Skip to content
Don't miss

Get the daily Cyber Briefing in your inbox

SIGN UP
Podcast

AI-Orchestrated Cyber Espionage and the Future of Cyber Defense with CISA’s Nick Andersen

Season 2 Episode 50 •

Show Notes

AI is speeding up cyber operations and shrinking the window for defenders to respond. Nick Andersen, who leads CISA’s Cybersecurity Division, explains why Anthropic’s recent report caught attention: it described what Anthropic called the first publicly reported AI-orchestrated cyber espionage campaign, in which threat actors misused its Claude models to automate and scale parts of an intrusion. Andersen and Frank Cilluffo unpack what that signal means for resilience, from model safeguards to the infrastructure and people surrounding them. They apply secure-by-design thinking to frontier AI, stress risk ownership for adopters—especially in OT—and warn against silver-bullet claims. The conversation closes on what it takes to build capacity, including KEV-driven prioritization and CISA’s Scholarship for Service pipeline.

Main Topics Covered

  • Why AI changes cyber defense through speed, scale, and attacker efficiency.
  • What the “Anthropic/Claude” case signals about resilience for AI providers.
  • Secure-by-design expectations for AI systems and the infrastructure around them.
  • OT adoption: governance, data flows, and safety-first decision-making.
  • Workforce and talent pipelines, including CISA’s Scholarship for Service interns.
  • Practical prioritization: vulnerabilities, KEV, and remediation at operational pace.

Key Quotes: 

“If we don’t engage now in having a resilience conversation around our artificial intelligence companies, we’re going to see a lot more of what, what happened with Claude, in this case.” – Nick Andersen

“The core principles regarding what we’re focused on as cyber defenders don’t necessarily change here, but the speed through which I think we can expect known vulnerabilities to be weaponized and exploited in the wild now that’s going to change for us.” – Nick Andersen

“There is no silver bullet. Anybody who has a sales pitch they’re receiving that says that this AI solution is going to solve all of your problems… they should immediately become exceedingly skeptical and start asking an awful lot of questions.” – Nick Andersen

“OT operators are going to have some really tough conversations coming up about what control are they willing to give away… We know within the OT environment safety and security has to come first.” – Nick Andersen

“Our adversary has a pretty clear-eyed view of what they’re trying to achieve. And it is both the opportunities for, you know, discord and societal panic.” – Nick Andersen

Relevant Links and Resources

House Hearing: The Quantum, AI, and Cloud Landscape: Examining Opportunities, Vulnerabilities, and the Future of Cybersecurity

Anthropic Report: Disrupting the first reported AI-orchestrated cyber espionage campaign

CISA: Principles for the Secure Integration of Artificial Intelligence in Operational Technology

CISA: Scholarship for Service

Guest Bio: 

Nick Andersen serves as Executive Assistant Director for CISA’s Cybersecurity Division, where he leads national efforts to defend against major cyber threats and improve the resilience of U.S. critical infrastructure. He previously held senior cyber leadership roles at the White House, the Department of Energy, and in intelligence roles for the Coast Guard and Navy. 

Transcript

1
00:00:00,000 –> 00:00:01,000
Nick Andersen [00:00:01]: OT, OT operators are going to have to have some, I think really tough conversations coming up about what control are they willing to give away, what control are they willing and is appropriate sort of giveaway when we consider this because we know within the OT environment, safety and security has to come first.

2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:00:20]: Welcome to Cyber Focus from the McCrary Institute where we explore the people and ideas shaping and defending our digital world. I’m your host Frank Cilluffo and this week I have the privilege to sit down with Nick Anderson. Nick leads the cybersecurity division at CISA, dare I say the cool club at CISA where a lot of the action emanates from and is leading a significant workforce that is essential to our national security and to our homeland security. Nick is a decorated veteran out of the US Marine Corps, HUA, Semper Fi. So thank you for that. And has also had stints in intel roles at other military services including the US Coast Guard and the Department of Navy. He has also served in senior roles in the private sector including with telecommunications companies like Lumen, and is a genuine leader and one of the Paul Revere’s and initial drivers around operational technology which our listeners and viewers know is near and dear to the institute.

3
00:00:02,000 –> 00:00:03,000
Frank Cilluffo [00:01:25]: So Nick, thank you so much for joining us today.

4
00:00:03,000 –> 00:00:04,000
Nick Andersen [00:01:27]: Thanks. You know we can hang this up now because I can leave saying, telling my kid today that somebody said I was cool.

5
00:00:04,000 –> 00:00:05,000
Frank Cilluffo [00:01:32]: You are cool, dude.

6
00:00:05,000 –> 00:00:06,000
Nick Andersen [00:01:33]: No, that’s it. This is, this is a success.

7
00:00:06,000 –> 00:00:07,000
Frank Cilluffo [00:01:35]: OT is cool. And you know, before we jump into the conversation, I think you’re just back, I don’t know what time zone you’re on, but you’re just back from an interesting visit to Israel. Anything you’d like to share there?

