Cybersecurity Burnout, Deception Tech, and National Security with Cynthia Brumfield
Season 2 Episode 8 •Show Notes
In this episode of Cyber Focus, host Frank Cilluffo speaks with Cynthia Brumfield, a prolific cybersecurity journalist and analyst. Brumfield discusses her reporting on the human toll of cybersecurity incidents, including mental health challenges and burnout among cyber professionals. She also explores the evolving role of deception technology in cyber defense and highlights key cybersecurity provisions in the latest National Defense Authorization Act (NDAA). The conversation covers the growing threats posed by foreign adversaries, including China, and the importance of resilience in cybersecurity operations.
Main Topics Covered:
- The mental health impact of cybersecurity incidents and the need for better support systems
- Deception technology and its role in cyber defense beyond traditional honeypots
- Cybersecurity funding and policy changes in the NDAA, including a $30 billion investment in military cyber operations
- The rise of ransomware and its classification as a national security threat
- The establishment of the NSA’s AI Security Center and its implications for national security
- Supply chain security concerns, including Chinese technology risks in ports and telecommunications
Key Quotes:
“I don’t think I realized until I wrote it and having talked to all the folks who have gone through this… I don’t think I realized how traumatic it is to be in the middle of a cybersecurity incident. In fact, it’s very much like any other emergency situation.” – Cynthia Brumfield
“You need to lay the baseline of an appropriate emotional and psychological response to these incidents before they occur, so that you don’t have the burnout, that you don’t have the PTSD.” – Cynthia Brumfield
“[Deception technology] is basically this term of coming up with a very broad strategic goal of tricking the enemy and getting them lured into dead ends on your network.” – Cynthia Brumfield
“I think [the Cyber Force discussion] has legs this time… There’s some momentum on this. I’m getting asked more and more and more questions, including from skeptics.” – Frank Cilluffo
“It’s important when we’re talking about Chinese supply chain threats and espionage threats to sort of separate the wheat from the chaff. There are some serious concerns… but we have to have a much more sophisticated grasp on what are the true threats and what are not really true.” – Cynthia Brumfield
Relevant Links and Resources:
Managing the emotional toll cybersecurity incidents can take on your team
Increasing the response level to ransomware
Guest Bio:
Cynthia Brumfield is a leading cybersecurity journalist and analyst, writing for publications such as CSO Online. She runs Metacurity.com, a cybersecurity news site, and has been covering the field for over a decade. Her work focuses on cyber policy, national security, and emerging threats, with an emphasis on making complex issues accessible to a broad audience.
Transcript
1
00:00:00,720 –> 00:00:05,848
Frank Cilluffo: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas
2
00:00:05,944 –> 00:00:10,952
Frank Cilluffo: shaping and defending our digital world. I’m your host, Frank Cilluffo, and have the privilege
3
00:00:11,016 –> 00:00:16,200
Frank Cilluffo: today and this week to sit down with Cynthia Brumfield. Cynthia is a prolific writer
4
00:00:16,360 –> 00:00:22,552
Frank Cilluffo: on all things cyber. She runs a major cyber news site at Medicurity, which I
5
00:00:22,656 –> 00:00:30,062
Frank Cilluffo: recommend everyone subscribe to. And I think most importantly, she goes in depth on a
6
00:00:30,086 –> 00:00:35,166
Frank Cilluffo: number of stories that don’t get the attention that they deserve in our ADD world
7
00:00:35,238 –> 00:00:45,086
Frank Cilluffo: in cybersecurity. So really excited to sit down with Cynthia today. And Cynthia,
8
00:00:45,118 –> 00:00:49,770
Frank Cilluffo: thank you for joining us. Thank you, Frank. I’m very honored that you invited me.
9
00:00:50,390 –> 00:00:55,250
Frank Cilluffo: Well, we’re privileged to have you. And I thought I’d start, start with a very
10
00:00:55,290 –> 00:01:00,482
Frank Cilluffo: recent article you wrote and it was looking at the human cost of cybersecurity, the
11
00:01:00,506 –> 00:01:06,850
Frank Cilluffo: mental health issues, burnout themes that I don’t think get as much attention as they
12
00:01:06,890 –> 00:01:10,642
Frank Cilluffo: probably deserve. But before we jump into the article, I’d be curious, what led you
13
00:01:10,666 –> 00:01:14,834
Frank Cilluffo: to write this article? Have you been hearing from a lot of friends and colleagues
14
00:01:14,882 –> 00:01:23,102
Frank Cilluffo: or what was that initial thought to be able to go deep? So initially, and
15
00:01:23,126 –> 00:01:29,262
Cynthia Brumfield: it’s interesting that you were asking this question because initially I had proposed writing a
16
00:01:29,286 –> 00:01:34,190
Cynthia Brumfield: piece on. So this is for a publication called CSO Online, which is aimed at
17
00:01:34,230 –> 00:01:39,662
Cynthia Brumfield: CISOs and they seek practical information on how to do their jobs. And so I
18
00:01:39,686 –> 00:01:45,210
Cynthia Brumfield: had proposed an idea on how CISOs can talk to the board about the cost
19
00:01:45,510 –> 00:01:52,850
Cynthia Brumfield: of cyber incidents. And my editor suggested, well, can you throw in there perhaps the,
20
00:01:52,890 –> 00:01:59,154
Cynthia Brumfield: you know, the human toll cost as well. And when I started talking to various
21
00:01:59,202 –> 00:02:04,242
Cynthia Brumfield: people about that, I realized it needed its own piece. I wasn’t going to, you
22
00:02:04,266 –> 00:02:08,242
Cynthia Brumfield: know, do it justice to do a paragraph and a piece on how to talk
23
00:02:08,266 –> 00:02:14,920
Cynthia Brumfield: to the board about the cost of incidents. And the more I of dug into
24
00:02:14,960 –> 00:02:21,480
Cynthia Brumfield: it, the more compelling the whole subject was that that piece that, that was published
25
00:02:21,560 –> 00:02:26,824
Cynthia Brumfield: was a very long one for, for CSO and also generally for any publication it
26
00:02:26,832 –> 00:02:32,536
Cynthia Brumfield: was 2,000 words. And even at that I had to leave a lot on the
27
00:02:32,608 –> 00:02:37,656
Cynthia Brumfield: sort of the cutting room floor because it’s just such an in depth topic and
28
00:02:37,728 –> 00:02:42,968
Cynthia Brumfield: a compelling one. And I don’t think I realized until I wrote it. And having
29
00:02:43,024 –> 00:02:48,200
Cynthia Brumfield: talked to all the folks, folks who have gone through this, have experience in this,
30
00:02:48,320 –> 00:02:55,256
Cynthia Brumfield: the psychologist who’s developed a program around it, the cyber professional who’s trying to get
31
00:02:55,328 –> 00:03:00,952
Cynthia Brumfield: organizations to pay attention to this issue, I don’t think I realized how traumatic it
32
00:03:00,976 –> 00:03:06,376
Cynthia Brumfield: is to be in the middle of a cybersecurity incident. In fact, it’s very much
33
00:03:06,448 –> 00:03:13,204
Cynthia Brumfield: like any other emergency situation. And I use the example in my piece of, you
34
00:03:13,212 –> 00:03:21,588
Cynthia Brumfield: know, police departments and fire departments so very. And indeed, the program that was developed
35
00:03:21,684 –> 00:03:26,276
Cynthia Brumfield: by the psychologist that I cite in my piece to help deal with the mental
36
00:03:26,308 –> 00:03:33,700
Cynthia Brumfield: health issues surrounding cybersecurity professionals, particularly during an incident, he modified that on the. From
37
00:03:33,740 –> 00:03:39,470
Cynthia Brumfield: a PTSD program he developed for the US Army. So, you know, I don’t know
38
00:03:39,510 –> 00:03:45,918
Cynthia Brumfield: that it. Having written about Cybersecurity, it’s been 10 years now, and having, you know,
39
00:03:45,974 –> 00:03:54,782
Cynthia Brumfield: spoken to many cybersecurity professionals, just how, how serious the mental health impact is, you
40
00:03:54,806 –> 00:04:01,102
Cynthia Brumfield: know, particularly if you’re dealing with a very severe incident. True. And I would imagine,
41
00:04:01,246 –> 00:04:05,410
Frank Cilluffo: and I’d be curious since you did tie it to sort of the C suite.
