export control issue. Yes.
Frank Cilluffo [00:17:08]:
It’s a cybersecurity issue. Yes. And it’s all playing against the backdrop of strategic competition with the People’s Republic of China, where you also don’t want to stymie your innovation and your ability to get ahead because that’s unacceptable either. We lose that race. So it’s all of these, it’s a confluence of all of these events simultaneously. Right. And I’m not sure one is trumping the other. That’s, that’s what’s hard here.
Frank Cilluffo [00:17:36]:
And I would be curious, you said you’re not a lawyer, but you speak to a lot of lawyers on Capitol Hill. What are, what are their considerations at this point?
Greg Otto [00:17:44]:
So I think that they were also blindsided. Whether it’s lawmakers, staffers or even lawmakers themselves that were blindsided and sort of waiting to see how this all pans out. We have a story on CyberScoop where we talked to Mark Warner, we talked to Andrew Garbarino who are all people in the Intelligence and Homeland Security like people that have a vested interest. Yeah, thoughtful, but vested interest in seeing how people use Anthropic. Whether that is people at CISA that use it for their own threat hunting capabilities or how we are using it in terms of the intel community or also what our adversaries are going to do if just within the in, in the LLM space, but also some of them, like this has all become frankly politicized. Just. I mean, what hasn’t at this point? But Mark Warner also said it to us where he was like, look, the federal government has the wherewithal to do some of this. They’re in power, they’re going to exercise what they feel.
Greg Otto [00:18:53]:
However, I think it Would. Let’s go back to the fight that Anthropic has been having just on a tonal and a personality basis with the White House and the Trump administration. And doesn’t it seem like we’re just fighting for fighting sake a little bit? So, yeah, I’m going. Lawmakers are like, it’s almost too fast to keep up with. So we’re just going to let this play out and then we’ll figure it out from there. But I mean, all of us, I’ve been doing this for 15 years, as you know. I cannot tell you how fast this is moving. It literally is.
Greg Otto [00:19:29]:
Every day feels like over the past 10 days, every day feels like a watershed moment.
Frank Cilluffo [00:19:35]:
Yeah.
Greg Otto [00:19:35]:
And I don’t understand how anybody keeps up with it. I’m exhausted.
Frank Cilluffo [00:19:39]:
I feel the exact same way. Trying to keep up with those that are trying to keep up with it. So I hear you on that. And I mean, a week feels like a year. Right. And if you were to look at the trajectory of where the technology is going, a week is probably more like 10 years in terms of the exponential
Greg Otto [00:19:58]:
change and going back to something that you said in terms of the way that the models are moving, like right now, this is the fight that is consuming Washington. But it’s almost going to seem quaint. And it’s going to seem quaint not that far into the near future because, okay, we’re fighting about the capabilities that Mythos may have. And Anthropic has even said this themselves. Anthropic has said this. OpenAI has said this. Any AI expert has said this, where we got six months tops before this does become something that is open source. So what really are we trying to achieve right now? That, that.
Frank Cilluffo [00:20:33]:
But it sets precedents. That’s why it matters. Right. And, and, and everyone’s seeking clarity, which might be hopeful thinking right now, because we’re all grappling with the implications. It literally touches everything we as an economy, we as a national security community, we as a society is dealing with. So I actually think some of that tension is okay. But I do want some clarity and I want to make sure that we’re learning the lessons now, at least codifying them so we don’t repeat the same mistakes over and over and over.
Greg Otto [00:21:07]:
And the clarity, I think some technical clarity would be worthwhile because from what I understand, what was in the Amazon report from a technical perspective that was positioned as a jailbreak is something called defense oriented prompting. Defense oriented prompting is not a universal jailbreak. I mean, you may explain jailbreak.
Frank Cilluffo [00:21:28]:
I Do want to.