8
00:00:07,000 –> 00:00:08,000
Nick Andersen [00:01:49]: Yeah, I mean it’s just a fantastic partnership that we have with the Israelis in general. You know, we have to do more to continue to align ourselves with, you know, like minded, like minded nations and those that, you know, share our values. And the work that, the work that INCD is doing, you know, their National Cyber Directorate, is just fantastic in particular with critical infrastructure. Because you talked about how near and dear OT is. You know, to my heart being able to have a conversation with them about how they are thinking about critical infrastructure, what’s really important to them as a country. And I mean they’ve been more tested than most these last few years.

9
00:00:08,000 –> 00:00:09,000
Frank Cilluffo [00:02:24]: Live in a tough neighborhood.

10
00:00:09,000 –> 00:00:10,000
Nick Andersen [00:02:25]: To put it lightly. So it’s, it was a really, really interesting exercise just to see how much they really get that risk and threat picture related to critical infrastructure. And the moves that they’ve taken and how that’s reshaped their mission over the last several years. So, you know, we look, we look forward to continuing to both exchange threat intel with them on the operational side and, you know, partner with them over the long term.

11
00:00:10,000 –> 00:00:11,000
Frank Cilluffo [00:02:45]: Awesome. And, and I like to say that what we see popping over there could be a movie coming to a theater near you. So it’s really important to understand and learn and hopefully improve. My dad used to say, always learn from your mistakes, but even better to learn from those of others. So hopefully we’re doing some learning there. And especially when it comes to strong allies. I thought I’d start with the Anthropic case. You did an amazing interview with Fox News not too long ago on this topic.

12
00:00:11,000 –> 00:00:12,000
Frank Cilluffo [00:03:20]: But I think that there’s so much more to this issue and I thought we’d start with sort of the basics. What was unique about the Anthropic enabled cyber attack from a computer network exploit or from an espionage standpoint? Why was it different?

13
00:00:12,000 –> 00:00:13,000
Nick Andersen [00:03:36]: Well, I think it’s unique because it’s the first. So that always gets people’s attention, which can be a positive thing in this regard, you know, to see that we’re getting that, that attention on how critical this is going to be moving, moving forward for us. So the firstness makes it, makes it unique, but really the, the enablement to be able to move at speed, I think is, is what really made this, made this critical. And the core principles regarding what we’re focused on as cyber defenders don’t necessarily change here. But the speed through which I think we can expect known vulnerabilities to be weaponized and exploited, you know, in the wild now that’s going to change for us, the speed through which we can see the adversary taking advantage of taking humans out of the loop on their side. You know, the last couple of years, this is just the next evolution in continuing to sort of reduce cost and barriers to entry for people that want to be malicious actors in cyberspace, whether it’s criminal groups or nation state threat actors. So that’s, that’s really the uniqueness here in my mind. But hopefully we use this as sort of a, you know, a wake up call for folks that we need to take this seriously because this is going to become underlying core critical infrastructure for all segments of our economy and our national security.

14
00:00:13,000 –> 00:00:14,000
Nick Andersen [00:04:51]: So if we don’t engage now in having a resilience conversation around our artificial intelligence companies, we’re going to see a lot more of what, what happened with Claude, in this case.

15
00:00:14,000 –> 00:00:15,000
Frank Cilluffo [00:05:01]: Yep. And, and I would imagine frontier models and everything else, that that’s going to have some significant security implications going forward. Right?

16
00:00:15,000 –> 00:00:16,000
Nick Andersen [00:05:11]: Yeah, yeah. No, it, it absolutely is. And I think being able to, you know, have that conversation about training and understanding of the models and what type of controls are within the models and the types of responsibilities that people have in these cases, we want people to be forward leaning and we want them to share that information early and we want them to share it often as part of a responsibility within this space.

17
00:00:16,000 –> 00:00:17,000
Frank Cilluffo [00:05:32]: And who would have thought that’s part of the public private conversation five years ago that you would have been laughed out of the room? And it’s essential today. So the, I think we all know that that partnership is essential, but it’s changing so fast and government and speed to me don’t always come in the same sentence, but it’s essential.

18
00:00:17,000 –> 00:00:18,000
Nick Andersen [00:05:54]: Shocked to hear you say that.

19
00:00:18,000 –> 00:00:19,000
Frank Cilluffo [00:05:57]: It’s true though. You know, and we’ve had a number of guests on who’ve talked sort about the AI from the red lens or the blue lens. So every attacker says AI benefits the attacker, every defender says AI benefits the defender. The reality is it’s both. Right? It’s a double edged sword. So I’d be curious, how do you feel that balance is playing out and, and given CISA’s significant role in, in defense, how, how do you see that playing out?