42
00:04:06,130 –> 00:04:11,498
Frank Cilluffo: By and large, I often say security is always too much until the day it’s
43
00:04:11,514 –> 00:04:18,458
Frank Cilluffo: not enough. And the time that most executives are paying attention to these missions is
44
00:04:18,514 –> 00:04:25,898
Frank Cilluffo: obviously after something bad has happened. Are you starting to see some companies that are
45
00:04:25,954 –> 00:04:32,272
Frank Cilluffo: being maybe a little more focused on some of these issues? And if not, what
46
00:04:32,296 –> 00:04:38,544
Frank Cilluffo: do you think we should be discussing and thinking and doing? So it’s interesting because
47
00:04:38,632 –> 00:04:45,408
Cynthia Brumfield: as I note in the piece, I spoke to several experts, one of whom you
48
00:04:45,464 –> 00:04:53,648
Cynthia Brumfield: may know, Joe Sullivan, who was the CEO at his last job of Uber. That
49
00:04:53,784 –> 00:04:59,862
Cynthia Brumfield: created quite a bit of personal stress for him and he, his fellow CISOs, on
50
00:04:59,966 –> 00:05:05,650
Cynthia Brumfield: how they can survive these incidents. And I guess the sense I walked away from
51
00:05:05,950 –> 00:05:15,238
Cynthia Brumfield: this piece is that organizations are not doing enough. One of the things that
52
00:05:15,374 –> 00:05:21,238
Cynthia Brumfield: Sullivan and other folks I spoke to stressed with me is that you need to
53
00:05:21,294 –> 00:05:29,040
Cynthia Brumfield: lay the baseline of an appropriate emotional and psychological response to these incidents before they
54
00:05:29,080 –> 00:05:34,064
Cynthia Brumfield: occur so that you don’t have the burnout, that you don’t have the ptsd, so
55
00:05:34,072 –> 00:05:41,184
Cynthia Brumfield: that people are looking at them as sort of normal. It’s, you know, and Joe
56
00:05:41,232 –> 00:05:46,032
Cynthia Brumfield: Ma mentions this, is that you think of yourself as a fire department, you know,
57
00:05:46,136 –> 00:05:55,224
Cynthia Brumfield: firemen and firefighters, women too, go into crisis situations, but they don’t have. They have,
58
00:05:55,312 –> 00:06:01,512
Cynthia Brumfield: they have the training, they have the psychological mindset, they have the social support of
59
00:06:01,536 –> 00:06:07,208
Cynthia Brumfield: their peers and their superiors to talk about these issues that make it a lot
60
00:06:07,264 –> 00:06:14,472
Cynthia Brumfield: easier for them to handle these kinds of crises. And the message that came through
61
00:06:14,576 –> 00:06:19,660
Cynthia Brumfield: from my conversations is that we need to do that too in the cybersecurity. We
62
00:06:19,700 –> 00:06:27,452
Cynthia Brumfield: need to set up particular programs that enable particularly those on the front line and
63
00:06:27,476 –> 00:06:35,052
Cynthia Brumfield: in the security operations centers where the heat is the highest, enable them to kind
64
00:06:35,076 –> 00:06:41,052
Cynthia Brumfield: of deal with this a lot better, enable them to talk about it and otherwise
65
00:06:41,116 –> 00:06:47,120
Cynthia Brumfield: kind of manage it better. What I’m hearing is that there’s not enough of this
66
00:06:47,160 –> 00:06:55,408
Cynthia Brumfield: going on in corporate America, that the obstacle right now is trying to inform human
67
00:06:55,464 –> 00:07:04,288
Cynthia Brumfield: resource departments, HR departments, that cybersecurity workers are different. These are not your regular sort
68
00:07:04,304 –> 00:07:09,632
Cynthia Brumfield: of stress reduction mindfulness programs at lunch. This is something a little deeper, a little
69
00:07:09,656 –> 00:07:17,722
Cynthia Brumfield: more serious. And, you know, although CISOs, the people who organize their teams to deal
70
00:07:17,746 –> 00:07:23,978
Cynthia Brumfield: with these incidents are very amenable to it, the sort of the last holdout seems
71
00:07:23,994 –> 00:07:27,322
Cynthia Brumfield: to be the HR departments. They need to be convinced that this is something that
72
00:07:27,346 –> 00:07:33,882
Cynthia Brumfield: they should undertake, which of course costs money. And everything in cyber. Everything in cybersecurity
73
00:07:33,946 –> 00:07:40,352
Cynthia Brumfield: costs money. And that’s a problem. Yeah, it is a cost center, and I think
74
00:07:40,376 –> 00:07:44,016
Frank Cilluffo: it’s fair to say it’s more than just having a yoga room and some ping
75
00:07:44,048 –> 00:07:50,864
Frank Cilluffo: pong table, whatever else. And the reality is, is even in the first responder community,
76
00:07:50,952 –> 00:07:56,192
Frank Cilluffo: it didn’t take on great salience. So after we had a catastrophic incident. So I
77
00:07:56,216 –> 00:08:02,272
Frank Cilluffo: remember after Oklahoma City, after the bombing at the Alfred P. Murrah building bombing, and
78
00:08:02,296 –> 00:08:09,492
Frank Cilluffo: then again after 9 11, of course, it suddenly became a more prevalent set of
79
00:08:09,516 –> 00:08:16,772
Frank Cilluffo: issues. So I think you’re tying it to first responders. First preventers is a great
80
00:08:16,796 –> 00:08:23,172
Frank Cilluffo: approach in emergency managers because like you said, they do have some training. And at
81
00:08:23,196 –> 00:08:26,612
Frank Cilluffo: the end of the day, if you look at our military, our special forces, they
82
00:08:26,636 –> 00:08:32,372
Frank Cilluffo: spend a lot of time on the behavioral side. And that battlefield here is probably
83
00:08:32,436 –> 00:08:38,580
Frank Cilluffo: even more important than the kinetic one in some respects. So I’d be curious what
84
00:08:38,620 –> 00:08:43,636
Frank Cilluffo: some of your thoughts were around first responders. Anything in particular that we can maybe
85
00:08:43,668 –> 00:08:51,284
Frank Cilluffo: apply. Obviously it’s not the exact same, but there are some parallels. Well, the one
86
00:08:51,452 –> 00:08:59,168
Cynthia Brumfield: main point that came through in my piece is to normalize, as I mentioned, normalize
87
00:08:59,284 –> 00:09:08,792
Cynthia Brumfield: the crisis that lessens its emotional impact. If the cybersecurity workers are prepared,
88
00:09:08,936 –> 00:09:14,904
Cynthia Brumfield: that someday something really serious and bad will happen and they will be in a
89
00:09:14,912 –> 00:09:20,120
