
Host: Good morning, campers, and welcome to day two of Security BSides Las Vegas 2021, Camp Stay at Home. First, a couple of announcements. Cabin 1337 is the winner of the macaroni pineapple tower contest. Way to go, you little hackers; you'll get to carry the spirit flag for the rest of the day. And second, this afternoon's canoe races: I know you're all looking forward, but they're cancelled due to an unfortunate goose incident. I know, I know, but [ __ ] up, campers, it's tuna hot dish day in the mess hall, so I hope you managed to work up an appetite. In today's activities we have got another full day of great conversations and presentations lined up, leading off with a genial tête-à-tête between our very own Jack Daniel and the man who was fired by a tweet, Chris Krebs, founding director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, CISA, and now founding partner at the Krebs Stamos Group, a cybersecurity consultancy based out of Alexandria, Virginia, focused on helping organizations understand the threats they face and the role they play in the security of our wider society. So let's all bring our best Camp Stay-at-Home spirit as we find out what's top of mind, and how many different topics Jack can fit into a single question. Have a great BSides day, campers.

Jack Daniel: Hey there, welcome to Camp Stay at Home, also known as BSides Las Vegas Remote. Wish we were
together, but it's not safe for us to be together, especially in Las Vegas right now, so we're going to do this the responsible way. This morning we have a very special guest; I'm going to have a little fireside chat with Chris Krebs. You know Chris, but if not: founding partner at the Krebs Stamos Group, co-chair of the Aspen Digital Commission on Information Disorder, a former director at CISA, and fired by a tweet. A couple of those bullet points give us a launch pad for this morning's conversation, which is a commission on information disorder and fired by tweet. Social media is amazing. BSides was founded on Twitter; it was built and expanded on Twitter. It was over a decade ago, in 2009, when a bunch of us in the communities had a conversation about who was and wasn't speaking in 2009 at Black Hat and DEF CON, and we decided to do a little one-off thing, and that one-off thing is closing in on 700 events globally. But as I'm sure all of you have noticed, and certainly you have noticed, Chris, all of the stuff on social media isn't all good, is it?

Chris Krebs: It is. I tell you what, the way I like framing this conversation, or this topic, is that Twitter, for instance, can be an incredible source of good, particularly in this community, with open source intelligence, threat sharing. When I think back to WannaCry, at least from the US government perspective, the real first indicators that WannaCry was happening we picked up through Twitter. In fact, a former senior official flagged it for me; I kicked it over to what was then known as the NCCIC, the National Cybersecurity and Communications Integration Center at DHS, now at CISA, and they ran it to ground. The same thing happened effectively a month or so later with NotPetya: we saw the indicators spilling out of Russia, getting into Ukraine, being posted on Twitter. And so it's just an incredibly powerful platform for global detection of interesting activity. At the same time, a set of actors, particularly if we think back to 2016 and the election, the interference by the Russians, it was harnessed as a source for misleading and sowing confusion, sharing propaganda, undermining confidence in elections, things like that. And so when you step back and you think about disinformation and propaganda, in trying to influence people's minds and subsequent behaviors, it's been around as a technique, as an MO, for ages. The joke I make is that disinfo is the world's third oldest profession. We all know what the first oldest
profession is, and then the second being intelligence collection, third being disinfo. So it's a problem that we've had to deal with for a very, very long time. What's different now is that social media, the increase in velocity of information, is something we've never quite seen before, and so that has led to this emergence of really good behaviors but also some that are more detrimental. Citizen journalists can be a great thing, but at the same time, when you create these alternate realities that people do their deep dives into (I'm specifically talking about QAnon here), it can lead to outcomes that really skew the perception of reality. And then what you see is some of these participants going full bore into that separate reality. So what you end up with is the world where the majority of us live, and then the world where others live, and it's really hard to rectify those two and reintegrate. And so in part what we're trying to do through the Aspen Commission on Information Disorder is try to look at some of the structural issues that have laid the foundations and groundwork for where we are right now: thinking about the collapse of local and regional journalism, the emergence of social media platforms, and the lack of transparency in these platforms. I mean, think about it: you don't have visibility into the algorithms that some of the platforms use and why you're getting served up certain information. We think that's something that's worth examining, and perhaps certain requirements, whether legislative or self-regulation, to get that change, get more transparency. But then also, what is the role of government? I'm a firm believer in the First Amendment, and my right, your right, everyone's right to get out there and say what they believe in, say what they think, but also the right to hear these things as well. But there does come a line where there are societal harms, and people that do share these things should and can be held accountable. When I think about that fired-by-tweet line that you mentioned, I was fired for effectively disputing claims that the 2020 election was rigged, was stolen, that a dead dictator from Venezuela had managed to get into a machine and change votes. And so I think that there needs to be additional potential legal mechanisms that harmed and aggrieved parties can use to intervene. So again, stepping back, we're looking at these structural, systemic changes across reducing harms, increasing transparency in platforms and elsewhere, and then restoring trust, or at least building trust. I think that trust piece is frankly going to be one of the hardest aspects of the commission, to get really meaningful, actionable recommendations. I think transparency, reducing harms, we can work out; trust is really, I think, gonna be the thornier thing, and I think that's echoed by a number of the disinformation researchers as well.