20
00:00:19,000 –> 00:00:20,000
Nick Andersen [00:06:25]: Well, like I said, I mean, this is, this is lowered barriers to entry for people who a couple years ago would not have necessarily had either the scale or the technical know how in order to be able to orchestrate these types of, these types of attacks. So yeah, it’s absolutely a force multiplier on red side for sure. But again, core principles haven’t changed here. We still want people to be focused on securing their systems, understanding their vulnerabilities, looking at operating principles, hardening their interfaces. The types of TTPs we need to secure ourselves against aren’t changing here. It’s just, it’s, right now, it’s scope, scale and velocity until we get to the next evolution of this, which is the ability for adaptive malware, it would be changing attack surface methodology on the fly. Until we get to that stage, then this is really where we’re focused right now. On the blue side, it’s, this is just an opportunity again where we still think it’s incredibly important for humans to remain in the loop.

21
00:00:20,000 –> 00:00:21,000
Nick Andersen [00:07:21]: Cyber defenders aren’t going anywhere. But being able to enable them to move a little bit faster and enable them to reduce some of the gaps that we know exist in decision science to help them make smarter decisions faster, that’s, that’s really where there’s some good opportunity for us. This isn’t going to save the day or cause civilization to come crashing down, at least, you know…

22
00:00:21,000 –> 00:00:22,000
Frank Cilluffo [00:07:39]: At least not today.

23
00:00:22,000 –> 00:00:23,000
Nick Andersen [00:07:40]: As of today.

24
00:00:23,000 –> 00:00:24,000
Frank Cilluffo [00:07:41]: Knock on wood. Yeah, yeah. You know, and I think that’s a truly valid point because, I mean, I like to say technology changes, human nature remains consistent, but the same defensive steps, agnostic to the technology, are essential. Right? And the ability to bounce back, bounce forward, ideally, all of that. The problem is, happens so fast. And when we talk again sort of about what those partnerships, they’re changing. And I’m glad CISA’s stepping into that and having some of those really important discussions. And I think that goes on the heels of a major executive order that was promulgated not too long ago.

25
00:00:24,000 –> 00:00:25,000
Frank Cilluffo [00:08:28]: And I’d be curious how CISA is taking some of the steps and the many customers and critical infrastructure stakeholders, owners, operators, you support, how do you see that playing out? How do we take the EO from concept into capability?

26
00:00:25,000 –> 00:00:26,000
Nick Andersen [00:08:43]: Well, I mean, really, the EO focuses on, you know, preserving and promoting American leadership in the AI field writ large. A big part of that is reducing the potentially complex burden that could be layered on with many states and localities, you know, trying to regulate our through, our way through what is kind of a gray space right now and a knowledge, a knowledge base that is in some ways lacking.

27
00:00:26,000 –> 00:00:27,000
Frank Cilluffo [00:09:10]: Yeah. It’d be nice to know something before you regulate it. Right?

28
00:00:27,000 –> 00:00:28,000
Nick Andersen [00:09:12]: It would be, like, when we just talked about just, I mean, just how rapidly this field is evolving. You know, the types of concerns we would have had five years ago are not the types of concerns that we have now. And I think it’s gonna be very, very challenging to create regulation and an approach that’s going to be evergreen and is not going to result in handcuffing a lot of these industries because again, the core principal focus of this is preserving the opportunities for American leadership and economic prosperity enabled by artificial intelligence and the types of supporting infrastructure that we uniquely in the United States can provide. So…

29
00:00:28,000 –> 00:00:29,000
Frank Cilluffo [00:09:44]: And we can’t take for granted.

30
00:00:29,000 –> 00:00:30,000
Nick Andersen [00:09:46]: We absolutely can’t take it for granted. I mean, this is, this is a rapidly evolving space, not just on the adversarial cyber side, but the amount of companies that are now emerging as, you know, unique potential offerors within this space that are either a supplement to core, what I consider core artificial intelligence companies like Anthropic, in addition to, you know, all of the elements that we have to consider like our energy infrastructure that’s going to be supporting and the resilience elements that we have to have there and the data centers that are going to support and the human workforce gaps that we have associated with it as well. Those are all elements that the, wants to tackle. CISA’s piece of the pie is really focused on how do we, as a nation’s cyber defense agency best partner both for federal success in this area and with the private sector for critical infrastructure owner operator success.

31
00:00:30,000 –> 00:00:31,000
Frank Cilluffo [00:10:35]: Which is essential. I mean, they’re on the front lines. And I might note, Anthropic disclosed really quickly. So that’s part of it. So you seem to have some of our industry partners recognizing they don’t know where everything’s going to go so that they, they think it’s important to be part of that conversation. Five years ago, I’m not sure that would have been the case. Right?

32
00:00:31,000 –> 00:00:32,000
Nick Andersen [00:10:59]: No, I definitely, I don’t think it would be. But that’s, again, these are the types of behaviors we want people to disclose. We don’t want people to be worried about saying we’ve seen a potentially malicious thing happen. I want to hide that information. I don’t want to tell anybody because it might put my business at risk. These are the types of responsible behaviors we should be encouraging from people.