Cynthia Brumfield: pressure cooker and be responsible for getting things up and running. If they know that
90
00:09:20,160 –> 00:09:25,762
Cynthia Brumfield: in advance, if they’re able to talk about it in advance, and you know, when
91
00:09:25,786 –> 00:09:34,626
Cynthia Brumfield: an incident does occur, able to talk about it, not bottle up their emotions, which
92
00:09:34,698 –> 00:09:41,746
Cynthia Brumfield: is what firefighters. One of the experts I cite in this is somebody who spent
93
00:09:41,778 –> 00:09:51,674
Cynthia Brumfield: 10 years as an emergency response dispatcher who basically said that police departments that
94
00:09:51,682 –> 00:09:57,450
Cynthia Brumfield: he worked with, were the kind to kind of say, all right, it’s over, no
95
00:09:57,490 –> 00:10:01,482
Cynthia Brumfield: need to talk about it, it’s done. They would bottle up their feelings, but the
96
00:10:01,506 –> 00:10:06,890
Cynthia Brumfield: firefighters did the opposite. They really talked things out, and as a consequence, they were
97
00:10:06,930 –> 00:10:12,230
Cynthia Brumfield: more resilient and they were more. They were less traumatized by things that happened. So
98
00:10:12,530 –> 00:10:19,124
Cynthia Brumfield: I think the big takeaway there is be prepared. Don’t, you know, tell them in
99
00:10:19,132 –> 00:10:26,292
Cynthia Brumfield: advance something bad’s going to happen. Be prepared and normalize. Normalize the bad stuff. And
100
00:10:26,476 –> 00:10:33,060
Cynthia Brumfield: ironically, that makes it a little easier to handle. And you mentioned Joe Sullivan. He
101
00:10:33,180 –> 00:10:40,180
Frank Cilluffo: paid a very high price personally. He did. Or so oc and obviously that signals
102
00:10:40,260 –> 00:10:44,942
Frank Cilluffo: to others, hey, if you take these jobs, you could be held at a, at
103
00:10:44,966 –> 00:10:49,566
Frank Cilluffo: a bar that even if you do try to do everything in, in your authority
104
00:10:49,598 –> 00:10:55,566
Frank Cilluffo: and capability to do so, you still may not meet that bar. So he prosecuted,
105
00:10:55,678 –> 00:11:01,854
Cynthia Brumfield: he was a federal prosecutor who was absolutely. For obstruction of justice in a fairly
106
00:11:01,902 –> 00:11:08,462
Cynthia Brumfield: complex case involving Uber, the very, I think the very first CISO who ever had
107
00:11:08,486 –> 00:11:14,340
Cynthia Brumfield: that happened to them. And that was a watershed moment where everyone got a little
108
00:11:14,380 –> 00:11:20,836
Cynthia Brumfield: scared thinking they could go to, you know, in the end, he got probation. But,
109
00:11:20,908 –> 00:11:25,732
Cynthia Brumfield: you know, it raised the prospect of, of going to, you know, being. Going to
110
00:11:25,756 –> 00:11:31,380
Cynthia Brumfield: prison for, for trying to handle an incident the best you can, which oftentimes does
111
00:11:31,420 –> 00:11:38,478
Cynthia Brumfield: come with the fog of war. That’s. So, yeah, no, he, he learned. And his,
112
00:11:38,534 –> 00:11:44,170
Cynthia Brumfield: his object lesson, I think, has been very helpful to the rest of the industry.
113
00:11:46,310 –> 00:11:51,214
Frank Cilluffo: Like I said. And, and they are balancing also accountability. So it is a tough
114
00:11:51,262 –> 00:11:58,142
Frank Cilluffo: set of issues if you’re. To your shareholders, your customers, your clients and others. So
115
00:11:58,166 –> 00:12:03,838
Frank Cilluffo: it is, it is complex. It’s not a very simple, simple set of solutions. But,
116
00:12:03,894 –> 00:12:07,534
Frank Cilluffo: but I do hope, I mean, any other parting thoughts before we jump to one
117
00:12:07,542 –> 00:12:13,262
Frank Cilluffo: of your other articles, what companies could do, should do. And, and I know on
118
00:12:13,286 –> 00:12:22,622
Frank Cilluffo: the HR side, but if, if you were staffing a, a Fortune 100 company, are
119
00:12:22,646 –> 00:12:26,558
Frank Cilluffo: there a couple of steps you think that our viewers, listeners, and others can sort
120
00:12:26,574 –> 00:12:32,080
Frank Cilluffo: of walk away with? Well, another point that Joe made that’s in the piece is
121
00:12:32,120 –> 00:12:41,152
Cynthia Brumfield: that CISOs often shoulder the burden of security alone, even though they’re not totally responsible
122
00:12:41,216 –> 00:12:47,808
Cynthia Brumfield: for the policies that kind of govern how organizations do and can respond to incidents.
123
00:12:47,984 –> 00:12:54,928
Cynthia Brumfield: And his recommendation is to share the burden with the other executives, to make them
124
00:12:54,984 –> 00:13:02,550
Cynthia Brumfield: aware of what happens to the cybersecurity teams, to make them aware of the damage
125
00:13:02,630 –> 00:13:10,822
Cynthia Brumfield: that could. Psychological and psychic toll that could fall on cybersecurity workers so that it
126
00:13:10,846 –> 00:13:19,350
Cynthia Brumfield: is maybe not top of mind for them, but until the senior security leader within
127
00:13:19,390 –> 00:13:25,508
Cynthia Brumfield: an organization speaks up and tells the general counsel or tells, you know, the CEO
128
00:13:25,604 –> 00:13:31,588
Cynthia Brumfield: or the board or whoever it might need to be that, hey, bear in mind
129
00:13:31,644 –> 00:13:37,012
Cynthia Brumfield: when these things happen, we need the resources or the consideration for the workers who
130
00:13:37,036 –> 00:13:42,500
Cynthia Brumfield: are dealing with these incidents. So I think, you know, maybe from the first responder
131
00:13:42,580 –> 00:13:47,012
Cynthia Brumfield: perspective and the perspective of sharing with the board, there’s a lot more conversation that
132
00:13:47,036 –> 00:13:55,198
Cynthia Brumfield: needs to be going on within the organization about the impact of cybersecurity incidents. And
133
00:13:55,254 –> 00:14:04,318
Frank Cilluffo: just the burnout workforce challenges the deficit. I hope that your piece does trigger that
134
00:14:04,374 –> 00:14:11,250
Frank Cilluffo: discussion, a discussion that undoubtedly is needed and we’re only beginning to scratch the surface.
135
00:14:11,830 –> 00:14:15,982
Cynthia Brumfield: Yeah, there’s a lot more. Yeah, yeah, there’s a lot more there, there. I’m not
136
00:14:16,006 –> 00:14:20,430
Frank Cilluffo: a psychologist. Don’t play one on tv. So I don’t know what I don’t know.
