Cyber Crime Junkies

Impact Of New Us Security Strategy on AI. Task Force Insight.

March 11, 2023 Cyber Crime Junkies-David Mauro Season 2 Episode 19
Cyber Crime Junkies
Impact Of New Us Security Strategy on AI. Task Force Insight.
Cyber Crime Junkies PRIME+
Support the show & get subscriber-only content.
Starting at $4/month Subscribe
Show Notes Transcript

Impact Of New Us Security Strategy on AI with Silicon Valley Think Tank, Task Force and ISAO leaders Carlo Brayda and Michael Thiessmeier.
 Topics: Artificial Intelligence And Cybersecurity Information Sharing And Analysis, Ai And Cybersecurity Information Sharing And Analysis, New Policies For Security In Light Of Artificial Intelligence, How To Protect Security Of Organizations With Artificial Intelligence, Ways To Protect Security Of Organizations With Artificial Intelligence, New Artificial Intelligence Us Regulations, How Will The Us Regulate Artificial Intelligence, New ISAO Info Gathering On Artificial Intelligence, Artificial Intelligence ISAO Info Gathering, and Top security Tips we all want to know.
 VIDEO Episode Link: 👩‍💻

To learn more about the National AI and Cybersecurity ISAO, visit

You can apply to join the Think Tank here:

/LETS CONNECT/ We Really want people to be able to Watch and Listen and we would love your help.

📲 📲 PLEASE CONSIDER SUBSCRIBING. It's FREE and it will help us to help others.
📲 📲   Our Channel @Cybercrimejunkiespodcast


📲 DAVID MAURO Linkedin:
📲 Cyber Crime Junkies Linkedin:
📲 Cyber Crime Junkies Instagram:
📲 Cyber Crime Junkies Facebook:
📲 Podcast Cyber Crime Junkies:   
🔔 Site, Research and Marketplace:     
🔔 Want 💎 EXCLUSIVE💎 Content? For only $4 💎 SUBSCRIBE to Cyber Crime Junkies PRIME  

Thanks for watching! -David, Mark, Kylie and Team @CCJ  

Support the show

Want EXCLUSIVE Content? For only $4 SUBSCRIBE to Cyber Crime Junkies PRIME

Please consider subscribing to our YouTube Channel for ALL Video episodes.
It's FREE. It helps us help others.

Our YouTube Channel @Cybercrimejunkiespodcast

Impact Of New Us Security Strategy on AI with Silicon Valley Think Tank, Task Force and ISAO leaders Carlo Brayda and Michael Thiessmeier.
 Topics: Artificial Intelligence And Cybersecurity Information Sharing And Analysis, Ai And Cybersecurity Information Sharing And Analysis, New Policies For Security In Light Of Artificial Intelligence, How To Protect Security Of Organizations With Artificial Intelligence, Ways To Protect Security Of Organizations With Artificial Intelligence, New Artificial Intelligence Us Regulations, How Will The Us Regulate Artificial Intelligence, New Isao Info Gathering On Artificial Intelligence, Artificial Intelligence ISAO Info Gathering, and Top security Tips we all want to know.
 VIDEO Episode Link: 👩‍💻
  [00:00:00] It's always in the news. Cyber criminals attacking great organizations wreaking havoc on the trust of their brand. We socialized cybersecurity for you to raise awareness. Interviewing leaders who built and protect great brands. We help talented people enter into this incredible field and we share our research and blockbuster true cyber crime stories.

This is Cyber Crime junkies, and now the show.

Well, good day everybody. I am David Mauro your host of Cybercrime Junkies. Welcome to the show. We are joined today by, two esteemed people in the cybersecurity and national security. Group, the [00:01:00] help that they've been driving is instrumental. We really wanna get the word out. Carlo Brayda who is the founder of the Tutorial Institute, the Silicon Valley Think tank that we talk about often.

He's joined us today. Welcome Carlo. Thank you very much. David, very glad to be back on your show. Always great to see you. And today we have a very special guest, Michael ts Myer, who's an experienced CISO member of the Forbes Technology Council, executive Director of the United, US National AI and Cybersecurity iso, and we're gonna get into that as well.

He also is a member of the Silicon Valley Think Tank along with us. Michael, welcome sir. Thank you for having. . No, we, we, we really appreciate it. So let's get into the ISO and how it originated. Carla, would you like to kind of explain some of the context? Yeah, I'd be glad to. As you guys know, we founded a few years ago this think tank based out of San Francisco [00:02:00] with the goal of.