33
00:00:32,000 –> 00:00:33,000
Frank Cilluffo [00:11:18]: Times ten, exactly. And where does secure by design or, I’m a proponent of the cyber informed engineering discussion, same sort of concept. But where do you see AI fitting into that in terms of what the government buys, uses and how it uses it?

34
00:00:33,000 –> 00:00:34,000
Nick Andersen [00:11:35]: I think when you look at sort of first principles, we believe very strongly that AI and other technology segments should be secure by design, they should be secure by default. We need to have a hard conversation where people understand and recognize that the American public and American consumers have put a lot of trust and confidence, special trust and confidence in both the companies that are deploying these types of technologies, as well as their government and being able to provide for secure capabilities that aren’t going to put their data and information at risk. They’re going to put their lives at risk by continuing to use these things as they emerge within the market space. So for us, when we look at secure by design, it absolutely extends to this space. And we again, we want this to be an open conversation with people that are developing the models, the people are developing all the infrastructure that’s going to wrap around them and be essential for our success. Where we want to, we want to build these things securely from the start because it’s gonna be a lot easier to do that than it is gonna be 5, 10 years from now and try to reverse engineer everything.

35
00:00:34,000 –> 00:00:35,000
Frank Cilluffo [00:12:38]: Yeah. And, and I mean we have a challenge from a supply chain perspective writ large. This just exacerbates it in some ways. That’s why it’s so important to get it right, bake it into the, to the initial thinking. You know, you put out some significant guidance and some important guidance around AI and OT. So how do we take sort of what we’re seeing here, in D.C. we love to talk about policy, into actual implementation and execution. What would be your sort of thoughts there for infrastructure owner operators from an OT perspective?

36
00:00:35,000 –> 00:00:36,000
Nick Andersen [00:13:15]: So I just got through talking about our special trust and confidence that people place in this.

37
00:00:36,000 –> 00:00:37,000
Frank Cilluffo [00:13:19]: Yep.

38
00:00:37,000 –> 00:00:38,000
Nick Andersen [00:13:20]: There’s even more when people sort of walk into a room and expect the lights to come on when they flip on a light switch.

39
00:00:38,000 –> 00:00:39,000
Frank Cilluffo [00:13:24]: No kidding.

40
00:00:39,000 –> 00:00:40,000
Nick Andersen [00:13:25]: So our OT ecosystem and our critical infrastructure owner operators know that better than, better than most. I think when you start looking at the types of principles that we’re putting out there, it’s really about having that, like what to expect when you’re expecting conversation. You know what to expect when you’re thinking about adopting, adopting AI. You really need to have a core look at how are you going to govern this. You know, that’s a, that’s a key gap for us when we start looking at this is everybody’s, everybody’s amazed right now by the possibilities of AI. I think we need to sort of temper expectations for what this can reasonably achieve. You need to have a governance conversation.

41
00:00:40,000 –> 00:00:41,000
Nick Andersen [00:14:03]: You need to understand how this is going to impact your environment. You need to understand how the data flows are going to work within your environment. Is this going to have, as you look to integrate it, is this going to have the opportunity to autonomously change elements of your environment or be making decisions for you, or is it just going to make you, allow you to more rapidly make decisions within your environment? OT operators are gonna have to have some, I think, really tough conversations coming up about what control are they willing to give away, what control are they, are they willing and it’s appropriate sort of giveaway when we consider this because we know within the OT environment safety and security has to come first. An exceedingly positive benefit of being in the OT space is it is a safety driven culture and we certainly don’t want that to be lost just because we’re talking about the possibilities that come with adopting AI.

42
00:00:41,000 –> 00:00:42,000
Frank Cilluffo [00:14:58]: No, that’s well said and I’m really glad you brought up the governance set of issues which we’re all grappling with. But, you know, at the end of the day, trust and confidence is key. And especially when you have the advent of something that really could change the way we do things and is to some extent or another. But if you lose that trust, kind of game over. Right? So that really, really is, I think is essential going forward. And on the offensive side, I like to say there’s certain things where the human in the loop is so important. I want someone who swore to the US Constitution to make certain decisions.

43
00:00:42,000 –> 00:00:43,000
Frank Cilluffo [00:15:38]: I’m not handing that out to anyone else. And on the defender side, same sort of thing. Anything else in terms of gaps between where we hope to be and what you’d like to see? You’ve lived in the role as a CISO yourself. You probably drowned in a lot of documents. And at the end of the day, they have to do something. Anything else from the gap between concept to capability you think?

44
00:00:43,000 –> 00:00:44,000
Nick Andersen [00:16:05]: Well, I mean, it’s, again, to your point you just made, we don’t think that this needs to be a documentation heavy exercise. It really needs to be a risk, a risk ownership conversation. You know, what is your tolerance? You know, what are the potential impacts within the environments and overall, what are you hoping to, what are you hoping to achieve? It’s, that conversation has to be had not just by the technical leadership, but by the business leadership, by the communities that they’re serving. You know, again, you need to have a real understanding of how are you going to govern this, what is your responsibility associated with this and what are the potential impacts within your environment. Again, there’s not going to be a silver bullet here for solving this challenge with AI.