Jack Daniel: Yeah, that's a challenge. I don't know if this is a question or a comment, but, your thoughts on this: one of the things that has been made clear to me is that some of the
disinformation is politically motivated, but some of it is basically ad fraud. If we can get you to click on a story, you're gonna land on a page, the page is gonna have ad views, and A. T. Prophet, I believe, in an interview I did with him a couple years ago now, said it's subverting democracy for pennies on the dollar, or something; I forget his exact quote. But we're not just up against cyber warfare, or whatever you want to call this, or information warfare; there are some people who are just, hey, if we get a few thousand clicks, then, wherever they are, probably in Eastern Europe, it makes a difference in their life. And the fact that this is a multi-faceted problem makes it even more intractable, I think. But yeah, what do you think?

Chris Krebs: I know, I think you're spot on, and the way I think about it, at least, is there's at least five different sets of actors out there. There are the groups that we always think about just natively on disinformation: that's foreign intelligence services. There are also political activists, going back to propaganda and just election related, I'm trying to get you to vote for my candidate. The third is the conspiracy theorists, and that goes to the QAnon piece. The fourth, at least when you're talking about the vaccine space, there's an anti-vax community that's separate from the conspiracy theorists. But fifth and finally, to your point, is just the profiteers, those that are looking to make a buck off a click. And the challenge, though, is that a lot of the times those five different sets overlap, and the Venn diagram can be pretty hairy when you think about it. And what we're seeing, I think, is an emergence of law enforcement interest and investigations into that profiteering piece. There was a report in the Washington Post a couple weeks ago, in the Technology 202, where a former FTC, Federal Trade Commission, commissioner had written a letter in to the current commission saying, hey, the pandemic profiteers, you need to go look at these people; they're actively spreading misinformation about COVID vaccines and they're selling their own wares and their supposed therapeutics instead, and we need to take a hard look at that. And so my hope, again going to that reducing harms piece that I mentioned earlier, is that there are additional law enforcement mechanisms where we can curb some of this harmful behavior in the disinformation space and really start isolating out what are the harder problems to solve. And if it just comes down to the hardest problem in disinformation being political speech, then that's fine; if we can just isolate and illuminate that, and in the meantime we've been able to address the profiteers, some of the nation state actors, and some of the others along the way, then I'm all about reducing attack surface, I think, just like everybody else.

Jack Daniel: Yeah, cool. So let's change the direction of the conversation a little bit, but something that this has brought up in my head: one of the things we talked about maybe discussing was, how do we get ahead of this, how
do we get people more aware of the mechanisms for abuse and how to spot disinformation, which goes back to where our educational systems can come in: formally and informally, starting in elementary school through high school and college, what can they do to better prepare, buzzwords or whatever, future digital citizens? Make them aware of basic things like protecting their privacy, basic security, beyond basic security, threat modeling, things like that, but also an understanding of this internet that we're going to, or have already, dumped them into, with the lies and the threats. Where do you see opportunities in education, and what limits do you see on that?

Chris Krebs: How much time we got? I mean...

Jack Daniel: Okay, you don't have to answer all of that. I just wanted to make sure that I gave you enough things where you figured you could answer a thing.