Developing and refining, partnerships in the world of, cybersecurity and AI and cloud in general. And, and, and really we wanted to model something that was not too dissimilar to the World Economic Forum as a gathering of, leaders and, from private and public sector to come together and, and drive forward strategies that would actually make our world a better place, a safer.

 On occasion, generally on a quarterly basis, our think tank comes up with summits and these summits, during the pandemic anyway, we've been running them on a, on a virtual basis. And, during one of these summits that had AI as a focus, a number of, members and, delegates came up with, with the concept.

You know what? There is a, there's an area there, that really needs to be, developed further, and that's kind of the, the crossover between cybersecurity and ai the importance of delving into that, better into sharing best practices around AI and cybersecurity, protecting assets, [00:03:00] AI assets from a cybersecurity perspective, and using AI to, develop better cyber.

And all of that is a very, very exciting hot area at the moment that really needs, further exploration. So, at the institute, we created a, task force and, , Michael Tis Myer was actually the person that instigated it and, elected leader, of the task force looking at, this particular area and this task force.

Eventually, it evolved into this concept because the members of the task force, came up with, with the idea of, of really, thinking to, thinking of, of creating is a, and information and sharing, an analysis, organization as opposed to an iac. Because an IAC is of course, looking at the verticals, whereas an ISO is looking really horizontally at this whole area.

Now. And I'm really, really very, very, very, very humbled and proud to have, , Michael Seyer, in this role, as an executive director of this, is a l Michael [00:04:00] has, an most incredible background in, , strategy around cybersecurity, cyber defense, , counterterrorism. and, and he's of course very active with, NATO and, has been, representing, us over at NATO on a regular basis.

Andas a number of NATO conferences and, you know, spent some time out in, the Baltics, also because of that, mission and, so that's really that, that's kind of the whole thing came. . So of course with the fact that yesterday the National Cybersecurity Strategy came out and, and it alludes to, outreach, partnering between allies, cyber diplomacy to such an extent that I, I thought, well, this really fits in so well with the mission of the is a and I thought that, today's, episode, with Michael, would be really, really fascinating and and exciting for your.

I would agree, I think, and, and especially in light of yesterday, and think of the, the [00:05:00] momentum that has been gained with the launch of Che G P T in the fall, how fast that's been adopted. You know, mostly for good, but there's also bad actors, threat actors leveraging it. And it's, it's really, really impactful.

And then with yesterday's report, we have the report, we can go through elements of it. As relevant. I've, I've read through the whole thing. I like the pillars, you know, the four main pillars. I think it's excellent. So Michael, can you, explain to the ladies and gentlemen, first a little bit about yourself and, and, and your background, please.

And then, and then let's get into, you know, what, what is an ISO and what is the, what is this iso. Of course, gladly. So, Carla already said, I have, I would say about 20 years in technology in general. I've served, before the AISO. I served on various working groups and committees.

, I was representing, ISAACA, which is one of the largest , industry associations for [00:06:00] cybersecurity. And then I was serving on the, US National Delegation to the International Standards Organization. I served on un working groups. Like Carlos said, , was involved with, some of the conferences and working groups of NATO, i e e, like a lot of different organizations just because I am really passionate about technology, so to say.

Right? And, and, and with that passion and my prior military background comes, I want to make sure that we safely introduce technology into our societies. to the betterment for all of us. Right, right. Equal access and, and all the good stuff. And, so that's where I'm coming from. I, have worked for PlayStation.

I've worked in Silicon Valley for a long while. I was a part of the PS4 launch, so there's, there's a lot of background there, but that's not, doesn't necessarily pertain to this, today's conversation. And as Carlos alluded to, like we said, we, we had a summit and during the summit we kind of.

Identified a need that there was a gap. And for me, this, this, this, this gap had been apparent [00:07:00] for quite some while when I was, as a delegate at the International Science Organization. I, I saw how China. Was acting right and China has pillars too. China has, five pillars to the national security strategy and one of them is called setting the rules of the game.

Setting the rules of the game, interesting, influencing international standards, frameworks and norms, and their approach. It was very clear, was very, very harmonized, hall of nation, very deliberate and it seemed. If I were looking at the western nations, the western delegations, that there was a lot of, how would I say, collaboration, missing a lot of, like, we, we were all acting independently.