Greg Otto [00:21:29]:
So defense oriented. Defense oriented prompting is basically when you go into an LLM and you give it directions, it can. Unless you set up guardrails, it can go a whole manner of ways. We’ve seen this. Think about hallucinations that we’ve seen reported in media or that you see with, particularly with Mythos and defense oriented prompting. You are giving it guardrails, you are giving it rigid instructions on how to operate. Now, when you are a pen tester or a red teamer, that’s perfect. That’s exactly what you want to do.
Greg Otto [00:22:04]:
Say abcde, do this, do that, report back to me. Like, this is something that has been burgeoning in, in the industry for the past year, year and a half. I want to say in all of these companies that are setting up their own AI red teamers, the technical acumen in order to understand that instead of being blown away by the outputs, I think is something that is the crux of where we’re at. When you see that output, to go, oh, my God, look at what this. Look at what this can do. And we’ve been writing about it forever, or I shouldn’t say forever. It’s been incessant, I guess, is the best way that I could describe it. Where there have been some experts that have said, look, this doesn’t have to sleep.
Greg Otto [00:22:50]:
This is 24/7. I can do this, set this out to Red Team and it can find bugs that I would not be able to find because I’m a human being, need to sleep, I need to eat. Like, I need to shut off the computer and go get some vitamin D outside, need to go touch grass. I think that that is all good conceptually to hear, but once you see that capability play out in front of your face, it is like an Oppenheimer moment where it’s like, oh, my God.
Frank Cilluffo [00:23:15]:
And time becomes less relevant. Right.
Greg Otto [00:23:18]:
So when you are in a position where you are the Treasury Secretary or the head of the Commerce Department and you think about all the businesses that you deal with to go, oh, the pillars of the American economy suddenly have a pretty big fat. You panic, you panic.
Frank Cilluffo [00:23:37]:
And I understand if you think it’s on quicksand. Yeah, Right.
Greg Otto [00:23:40]:
So, but all of that is to say it is on Anthropic and on the frontier AI companies to explain that better and explain how, okay, if we have this capability, what can we do to make sure that it doesn’t run rampant? And I think that’s where Anthropic is having a real struggle right now, is communicating that to upper level people in the government that may not have the understanding on the way that this bleeding edge technology works like I.
Frank Cilluffo [00:24:17]:
And that’s almost new by the way. Cyber years. You couldn’t articulate it in a way that a decision maker can, it can resonate with the decision maker. So I think that’s a, that’s a really valid point. You know, you’ve also done a little bit of reporting, if I’m not mistaken, on some of the AI is on the agenda of like the G7 as we, as we speak. And you know, I’m back from a recent trip with some of our transatlantic partners and it was kind of interesting in that there’s a big push to build products and byproducts and a tech stack to not come from anywhere but Europe. But at the same time they’re saying hey, we need access to Glasswing. And they were complaining.
Frank Cilluffo [00:25:01]:
I don’t know how you can get it both in all ways. But I’d be curious what your thinking is. How does that conversation play out when we’re having a difficult time in the United States?
Greg Otto [00:25:12]:
I wish I could tell you because I’m watching it and I see the inherent contradictions and that’s where I go back to telling you how exhausted I am. Where it’s like I read all of the words that are coming out of officials mouths here I can provide context. Another thing that really confuses me and I think there is some clarity that could be pushed out. There is. I mean we were just talking about China. China’s the elephant in the room with all of this dragon. But we’ve seen the deals where we want to allow Nvidia to get the chips needed to build the AI anyway. So you don’t want to give them access to, to the models that we already have right now.
Greg Otto [00:26:01]:
But we’re okay with these chips going over there where guess what they’re going to do with them? Build the models anyway. So that’s inherently contradictory. Like I’m just is. It just is. I don’t have the answers for it. I’m sure there are plenty of people inside the power structure that be trying to figure that out but.
Frank Cilluffo [00:26:21]:
Or they look at it through their box and org chart and what success looks like from that perspective. Not more broadly.