Chris Krebs: I mean, Jack, you're just killing me with these questions, because they're some of the most timely and thorniest questions. First off, BSides, just as an enterprise on the cybersecurity side, is to me one of those really shining examples of democratizing partnerships, democratizing education, democratizing access into the community. You don't have to shell out thousands and thousands of dollars to a conference to go network and meet people and things like that. BSides has always been, globally, an example of one of the best ways to immerse yourself into the ecosystem, and when I was at CISA I would encourage our field force (it's well known that CISA has representatives across the country) to attend as many different BSides events: present, set up a booth, engage, talk to people, hand out cards, recruit, expose folks to some of the training. That's one way. But more broadly, as you point out, we have a challenge right now in the way that we, I think, educate. I've got five kids that are in grade school, and so I think about this a whole lot, because I see what they're learning in school, and it's simply not enough. Certainly in the public school system in Virginia, where I live, there's not enough digital literacy being provided to the kids. And the numbers don't lie that when you provide opportunities earlier on, that opens up pathways, including that just having an AP Computer Science class available tends to put people of color and women into specializations in college and on the technology side, which is
I'm in the middle of building a company and trying to hire a very diverse organization that I think should be representative of the community and where we all need to go, and it's really hard, and we all have to do better. So we have to make more opportunity available in the grade school, and if that's a community issue rather than a school issue, then we need to tackle that as well. But it also goes to the earlier conversation on disinformation: the kind of magic and alchemy of technology, and some of the systems that we use to support our daily lives, the fact that there's no transparency and they seem to be black boxes, allows for a lot of mischief on the edge as well. So we not only have to educate so that we have people with more opportunities, we have to educate so that we can reduce some of the harms that are happening. Elections alone: most people unfortunately think that the election process is that you show up the morning of the election, you vote, and then you turn on the TV that night to your preferred network and you find out who won. But it's a system of systems; there are processes that happen before, during, and after election day, and we have to continue educating, or else people are going to take advantage of that mysteriousness for their own malicious intent. So how do we get there? I think, for one, again, it's through the K-12 system; we have to have more digital literacy. We have to have more awareness campaigns from the government, from our community leaders. One area that I've really been paying attention to as well is communities of faith. You have faith leaders that engage on a weekly basis and are seen as trusted advisors, and to the extent that we can bring them into the conversation in a beneficial way, I think that can also help. But look, there's no single solution here, and that's really the challenge, the whole-of-society issue. And again, I'll close out on the disinformation piece. One of the things that we did at CISA, this was in the summer of 2019, I think it was really one of the first, at least here in the US, governmental awareness and education programs on disinformation, how to spot it. We released an infographic and a bit of a public engagement campaign called the War on Pineapple, and really what it was was a five-step
primer on here is how an influencer runs an influence operation. The first thing is they identify the issue that they want to manipulate; the second is they get the accounts in place; the third is they start amplifying the issue; the fourth is they get it to go mainstream, meaning they get it picked up by a network, a paper, or something like that, or someone that is an influencer; and then fifth and finally, they get a real world, they get it into a protest, a counter-protest, they really start driving it on the streets. And the challenge that we had at the time was educating in a way that was engaging, that wouldn't immediately engage the lizard brain and get people turned off or angry about the issue. And so we tried to find what's the most kind of binary thing, that you either love or you hate. We went through things like whether you like salt and vinegar potato chips, whether you like cilantro, Texas barbecue, North Carolina barbecue. Where we landed was whether you like Hawaiian pizza, whether you like pineapple on your pizza, and that seems to be an incredibly binary decision, and it took off. And it's still, I swear, every time something comes up on the Twitterverse related to pineapple or Hawaiian pizza, I get tagged; it just happens. A couple weeks ago was National Pineapple Day and my Twitter mentions were a hot mess that day. So at the same time, though, it's a great thing. Now we've got this association; people think, like, wait, what was that about? And you can start digging back in a little bit on disinformation. It gives opportunities to learn.

Jack Daniel: Cool, cool. Yeah, the poor pineapple. It used to be the gift you gave, or it was a symbol of welcome and hospitality.

Chris Krebs: Hospitality, it was great. And yeah, no, that's a fun one.

Jack Daniel: Yeah, the only thing that I think pineapple belongs on cooked is tacos al pastor.

Chris Krebs: Okay, I'm with you there, I'm with you there. I'm not a purist on pineapple on pizza. It's not my favorite, but I won't reject it if I'm hungry, three or four in the morning in Vegas, if we were together, and you put it in front of me, I'd probably go for it. But it wouldn't be what I ordered.