And then once we realized what was happening, we started kind of pushing back and, and, and, and working together at Hawk. . Now obviously democracy. Can I, can, I can, yeah, no, can, can I dig down into that? Because I agree and I see the same thing. I'm just not sure if I see what you're seeing clearly [00:08:00] are, is it between the public and the private sector, or is it also that, and between various public sectors, meaning various countries, federal and state organizations, what are you seeing?

Like where's the. . So it's at all of those levels. You have to understand that, that, that, that the governments were primarily focused on national security. Mm-hmm. , and for some reason areas like international standardization weren't identified as of importance of that. Like if you were looking at, at the iso, what organizations were involved in that from the US it was.

but if you're looking at national security organizations, most of the people that were there were only people that had a background in them. There was no direct participation. Now UK it was a little bit different. Gch HQ was in there and, and it was then literally people just identifying the need that we need to somehow counter the influence of these actors like China starting [00:09:00] to collaborate independently with each.

to do that, but no direction from anywhere or no help or assistance from anywhere. At that point, it's very important. This is where we're now going back towards 2015. Mm-hmm. , and exactly that gap exists in general when we are talking about public and private sector collaboration. in cybersecurity. We do have ISACs, we do have ISAOs, we have the meps for the manufacturing sector.

But there's so many of those organizations and they're all fragmented, and they all seem to act a lot of times very independently rather than to be getting some kind of direct support or direction so they can emulate this whole of nation approach, so to say. And I think what we've now seen in the last few.

Is a shift towards in policy in the US where there's a lot more engagement. The state department now is talking about cyber diplomacy, and this is also, I think, reflected in this national security strategy. [00:10:00] Well, the same gap that I had outlined was what we identified when we decided that there's a need for an is a O because we looked at AI in the convergence of AI and cybersecurity and we identified that there is no organization like.

That immediately raises some alerts and questions. Cause an ISAO is defined by presidential executive order, a NGO that's a community of interest that shares cyber threat related intelligence or information and best practices across that community. Public mention private. Yeah. Across it, it breaks down the barriers, right?

Between all of the different actors acting with all good intention, but they're all going in different, they're all, you know, the symphonies are playing from different music sheets all over the place, right? Yeah. . Yep. So, so, so in iso, what, what, how does it get implemented? Does it, is it presented to Congress or is it presented to the executive [00:11:00] body?

How, how, can you explain to us kind of how it gets implemented once you kind of come up with the strategy and you explain it co you want to take this, I know the part where we registered with the standards body for the Is a o set exists. Yeah, exactly. Yeah. You, you registered with the standard body standards body for the, is.

That's kind of the governing body. And then you go live and then you go live. And so we did and and it's it's, it's just incredible how well, how well it's been received not only within the United States but also within the NATO community. And I think that really says a lot about the need for this type of organization and the need for this type of dialog.

Because as, as you were alluding to just a moment ago, David, you know, there is yes, there is a need for, there's absolutely a need for better partnering between private and public sector in the United States, and that's something that is ongoing and I think is reinforced by yesterday's strategy announcement, but also at an international level because of course cyberspace doesn't [00:12:00] have borders.

Right. . Right. And and that is a real point. You know, we, you know, we can't think. In a sense of a country anymore. You know, in, in terms of its physical boundary, it's very, no. I mean, when I, I couldn't agree more. I mean, when we look at. We're part of Ingar and we do security trainings all over the country.

And when we do, we always talk about certain case studies and one of them involve the fact that it is borderless, right? And when the cybercrime gang, the Shadow brokers brought down the telecom system in Spain, they made a proclamation like we have no border or country. When you get online, you enter our world.

We're in control now. And when we hear that, We have to understand the mind of the criminal threat actors. And by doing that, then we're able to better defend ourselves. Exactly. Exactly. So, so what type of actions, like what can we see the ISO doing? Will there [00:13:00] be meetings that can be held between various government leaders of various countries?

Will there be a congressional hearing? What does it look. Okay, well there's, there's multiple things that, that are ongoing. At the same time, we are standing up so-called working groups internally at this point, right? So there's of course the internal member meetings. There's the executive advisory council that we have that we're still looking for additional members with for that currently meets monthly, and it'll move into like a quarterly quality type of meeting.

Together with tbi, the Tutorial Beta Institute, we are holding events similar to podcasts, similar to con mini conferences right now. Virtual about certain high topics. So we started a, a event series that was about a ai, ai impact, ethics and bias. And this event series is now progressing into.