Greg Otto [00:26:29]:
Right. But I wish I had an answer for you. I don’t. That’s above my pay grade to be quite honest. But I, I feel it and I think there are a lot of, of people, a lot of industry watchers and a lot of policy Officials that are also kind of shaking their head, scratching their head, going, I don’t know which way’s up here. Based on the, the news of the day, like it really does seem to change and there’s really no coherent policy when it comes to this stuff, I feel like.
Frank Cilluffo [00:26:59]:
And part of that again, I think is understandable, but we’ve got to get out in front of it as much as we can or at least learn from it, so we can then get it right. And one of the things that you touched on earlier is more from a vulnerability disclosure and management perspective. We’re learning more than we can possibly fix too. It’s a bit of a paradox there. So obviously you want to make sure that from a blue perspective, a defender’s perspective, you’re at least backfilling the most critical of our functions for modern economies and society. But what do we do when we actually do learn all of what we are finding out? How are we going to go about doing it? Our systems and our structures are built for an analog world. Right. So patch Tuesday ain’t going to cut it, is it? It’s going to be patched minute.
Greg Otto [00:27:57]:
Yeah. There needs to be a lot of conversations on how that looks moving forward. It just does. And going back to a point that you’re talking about in terms of like blue teaming and defense, that’s another angle to what we see.
Frank Cilluffo [00:28:14]:
Essential.
Greg Otto [00:28:15]:
Yeah, essential angle. But it is something that companies are wrestling with. I go back to the vulnerability disclosure
Frank Cilluffo [00:28:20]:
part of
Greg Otto [00:28:22]:
doesn’t even have to be the big companies like your Microsofts or your AWSes or whatever. Whether it is a piece of open source software that’s being maintained by some nice person in the Midwest or it is all the way up to Microsoft or Cisco or whatever, they are drowning in bug reports because of AI. And a lot of those bug reports are a mess or they don’t signify anything. It goes back to the hallucinations that they’re getting from AI, where AI just goes, yeah, oh my God, look at this. And then it gets submitted in a bug report and that takes away some poor analyst’s time from, from actually tending to something that may be critical or maybe focused on what needs to happen. I go back to a story that I wrote. I had a recent conversation with somebody at Cisco, a VP at Cisco that they just rolled out a piece of technology called Live Protect, which goes into some of their hardware that is really essential for, for big enterprise networks of both the public sector and the private sector. They this Live Protect basically works on the kernel level and works with a piece of software known as eBPF.
Greg Otto [00:29:42]:
I don’t know what that stands for off the top of my head. It’s in my story right now. I’m at a loss for it. But basically it works at the kernel level to almost like micro patch or like patch in real time where it’s almost like a band aid where if you have something that is a vulnerability that does get down to the firmware level or something that a nation state like China would have the wherewithal saves
Frank Cilluffo [00:30:09]:
the bleeding before you get the surgery.
Greg Otto [00:30:11]:
Right. So that is, is the type of thing that I think you’re going to see more of where you’re going to have basically a stent or a tourniquet from a cybersecurity perspective before patches do get rolled out. Because anybody will tell you like, and I’ve had this conversation more and more when it comes to patching, it’s not just we’ll just download it and update it. Like what are you talking about? Like it’s not everything works the same way as our iPhones or Android works, where we go to sleep and suddenly we wake up and everything’s fine. It takes time. A lot of these systems, you know, system. Exactly. Some of these, you can’t take a plant offline except for that rigid structure that they already have set up where they can have systems sort of balance while they patch, bounce a load and that.
Greg Otto [00:31:05]:
Right?
Frank Cilluffo [00:31:05]:
Yeah, yeah, yeah.
Greg Otto [00:31:06]:
It’s, it’s tough but, but time’s ticking. Like this is something that companies and organizations are going to have to figure out because the way that things are patched right now are just not going to.