Jack Daniel: Yeah, that's one of those moments where I think most rules are, yeah, most rules are, you have Vegas. Man, I miss that. I miss seeing
folks. Those of you catching this, I miss you, really I do, but let's not die; let's see each other, hopefully, next year. So let's head in a different direction. I want to talk about supply chain for a little bit.

Chris Krebs: Sure.

Jack Daniel: So this is nothing new, right? Supply chain attacks are not new. I think the scale and scope may be new. A lot of these things that cranky old men like me say "this is nothing new" about, I have to remind myself to say "but it's different now" or "it's worse now". And once there is a motive... a lot of what we now call cybersecurity, whether it was information assurance decades ago or whatever, it was a whole lot more fun until people realized they could make a lot of money at it and the consequences became a lot higher. It was everywhere. You add in political subversion, you add in the various other motives, when opponents or adversaries find motives for things, and supply chain is just right for attack, and it's a real challenge. So the cranky old man question is: why do we keep talking about it over and over and over? And the less cranky old man thing is: what do we do about it? What are the first steps to make this less terrible?

Chris Krebs: Why do we keep talking about it? Because we still haven't done the basics, I think, and the basics are so hard.

Jack Daniel: Thank you. "We haven't done the basics" is something we could say a lot; "the basics are hard" is something that a lot of people who haven't faced it in real world environments don't always believe. So thank you for saying that the basics are hard.

Chris Krebs: Yeah. And so we kind of have to break down the economic mechanisms here that are involved to get to why the basics are still hard, and I think a lot of it is we outsource. Over the last 10-plus years we've really, I think, kind of specialized and siloed and outsourced, and once you start shifting that third-party risk, you start shifting your risk management to a third party, and you say, well, it's not my problem, it's theirs. But that risk, all you've done is transferred it, and if that third party is not taking it seriously, then you still have that exposure. I think what has really happened over the last five years is that the adversaries have gotten, it's probably some combination of smarter, lazier, and more efficient, and they understand that if they want to go
and it's kind of like the Willie Sutton thing. So Willie Sutton, famous bank robber, was asked, Willie, why are you robbing the banks? Because that's where the money is. Same thing about supply chain, same thing about MSPs, same thing about enterprise software. What they're doing is they're going after the one-to-many points of leverage so that they can conduct breakout attacks. That's what we saw with SolarWinds. Kaseya, I think, is still a little unclear about exactly what that was about; it seems instead it was just a zero day in a product. But think back to NotPetya, M.E.Doc, the Ukrainian accounting software, that was a supply chain compromise. And so it just makes it easier for the adversary to get a broader reach. And I think what we're really probably seeing with the more sophisticated adversaries, the SVR of the Russians, the MSS out of China, is they're shifting their intelligence collection techniques towards what one of my employees calls "access everywhere". They are looking to turn the global software, the enterprise software and service industry, into their own collection infrastructure. They are looking to harness it so that they can have access to whatever target they want at any time. And when you think about it that way, it's like galaxy brain stuff, it's like, oh my God, they have enslaved this entire IT industry so that they can do anything they want at any given time, and you can continue kicking them out here, here, and here, but we're really chipping away at the edges. So we have to do a much, much better job, I think, on the intelligence collection side, for the government, the US government, our allies, to try to get ahead of them before they get there. Find it, if we can't, take advantage of their C2 infrastructure. But back here we really have to shift hardcore into that detection, investigation, and response mode. The hard part here, just like we're still not doing the basics and the basics are hard, dividing out signal to noise is also really hard. And in the case of SolarWinds, when you think about what blew that entire operation open, it was a SOC analyst at FireEye investigating an alert on a device enrollment. I mean, that blew up an entire global collection intel infrastructure. So it shows you the power that we have in the SOC, but how do we move that detection further to the left?
Really move it hard left of boom, so they don't get that deployment.

Jack Daniel: So, related: you mentioned software, and software eating the world is an issue. But here in the US, and there are other agencies around the world, Underwriters Laboratories makes sure that the lamps here are safe and other appliances are safe. Do we need something like that for software? There have been a couple of attempts, and if we do, who is it? Do we ask UL to do that? Do we ask Mudge to go back to crank up that program? And in the tradition of giving you a lot to pick from, let's add the tangentially related acronym SBOM. Where does the SBOM fit into that, and does it? So there's another wide open path for you.