Basically taking specialist communities and discussing what impact generative AI like chat G P T or other forms of AI have on their specific job. [00:14:00] So let's talk to offensive security people. Let's talk to Cecils. Let's talk to other job specialty groups and have them have a conversation about this. Yeah, on the larger scale.

I can just give an overview of the next few months. We have joined the overseas advisory Security Council Oh, excellent. By the diplomatic by the diplomatic Security Service. And we are actually in the planning comedy for the country of labia. By March 30th, roughly we'll host a or are involved, not host, are involved in a crisis management tabletop.

And that might turn after that into a tabletop that we'll spend three countries. Well, that's fantastic. I am such a proponent of tabletop exercises because organizations are all well intentioned, right. But they, but they create policies and then nobody practices them. And at a very rudimentary, and not to simplify things too much, cuz I tend to do that cause I, I think it's.

There's a level of sophistication that comes with simplicity. But when, when you think [00:15:00] about children in school, young children, right? They do fire drills, right? Otherwise, when there's a real fire, they're gonna be running in the hallways, going all over the place and bumping into each other and not get to the exit.

They're not gonna know where it is. We create these policies and then we put 'em in a drawer or we leave 'em on a digital file and nobody looks at it until boom happens and there's a massive data breach and everyone's like, are you calling the lawyers? Are you doing this? What do we do? Like, you know, like nobody really knows the actual reality of what you're supposed to do.

And that practicing of the fire drill is so important and here doing it internationally is it's brilliant to. Yeah. And, and, and like Carlos said, we are being so well received overseas because other countries are looking at the model of ISAOs and they love it. Just last year we were together, Colin and I were attending a, a meeting that's called Riga Stratcom.

It's by NATO Strategic Communication Center. Of excellence, which is in Riga, Lavia. And [00:16:00] we had people come up to us all the time. Maybe Carla, you wanna talk about some of the people that, that approached us? I think, yeah. I mean, I was astonished by how warm we were received, for example, the Swedish defense Research Institute.

And of course that was really at the time when Sweden was looking to join NATO at the very, very beginning of the conflict with Russia and mm-hmm. . And and they were saying, look, we have the same concerns for instance, around critical infrastructure. How do we safeguard our critical infrastructure?

Let's talk about civil defense. You know, w it's a top priority for us. What are your experiences? What are your best practice? We'll share, happily share ours because we'll be stronger together. And so you know, let, let's, let's, you know, let's carry this on. And so very, very warm reception by, by organizations such as that one in multiple countries.

And so therefore, I really think that there is a lot to be said, and, and this fits so perfectly. Like, it's like it's this yesterday's cyber security strategy is kind of written in in a perfect a. to this vision, [00:17:00] right? And it, it, it really is. If, if, if you guys are open to it, why don't we kind of crack it open just a little bit, you know?

If, if you're okay doing that I would love to just kind of, you know, take a look at it. Obviously we have the first couple I've gone through this. I know you guys have it's hot, literally hot off the presses. Right. What we have is several different pillars. And Michael, you had mentioned that China has.

Does, does anybody kind of wanna walk us through some of these pillars? What, what I found is they were really, really interesting. I mean, the language used here was pretty powerful. I mean, it was pretty you know, , we saw one of these in 2003. We've seen them since 2008, 2012. We, we've seen iterations of them, but this one seems to go quite mu.

It, it seems to be much more of a roadmap, in my opinion than before. And it looks like there's, there's legislation in movement that can actually make a lot of these ideas come to fruition. [00:18:00] What are, what, what are your thoughts? What are your, what's your initial. . Well, I think, I think jump in very briefly.

I, I think it's a, it's a very powerful document and I think it's a very clean document. It's very obviously very well thought out. Mm-hmm. , and it hits all the spots. Now the first pillar I'd like to comment on because it's dear to my heart, the one of re relating me regarding critical infrastructure.

Yeah, I'll pull it up right here. Yeah, yeah. Pillar one, right? Yeah, right here. Pillar one. Infrastructure is, yep. Is something that is you know, it's vulnerable. It's vulnerable across the world. Cybersecurity is still, let's say, in its infancy, relatively speaking, because at the end of the. In fact, I was listening to a, a speech by General Sison just the other day, and he said, well, I would actually give the uni six months ago I would've given the US critical infrastructure, a C minus and as a grade.