137
00:14:20,470 –> 00:14:25,728
Frank Cilluffo: But I do know from a lot of friends, and this is not empirically based
138
00:14:25,784 –> 00:14:31,664
Frank Cilluffo: evidence, but just anecdotal that they are paying a price. And at the end of
139
00:14:31,672 –> 00:14:37,152
Frank Cilluffo: the day, this is a risk like any other risk that I think the corporate
140
00:14:37,216 –> 00:14:44,900
Frank Cilluffo: C suite does have to take ownership of to a large extent. Not to pivot
141
00:14:45,560 –> 00:14:49,952
Frank Cilluffo: in a rough way to another story, but you had another really interesting piece also
142
00:14:50,056 –> 00:14:56,088
Frank Cilluffo: for, I believe, CSO online, and you’re regular contributor for them, and they do great
143
00:14:56,144 –> 00:15:04,952
Frank Cilluffo: work. And that’s looking at changes in not deception from an adversarial standpoint, but from
144
00:15:04,976 –> 00:15:09,752
Frank Cilluffo: a cyber defense perspective. And I think every one of our viewers will have a
145
00:15:09,776 –> 00:15:17,992
Frank Cilluffo: lot of awareness around Honey Pats and some of these other more tactical defenses. But
146
00:15:18,096 –> 00:15:24,384
Frank Cilluffo: I thought your piece went much more broadly and I’d be maybe start with framing
147
00:15:24,432 –> 00:15:29,024
Frank Cilluffo: the piece and then we’ll jump into a couple of the big takeaways. Yeah, well,
148
00:15:29,112 –> 00:15:38,512
Cynthia Brumfield: so it’s interesting. This piece came out of a conference that sadly had its last
149
00:15:38,616 –> 00:15:46,320
Cynthia Brumfield: run in January here in Washington called Shmoocon. And I attended a session. There was
150
00:15:46,360 –> 00:15:55,064
Cynthia Brumfield: a former FBI computer scientist named Russell Handorf. He’s actually kind of was kind of
151
00:15:55,072 –> 00:16:01,176
Cynthia Brumfield: a big wheel in the Philadelphia FBI office, but he gave a presentation that was
152
00:16:01,328 –> 00:16:10,072
Cynthia Brumfield: utterly fun and fascinating about this whole field of deception technology, which, as you pointed
153
00:16:10,136 –> 00:16:17,350
Cynthia Brumfield: out, Frank, most of your readers are going to be familiar with honeypots. And that’s
154
00:16:17,690 –> 00:16:22,850
Cynthia Brumfield: for a large portion of the industry, kind of the, the beginning and the end
155
00:16:22,890 –> 00:16:30,082
Cynthia Brumfield: of what deception technology is. And honey pots just to, you know, shorthanded Are, you
156
00:16:30,106 –> 00:16:37,890
Cynthia Brumfield: know, assets, typically servers that are, you know, sacrificed or, or put into place to
157
00:16:37,930 –> 00:16:47,798
Cynthia Brumfield: attract enemies or adversaries, to get more information on who they are and to attract,
158
00:16:47,974 –> 00:16:52,742
Cynthia Brumfield: divert their attention away from the really good stuff so that they, you know, if
159
00:16:52,766 –> 00:16:57,030
Cynthia Brumfield: they’re not, you know, completely averted, they’re slowed down and you get more information on
160
00:16:57,070 –> 00:17:01,990
Cynthia Brumfield: them and you can find out who they are. It’s a relatively inexpensive proposition from
161
00:17:02,030 –> 00:17:07,558
Cynthia Brumfield: a couple thousand bucks a year maybe to install servers and then attract the bad
162
00:17:07,614 –> 00:17:13,081
Cynthia Brumfield: guys and then just kind of get rid of those servers. Deception technology is a
163
00:17:13,105 –> 00:17:18,809
Cynthia Brumfield: concept, also comes from the military as, as do many things in, in cybersecurity. But
164
00:17:18,849 –> 00:17:25,849
Cynthia Brumfield: deception technology was sort of pioneered by the NSA in the 1980s and 1990s as
165
00:17:25,889 –> 00:17:34,393
Cynthia Brumfield: a sort of theoretical and academic matter. And now it is basically this term of
166
00:17:34,481 –> 00:17:43,394
Cynthia Brumfield: coming up with a very broad strategic goal of tricking the enemy and getting them
167
00:17:43,562 –> 00:17:50,066
Cynthia Brumfield: lured into dead ends on your network and within your systems so that you can,
168
00:17:50,138 –> 00:17:58,270
Cynthia Brumfield: A, find out who they are, B, get, you know, signatures and footprint information and
169
00:17:58,890 –> 00:18:05,084
Cynthia Brumfield: slow them down and otherwise, you know, kind of situation, set up this very elaborate,
170
00:18:05,212 –> 00:18:11,740
Cynthia Brumfield: elaborate trap for them. And it is beyond honey pots. It is a strategic and
171
00:18:11,780 –> 00:18:19,260
Cynthia Brumfield: very complex view of things. It is also something that while intriguing and I, I
172
00:18:19,300 –> 00:18:22,972
Cynthia Brumfield: had a lot of fun writing this piece and I’ll explain why in a minute,
173
00:18:23,036 –> 00:18:27,900
Cynthia Brumfield: because it had to do with Handorf’s presentation. He did a real world analogy of
174
00:18:28,020 –> 00:18:34,442
Cynthia Brumfield: his life and kind of likened that to the concept of deception technology. But the
175
00:18:34,466 –> 00:18:42,090
Cynthia Brumfield: reality is it is a very complex proposition to launch a deception technology campaign. For
176
00:18:42,130 –> 00:18:49,722
Cynthia Brumfield: the most part, it is very large organizations that do this level of trying to
177
00:18:49,746 –> 00:18:58,472
Cynthia Brumfield: trick the enemy or the adversary and it’s expensive. And some organizations, I had a
178
00:18:58,496 –> 00:19:03,960
Cynthia Brumfield: conversation with Russ after his talk and some organizations go to incredible lengths. They will
179
00:19:04,000 –> 00:19:13,320
Cynthia Brumfield: actually set up fake departments within their organization with fake workers typing in fake
180
00:19:13,400 –> 00:19:23,080
Cynthia Brumfield: emails, you know, that are scripted and you know, creating letterhead and fake invoices and
181
00:19:23,120 –> 00:19:30,230
Cynthia Brumfield: everything else. Because for very sophisticated threat actors, that’s what’s necessary because they will easily
182
00:19:30,310 –> 00:19:36,950
Cynthia Brumfield: pick up on, you know, kind of really half hearted attempts to create phony assets.