Frank Cilluffo [00:31:21]:
It’s not, I don’t see how it can keep up. And then you look at some of the more fundamentals like the known exploited vulnerability list, the so called KEV list, what 1500 resided on that pre AI or, or forget pre AI, pre-Mythos even. And that’s gonna be times 5, 7, 10 overnight. So I just don’t know how we keep up. And to your point, some of that is also disproving double negative. It’s not all signal. A lot of it is noise in
Greg Otto [00:31:59]:
terms of whether it’s noise and also just because a bug is found, that
Frank Cilluffo [00:32:02]:
does not mean, doesn’t mean it’s gonna be exploited. Not all are created equally. Right. Not all bugs are equally deadly in biological sense. So trying to figure that out is going to be difficult. I’m going to do very quick lightning round.
Greg Otto [00:32:16]:
Let’s do it.
Frank Cilluffo [00:32:17]:
Just because there’s so much more to cover, but I want to sort of step back a little and jump into this discussion or take it from another perspective. But what issues getting too much attention right now.
Greg Otto [00:32:30]:
I want to say what we just talked about, but other than that, we need it, right? We do need it. It’s. It’s just. It needs to, like, everybody just needs to breathe, even just for.
Frank Cilluffo [00:32:41]:
Inhale, exhale. Right.
Greg Otto [00:32:44]:
Something that is covered too much, right.
Frank Cilluffo [00:32:47]:
Or not enough.
Greg Otto [00:32:48]:
Not enough, to be very honest. So not enough. I’m actually surprised given that this is Auburn University, the campus breach that happened
Frank Cilluffo [00:33:03]:
around finals week and our students had graduated by then. So.
Greg Otto [00:33:07]:
Okay.
Frank Cilluffo [00:33:08]:
Yeah, yeah.
Greg Otto [00:33:08]:
So, but actually surprise it all. Look, with what I do, what we do, it is very specialized. But the things that always jump out to me is when specialized stories come out and I’m hearing from people that do not specialize in this, like, what is going on? Canvas was one thing that touched everything. That, that, that touched everything.
Frank Cilluffo [00:33:28]:
Every parent, every student, kid.
Greg Otto [00:33:30]:
Right.
Frank Cilluffo [00:33:30]:
Every.
Greg Otto [00:33:31]:
Right. What is going on? I think it came and went because Canvas got back online. But I do think that that is worth examining a bit more because look, is it a water plant? No. Is it oil and gas? Is a Colonial Pipeline? No. But there are these events that happen every now and again where it touches so many people that it like clicks for everybody. Where this is what a bad cyber event looks like. And I think it’s worth getting to the bottom of that to really figure out what can happen, what needs to happen. And from not just a Canvas, it’s not just a Canvas problem.
Greg Otto [00:34:13]:
It’s a broader problem. It’s a broader problem. Right. It touches upon stuff that we’ve covered and that. I know you’ve talked about, funding, opportunity, workforce, all of that stuff. I do think that it was just another breach story to some degree. And there’s follow up from us that we’re working on. And I think more should come of that because I do really think it’s a big incident that just kind of happened.
Greg Otto [00:34:39]:
School’s over and everybody enjoys their summer. Well, no, not really. I think there’s more there.
Frank Cilluffo [00:34:43]:
Penultimate question, biggest disconnect between what policymakers are debating and operators are experiencing right now. From your perspective, is there a disconnect or is it aligned
Greg Otto [00:34:58]:
in. In what sense? In D.C. vis-à-vis or D.C. and what is actually happening out in
Frank Cilluffo [00:35:04]:
the rest of the country?
Greg Otto [00:35:05]:
I really think that open source security and the attacks that we’ve seen on just maintainers, open source maintainers and pieces of software that nobody has unless you are a software developer. Know, know what they are. I mean, look, I, I play around in software all the time when covering, when covering this stuff, so I know more than most. But with what we’ve seen in open source security over the past, I want to say since really the beginning of the year, it has really laid bare just how dependent we are on software that is literally maintained by people in their basement. I don’t mean that as a pejorative. That’s just the reality of the situation. I think about a comic that gets passed around, an XKCD comic where it’s almost like a Jenga wall and it says this is the Internet. And then there’s an arrow that points to a little jut that’s holding this big monstrosity of a project that says this is an open source maintainer sitting somewhere in their basement that is really holding the Internet together.
