Collaboration in Cyberspace with Madison Horn

October 16, 2025

In this episode of Exploited: The Cyber Truth, host Paul Ducklin welcomes Madison Horn, National Security & Critical Infrastructure Advisor at World Wide Technology, alongside Joseph M. Saunders, Founder & CEO of RunSafe Security. Together, they explore the power of collaboration in cyberspace—and why unity between government and industry is key to defending our most critical systems.

Madison draws from her extensive background in national security and infrastructure resilience to discuss how public-private partnerships can evolve beyond check-the-box compliance. Joe adds perspective on the economic and operational alignment needed to ensure a well-functioning, secure society.

Tune in to hear:

  • What defines effective public-private collaboration in cybersecurity
  • How AI and emerging technologies reshape critical infrastructure defense
  • Why resilience depends on communication between operators and suppliers
  • The case for security-by-design as a shared responsibility
  • The role of deterrence, cyber forces, and software resilience in national security

Whether you’re in the public sector, tech manufacturing, or cyber policy, this episode offers a candid look at how cooperation—and not competition—will define the next era of cybersecurity.


Speakers: 

Paul Ducklin: Paul Ducklin is a computer scientist who has been in cybersecurity since the early days of computer viruses, always at the pointy end, variously working as a specialist programmer, malware reverse-engineer, threat researcher, public speaker, and community educator.

His special skill is explaining even the most complex technical matters in plain English, blasting through the smoke-and-mirror hype that often surrounds cybersecurity topics, and helping all of us to raise the bar collectively against cyberattackers.


Joseph M. Saunders:
Joe Saunders is the founder and CEO of RunSafe Security, a pioneer in cyberhardening technology for embedded systems and industrial control systems, currently leading a team of former U.S. government cybersecurity specialists with deep knowledge of how attackers operate. With 25 years of experience in national security and cybersecurity, Joe aims to transform the field by challenging outdated assumptions and disrupting hacker economics. He has built and scaled technology for both private and public sector security needs. Joe has advised and supported multiple security companies, including Kaprica Security, Sovereign Intelligence, Distil Networks, and Analyze Corp. He founded Children’s Voice International, a non-profit aiding displaced, abandoned, and trafficked children.


Special Guest:  Madison Horn, National Security & Critical Infrastructure Advisor at World Wide Technology

Madison Horn is a seasoned cybersecurity executive and two-time federal candidate, most recently running for U.S. Congress in the 2024 cycle. She brings over 15 years of experience leading cyber strategy and incident response across critical infrastructure, national security, and regulated industries. Madison has held senior roles at Siemens Energy, PwC, and Accenture Security, where she built and led global portfolios, advised C-suites on digital risk, and guided organizations through major transformation and resilience initiatives. She also founded RoseRock Advisory to support startups and investors at the intersection of cybersecurity, geopolitics, and innovation.

Madison now serves as National Security Strategy & Policy Advisor for WWT, where she is focused on advancing strategic cybersecurity initiatives, strengthening public-private partnerships, and supporting national resilience across defense and critical infrastructure sectors.


Episode Transcript

Exploited: The Cyber Truth, a podcast by RunSafe Security.

[Paul] (00:04)

Welcome back, everybody, to another episode of Exploited: The Cyber Truth. I am Paul Ducklin and I’m joined as usual by Joe Saunders, CEO and Founder of RunSafe Security. Hello, Joe. You’re looking forward to this one, aren’t you?

[Joe] (00:21)

Greetings, Paul.

Very much so. We have a great guest today.

[Paul] (00:28)

Yes, we have a super special guest today, that is Madison Horn, who is National Security and Critical Infrastructure Advisor at World Wide Technology. Greetings, Madison.

[Madison] (00:43)

Greetings, Paul and Joe. I’m going to go back and listen to more of the podcast to see if you guys call everyone a special guest.

[Paul] (00:49)

Remember the thing about words like “best”: you can have equal best, two people can win a gold medal. It’s only when you say “better” that, by being relative, it becomes absolute. Please don’t panic about that. Today’s topic is collaboration in cyberspace. Madison, I hope you don’t mind if I start off by asking you to tell us about your background, and in particular how you came to see cybersecurity as the thing you think it is today. Basically, something that is not just a product that you need to buy; it’s almost something that we need as part of a well-functioning society.