183
00:19:37,030 –> 00:19:41,702
Cynthia Brumfield: And you know, the, the bill for that kind of deception operation is in the
184
00:19:41,726 –> 00:19:46,822
Cynthia Brumfield: millions of dollars a year. And you know what Russ sort of hinted at with
185
00:19:46,846 –> 00:19:51,332
Cynthia Brumfield: me, he didn’t really give me names, but basically the, the organizations that do that
186
00:19:51,356 –> 00:20:01,044
Cynthia Brumfield: are major financial institutions. They run deception operations where they lure people in and create
187
00:20:01,212 –> 00:20:10,644
Cynthia Brumfield: realistic assets that at first blush, I mean, ultimately these very Sophisticated threat actors, some
188
00:20:10,652 –> 00:20:16,180
Cynthia Brumfield: of them are nation states, ultimately can figure out that, you know, for example, if
189
00:20:16,220 –> 00:20:21,370
Cynthia Brumfield: you have a thousand servers set up and they’re all built exactly the same way,
190
00:20:21,490 –> 00:20:27,178
Cynthia Brumfield: they will instantly spot that as. As a trap, and they will not fall for
191
00:20:27,234 –> 00:20:30,490
Cynthia Brumfield: it. And. And you will have spent a lot of money for nothing. So you
192
00:20:30,530 –> 00:20:36,826
Cynthia Brumfield: have to do it very realistically. And what made it really fun for me and
193
00:20:36,898 –> 00:20:42,426
Cynthia Brumfield: is that Russ had told the story, and I have this in my piece that,
194
00:20:42,498 –> 00:20:48,076
Cynthia Brumfield: you know, his knowledge of deception technology led him, after he and his wife bought,
195
00:20:48,188 –> 00:20:52,892
Cynthia Brumfield: I think it was, 40 acres of land in the countryside, discovered that it was
196
00:20:52,916 –> 00:21:01,628
Cynthia Brumfield: overrun by, you know, illegal hunters and squatters and other people. So he created something
197
00:21:01,684 –> 00:21:09,164
Cynthia Brumfield: called the Rattles. He. He literally formed a corporation or nonprofit organization, I believe, filed
198
00:21:09,212 –> 00:21:19,128
Cynthia Brumfield: the paperwork, created something called the Rattles Rattlesnake Preserve and put signs up
199
00:21:19,184 –> 00:21:24,680
Cynthia Brumfield: all over his property saying, oh, you know, welcome to the Rattlesnake Preserve. He put
200
00:21:24,720 –> 00:21:30,152
Cynthia Brumfield: up cameras, he put up microphones, he put up on the signage, he put up
201
00:21:30,176 –> 00:21:36,008
Cynthia Brumfield: QR codes so that people trespassing on his property would, you know, check it out,
202
00:21:36,064 –> 00:21:41,834
Cynthia Brumfield: and then he would have their phone number, their whatever, all their other identifying information
203
00:21:42,002 –> 00:21:47,670
Cynthia Brumfield: that he collected, you know, just for the purpose of providing law enforcement with information
204
00:21:48,210 –> 00:21:54,202
Cynthia Brumfield: on people who were, you know, committing a very small crime of trespassing. But. But
205
00:21:54,226 –> 00:21:59,658
Cynthia Brumfield: it was interesting because he kind of used that analogy to point out, you know,
206
00:21:59,714 –> 00:22:02,618
Cynthia Brumfield: what you need to do at a corporate level. You need to actually make things
207
00:22:02,674 –> 00:22:12,240
Cynthia Brumfield: look real to. To trap people into getting into your phony assets. Once all those
208
00:22:12,280 –> 00:22:16,752
Frank Cilluffo: hunters realized there weren’t rattlesnakes on every corner, did they stop? Did they. Did it
209
00:22:16,776 –> 00:22:23,936
Frank Cilluffo: work? Was it effective or. Yeah, it was effective. It was effective. He didn’t really
210
00:22:24,088 –> 00:22:29,664
Cynthia Brumfield: say out loud if he gave any information to law enforcement, but the whole goal
211
00:22:29,712 –> 00:22:36,364
Cynthia Brumfield: of it was to identify who these people are. And the reason he actually filed
212
00:22:36,412 –> 00:22:43,004
Cynthia Brumfield: for the incorporation papers and he created the signs and everything else was so that
213
00:22:43,092 –> 00:22:49,560
Cynthia Brumfield: they would think it was real and that there were rattlesnakes, you know, roaming around,
214
00:22:49,860 –> 00:22:54,700
Cynthia Brumfield: and they’d been hunting there for. 30 years and never saw one and thought, yeah,
215
00:22:54,860 –> 00:23:00,268
Frank Cilluffo: all that. That’s the grave story. And I want to push back on one thing
216
00:23:00,324 –> 00:23:05,378
Frank Cilluffo: you mentioned, sort of NSA beam up, the Greeks, and during World War II, others
217
00:23:05,434 –> 00:23:11,790
Frank Cilluffo: would say, deception in technology and military environment been around for a long time. But
218
00:23:12,250 –> 00:23:19,458
Cynthia Brumfield: that is correct. That is correct. But in the digital realm. In the digital realm,
219
00:23:19,554 –> 00:23:28,690
Cynthia Brumfield: they took these ancient practices of fooling the enemy And. I’m going to give you
220
00:23:28,730 –> 00:23:33,506
Frank Cilluffo: one guy to read about because he was phenomenal during World War II, R.V. jones
221
00:23:33,618 –> 00:23:39,492
Frank Cilluffo: and, and he was a British scientist. I don’t think people still have an appreciation
222
00:23:39,556 –> 00:23:48,452
Frank Cilluffo: for just how significant deception was for tricking the Nazis in so many battles and
223
00:23:48,556 –> 00:23:54,132
Frank Cilluffo: ultimately saved lots of lives, not to mention possibly the war. But great, great set
224
00:23:54,156 –> 00:23:57,300
Frank Cilluffo: of issues. Just one more question on that because I want to get to one
225
00:23:57,340 –> 00:24:04,340
Frank Cilluffo: more big story you wrote for sure. And do you think deception technologies and you
226
00:24:04,380 –> 00:24:08,948
Frank Cilluffo: touch on this, can be integrated with zero trust security models? Do you see that
227
00:24:09,004 –> 00:24:15,364
Frank Cilluffo: connection? So at least one of the experts I spent some time talking to really
228
00:24:15,452 –> 00:24:23,172
Cynthia Brumfield: hammered home that point that you don’t want one of the things that happens if
229
00:24:23,196 –> 00:24:29,080
Cynthia Brumfield: the enemy gets enemy, the adversary gets wise to the fact that they have been
230
00:24:29,120 –> 00:24:36,100
Cynthia Brumfield: tricked frequently they will go on a rampage and they’ll destroy everything that is around.