45
00:00:44,000 –> 00:00:45,000
Frank Cilluffo [00:16:50]: And probably not a single answer either until we actually see it play out. Right? You got to learn from experience. There’s a reason most CISOs have scar tissue. They have to live through some of these. We just can’t lose that trust in the process, I think is absolutely essential. Sort of transitioning a little bit to the workforce sets of issues.

46
00:00:45,000 –> 00:00:46,000
Frank Cilluffo [00:17:15]: What do you think this means for the workforce of tomorrow? We’re already struggling as a country and I’d say as a society writ large to bring in some of the STEM and cyber workforce. It’s exacerbated on the AI side. Right? And I think you just came out with a pretty cool initiative just yesterday or the day before around the scholarship for service and AI. Anything to highlight there?

47
00:00:46,000 –> 00:00:47,000
Nick Andersen [00:17:43]: Yeah, I mean, we’re really excited about our scholarship for service opportunity. So, you know, CISA just announced yesterday that we’re going to be bringing on 100 interns through the Scholarship for Service program. You know, Cyber Corps is an exceptional program both for students and…

48
00:00:47,000 –> 00:00:48,000
Frank Cilluffo [00:18:01]: Auburn loves it, so.

49
00:00:48,000 –> 00:00:49,000
Nick Andersen [00:18:02]: Yeah, I would not even think about not mentioning the fact that Auburn is one of those Scholarship for Service schools.

50
00:00:49,000 –> 00:00:50,000
Frank Cilluffo [00:18:08]: War Eagle. As a fellow SECer. Right?

51
00:00:50,000 –> 00:00:51,000
Nick Andersen [00:18:13]: That’s exactly it. I’m not going to talk about South Carolina football.

52
00:00:51,000 –> 00:00:52,000
Frank Cilluffo [00:18:19]: Well, Auburn doesn’t have much to talk about there either. Actually, we’re returning.

53
00:00:52,000 –> 00:00:53,000
Nick Andersen [00:18:22]: I don’t, I don’t know if I have more scar tissue from that or from my former CISO life, but it’s…

54
00:00:53,000 –> 00:00:54,000
Frank Cilluffo [00:18:28]: You and me both.

55
00:00:54,000 –> 00:00:55,000
Nick Andersen [00:18:29]: The, the Scholarship for Service program is just a, it’s, again, it’s a wonderful opportunity for students. It’s a wonderful opportunity for us to be able to bring people into that workforce for them to better understand, even if they don’t come work at CISA, to better understand our mission and what we’re trying to achieve and to get a better understanding of the risk profile and what we’re trying to achieve for our nation. That’s fantastic. I mean, again, it’s, if nothing else, that small opportunity to turn additional people into ambassadors for CISA and ambassadors for the nation’s cyber mission. And eventually, you know, their Scholarship for Service recipients are going to come into the federal government. Wherever they land, we want them to be part of that extended workforce. So, you know, anybody can go onto CISA.gov right now, they can see information that’s on there about the Scholarship for Service.

56
00:00:55,000 –> 00:00:56,000
Nick Andersen [00:19:10]: They can see information about how to apply. We’re really, really looking forward to welcoming those students, even those postgraduate students into the environment.

57
00:00:56,000 –> 00:00:57,000
Frank Cilluffo [00:19:20]: And you know, from a student’s perspective, there’s nothing like having actual real world experience. So whatever you’re learning in the classroom, I don’t know if it translates to the next day. So being in the role I think is essential and that’s what I think SFS enables and allows. So we are dependent, my institute, a lot of our researchers dependent upon really smart students that obviously have a strong education. But it’s in the experience that they, they actually get better and better and better and better. So hats off to that. Anything in terms of, so you can’t blink and have an ad now that says I have sort of that AI silver bullet, as you referred to it.

58
00:00:57,000 –> 00:00:58,000
Frank Cilluffo [00:20:07]: What should owner operators, how can they siphon through the signal and the noise here?

59
00:00:58,000 –> 00:00:59,000
Nick Andersen [00:20:13]: Yeah, well, I mean, short of me getting people just to turn off any commercial that they, they see.

60
00:00:59,000 –> 00:01:00,000
Frank Cilluffo [00:20:18]: Good luck on that.

61
00:01:00,000 –> 00:01:01,000
Nick Andersen [00:20:19]: Or any ad on the Metro or on a bus or any other element of very creative advertising that I can’t escape in my life. There is no silver bullet. There’s a silver bullet for anything. You know, it’s, it’s so just, just like with life, there is no silver bullet that’s going to come and solve all these problems for us. We have to focus on core principles for how we operate as network defenders. We have to focus on core principles for what is going to help make us successful within the economy. No, no AI tool is going to solve all that. It is going to be a great enabler.