[Madison] (01:31)

Yeah, sure. I love the way that you shaped that intro. I think everyone is like, tell us about your background. But I appreciate the “why the hell are you passionate about the space?” Because for me, it certainly is personal. I think it’s personal for a lot of people that work in cyber. We don’t dedicate our time and make the sacrifices at home purely to make money. And so I would love to hear more people within the space on, like, why are you actually passionate about cyber? So thanks for the question. Long story short, I’ve been in cyber for the past 17 years and have had several, like, bends and turns in my career. Started out doing basic project management slash assessments in the critical infrastructure space. Absolutely fell in love with the world of critical infrastructure. Obviously why I’ve stayed in it. Helped lead a red team, build out an incident response team, was in the startup space, went through Accenture, PwC.

I found a lovely home at Siemens Energy and then did this wild thing. And I joke, saying that I took a sabbatical, but I ran for the U.S. Senate and I ran for Congress, really to help elevate the need for a national conversation around the importance of cyber, but one that is rooted in the industry and also has a technical background, just because of the intersection of technology, policy, but also social impact. And I don’t mean social impact as it relates to what people typically go to or where their brains go to. But I mean that if the electric grid goes down, then the hospitals that potentially could be impacted, the people’s lives that are going to be impacted by it, it’s personal to me.

And the personal element, to put a bow on it so we don’t get stuck here, is that I come from a place that is very, very impoverished, where the system is so fragile that you create any type of little hiccup and you’re talking about potential loss of life or real human hurt. And so for me, cyber is really about that defensive posture and remembering that we work in cyber to protect people. So that’s why I’m passionate about cyber. I don’t see it as a product. I see it as something that is in the nation’s best interest from a security perspective, economic, human life, societal, all those things.

[Paul] (04:00)

Yes, I agree, because when you think about political arguments and elections in almost any Western democracy in the world, the things that come up are, well, I want better roads, or I want cheaper electricity, or I want better health care, and all of that stuff. But behind all of those separate issues is the fact that in the modern era, thanks to the way our critical infrastructure works, if we don’t get cybersecurity right, it doesn’t matter how clever you want to be about any of those issues, they could all be threatened in a similar way, couldn’t they?

[Madison] (04:34)

What we are seeing, and have been seeing since 2014, is real-life examples, you know, for the first time within the critical infrastructure space. Sure, we can talk about Stuxnet perhaps, but what we have seen is almost a test bed in Ukraine around how important it is to defend our critical infrastructure. It is now a basic maneuver in warfare and a play against our enemies, whether it’s around pre-positioning or something during active conflict. We don’t have to ask the question, is this important? No, we’re seeing it in real time.

[Paul] (05:13)

So do you want to just say maybe a little bit more about how technology, policy and geopolitics have kind of woven themselves into each other, and the changes that that has made to the attitudes we really need when it comes to cybersecurity?

[Madison] (05:31)

Sure, I mean, this could... my heavysides, because, my god.

[Paul] (05:36)

When I’m laughing there, I’m laughing out of anxiety rather than because it really is humorous.

[Madison] (05:42)

My role right now at WWT is three things. And I sit within this triangle, which allows me to give this perspective. So at the top of that triangle really is being an advisor to our critical infrastructure sector on all things: regulation, emerging threat, emerging technology, how it’s being implemented, what are the new risks being introduced, et cetera, et cetera. The other side of that is helping liaison a little bit, in a different capacity, with the think tank community, our nonprofits that are helping push healthy policy as it relates to critical infrastructure and that intersection that you’re asking about. The other part of that triangle is the cyber product landscape. And I get to advise our cyber product friends and fellows on, what do we need for the critical infrastructure sector? Are we going to take advantage of the fact that the public sector is reaching, reaching for the private sector and saying, what do we do? Now we have to accept there is bureaucracy in place, but it is an opportunity for us to really play that liaison to the public sector and say, hey, this is what we need and this is our perspective. But from a technology landscape, we’re almost reaching this same paradox. And let me say the word AI.