231
00:24:37,600 –> 00:24:41,512
Cynthia Brumfield: And therefore you want to make sure. If you do it, you do it for
232
00:24:41,536 –> 00:24:48,248
Frank Cilluffo: real. Right? Yeah, yeah, right. But you also want to insulate your real assets from
233
00:24:48,304 –> 00:24:57,578
Cynthia Brumfield: any form of destruction from an angry adversary. And zero trust. One expert I spoke
234
00:24:57,594 –> 00:25:03,114
Cynthia Brumfield: to said you’ve got to have a zero trust platform which is, you know, anything
235
00:25:03,162 –> 00:25:10,650
Cynthia Brumfield: that’s surrounding this particular deception trap, you know, you only permit what has already been
236
00:25:10,690 –> 00:25:19,146
Cynthia Brumfield: pre authorized. The access entry, you know, is following sort of a zero trust model
237
00:25:19,178 –> 00:25:24,178
Cynthia Brumfield: where you don’t trust anything, you don’t trust anybody, you only permit in those things
238
00:25:24,234 –> 00:25:28,162
Cynthia Brumfield: you’re absolutely sure about. So that’s where zero trust comes in. When it comes to
239
00:25:28,186 –> 00:25:35,794
Cynthia Brumfield: the deception operations, you’re insulating all this stuff. Yeah, and I also think, and again
240
00:25:35,882 –> 00:25:40,242
Frank Cilluffo: disagree with me, I may be wrong, but it’s also very effective to counter insider
241
00:25:40,306 –> 00:25:43,778
Frank Cilluffo: threats by and large. Because at the end of the day, if you have an
242
00:25:43,834 –> 00:25:49,980
Frank Cilluffo: insider that can either be directly an insider or enable an outside group, that’s a
243
00:25:50,020 –> 00:25:55,692
Frank Cilluffo: much more difficult set of issues to defend against. So I would imagine that was
244
00:25:55,716 –> 00:26:00,204
Frank Cilluffo: high on the list in some of the experts you were speaking to and some
245
00:26:00,212 –> 00:26:05,260
Frank Cilluffo: of the thoughts. Yeah, you’re correct. There’s nothing to correct you because they did point
246
00:26:05,300 –> 00:26:11,612
Cynthia Brumfield: out that it’s not only adversaries, it’s insiders who are roaming around into places that
247
00:26:11,636 –> 00:26:17,046
Cynthia Brumfield: they should not go. And so you can trick them as well into these sort
248
00:26:17,078 –> 00:26:24,342
Cynthia Brumfield: of, you know, dead end, but very effective for the organization assets that, you know,
249
00:26:24,366 –> 00:26:28,342
Cynthia Brumfield: if somebody is roaming around, oh, this looks really interesting. This is where all the
250
00:26:28,366 –> 00:26:34,406
Cynthia Brumfield: financial accounts are and they’re really not someone who should be there that a deception
251
00:26:34,438 –> 00:26:40,934
Cynthia Brumfield: operation can, can really get a hold of those people. And I want to close
252
00:26:41,022 –> 00:26:46,950
Frank Cilluffo: with a story that still, I’m amazed, hasn’t gotten as much attention. But this is
253
00:26:46,990 –> 00:26:52,038
Frank Cilluffo: back a month or so ago you wrote about the National Defense Authorization act and
254
00:26:52,174 –> 00:27:00,822
Frank Cilluffo: specifically went through a long document to tease out all the, all the cyber references
255
00:27:00,966 –> 00:27:08,072
Frank Cilluffo: and not to steal your headline but 30 billion toward cyber Military Oriented. You want
256
00:27:08,096 –> 00:27:11,592
Frank Cilluffo: to touch on maybe a couple of the highlights and I’ve got a couple that
257
00:27:11,616 –> 00:27:15,080
Frank Cilluffo: are pet rocks of mine that I will go into if you don’t. But I
258
00:27:15,120 –> 00:27:21,880
Frank Cilluffo: still think it’s amazing. It’s been out for a couple months, but there’s so much
259
00:27:21,920 –> 00:27:26,920
Frank Cilluffo: in there that, that I don’t think enough of the discussion is around what is
260
00:27:26,960 –> 00:27:32,456
Frank Cilluffo: actually in there. So I’d be curious what your big takeaways are. Well, I mean,
261
00:27:32,528 –> 00:27:37,344
Cynthia Brumfield: yeah, thank you. They’re. There was a lot in there. I mean, I left again,
262
00:27:37,432 –> 00:27:41,264
Cynthia Brumfield: this is a piece where I left a lot of sort of discussion on the
263
00:27:41,272 –> 00:27:49,472
Cynthia Brumfield: cutting room floor, if that’s the right analogy here. And you know, one, you know,
264
00:27:49,576 –> 00:27:56,992
Cynthia Brumfield: there’s so many aspects. There is, there was a provision that, to fund a shortfall
265
00:27:57,056 –> 00:28:06,582
Cynthia Brumfield: that the U.S. federal Communications Commission had in funding to rip out Chinese gear from
266
00:28:06,766 –> 00:28:12,550
Cynthia Brumfield: manufacturers where we’re concerned about supply chain threats from China. And that was Huawei and
267
00:28:12,590 –> 00:28:21,686
Cynthia Brumfield: ZTE. And they needed something on the order of $5 billion
268
00:28:22,438 –> 00:28:30,732
Cynthia Brumfield: to give out to mostly local, mostly rural and small town telephone companies so who
269
00:28:30,836 –> 00:28:35,148
Cynthia Brumfield: really don’t have a lot of funds. And this was money to help enable them
270
00:28:35,204 –> 00:28:40,140
Cynthia Brumfield: to rip out that gear. And so the bills provided funding, full funding, or at
271
00:28:40,180 –> 00:28:45,340
Cynthia Brumfield: least one would, hopeful funding for the FCC to disperse those funds so they could
272
00:28:45,380 –> 00:28:53,884
Cynthia Brumfield: replace the problematic gear with less problematic technology. There, you know, there was a provision
273
00:28:53,932 –> 00:29:01,532
Cynthia Brumfield: in there to protect the Department of Defense mobile devices from the proliferation of foreign
274
00:29:01,596 –> 00:29:06,332
Cynthia Brumfield: commercial spyware, which is a chronic problem. I don’t think a day goes by where
275
00:29:06,356 –> 00:29:14,080
Cynthia Brumfield: I don’t read about spyware infections globally, not just in the US of mobile devices.
276
00:29:16,020 –> 00:29:22,252
Cynthia Brumfield: There are one element in. There was a study for an independent assessment of the
277
00:29:22,276 –> 00:29:26,152
Cynthia Brumfield: need for a cyber force. This is, this comes up time and time again and
278
00:29:26,176 –> 00:29:29,768
Cynthia Brumfield: this was something that was part of the. I think it has legs this time.
279
00:29:29,824 –> 00:29:33,624
Frank Cilluffo: I think it has some legs this time, but. Oh, interesting. So you might be
280
00:29:33,632 –> 00:29:39,192
Cynthia Brumfield: able to tell me something. I don’t know, but it has been kicking around for
281
00:29:39,216 –> 00:29:43,704
Cynthia Brumfield: a while and there is a study in there to take a look at it.
282
00:29:43,792 –> 00:29:49,352
Cynthia Brumfield: And I’d be interested in why you think it has legs. There’s a lot of
283
00:29:49,376 –> 00:29:56,746
Frank Cilluffo: discussion on Capitol Hill and it’s not only. I think there needs to be a
284
00:29:56,818 –> 00:30:04,026
Frank Cilluffo: true explainer differentiating what Cyber Force could be and what US Cyber Command is. I’ve
285
00:30:04,058 –> 00:30:11,034
Frank Cilluffo: been outspoken that I don’t think we need another reorg necessarily if we’re doing certain
286
00:30:11,122 –> 00:30:18,310
Frank Cilluffo: things right. But this is about the services. And the reality is they’re not all
287
00:30:18,930 –> 00:30:25,874
Frank Cilluffo: planning, playing to the, to the level of the capability. They ought to. And it’s
288
00:30:25,922 –> 00:30:30,802
Frank Cilluffo: not just the cyber national mission force, but services in particular. There’s some momentum on
289
00:30:30,826 –> 00:30:36,338
Frank Cilluffo: this. I’m getting asked more and more and more questions and including from skeptics and
290
00:30:36,394 –> 00:30:40,770
Frank Cilluffo: I’m having to become a little bit of, a little more open minded since I
291
00:30:40,810 –> 00:30:46,088
Frank Cilluffo: was a skeptic not too long ago. But I think it does have some legs.
292
00:30:46,234 –> 00:30:51,020
Cynthia Brumfield: Well, that’s interesting. You know, I think our mutual colleague, or I don’t even know,
293
00:30:51,060 –> 00:30:57,420
Cynthia Brumfield: I, none of you are my colleagues. You’re far more experienced. But Mark Montgomery has,
294
00:30:57,460 –> 00:31:01,708
Cynthia Brumfield: has really, he’s. Been beating the drum a long time. He has and he has
295
00:31:01,764 –> 00:31:09,868
Cynthia Brumfield: real, he’s got some very sincere and hard analysis and papers. And, you know, I’m
296
00:31:09,884 –> 00:31:15,312
Cynthia Brumfield: glad to hear that this is, this has actually got legs. There’s so many elements.