62
00:01:01,000 –> 00:01:02,000
Nick Andersen [00:20:50]: There is such fantastic promise on all of the fantastic things that AI can offer, how it’s going to help us to move it, you know, at speed and it’s going to help us scale up on opportunities. But there’s no silver bullet here. I mean, anybody who has a sales pitch they’re receiving that says that this AI solution is going to solve all of your problems and let me tell you how, they should immediately become exceedingly skeptical and start asking an awful lot of questions. Where again, we need to focus on what are the specific impacts within my environment and understanding not only our own organizational governance process for how are we going to use AI, but also having that conversation with the potential provider that you’re talking to about what is their governance process?

63
00:01:02,000 –> 00:01:03,000
Nick Andersen [00:21:30]: You know, what goes into their training data, how are they shaping their models, what does their future look like? Because we don’t want to see ourselves locked in and understanding, again, organizations need to take the opportunity to understand all of these elements about how are we protecting our data, you know, what, what are we opening ourselves up to, how are we training our employees associated with this? And if you’re not having those like open conversations with your employees about how are we expecting people to use this, they’re just, just like in the days of, you know, us having conversations about shadow IT, they’re going to find opportunities to use AI enabled tools to make their lives easier, to make them more productive at work. You, you have to get in front of this.

64
00:01:03,000 –> 00:01:04,000
Frank Cilluffo [00:22:07]: Well, well said because, but you have to map it to your business processes and the way you do business. Right? And also your responsibility to your customers, clients and, and often you want to outsource that, but you can’t, I mean, at the end of the day that is I think, essential. And, and you’re right, if, if you don’t, you can’t be left out either or people will be finding other ways to do it. And rarely does that end well. So I think that’s a, a really, really good point and, and an important set of issues. So when you look, and, and disagree with me, but you cannot be AI dominant if you’re not energy dominant. And you’re starting to see what were historically pretty clear areas between different agencies, that’s all kind of blending, isn’t it? And in part because of technology, but more importantly because of its application.

65
00:01:04,000 –> 00:01:05,000
Frank Cilluffo [00:23:03]: So how do you work with the other brethren and sisters, sister agencies on some of these issues?

66
00:01:05,000 –> 00:01:06,000
Nick Andersen [00:23:10]: Yep. Well, I’m definitely not going to disagree with you. Uh, it’s, we, I think we’ve got some really good opportunities now. I think one of the, one of the fantastic things about just this administration in general with our cyber leadership is we are so aligned in such a significant way on all of the big rocks that we’re trying to tackle. The only, the only problem is trying to make sure we’ve got enough time to sync up with each other and make sure that, that we’re, you know, all collectively moving in the same direction at the same exact time.

67
00:01:06,000 –> 00:01:07,000
Nick Andersen [00:23:37]: But everybody’s so well aligned on the challenges and what we’re trying to achieve overall, that is, that, that’s been, that’s been fantastic.

68
00:01:07,000 –> 00:01:08,000
Frank Cilluffo [00:23:44]: And the priority list is less, but it’s, it’s essential. Right? I mean, focus is, I think the, the word I would use, but tell me if I’m wrong with that.

69
00:01:08,000 –> 00:01:09,000
Nick Andersen [00:23:52]: Yep. No, you are, I mean, and that’s, that’s been a core direction from, you know, the president, from Secretary Noem has been like, for CISA in particular, refocusing on core operational mission. You know, why is it that CISA exists? What is it that we can do uniquely? And one of those unique things that we can do is we can serve as the convener to help bring together the inner agency and make sure that we’re having one coordinated risk conversation, one coordinated, you know, operational conversation. You know, being able to work with our partners over in DoW. Being able to work with our partners over at Energy, with the FBI. We have spent an extraordinary amount of time just talking to those leaders about how we’re all synced up and how we’re all moving in the same, in the same direction.

70
00:01:09,000 –> 00:01:10,000
Nick Andersen [00:24:30]: Because again, I think there’s, there’s a fairly universal understanding now of the threat and the risk picture and what we’re trying to tackle there. It’s just a, we’re talking about using, you know, all instruments of national power, you know, as different levers to be pulled at different time to tackle these issues. We can’t do that as a single, as a single agency. Nor, nor do we need to.

71
00:01:10,000 –> 00:01:11,000
Frank Cilluffo [00:24:54]: Nor should we. No, well said, well said. And the SRMA, the Sector Risk Management Agency’s role, that is still near and dear to CISA, correct?

72
00:01:11,000 –> 00:01:12,000
Nick Andersen [00:25:01]: Yeah, yeah, absolutely.

73
00:01:12,000 –> 00:01:13,000
Frank Cilluffo [00:25:02]: Can’t do it without it.

74
00:01:13,000 –> 00:01:14,000
Nick Andersen [00:25:03]: Look, I came from SRMA world.

75
00:01:14,000 –> 00:01:15,000
Frank Cilluffo [00:25:05]: Yeah. DOE, right? Keeping the grids, the lights on, our mics on.