Because there were just, you know, there there's a lot of work that needs to be done. Oh, yeah. Comment as to, you know, what grade he would give right now. But I dare say that critical infrastructure is [00:19:00] a lot bigger than people see than people think. At first it's not. The big, big organizations, there is a whole supply chain.

There's a whole massive pyramid beneath it, and that massive pyramid is generally nowhere near as secure as it ought to be in order to guarantee no. We've discussed this in the past, right? Like when, when you think of critical infrastructure that includes water, and that include, I mean, we're not talking the, the, the national in, you know, transportation and, and electric.

We're talking about like local water companies. What's their, what do you think listeners, right? Their cybersecurity policies in resilience is prob probably pretty weak in general. Right? Well, Yes, because a, a lot of these organizations are also they, they don't have professional, we have a cybersecurity talent gap, which is something we'll talk about to him.

Absolutely. There's not enough skill really to go around and cover and fill all these holes. And so when it comes to organizations that are perhaps state level or local council, [00:20:00] municipality level there are gaps. There isn't enough personnel and there are you know, policies are not properly implemented.

then there is a whole idea of where you know who should be liable and who should bear the burden and the cost, right. Of cybersecurity development. And that's something that this cybersecurity strategy begins to address extremely well. It does, and that's really interesting. And I think that was, was that pillar.

oh no. Pillar two was interesting. We can come back to pillar two, or why don't we address it since it's up on the screen, but then let's get to the liability, the shifting of the burden, because that's gonna change things a lot, you know, with, with safe harbors being created, et cetera. But pillar two is pretty powerful, isn't it?

It's saying the U, the US government and private sector in alliance with the US government isn't gonna just sit in the sidelines. It's gonna be proactive with offensive. . Absolutely. Yeah. I think that's very, very powerful. I mean, this entire concept of hunt forward that we are already right now seeing where mm-hmm.

[00:21:00] US cyber experts are deployed overseas in, in Eastern Europe, both contractors as well as US government individuals to deal with the current, I'm gonna call it global crisis that we find ourselves in. This is just a reflection of this, right? I think overall and, and we saw it with recently in healthcare, right when they took down Hive, I think it was the Hive ransomware.

That was pretty, that was pretty powerful. Yeah. I think, I think this entire strategy is a reflection of the situation we find ourselves in. Yeah. Ai, AI has been there, but what is right now is, is, is different, is it's being commoditized. It's being, it's being democratized, right? Like everybody is starting.

Everybody from school, children on up, to teachers, on up to professionals, attorneys, physicians. A lot of people are, are engaged in it every day. Yeah. Which means we are collecting data, huge amounts, vast amounts everywhere. Way more than we've had before. Great opportunity. But this brings massive. [00:22:00] And this means the things we have been talking about specifically in an environment where we are dealing with cyber warfare, actually a land war in Europe.

Mm-hmm. , they now matter. Right. And I think this, this strategy is a reflection of that. Things matter now and we have to fix the issues that we we're all aware of for the last five years. And I think absolutely this is, I see the first steps. Oh yeah. And there, there's, there's been recent investigations that have done, like if people think cybersecurity is just for the, for the IT people involved, like it's coming to crim local criminal gangs.

There was just an investigation I saw. involving like just criminal gangs, like typical gangs like the Crips and the Bloods that normally would be dealing drugs or things like that. They're getting into account takeovers, credit card fraud, dark web things. And because the penalties aren't there, [00:23:00] right?

Yeah. When, when they distribute things like fentanyl and somebody dies, they can be charged with murder and go away for life if it's credit card fraud or things like. It's five years in a federal pre penitentiary as opposed to this. So they're evaluating their own risk. It's, it's a, it's a different time now than we've seen when these strategies have been issued in the past.

So I think it, it, it, this one will be much different. and, and furthermore, David you know, most of these criminal gangs are actually based outside in different legal jurisdictions where the United States hasn't really got the power to go and implement any solutions. Absolutely. And so that's, especially the ransomware gangs, you know, lock, lock bit 3.0, all of those.

Gangs, right? Yeah. Yeah. The, like, the I plus Steeler things. Mm-hmm. , just it's incredible what's going on out there and it's it's it's scary. So that, that's one of the things that maybe it's a bit too early to mention, but Michael and I have been investigating as part of what we want to offer members of the, is a the ability to actually do dark [00:24:00] web assess.

of their organization to be able to detect potential threats coming in from dark web early preventatively, you see. So I think that's that's the idea of, again, they're dismantling and disrupting cyber crime criminals is kind of part of something that we are also interested in in supporting in terms of the emissions of the.