297
00:31:15,376 –> 00:31:19,648
Cynthia Brumfield: I mean, the one thing that you mentioned at the beginning of the conversation is
298
00:31:19,704 –> 00:31:26,240
Cynthia Brumfield: that there is a provision in there. The bill contains language. The NDA contains language
299
00:31:26,400 –> 00:31:35,792
Cynthia Brumfield: that essentially raises ransomware attacks which have been very problematic to address. There’s only so
300
00:31:35,816 –> 00:31:42,998
Cynthia Brumfield: many tools that the US can deploy in dealing with ransomware actors that are not
301
00:31:43,054 –> 00:31:47,830
Cynthia Brumfield: in the United States and particularly if they’re shielded by their home nation, which is,
302
00:31:47,870 –> 00:31:54,374
Cynthia Brumfield: for example, the case with Russian ransomware actors. They’re protected in essence by the Russian
303
00:31:54,422 –> 00:32:01,046
Cynthia Brumfield: government. What are you going to do? Years ago, I think one of the first
304
00:32:01,198 –> 00:32:06,320
Cynthia Brumfield: conferences I attended in FBI. Well, maybe not the first, but, but, but years ago
305
00:32:06,360 –> 00:32:11,360
Cynthia Brumfield: I attended a conference where an FBI agent said that ransomware is the perfect crime.
306
00:32:11,440 –> 00:32:16,160
Cynthia Brumfield: And it, it really is, it’s very hard to stop. And it’s, you know, the,
307
00:32:16,200 –> 00:32:20,128
Cynthia Brumfield: the easiest way to get out of it is to pay the ransomware actor money.
308
00:32:20,184 –> 00:32:27,744
Cynthia Brumfield: And so how do you deal with something like ransomware? Well, the intelligence bill that
309
00:32:27,752 –> 00:32:34,032
Cynthia Brumfield: was folded into the NDAA had this very long section that was ultimately incorporated into
310
00:32:34,056 –> 00:32:41,456
Cynthia Brumfield: the NDA as a sense of Congress kind of thing that basically said that ransomware
311
00:32:41,488 –> 00:32:51,104
Cynthia Brumfield: attacks are kind of the, like terrorist attacks. You know, it proclaims ransomware organizations
312
00:32:51,152 –> 00:32:57,722
Cynthia Brumfield: and foreign affiliates associated with them as something called hostile foreign cyber actors instead of
313
00:32:57,746 –> 00:33:07,082
Cynthia Brumfield: hostile foreign terrorist actors. Now the question becomes, you know, in my mind, you know,
314
00:33:07,106 –> 00:33:13,130
Cynthia Brumfield: does this mean anything? It might, you know, at least there’s something in the books
315
00:33:13,210 –> 00:33:20,746
Cynthia Brumfield: on the statute, in the statutes that kind of equates the two and might give.
316
00:33:20,898 –> 00:33:25,046
Cynthia Brumfield: And you probably have a better sense of this. I don’t might give the US
317
00:33:25,118 –> 00:33:32,998
Cynthia Brumfield: Government a little more latitude to go after. Some of these ransomware actors without getting
318
00:33:33,054 –> 00:33:40,326
Frank Cilluffo: in depth. I think it could unleash authorities and tools that could have more than
319
00:33:40,398 –> 00:33:43,702
Frank Cilluffo: a little net effect on some of the outcomes. But at the end of the
320
00:33:43,726 –> 00:33:50,390
Frank Cilluffo: day it does raise the bar. And for years we didn’t name or shame. Now
321
00:33:50,430 –> 00:33:54,942
Frank Cilluffo: it not only names shames, but, but what I felt was most interesting about that,
322
00:33:54,966 –> 00:34:00,570
Frank Cilluffo: and you touched on this, is countries that we lack extradition treaties with or any,
323
00:34:00,950 –> 00:34:08,302
Frank Cilluffo: any law enforcement cooperation beyond just extradition have provided safe haven for a number of
324
00:34:08,326 –> 00:34:15,214
Frank Cilluffo: these ransom. And, and, and there is, I mean even when you deal with terrorist
325
00:34:15,262 –> 00:34:19,262
Frank Cilluffo: organizations, you have state sponsors, but you also have non state sponsors and it can
326
00:34:19,286 –> 00:34:23,162
Frank Cilluffo: bring about different sorts of tools that can be brought to bear so more to
327
00:34:23,186 –> 00:34:28,538
Frank Cilluffo: follow on the net net impact and outcome. But I, I think it’s, it’s something
328
00:34:28,594 –> 00:34:34,394
Frank Cilluffo: I’ve spent some time thinking about, writing about, supporting and testifying on and others. So
329
00:34:34,482 –> 00:34:38,490
Frank Cilluffo: I don’t want to, I don’t want to shed the, the conversation there. My, our
330
00:34:38,530 –> 00:34:42,090
Frank Cilluffo: viewers have heard me on this one. I want to touch on one other point
331
00:34:42,130 –> 00:34:46,568
Frank Cilluffo: though that you brought up and that is, and, and, and it’s sort of the
332
00:34:46,634 –> 00:34:53,916
Frank Cilluffo: role AI will play in cyber operations. And in particular there is an AI security
333
00:34:53,988 –> 00:35:01,580
Frank Cilluffo: center that is being funded out of the national security. Anything there, do you think
334
00:35:01,620 –> 00:35:05,740
Frank Cilluffo: that could have some positive effect? I think that is, I mean, it’s getting hard
335
00:35:05,780 –> 00:35:11,148
Frank Cilluffo: to delineate AI from cyber, just like physical and cyber are all converging. But I’d
336
00:35:11,164 –> 00:35:15,486
Frank Cilluffo: be curious what some of your thoughts are there. Well, I mean, it’s a good
337
00:35:15,558 –> 00:35:24,238
Cynthia Brumfield: development because I was really not aware that there wasn’t anything kind of on the
338
00:35:24,294 –> 00:35:31,758
Cynthia Brumfield: military side of things dealing with AI at this level. But the NDAA directed the
339
00:35:31,814 –> 00:35:39,842
Cynthia Brumfield: NSA to establish an AI security center within the agency’s collaboration center to do a
340
00:35:39,866 –> 00:35:45,474
Cynthia Brumfield: lot of interesting things that need to be done, such as develop guidance for the
341
00:35:45,482 –> 00:35:53,922
Cynthia Brumfield: military and presumably the intelligence community on how to prevent or mitigate counter artificial intelligence
342
00:35:53,986 –> 00:36:03,602
Cynthia Brumfield: techniques and otherwise kind of promote secure
343
00:36:03,666 –> 00:36:11,670
Cynthia Brumfield: artificial intelligence adoption practices for the Managers of National Security Systems. This, you know, we
344
00:36:11,710 –> 00:36:16,950
Cynthia Brumfield: were in a new administration. Now, I don’t know that I have any more recent
345
00:36:17,070 –> 00:36:22,198
Cynthia Brumfield: insight into what has happened with that. I mean, have they begun work? I don’t
346
00:36:22,294 –> 00:36:27,414
Cynthia Brumfield: really have any information yet. I imagine that a lot of things are kind of
347
00:36:27,422 –> 00:36:33,624
Cynthia Brumfield: on hold while the dust settles as the new administration kind of finds its footing
348
00:36:33,672 –> 00:36:38,792
Cynthia Brumfield: and figures out how it’s going to deal with a lot of this stuff. But
349
00:36:38,976 –> 00:36:47,016
Cynthia Brumfield: AI for sure. I mentioned that there’s some topics that come up every day, spyware
350
00:36:47,048 –> 00:36:54,344
Cynthia Brumfield: is one of them. But AI and it’s AI with its potential to. In fact,
351
00:36:54,512 –> 00:36:59,362
Cynthia Brumfield: today a study came out, not a study, but a report came out from a
352
00:36:59,386 –> 00:37:06,082
Cynthia Brumfield: major cybersecurity company called CrowdStrike, which you know and your readers all know, that found
353
00:37:06,186 –> 00:37:15,570
Cynthia Brumfield: that AI generated phishing emails have a higher click through rate, which is
354
00:37:15,610 –> 00:37:24,168
Cynthia Brumfield: 54% compared to human written generated emails. Phishing emails, the ones that are intended to
355
00:37:24,354 –> 00:37:32,988
Cynthia Brumfield: implant malware inside of computers or devices. That to me was astonishing that a human.