It’s almost as if we’re creating the internet again. And we didn’t try to regulate the internet in the beginning of time. And I think that we need to treat it very, very similarly. And we can kind of see the current administration is really leaning in and saying, hey, we’re not going to try to over-regulate this space. What we’re going to ask the private sector is, how do you want us to regulate it? And if I was a business owner, I’d be like, I don’t want any rules. I want to make up my own rules.

Let me be very clear. There just needs to be some type of guardrails in place, or otherwise that’s a crazy train heading towards a dumpster fire driven by a feral animal. I think that is a very, very different approach than what we have seen in the past, where we have more so been told that this is what we are going to do from a regulatory perspective, versus the heavy leaning into industry. It’s just, is the industry going to lean in?

[Paul] (07:59)

The leaning in that you talk about, I guess that’s a sort of metaphorical way of talking about private companies that don’t actually need to cooperate, or have no regulatory reason to cooperate, deciding to do so because actually that will make them better competitors and in general probably have a better result for society. Would you agree with that?

[Madison] (08:23)

I wouldn’t say yes, but I want to flip that just a little bit. Again, I work within the critical infrastructure space. Yes. There is no way to say that anyone operating within the critical infrastructure space doesn’t have skin in the game to participate. Good. I think what we have to flip is, what is their responsibility? You want to invest the time, but what are we going to get out of it? And let me create an example.

When CISA was first established, there was a lot of excitement around the potential of what CISA could become. And so regardless of whether there has been a perception that perhaps CISA hasn’t been the most effective governing body, let’s lean in and let’s say why and how we would like to see CISA mature. And so when I say lean in, lean into the spaces that the industry hasn’t been happy with. And if we don’t lean in, then we’re going to continue getting the same thing.

[Paul] (09:28)

Joe, if I can just ask you at this point, this sounds very much like we really need to concentrate on getting the IT industry in general, and embedded security in particular, into what you might call the post-checkbox-compliance era, where people are not simply doing the minimum that is required; they have to come at it from a different angle and want to comply because of the way they run their businesses.

[Joe] (09:58)

Yeah, and I think compliance is part of it, but I also think it’s the alignment of the economic interest. Yes. Critical infrastructure in general. Part of the goal is to ensure that the economy thrives and we do have a well-functioning society, and water is delivered and energy is delivered and data centers operate. And with all of those things, there’s an economic interest and a consequence of a cyber attack. And so if you look at it from the consequences perspective, and look at it from what can we all do to ensure that critical infrastructure continues to operate as expected, then you start to look at what the economic consequences are and what the economic interests are. I think there is an alignment of interest in the spirit that Madison’s been describing.

Certainly coming back to where she grew up in Oklahoma, when things don’t operate, but also just more generally with business depending on energy. And if you think about AI, and Madison brought up artificial intelligence, I like to say there’s no AI dominance without critical infrastructure resilience. And that includes the energy infrastructure and the data center infrastructure that powers AI. I come back to your question then, Paul, and say the alignment of economic interests means that good practices in your software development, good practices in the product development that you deliver, and good practices to share information with your ecosystem, with your customers, and yes, with the government, so everyone can benefit, ends up being good business for everybody and ensures that we do have reliable infrastructure in the end.

[Paul] (11:31)

And it’s not particularly difficult, is it? It doesn’t have to cost a lot to start doing this. And when you start doing it, you’ll probably find that a lot of things that used to be expensive for you, like producing patches every few months even for devices that are hard to patch, suddenly get mitigated and everybody benefits, including your own business. It’s almost like self-serving altruism, if you like.

Madison, maybe you could give us some examples of what you might consider best-in-class collaboration between government and the private sector from the past. Or examples where that sort of partnership has not worked out well and what the critical difference is between them.