Greg Otto [00:36:14]:
There are actors out there because of the way that AI has evolved and allowed people to poke holes in stuff that they weren’t poking holes in before to go after this open source software that powers applications across the board. It is in your phone, whether you know it or not. But it is very dangerous to know that this is being targeted by actors based on AI and can really poison the fundamental code that powers so much of our economy, of our infrastructure, of what’s in our phones. To say that, yes, like look, we were talking, talking about the threat of, of Mythos. Mythos does not need to happen or does not need to be put into public for these attacks to occur. I mean, we’ve seen it go read CyberScoop or read some of the other coverage that is out there with this stuff. This is happening all the time. And I think that there needs to be an understanding more policy wise in D.C.
Greg Otto [00:37:17]:
on just how much of the technological pillars of the economy are fragile. Are fragile.
Frank Cilluffo [00:37:25]:
Yes.
Greg Otto [00:37:25]:
The fragility.
Frank Cilluffo [00:37:26]:
Think of like MacGyver. Yes, that combines bubblegum and toothpicks and
Greg Otto [00:37:30]:
that is literally what is powering a lot of the software that we are making hundreds of millions of dollars on and creating this new economy. And I think something needs to be done because it shouldn’t, it shouldn’t work this way. Sure, open source software needs to exist, but there needs to be more in terms of protecting that. Like the toothpaste is out of the tube on that software powering this, but there needs to be some backfilling in terms of protecting that software.
Frank Cilluffo [00:37:58]:
I lied. Two more questions keep coming. First one, how is AI changing Journalism, how has it changed your life? Or is it. And then I’m going to give you the last question is what questions I didn’t ask that I should have so you can bundle those.
Greg Otto [00:38:13]:
I would say so AI in journalism, I would say that. Look, when it comes to something that is so judgment focused, I don’t see AI like replacing what is out there. I can’t do what I do. Like, I hate to sound egotistical by saying that. I just think it’s a reality of the situation. I can’t do what I do and it’s because it’s a judgment thing. But I do use it in my reporting. But I use it from a research standpoint to say I don’t know what that is.
Greg Otto [00:38:44]:
Can, can I help me understand the intricacies of like what I just was talking about with that EDPF? I know a little bit about what it is, but I need to understand it like on a paragraph or 2 paragraph. Just so I have that understanding. Not that I’m taking that whole cloth and putting that in there, because like we’ve said a couple of times, AI hallucinates. I’m not going to trust it enough to put it in my story. But when I’m researching things in news gathering, I use it if I don’t understand something or if I don’t understand where to find an answer. Like I have.
Frank Cilluffo [00:39:18]:
And can you tell immediately an AI generated article that’s spreading on the Internet? Y.
Greg Otto [00:39:24]:
Absolutely. Because it’s devoid of.
Frank Cilluffo [00:39:26]:
It’s tinny.
Greg Otto [00:39:28]:
Yes, there’s that. But also there are tells. AI loves em dashes. And AI loves.
Frank Cilluffo [00:39:36]:
I actually love em dashes too. So did I. Stealing them from me.
Greg Otto [00:39:40]:
It’s almost like there’s a back. Yeah, there’s like, wait a minute.
Frank Cilluffo [00:39:43]:
No, I know how to do three dots. And I do em just because I try to put too much in a sentence. That’s just because I’m a bad writer.
Greg Otto [00:39:50]:
But. Well, I mean, it has its place, don’t get me wrong. But on top of that, also what I call antithesis sentence structure, it’s not X, it’s Y. AI loves that. AI absolutely loves that. So if I get that in a pitch or if I, you know, right away I go, this might be AI generated. But that is to say, I don’t think that all of it. It’s tough, I would say, just tough.
Greg Otto [00:40:20]:
Because look, there are, there is software out there that is supposed to be almost like a filter where you can put something in and go, is this AI generated? And it might spit back, yes, this is. This is AI generated. Now, some of those generators might have false positives. I have run my own writing through there, and it’s said, oh, this is like 90% AI generated. Where I go, I’m insulting.