76
00:01:15,000 –> 00:01:16,000
Nick Andersen [00:25:10]: That’s exactly, that’s exactly it. Because again it’s, these are the types of services that Americans rely on. You know, it’s, I’m not trying to, you know, denigrate our own .gov protection mission here, but if the CISA website goes down for a week, are Americans going to care more about that or are they going to care more about the fact that the lights aren’t coming on and that they can’t pump water or they can’t get gas? And you know, it’s the types of things that we take for granted because we’re just relying on them to live our lives, that’s what American citizens really care about and that’s what we’re focused on trying to deliver at the same time as delivering on our federal government protection machine.

77
00:01:16,000 –> 00:01:17,000
Frank Cilluffo [00:25:44]: True that. And we cannot take that for granted because the tactics, techniques and procedures of our adversaries continue to, this isn’t a static environment, it’s a dynamic environment and we need to invest in that and need to get the best people into this fight. So I think that that’s really sometimes lost that it’s about good people and we got to fight this fight. So we’re sort of coming at the end. We’ve got Christmas and the holidays and New Year’s and everything else and Hanukkah and Festivus and whatever else anyone may celebrate, but sort of, what’s the one thing from an AI perspective you’d like to see government and industry thinking about? And we can look ahead to next year obviously as well.

78
00:01:17,000 –> 00:01:18,000
Nick Andersen [00:26:32]: So is this the Festivus opportunity for the airing of grievances?

79
00:01:18,000 –> 00:01:19,000
Frank Cilluffo [00:26:36]: Yes, it is. Yes, it is. That’s why I brought it up. I have a lot of friends who celebrate many things, but Festivus is always at the top of their list.

80
00:01:19,000 –> 00:01:20,000
Nick Andersen [00:26:44]: There we go. There we go. You know, I think the biggest thing is just, just going to be making sure that we’re working closely together. Again, it’s less focused on Anthropic and what they saw with Claude as an individual incident. More focused on the opportunity to quickly, quickly allow for the airing of grievances associated with that. You know, by having a, an open conversation about, here’s what we saw, here’s how we potentially see it being applied and being willing to have that conversation with policymakers, with technical risk owners, with, you know, business owners and operators. That’s the type of thing that I think we need to, we need to build that more where culturally that becomes the default rather than an exception. And I think we need to, we need to be able to build an environment where people are going to feel comfortable raising their hand and saying we see something that’s going on. And I’m not going to allow for this to get bogged down in a legal review for three and a half months of here’s my carefully crafted three sentence statement that I can hand you about a thing that I may or may not have seen happen within the environment because I’m worried about regulatory action.

81
00:01:20,000 –> 00:01:21,000
Nick Andersen [00:27:48]: That’s something that the executive branch has to work, you know, with the legislative branch, with, you know, the private sector and with our industry partners on, you know, on the AI front in particular, building those partnerships and building that long term trust where we can continue to have these conversations. That’s the only way we’re going to get to the point where the American people are going to have any confidence that we’ve got their backs here and that we’re going to be able to take advantage of both the promise that something like AI can deliver as well as managing the risk in a way where it’s not going to negatively impact their lives.

82
00:01:21,000 –> 00:01:22,000
Frank Cilluffo [00:28:17]: That’s incredibly well said. The typical way is we march into the future backwards. We see an event, we fix that event, and in essence, we let the adversaries define our strategy rather than us. Because we’re reacting to something. We have a chance to get out in front of it. And I do think you hit on a couple of core issues beyond just the technology, but it’s having the governance structures, it’s having trust and dare I say, I don’t want to put you on a spot here, but having some of the laws to enable the sharing of information and protecting from liability, whether it’s CISA 2015 being reauthorized or SLCGP, making sure they’ve got the arrows and the quiver to do their jobs, these are essential. And, and, and that’s not even looking ahead. That’s just getting to the, to the table stakes. And I hope our Congress does act on some of those.

83
00:01:22,000 –> 00:01:23,000
Frank Cilluffo [00:29:13]: Do you want to comment on that? I don’t want to put you on the spot.

84
00:01:23,000 –> 00:01:24,000
Nick Andersen [00:29:15]: No. You know, look, I think as, as we’ve seen Secretary Noem and as we’ve seen Director Cairncross, you know, say in the, on the NCD side, you know, the administration, you know, looks forward to the possibility of a, you know, ten year clean reauth of, you know, elements like CISA 2015. Our state and local cyber grant program is exceedingly important. You know, we’re, we are looking to have that conversation with our state and local partners on how they can help take more responsibility and more control over their own destiny when it comes to things like resilience and recoverability. But that means that we have to be able to enable them in the right way with the right sort of tools and the right understanding of the risk profile against which they need to be building their, their own resilience.

85
00:01:24,000 –> 00:01:25,000
Frank Cilluffo [00:29:57]: Yep.