Absolutely. I mean, exposing more and more light on the dark web is really critical because as we understand the mind and the behavior, the behavioral ana, you know, analytics of, of the criminal organizations, then we can better defend ourselves. Well, and right now it's really scary because I've seen, I've actually seen outputs from dark.

as many of us have, I guess, in our profession. But it, it's incredible. You, you, you have you know, for some of the listeners that aren't aware, cyber criminals have a full scan of your machine a full scan of every website you visited and all the passwords are collected, and it's all offered up for sale on the dark web for like [00:25:00] 20 to 30 bucks each

Absolutely, absolutely. And, and oftentimes we don't even know, like. , we could, we could give our information to a trustworthy site, but we don't know that they sold the information to a third party. That company over there gets breached, and then now all of a sudden our data, unbeknownst to us, which gets back to regular hygiene, right?

It gets back to fundamentals. It gets back to not using the same passwords on every single app, no matter how strong that password. . You know, what's particularly concerning to me is that now these cyber criminals are able to keep your session alive. Mm-hmm. as they sell you credential. , right? So you don't need to worry about the, the, there's, the multifactor authentication doesn't always protect you anymore, right?

No, no. We saw that with the recent Uber breach, right? The, the social engineering that occurred there. Even though they had multifactor authentication, it was just, you know, it was fatigue, right? They just kept bugging 'em un until they clicked. I think there's an [00:26:00] interesting segue here, by the way, into AI as.

Right. When we're talking about social engineering and we're talking about these, these aspects of how to defeat multifactor authentication, which came in the end down to the human, there's this concept of AI nudging. I'm not sure whether every anyone who is familiar with this ai nudging means I'm changing your environment that is surrounding you to many people.

Your influence you to take an action. That is the action that I want to see, right? Nudging is used in information theory, marketing or whatnot. But now we're using ai, right? Mm-hmm. . And just imagine, again, all the information I can get about a person on the dark web. Combine it with something that has the abilities of generative ai, like chat, p t maybe some of the technologies that we've seen for deep fakes for voice and oh yeah, video.

Yeah, we, we've seen that the FBI recently came out with an announcement last summer about deep fake being leveraged in hundreds of companies here in the us for remote jobs. People were [00:27:00] applying and, and they, they didn't even have to hack into the company. They were hiring them in the company and then stealing the data.

Yeah. Interesting. So, interesting. I think, I think this. AI will hear create. Actually, for us in this way, it's a threat most, mostly because it will significantly enhance and make social engineering and make it more scalable. Oh yeah. It's like, it's like technology to be simplistic again, it's like technology on steroids, right?

Like one person can do 20 person's job, or the speed at which one person with a bad actor can act becomes exponentially. Yeah. You know it's really, really interesting. So let's go back to the US National Cybersecurity strategy here. Pillar three, shape market forces, and drive security and resilience.

I think this is a really powerful pillar, right? Because they talk about shifting the. on software manufacturers, product manufacturers, [00:28:00] service providers, potentially away from individuals and small businesses, which I think in theory is a great idea. Right. Create. The one thing that confused me, and this is why I'm happy to ask you guys this, they, they were saying they're gonna create new standards in which to apply, almost like a standard of negligence, right?

Like, if you're gonna put a product out there, you can't be negligent if you're, if you comply, will give you safe harbor, right? They can't have private causes of action against you. You can't be held liable, et cetera. But if you don't, right? You know, it's, it's like mandated insurance or mandate. Regulation like HIPAA and healthcare.

If you don't, there's gonna be liability. I think that's great. Don't we already have those though? I mean, is it nist, this seems like it was relying like a NIST led framework, but are they, are they gonna enhance nist do you think? So, I think, I think we're standards, right? We, we have a lot of standards.

We have ISO 27,000 series, which I worked on n we have the s o C reports. The problem [00:29:00] is a standard without enforce. and oversight is, is a piece of paper, and we're seeing that It's just so much ment many. Right, exactly. And how many companies find a small audit company that will create such a narrow audit scope, right?

Mm-hmm. , we're basically the standard is just assessing the tiny component of the entire system. And in the end, you still get the same paper, the same passing grade, but, but it's this reflective of actually the entire system that the product or services that you provide that. in this case, then not. So it all depends on is there oversight and then is there enforcement for when things go wrong without those components?