Chris Krebs: So yeah, software product liability discussions have been going on for quite a while. I think what's really different here about UL and some of the other compliance and attestation regimes on product safety is that in this case we have an intelligent adversary on the other side of the product, and there will always be use cases where the designer, developer, deployer, and maintainer will be like, there's no way I ever would have thought that that could happen; I mean, that is a crazy use case that results in a really bad thing. So I think that is, at least from where I sit, one of the really complicating factors from a product liability perspective. That said, we can absolutely demand better of our software developers, of software engineers, and I'm not talking about the individuals, I'm talking about the companies, right? It's the companies that are rushing to market; they're focusing on features and they're subordinating security. We've got to address that. And so that can either happen organically through the private equity space, the venture capital space, and the leadership space, and I think we're seeing glimmers and glimpses of that. But at the same time, the US government has one of the most powerful tools here, and I'm not talking regulation, I'm talking the power of the purse. So the US government is one of the largest consumers and buyers of software products in the world. I mean, the data, at least that I recall, it's dated, but the Department of Defense is, I think, the single largest customer for Microsoft, at least back in the old JEDI cloud days it was. But I mean, think about the sort of influence as a purchaser that you could have over someone that's delivering a product when you set the
terms, like, I need something that does this, this, this, and this. And so what you saw back in May was the Biden administration issue an executive order that had all sorts of software supply chain security measures. You talked about SBOM; it was the first time we've really seen that, it's not codified, but in an official document it said, this is the way, and so we're going to go down this path. It's also going to have build environment requirements, testing requirements. It was really a pretty strong flex. The challenge, though, is going to be at what cost, and, B, can we verify, can we attest, can we validate this, and in a timely manner? And I think some of the pushback, some of the feedback, is like, oh, it's going to cost X amount of money, so the government's going to have to figure out how to sort that out through contracting. The second is that, oh, there's no way that small businesses can do this, and so you're going to stifle innovation, you're going to push all the money back up to the bigs like Microsoft and all that, which I don't know if I buy into that. I think we'll also always have to have exceptions and edge cases and figure out how to continue to push for innovation. But nonetheless, there's going to be a cascading effect there, that when the government says "thou shalt" to the big software developers, they're not going to have government SKUs where the code base is entirely different, and so that code base is going to be shared with commercial products. It's going to be the same thing effectively; there may be some bells and whistles and widgets on the end that are different, but it's going to have a cascading effect into industry. So we'll see, I think, safer, more secure products being rolled out to government, to industry, and so there should be security uplift across the base. That doesn't necessarily help on the implementation, the deployment, maintenance side, so you've still got to figure out that. But then to the broader question, how do you label? There are some pilot programs in that same executive order that, I think, the Department of Commerce is leading on, where they will look at what a security scorecard-like rating would look like, so that you can, in a standardized, uniform way, differentiate on security. I think that's a huge thing, because the Brits have kind of dipped their toe in the water on this; their DCMS, which is the digital, sports, and media agency over there, tried to pull
together a similar sort of thing with a labeling regime. And what it would really take, I think, here domestically is a massive retailer like Walmart, like Amazon, like Target to say, full bore, every single product we sell has to have this sort of labeling, so that when shoppers come in, they can pick up two things and compare and say, okay, this one's five dollars more but it has this kind of security compared to this thing. That's what we're going to need. And so, like I said earlier, we're going to need some leadership out there in industry, and I'd love to see a big box retailer step up and change the game. That would be fantastic.

Jack Daniel: You used the word labeling a couple of times, which tickled a thought. One of the challenges we've faced in the field forever, if, like me, you go back to some of the old reports, the Ware report and the Anderson report, rights let's report, these other old things, and coming forward to today, is that we've struggled with a lack of a common lexicon. We have words and acronyms that don't mean the same thing, and I'm not just picking on the sales people on the show floor at trade shows who abuse our language, but as an industry we don't have a common lexicon. And this is one of those places where, at the risk of betraying myself, I'm actually a little bit optimistic. I think that the Cybersecurity Framework that was initiated at NIST was an interesting and good step. I think MITRE's ATT&CK framework goes a little further. I think there's hope. What do you think about that? Because, and now let's make fun of the people in sales, if you go to the trade show floor and ask them, can you just very quickly and simply explain to me threat, risk, vulnerability, exposure, a couple of these really basic terms we kick around, can you do it? And if they struggle, that's fine, but if they completely conflate risk and vulnerability, or threat and vulnerability, exploitation, then people are making buying decisions based on listening to sales people. And don't make fun of people for doing that, because, having been the harried administrator, I had to find resources where I could, and sometimes that meant, well, nobody else is talking about this publicly, so I'll ask the sales guy. So what do you think about that common lexicon, the challenges we've got, and our chances of moving forward?