86
00:01:25,000 –> 00:01:26,000
Nick Andersen [00:29:58]: This isn’t about abandoning or walking away from a state and local relationship. This is about making sure they’re appropriately enabled to deliver those types of services, again, that their citizens in those individual states require of them.

87
00:01:26,000 –> 00:01:27,000
Frank Cilluffo [00:30:10]: Very well said, Nick. What questions didn’t I ask that I should have?

88
00:01:27,000 –> 00:01:28,000
Nick Andersen [00:30:14]: Well, we covered SEC football and disappointment already.

89
00:01:28,000 –> 00:01:29,000
Frank Cilluffo [00:30:17]: Both of us commiserate. Yeah.

90
00:01:29,000 –> 00:01:30,000
Nick Andersen [00:30:19]: Yeah, it’s just, it’s…

91
00:01:30,000 –> 00:01:31,000
Frank Cilluffo [00:30:20]: We’re back, we’re coming back though.

92
00:01:31,000 –> 00:01:32,000
Nick Andersen [00:30:22]: Yeah. You know, every, every year for a South Carolina fan is a rebuilding year. So we’re, we’re going to, we’re going to get there one of these decades.

93
00:01:32,000 –> 00:01:33,000
Frank Cilluffo [00:30:27]: I’m also a Jets fan, so if you want a fair weather fan, obviously, because we’re so good, we have great off seasons, but then it ends.

94
00:01:33,000 –> 00:01:34,000
Nick Andersen [00:30:36]: Yeah. I can’t remember his name, but one of the recent backup QBs, he got some action on the Jets side. I had to pull him in to replace Jackson Dart. One week on my fantasy football league and I landed with a negative 1.5 points.

95
00:01:34,000 –> 00:01:35,000
Frank Cilluffo [00:30:49]: That sounds like my Jets.

96
00:01:35,000 –> 00:01:36,000
Nick Andersen [00:30:50]: Yeah, yeah. Almost missed my fantasy football playoffs because of it.

97
00:01:36,000 –> 00:01:37,000
Frank Cilluffo [00:30:53]: There you go. There you go. Even when we had Aaron Rodgers, that was our outcome, unfortunately.

98
00:01:37,000 –> 00:01:38,000
Nick Andersen [00:30:58]: Him out there with his walker. Yeah.

99
00:01:38,000 –> 00:01:39,000
Frank Cilluffo [00:31:02]: Anything else for the, for the good and welfare?

100
00:01:39,000 –> 00:01:40,000
Nick Andersen [00:31:04]: Yeah. I think we’re in an exceedingly dynamic threat environment, you know, so whether it’s our international partnerships that we started talking about or our industry partnerships that we see here with AI, you know, being able to, again, get back to first principles of what is it we’re really trying to do? How do we govern these environments? What are our expectations of these environments? Do we really understand what we’re trying to achieve? Because our adversary has a pretty clear eyed view of what they’re trying to achieve. And it is both the opportunities for, you know, discord and societal panic as well as technical impacts. I think we’re going to continue to see the evolution of elements like our nation state threat actor friends, like we see with China, Russia, Iran and North Korea, continue to evolve their TTPs and continue to get more aggressive within cyberspace.

101
00:01:40,000 –> 00:01:41,000
Nick Andersen [00:32:00]:And when we see tools like, like what we’ve seen happen with Anthropic and Claude, enable those non nation state actors, those criminal groups that are out there, they’re just going to accelerate in terms of scope and scale of what they’re trying to do and you know, just, it’s going to be a volumetric increase that we’re going to have to deal with there. So for me it’s about, if we’re thinking about first principles, we have a responsibility to address understanding our data, understanding our data flows, understanding how we’re managing vulnerability and risk. We’ve got lots of great opportunities where we’re sharing CVE information and that is such an exceedingly important program that CISA is going to continue to support over the long term. Those KEV entries that we’re putting in there for known exploited vulnerabilities, it doesn’t do us any good if we’re continuing to highlight those things and continuing to work with industry and we’re not able to have a prioritization conversation with how people are actually going to remediate that within their environment. And again, the threat actor doesn’t care.

102
00:01:41,000 –> 00:01:42,000
Frank Cilluffo [00:32:44]: Yep. And the bad guy has a vote in all of this. So Nick, thank you for your leadership. Thank you for joining us today. And let me just underscore, thank you for your public service. People often take that for granted. We’ve got to make sure that the best and the brightest are in this fight. And I’m really happy you’re in this fight.

103
00:01:42,000 –> 00:01:43,000
Frank Cilluffo [00:33:01]: So thank you for joining us today. And onward and upward. Let me leave you with the token of our appreciation, figuratively and literally, our coin. And thank you.

104
00:01:43,000 –> 00:01:44,000
Nick Andersen [00:33:10]: Well, thanks so much. I appreciate it. Thanks for having me.

105
00:01:44,000 –> 00:01:45,000
Frank Cilluffo [00:33:13]: Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you’d like for us to host. Until next time, stay safe, stay informed and stay curious.

Related Content