356
00:37:33,124 –> 00:37:37,340
Frank Cilluffo: And they’re probably learning based on who’s not clicking how to get entice those that
357
00:37:37,380 –> 00:37:46,012
Frank Cilluffo: are. So yeah, it’s constant forever learning model too. Yeah. Cynthia, unfortunately, the tyranny of
358
00:37:46,036 –> 00:37:49,628
Frank Cilluffo: time requires I be a bit of a tyrant. But before I let you go,
359
00:37:49,684 –> 00:37:54,756
Frank Cilluffo: what questions didn’t I ask that I should have? I mean, you’ve covered a great
360
00:37:54,828 –> 00:38:00,628
Frank Cilluffo: set of issues in all sincerity, you write, you’re a prolific writer and I hope
361
00:38:00,684 –> 00:38:06,292
Frank Cilluffo: our viewers, I know many already follow you, but I hope everyone does from here
362
00:38:06,316 –> 00:38:10,276
Frank Cilluffo: on out. But what didn’t I ask that I should have? Oh, there’s so many
363
00:38:10,348 –> 00:38:20,190
Cynthia Brumfield: questions. I mean, Don, who organizes these talks from the logistical and technical and
364
00:38:20,310 –> 00:38:26,270
Cynthia Brumfield: planning perspective. I kept sending him, I’m like, oh, have him have a mask about
365
00:38:26,310 –> 00:38:31,758
Cynthia Brumfield: this, have a mask about that. And we didn’t get to all of them. But
366
00:38:31,894 –> 00:38:40,510
Cynthia Brumfield: one thing, just broadly speaking, is the Chinese threat. And one of the things that
367
00:38:40,550 –> 00:38:45,692
Cynthia Brumfield: Don mentioned to me in our discussions ahead of this talk talk is you know,
368
00:38:45,716 –> 00:38:50,380
Cynthia Brumfield: the threat of pork cranes, which is actually a subject that I kind of took
369
00:38:50,420 –> 00:38:58,476
Cynthia Brumfield: on and perhaps made much more public first before any other publication. And that is,
370
00:38:58,548 –> 00:39:07,388
Cynthia Brumfield: you know, pork crate, Chinese mostly video technology inside of tight. Vision and the like.
371
00:39:07,444 –> 00:39:13,074
Cynthia Brumfield: Yep, yes, yes, actually. And that’s, that’s a sanctioned entity. But, but they’re all, all
372
00:39:13,162 –> 00:39:20,030
Cynthia Brumfield: connected. All those video conferencing technology companies in China are all kind of the same
373
00:39:20,490 –> 00:39:24,898
Cynthia Brumfield: in the sense that, you know, they’re all protected by the Chinese government. But that,
374
00:39:24,954 –> 00:39:32,514
Cynthia Brumfield: that’s a huge threat. But, but more recently there has been this sort of idea
375
00:39:32,562 –> 00:39:38,620
Cynthia Brumfield: that TP link routers are also a Chinese sort of supply chain threat. And I
376
00:39:38,660 –> 00:39:42,780
Cynthia Brumfield: actually did a real deep dive on that in the fall and it turns out
377
00:39:42,820 –> 00:39:50,092
Cynthia Brumfield: not to be true. But it’s an idea that has not gone away, despite the
378
00:39:50,116 –> 00:39:56,044
Cynthia Brumfield: fact there’s no evidence that TP link routers made in China are any more of
379
00:39:56,052 –> 00:40:00,268
Cynthia Brumfield: a threat than any other router, including Cisco and Netgear, which are made by US
380
00:40:00,324 –> 00:40:08,564
Cynthia Brumfield: companies, but probably manufactured and the same regions as, as, as crowders. So what’s important
381
00:40:08,732 –> 00:40:15,988
Cynthia Brumfield: when we’re talking about Chinese supply chain threats and espionage threats to, to sort of
382
00:40:16,044 –> 00:40:21,012
Cynthia Brumfield: separate the wheat from the chaff? There are some serious concerns. Obviously. We went through
383
00:40:21,036 –> 00:40:28,320
Cynthia Brumfield: the, all the typhoons last year, Silk Typhoon and Salt Typhoon, Chinese threat groups which
384
00:40:28,630 –> 00:40:36,862
Cynthia Brumfield: provide varying degrees of threats to US infrastructure. Those are real, some are not. But
385
00:40:36,966 –> 00:40:40,478
Cynthia Brumfield: we have to have a much more sophisticated grasp on what are the true threats
386
00:40:40,494 –> 00:40:45,614
Cynthia Brumfield: and what are not really true. We will have you on again talking port security
387
00:40:45,702 –> 00:40:53,246
Frank Cilluffo: and supply chain. That is a evergreen topic for us. And as you can imagine,
388
00:40:53,278 –> 00:40:59,030
Frank Cilluffo: the Communist Party of China and their intentions is also an evergreen set of issues.
389
00:40:59,070 –> 00:41:04,262
Frank Cilluffo: And I just might note, Flax Typhoon was the Iot and that got into a
390
00:41:04,286 –> 00:41:09,910
Frank Cilluffo: whole host of different issues. I think there’s something brewing in the medical side right
391
00:41:09,950 –> 00:41:16,902
Frank Cilluffo: now that’s got in healthcare side in particular, causing some significance. Cynthia, thank you for
392
00:41:16,926 –> 00:41:22,038
Frank Cilluffo: taking so much time with us today. We will have you on again. I really
393
00:41:22,094 –> 00:41:28,344
Frank Cilluffo: appreciate all the good work you do and thank you so much. Thank you. Frank,
394
00:41:28,392 –> 00:41:33,432
Cynthia Brumfield: thank you for inviting me. I enjoyed it. This was awesome. Thank you. Thank you
395
00:41:33,456 –> 00:41:37,400
Frank Cilluffo: for joining us for this episode of Cyberfocus. If you liked what you heard, please
396
00:41:37,440 –> 00:41:42,840
Frank Cilluffo: consider subscribing your ratings and reviews help us reach more listeners. Drop us a line
397
00:41:42,880 –> 00:41:46,872
Frank Cilluffo: if you have any ideas in terms of topics, themes or individuals you’d like for
398
00:41:46,896 –> 00:41:52,650
Frank Cilluffo: us to host. Until next time. Time stay safe, stay informed and stay curious.