Frank Cilluffo [00:40:44]:
Yeah.
Greg Otto [00:40:44]:
Like, I am. So I am just a good writer.
Frank Cilluffo [00:40:46]:
Or maybe you’re the model that the AI is learning.
Greg Otto [00:40:49]:
And some of those. And there have been stories, I don’t think that this is the case anymore with those, with the checkers, where you could put the Declaration of Independence in there and it would come back 100% AI generated because it was trained on. And. Yeah, so there we go. So it’s tough. But I will say the one thing, the one positive thing that I will say, and I say this to journalists and I say this to anybody where I’m having a conversation about where we are with AI. If you’re using AI to generate the answer, that’s bad. That.
Greg Otto [00:41:19]:
That is unequivocally bad. It is not going to help you generate the answer. It can help you find the answer that you are looking for when you are looking to put it. Yep, yeah. Into human. Human.
Frank Cilluffo [00:41:33]:
It reaffirms your views in some ways.
Greg Otto [00:41:35]:
Like, I have used it for research. There was an investigative piece that I was working on where I did not know where to fucking. The answer. And I said, I’m looking for this. This particular piece of information. I know it is out there in some government database at the state level. Where. Where would I find this? The first answer it gave me, lo and behold, I followed it and it.
Greg Otto [00:41:57]:
I found what I was looking for. Where. If I was using Google or searching on my own, it probably would have taken me 2, 3 hours to find exactly what I was looking for. Instead, it. It looked 30 minutes. Look, bottom line is there are a lot of questions about AI and a lot of skepticism about AI that I think is worth the gravity that it has been giving to. But I am not an AI skeptic and I am not an AI sycophant. It is software.
Frank Cilluffo [00:42:22]:
It’s in between.
Greg Otto [00:42:24]:
If you can use Microsoft Excel to do your job better, use Microsoft Excel. If you can use it in accounting, sure, that’s fine. Would you use Microsoft Excel to diagnose somebody? No, that sounds ridiculous. Plug in AI. It’s the same metaphor. If I can use AI to better my business, fine. Cool, do it. It’s software.
Greg Otto [00:42:45]:
Wonderful. If you’re using it for something that requires judgment or human care, I think. Yeah. That you should really exercise some caution and last word.
Frank Cilluffo [00:42:56]:
One question. I didn’t ask any questions. I. I didn’t ask that I should have. We covered so much. I’m not even.
Greg Otto [00:43:05]:
I think that, that, that is where. Where CISA is headed. I know that there’s been a lot of talk about some people that may be up for the. The position. I think Nick Anderson is doing a good job with the cards that he has been dealt. I just talked to him, uh, yesterday. I think that he is a good person for what is going on. However, CISA needs somebody at the top.
Greg Otto [00:43:34]:
Like, it’s been too long. They have not. We have not had anybody in there. We saw the fights that played out with Sean Plankey and Majorka McCall. We saw how all of that panned out. Didn’t pan out well. There have been some names bandied about that we haven’t done any reporting on, but we haven’t done any reporting on because we’ve talked to them and they said, no, the government has not reached out to us. So we’re awaiting a possible leadership announcement, but who knows? I mean, it shouldn’t have gone this long.
Greg Otto [00:44:08]:
So that’s in a holding pattern. And I think a lot of what we’re seeing on every conversation that we are talking, that we have talked about over the course of this podcast, we would see motion on if. If CISA had a director.
Frank Cilluffo [00:44:22]:
Greg, thank you so much for spending so much time with us today. Thank you for the hard work and the newsroom you lead at CyberScoop. Must read for all of us in the community and do tune in to Safe Mode. But like I said, after listening to CyberFocus. Thanks so much for joining us.
Greg Otto [00:44:39]:
Appreciate it. Thank you.
Frank Cilluffo [00:44:40]:
Frank, thank you for joining us for this episode of CyberFocus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.