Chris Krebs: I think it's a...
I mean, let's give ourselves either a little bit of credit or a little bit of room to run, in that this is still a pretty young, nascent, immature field, and a lot of people are still, just like the field is growing up, I think that people are still growing up in it. And to your point, the Cybersecurity Framework, which was a product of an executive order, 13636, anyway, it's an Obama administration thing. I was a part of the MITRE team that helped develop it, got to go across the country back in the glory days, where we traveled all across the country holding workshops and extracting feedback. And that's just to point out, like, NIST didn't just, it didn't just spring from its head what the Cybersecurity Framework was. It was a series of workshops all across the country, and the framework came from practitioners who said, these are the five areas that you need to focus on, and here are the sorts of sub-functions that you need within the framework. And so that's exactly how this should work: it should be stakeholder driven, consensus based. It's not immediately actionable, but at least it starts orienting, and the thing that I've seen the most is that boards of directors now are at least seeing things through the lens of the framework, and that's a great thing. Now, implementation, it doesn't go far enough, and so the MITRE ATT&CK framework, again, solves a different problem; it's trying to look more at the adversary side and how we cover down. The thing about the ATT&CK framework that I like is it helps start to rationalize security product investment and the impact of a security product: can you cover down on this technique, and as techniques develop, what additional products do I need? And that was the funny thing about when I was in USG, in the government:
was you know there wasn't broad widespread deployment of edr and xdr solutions really until just recently and that was in part spurred by um some of the missed opportunities through i think the solarwinds compromise where you probably could have detected some of the the host space and network anomalous activity if you'd had a solution like that but you know i remember about this time last year maybe even it was in the in the spring where we were we had we pretty much mapped up uh the 101 federal agencies and the amount of red out there across the framework was just like but as soon as you drop an edr solution on top a lot of it
went to a much healthier uh yellow or even green and so that's you know those are the sorts of of techniques and frameworks and ways to at least map things out a little bit uh that will help continue driving uh you know the the the blue team as well as communicating to leadership forward so what's next right i mean you you i saw made mitre uh just dropped a uh a framework for ics for control systems which i think is the other space that you know if you think you know if if we think we're nascent here um that community is still in diapers and i don't mean that pejoratively at all it's just their
the investment the you know when it's it's when the eye of sauron of the of silicon valley and the vc community starts looking at you that's where you you really start seeing acceleration so uh you know in in my concern more than anything is um and you're seeing it i think now and you know in some of the ransomware uh uh situations is that is it the adversaries are starting to shift because there are more adversaries the adversaries are starting to shift away from just data exfiltration they're going to start moving towards uh functional disruption and in fact there was an alert that the us government issued last week about uh chinese or two weeks ago about
chinese pipeline the chinese cyber actors targeting u.s pipelines and that was all about control systems and that was all about down the road if they needed to pop off uh you know a a gasket on a pipeline to disrupt something locally that they would be able to do it so control systems is is i think going to be one of the most important areas uh that we focus on going forward but again it is an area that that needs much much more investment um it needs much more democratized security training so i'd love to see a b size equivalent uh for control systems or at least tracks them you know i'm sure there are some out
there but that's a that's an area where we need a significant amount of security uplift because uh the investment you know when you think about rural water or at least you know municipal water facilities they're like 30 000 of them uh and they're rate limited uh it's you know that is a space we need a lot of uh work yeah absolutely being down here in small town georgia and driving through uh the rural south a lot you know that we still have the rural electric cooperatives the local water and sewer people and uh they're under resourced and uh i'd love that if anybody uh watching uh wants to help make something happen there reach out to me i'm easy to find
on that internet thing and it doesn't have to be a b-sides i uh i'm about building communities so if we can if we can connect with people let's do it so where to go from here you know let's um let's have a little more fun um there's a question i asked on a podcast to do with a friend but uh do a different version of it here for for you um it's a two-parter where do you get uh your news where do you enjoy getting your news favorite sources of news and things and also uh related is there a recent book you've read movie you've seen podcasts you've watched audiobook tweet whatever something that has
had a profound impact on your view of stuff whatever that stuff is and it doesn't have to be cyber security it can be it's changed the way you deal with your children or it's uh change your perspective socially or politically so let's start with that specific one is there something that has really moved you in the past year or two that you've seen or read or heard yes um in this i you know some people might say that i'm you know uh cheesy here or some other you know kind of a little too close to the pop culture themes but i'm telling you one thing as a as a at the time when i was so this was