[Madison] (12:17)

So I’m going to lean into the financial sector. Maturity or investment chases money. And this sector is by far, I would say, the most resilient. They are not necessarily quick for adoption of new technology, but they’re not scared of it. And so they lean in in a really interesting way that has a level of sophistication. But I think that it is because of the fact that, historically, it was the first, air quotes, critical infrastructure sector that demanded interaction between the private and public sector. I would say an example that doesn’t work, or didn’t work traditionally, I think is the one that we’ve already talked about a little bit. And I don’t mean to beat a dead horse, and I don’t want to call anyone out; doing something for the very first time is hard.

And the example that I’m talking about is the relationship with CISA and I would say the energy sector. The energy sector, it has so many problems with the legacy equipment that we already understand, but no one wants to say, hey, Congress, we need $1 billion. And I’m making this number up. No one wants to go to Congress and say, we need $1 billion to actually protect just the utility grid.

Who is going to go do that?

[Paul] (13:44)

That number sounds quite cheap to me. Totally! I bet you it would be a lot more, if you just decided, let’s throw money at it, instead of bringing about a long-lasting change in the way it conducts itself, if you like.

[Madison] (13:58)

I don’t want to blame it on the way that they’ve conducted themselves, because there are incredible people who work within the critical infrastructure sector, again, within the energy sector specifically. It is that they’re operating with a very, very, very thin budget that is based on rates that are capped. And so how can you continuously increase a budget when you can’t have rate increases? Your hands are tied. So sure, in the way that we operate, in allocating funds. But I think we’re just getting to a point, we being the collective public sector: okay, now we understand the problem. It’s all this outdated legacy equipment that was never intended to be on the internet. And holy crap, how do we rebuild the entire energy grid around the United States and ensure that China can’t be sitting in it on a database basis? I mean, that’s what we would have to do. Yes.

[Joe] (14:54)

Part of the issue is that the legacy code is a massive problem, as you describe. The practices that went into the development of the legacy code, and then the constrained resources to defend that legacy code, is a very, very difficult problem to solve, particularly in interoperability software to connect grids to other sources. Those happen to be areas I think that could get attacked. Nonetheless, I do think your point is valid that these systems were not built to be defended. They were built to ensure energy got from one point to the other, and exactly that.

[Paul] (15:28)

From the energy sector point of view, I feel sorry for the experts there. If you drive past, say, an electrical substation where high-tension lines come in from power stations and then get redistributed, sometimes it looks like a terrifying dystopian industrial landscape. But if you look at the shapes of things like conductors and insulators and how that power is managed, that is art, science and engineering at an extreme level.

I guess if you’re working in the energy sector you’re going, we are handling 1 million volt DC power lines. That’s what we’re good at. They don’t see cybersecurity as something that ever used to be important to them, because they’re already in this fascinatingly complex industry anyway, just like rocket scientists. So I guess that’s a barrier that we have to break down, isn’t it? Suddenly, because these things, as you say, Madison, are on the internet, they require a whole lot of extra art and science and engineering that was never traditionally part of that discipline.

[Joe] (16:32)

And especially with constrained economic resources.

[Paul] (16:35)

Absolutely.

[Madison] (16:36)

Our security teams have always been saying, hey, a major breach is possible, but it would be an act of war. Let’s be very, very clear. That’s where we are. And that’s why the energy sector hasn’t seen a major outage, in my opinion. It’s a little bit of this argument of likelihood, and a hoping that it doesn’t happen and that we don’t get to that point. We’ve known it’s important. How do we do it in a manner based on priority and with the budget which we have right now, and evangelize what cybersecurity is, and ensure that they understand that it’s not an insurance policy?

[Paul] (17:18)

Well said. So where does AI, the elephant in the room if you like, fit into all of that? These are huge changes and they’re being adopted by almost everybody, sometimes apparently without much thought at all. It’s just, hey, this is new, we should try it.