right at the beginning of of covid um you know i'm running an organization it's the first you know it's 2500 people it's the first time i really had a significant leadership role and i just you know i didn't come up to the military i came up in the policy space i went to you know law school and you know there aren't a whole lot of opportunities out there for 2500 uh people teams and so i was you know doing everything i could but first just to build a management team around me that would help uh cover on some of the spaces where i was weak uh on the administration side on hr things like that
um but uh you know at the same time trying to learn as much as i could you know and so like you know i'm on the plane all the time so i'd grab harvard business review listen to the learning leader podcasts and things like that um but what what really shook me the most and this is i swear you know this could be either um this is like clickbait or or i'll just go with it ted lasso the ted lasso tv show from a leadership perspective is some of the highest quality tv that i've seen in a long time like just don't don't focus on anything but how he leads that team he doesn't know anything
about soccer he's an american football coach he goes in there he doesn't know anything about the techniques but the way that he was empathetic and he got the most out of all of his players throughout it was you know there were little moments where i was like that isn't that you know i need to do that how do i do that what more can i do to be a more empathetic leader and it was funny because the timing because the timing of that as we went into coveted lockdown and then on the heels of that with george floyd's death and uh some of the the protests and civil unrest over the summer and then going up into the election it
really challenged i think every single leader out there how do you make that transition how when you know that your workforce is scared when they're worried about dying when their relatives dying and not just about covid it's because they're people of color you know how do you meet them where they are and give them the information they need and you're not going to save the day nobody believes that but how can you listen how can you learn how can you help and then you figure out those opportunities to lead so it you know i think last year and even through today right i mean it's been a really really challenging year and a half going on two years for
everyone and so it's those little glimpses those reminders of how to how to help how to be a good leader and so so yeah ted livestock for me and you know they've got the second season i haven't watched it yet but uh it just that that was that was something that i really took to heart during the jared kobit cool very good that's a good insight in that that um some people will will bristle at the idea that the manager doesn't need to be an expert in what the team does but i think there's a real value in enabling your people getting out of the way or you know whatever management jargon you want to
use um if you it also means you're not going to micromanage their technique you're going to make observations like you know when you do it that way it works better for you and for the team and when you do it this way it doesn't work as well for you and doesn't work as well for the team that might actually be easier to see if you're not an expert in that thing whatever that is so that's that's an interesting on the more general um things i'm sure you consume a ton of varieties of media just trying to keep up as as we all try to you know fall behind as slowly as possible i think is
the way to look at our field you know where where do you turn for for quick hits and for deep dives it is uh oh wow um so i you know i used to have the benefit again being in government of a really uh tightly packaged intelligence update on a regular basis we had clipping services where i could get all the all the top uh top events and and be able to kind of roll that in and quickly digest so in the meantime uh twitter i tell you what if you can curate a a good list of uh twitter follow you know people you're following it is it particularly because a lot of a lot of you people out there
are prolific in commenting and um getting information out there in a in a type so i tend to i tend to keep a a pretty uh a frequent review of twitter and and some of the commentators podcasts are another really good way uh risky business and patrick gray's podcast is just outstanding i've i've been known to make a cameo uh on his show so he's great graham clearly tends to run through things pretty quickly as well and there's just a really good set of uh commentators out there and then when you do the deep dives you know some of the uh the reporting on wire for instance is great dan goodin's a a great reporter anything that andy
greenberg writes i think is is just outstanding um but but you know beyond that i you know i do caution people um whether it's twitter whether it's the major media is is you sh still you should read everything with a skeptical eye that there are other sides of the story and i'm not saying that it's this is of both sides as a thing or anything but there are there's information you know everyone has to deal with imperfect information and we make imperfect decisions based on imperfect information so you've got to allow for the fact that there may be additional information that you would have to adjust so so don't you know don't read an article and
go hardcore on this thing or that thing you know allow for the fact that that they're either external conditions or other pieces of information you don't have um so so again and again that's about that's a little bit about humility that's a little about empathy uh and you know you know i i'm as guilty of this as others but spares the hot takes sometimes yeah yeah it's um one of the the keys for me for um sources and um you know not to fanboy out but you we we both respect uh pat and what he's done with risky business and there are several others and the people who come back in the next episode or next article and say