[Madison] (17:37)

Part of my media training: we never get in an argument. Again, keeping it to the world of critical infrastructure. And this is where we have to make the delineation between IT and OT. Part of your statement was there’s this adoption of AI and it’s just the wild, wild west. That is just absolutely not the case in the world of critical infrastructure. Because if you did that, then, I mean, the risk is a widespread blackout in DC. They have to be methodical. Adoption is naturally going to happen quicker in the IT space, your traditional enterprise, HR processes, email systems, et cetera, et cetera. But in the OT world, when we’re talking about operational technology, then AI is still very much, I would say, in that R&D phase, that use case and development phase. It’s a lot around monitoring, understanding normal in the environment, helping with maintenance windows and doing some predictions on that front. In the OT space, you can’t deploy something and get it wrong. You just can’t. If Instagram goes down for 30 minutes, I mean, there will be people who panic. It’s a whole different type of panic if the power goes down in DC for 30 minutes at 1 a.m.

[Paul] (19:06)

Yes, there’s a very big difference between a Windows update taking a little bit longer than you expected and making you five minutes late for a Zoom call, compared to the flaps deploying on your plane as you’re landing coming five seconds too late. It is a very different world, isn’t it?

[Madison] (19:24)

I don’t mean to go immediately to doom and gloom, but I create these extreme scenarios so that we can understand the potential.

[Paul] (19:34)

Madison and Joe, if you had to challenge one old assumption about cyberspace and collaboration, where would you start? What would the first change you wanted to make be?

[Madison] (19:48)

I don’t know if it would be a change, more so, like, continuing the path.

[Paul] (19:54)

That’s a better situation to be in, isn’t it, than having to stop people doing one thing and start doing something different?

[Madison] (20:00)

I am a glass half full type of gal, right? Good. Great. Don’t care if my house is on fire, I am gonna see something good about it.

[Paul] (20:09)

No more cockroaches.

[Madison] (20:11)

Sure.

So yeah, that’s hysterical, actually threw me off for a second. The World Economic Forum comes out with a survey every single year of what CISOs, what executives, what industry leaders believe is one of the major problems. One of the major problems still in our space is that we cannot articulate the risk times the likelihood and the impact, which is the investment discussion. That’s still one of our major problems, but society is starting to understand cyber. It means that we’re making progress.

[Joe] (20:46)

From my perspective, I think communication between operators of infrastructure and suppliers of technology is a strong opportunity for improvement, just as Madison talked about the risks and the consequences and the economic costs of cyberattacks. One of the big challenges I think we have in critical infrastructure is that the organization that bears the risk ends up being on the operator side, whereas the technology and the cyber defense could often come from the supplier side. And so there’s a disconnect on an economic agency level. There’s a couple of factors at play. Part of it is that product manufacturers try to upsell organizations in order to derive benefit from cyber enhancements in their products. And that’s not necessarily in the interest of the operator. And the organizations that purchase the technology are usually making a long-term capital investment, and they want that technology to last 10, 15, 20, 30 years.

So that’s one big area. I think another big area is that there’s been a lot of talk about memory safety and memory-safe languages, and the issue there, of course, is in infrastructure. Just as we talked about, maybe web-enabled applications and the software infrastructure in enterprise IT can be swapped out more easily. Rewriting software and deploying that across critical infrastructure is a non-starter also. And so for me, I see ultimately there is a national security aspect, there’s an economic question here, and then there’s a technological question here. And in my view, that collaboration between the operator and the supplier is a key one to help really understand what the shared security concerns could be, and are there more economical ways to produce an outcome that prevents exploitation or some really grave consequence.

[Paul] (22:38)

So this is a sort of Secure by Demand, Secure by Design, co-operation or combination, isn’t it? And that’s not Secure by Demand where you bash your hand on the table. It’s basically saying, as the consumer of a product, you will try and draw the market in a way where it takes you where you want to go. Because, Joe, you did a survey recently about automotive consumers, didn’t you? Where a very large percentage of people said they expect cybersecurity to improve, but a very small percentage said, and we’re prepared to pay extra for it. It was quite clear that they said, it’s your job to build it in the first place, which is quite a warming thing to hear, isn’t it? It sends quite a clear message to the industry itself.

[Joe] (23:23)

It does. And then I point out that in the healthcare ecosystem, health providers are starting to really discriminate when they buy new medical devices. Yes. Those that have security protections built in versus those that do not.