well we got that wrong um are i'm way more likely to continue to listen to um those who double down uh or just kind of hope that you don't remember what they said two weeks ago um you know that's that's a challenge but like different sources so we're winding down and i want to end on a um on a better note and this is also a borrowed question but i really like asking it um so as we look at the the cyber security landscape as we look at the state of supply chain security and ics security and we look at the state of social media and disinformation um we're obviously screwed but but i'm not arguing
it's just you put it out there so starkly but what gives you optimism where do you see progress uh opportunity for progress that's realistic what gives you optimism in spite of this uh situation that we're in i've touched on it a couple times but what i am seeing is this is primarily through some of the the speaking i do but also uh some of some of the consulting engagements is that the companies the leaders the business leaders the ceos that own that run the day-to-day manage organizations those that understand that security is important and can be a differentiator actually really achieve the the outcomes that that we all want and so it's not about um you know you talked about marketing
earlier uh there's a difference between saying security is important and actually delivering on that and and so a ceo that says we are going to take security seriously here and then just tells the team and the team's like hey i got a day job boss i got to go do my day job that doesn't get it done you've got to have the follow through so whether it's having someone that is empowered to pick up the ball and run with it or you know you elevating the ciso or a product security person into a position that they can actually go toe-to-toe with uh the product feature team it's those sorts of decisions and evolutions that we're seeing
really what's happening is is cyber it's it's it's emerging from the basement of technology risk into business risk and i'll say this i think colonial i think jbs i think those two events are gasoline in our hamburgers i've said this before i've been made fun of for saying it but it really resonated in uh i think the american people and relatedly by the way you know we the the question you asked earlier that i didn't fully answer that you know typically the question is like what do you like better you know uh hackers or sneakers um you know the the problem is all of those movies are so dated when was the last time there was
actually a decent cyber security related movie you know when was last time there was a decent cyber security related tv show you know mr robot was pretty good it still wasn't accessible right it was still a little too uh technical there's enough we have an opportunity right now i think particularly with ransomware where everybody's like i was impacted by that that means something to me we can unpack how complicated this stuff is from a business perspective show some of the trade-offs in the boardroom and in the c-suite you can show how complicated it is on the actor's side and and you know to your point about those when we were talking about dis info and
the ad clicks and it gives you know a couple bucks to somebody in eastern europe that's exactly what's happening in russia right you've got these ransomware crews that are making money when otherwise they would probably be in the streets protesting and so it helps you know it helps kind of tamp down on some of the discontent those are the sorts of things i think we can tease that out really show how cyber security about how technology is a part of everything that we do and you know are we screwed i don't know if we're screwed we're just going to be dealing that with this for the rest of our natural lives and probably probably as long as the human race
continues to exist technology is here and it will continue to evolve and the risks associated will continue to evolve so how do we manage that risk it's not about eradication or elimination it's about management yeah cool well we're almost out of time but i do want to ask you is there anything you want to say promote uh are there something we've missed or something that is popped back in your head from our conversation and uh if nothing else where can people uh keep up with you and what you're doing and things like that we covered a lot of ground today so i appreciate your your uh skillful uh navigation of a whole range of issues here
i just want to say thanks to uh to you guys to to jack you and damon i mean that the the b sites community uh again this is this is about democratizing access democratizing education and engagement in the community and it's it's it's all over the country it's all over the world there's you know about besides tel aviv uh a couple weeks ago so you know keep it up i would you know i love to be a part of this and so thanks for having me you know how do you stay in touch with what i'm doing uh you know check me out on twitter see underscore c underscore crabs uh you can check out uh my my company's
website and that's pretty easy it's ks dot group ks.group we use the group tld which was kind of fun um but also keep track of what we're doing over at aspen with the disinformation commission there's going to be a number of recommendations that that just that hopefully that everyone can pick up and run with and and you know where i want to be is uh part of the solution team and uh there are no single single solutions there are no silver bullets it's going to take an entire community so uh you know again appreciate the opportunity and look forward to seeing everybody in person next year all right great thank you so much for joining us and
with that that's a wrap