[Madison] (23:37)

I love that you brought up security by design. I’m obsessed. I think it is, again, a huge, huge sign of maturity within not just the product space, but in the cybersecurity field in general, and really ensuring that we understand as an industry that cyber resilience, dare I say the term, is a shared responsibility. It is not just a customer’s responsibility, but it is also the vendors’, the individuals who implement the technology, and also our end users’.

[Paul] (24:12)

I agree with that very strongly. It really is something for all of us, isn’t it? It’s not just, well, some industry expert must do it or some government body should mandate it. We all have to care and we all have to make it happen.

[Madison] (24:27)

The problem and the threat are too large for us to go alone.

[Paul] (24:30)

Absolutely.

[Joe] (24:31)

With China having already pre-positioned, I’ll call them cyber bombs, in US critical infrastructure, there is a risk here from a national security perspective also to add to the equation. There is a government interest. I do see critical infrastructure as an extension of national security, and finding that mission to ensure we maintain a well-functioning society and critical infrastructure operates is then an extra dimension here that has to be factored in. There have to be ways that the government can enable, or help industry enable themselves, to adopt Secure by Demand and Secure by Design principles.

[Paul] (25:10)

So, Madison and Joe, to finish up, because I’m conscious of time, what bold steps, if that’s not too bold a term in its own right, would you like to see government and industry leaders agreeing on to improve safety and security in critical infrastructure over the next 10 years or more?

[Madison] (25:28)

I do think within our space, ego and ownership and the bureaucracies get in the way. And so going back to the initial beginning of this conversation, when you asked me around what do you think that we could do more of in the public-private partnership: continue to lean in, and to do it from a place that is based on that initial mission and why you’re dedicated to the cyber landscape. We all get so exhausted from the conference calls, from feeling like we’re constantly saying the same things over and over again. But I think what we need to continue to do is own our space, advocate for our space, and always have a perspective that is void of ego. And I think that we can achieve whatever we damn well please.

[Joe] (26:22)

In my view, and I’ve talked about this in the context of Taiwan in the past, and I think it’s true in the US today, there is a form of deterrence that takes the shape of a couple of different layers. One is to punch back. And if there’s information sharing that critical infrastructure can use, and the US government can punch back, that’s a form of deterrence. I also think that there may be some form of incident response that can be enabled across the US to help.

Some form of cyber force in the US to train people and get people up to speed further. And then a third one I have, which shouldn’t surprise anybody, but I do think there’s a form of resilience in software, a level that needs to be adopted. And when we talk about the legacy code, I envision a way to prevent exploitation of legacy code in general. In my mind then, if you think about those three areas: punching back, having a form of incident response, and then having software that protects software that’s already deployed so you don’t have to rewrite it. Those are three forms of resilience that I think matter and make a difference, and ultimately will maintain a well-functioning society.

[Madison] (27:28)

I feel like, while you’re talking, you just created three other podcasts.

[Joe] (27:33)

[laughs]

[Paul] (27:34)

You’re not wrong.

[Madison] (27:36)

One, a conversation around deterrence, and obviously the fact that it is now being discussed as a new tool within the diplomatic toolkit, which I have some questions around, and we could talk about the US government’s role in deterrence and what that looks like with our energy sector. And then cyber force, obviously with the launch of the new commission on cyber force.

That could be a whole other conversation. I think we should spend the first five minutes on the hope that the uniforms are not just black hoodies, awesome additions. And I look forward to conversations ahead as we see both of those areas, I would say over the next two to three years, really teased out and real action put behind both those areas, Joe.

[Paul] (28:23)

Madison, I think that’s a really upbeat and positive note on which to finish. So I’d like to say at this point that that is a wrap for this episode of Exploited: The Cyber Truth. I think you have shown, if I may quote a truism, that things work better together when we work better together, and very definitely that is the case in cybersecurity. So thanks to everybody who tuned in and listened.

If you find this podcast insightful, please don’t forget to subscribe so you know when each new episode drops. Please like and share us on social media as well. Don’t forget to recommend us to all of your team so they too can benefit from Madison and Joe’s insights, wisdom and passion for cybersecurity. And remember everybody, stay ahead of the threat. See you next time.