I, I don't think standards are, are necessarily a solution here. So I'm, I'm, I'm looking forward to seeing like, then some enforcement of these standards because coming from Silicon Valley, I've seen a lot of companies act basically with almost unlimited risk appetite. Mm-hmm. . Cause from the engineering functions we have to, we have, we have.

[00:30:00] Break things fast and fix them faster. Right. Well, that's great if you're not you know, Theranos selling medical diagnosis to people or Yeah. We, we have several episodes on Theranos. We did a deep dive on Theranos, including having somebody attend the trial. Yeah. Theranos is just a story Ondo itself, but that's a great, I it's a great example, right.

Of, of if that's the mindset, how are you gonna implement? . How do you think, just speculating here, we won't hold you to any of this. How do you think they will begin to enforce this? Like, how, how, like who do you think would be enforcing it? Do you think the s e C will get involved? Do we think the F FTC will drive it, will be the FBI led or will it be a new agency?

I don't know. That's a really difficult question. That's Above my pay grade. . . That's ok. Ok. That's why I asked you cause it was well above mine. I was just curious. Like, so I don't know. I mean, I, I've listened to an [00:31:00] Berger, the f NSA leader recently. Mm-hmm. Speak about. You know, in terms also shifting the burden, right?

She made an example. She said, well, you know, typical users cannot always you know, we cannot shift, expect them all to be cybersecurity capable. You know, my grandmother couldn't do that. Right? Right. She, she wouldn't, you know, necessarily know how to handle her security on her devices, right?

So that's part of it. The other thing that she mentioned was. that, and this is about oversight oversights of standards implementations is it, it would be a very good thing to have visibility on where everybody's at with regards to their cybersecurity posture in the same way that when you go to a restaurant, this is an Anne Berger's own words.

When you go to restaurants, you can see there's a, a label there says the food hygiene. Yeah, food hygiene. Exactly. Because we all kind of agreed there are some basic, there's a basic threshold that you need to, to make if you're gonna hold yourself out for the, to the public and cook for people.[00:32:00] 

Right. Exactly. Exactly. So I'm expecting a lot to come out along those lines. Correct. And I'm sure that it will be instigated by the office of of the cybersecurity director. But it will probably be done again in partnership with with a number of organizations you know, including csa and probably including.

A number of private sector actors and civil society actors, including potentially even organizations like ISOs and Iacs. So that's all. I would think so too. Yeah. But I think it's gonna happen fast. I think it's gonna happen fast because there's a, you know, it's, it's clearly a top priority. Yeah.

In relation to two, to, to the critical infrastructure. I also wanted to mention that we've had a vision over the last couple of years. We called named cyber Eagle which is around let's say, and it really fits with this idea of shifting the burden, right? Because part of it is a financial burden.

And I think that you know, reading the strategy, listening to what the various commentators and what has officials had to say [00:33:00] there's gonna be government funding going into this, to, to make sure that cyber, cyber security postures improve and increase across the board. And now our vision was, and it still is, why don't we create a system whereby companies in critical infrastructure, and there's hundreds of thousands of them are able to avail themselves of like a , like a forgivable loan, A T P P P type as we've seen to bol up their standards and their compliance and their, and their, their systems, their tools, their, their practice to be able to, yeah, to be able to afford a, a a tax.

Yeah. Whether it's by tax incentives or, I mean, there's, there's several different ways they could do it. Right. Several different ways where that, that they could, you know use to be able to, to afford it. But it ought to be done. It ought to be some. You know, the, the orchestration of that ought to be done you know, by the government.

And then implemented through agencies and different outreach organizations and then and, and this this program I, I think would go a long way and really helping to turn this vision into a reality because [00:34:00] you know, strategy, strategy, it's all about how you go about implementing it.

That makes a. You know, and that's that's where we're concerned is you know, I'm, you know, I, I just want to make sure that at least we on our side as the, is a, as the institute do everything that we can to support the implementation of the strategy. Absolutely. If I might extend on this I think, I think one thing that we mentioned before, right, is that the, IS AO is very broad.

Their focus of ISLs is very broad and expands AC beyond the critical infrastructure sector. Now, when you're starting to hold companies towards standards and, and, and, and, and you're starting to involve liability beyond what has previously been done, the immediate question is, are you empowering those companies to actually fix what they're having, the issues you're having?

And of course, CTP loans or similar things fall into. the primary challenge, of course later on in one of our pillars that we find, this is the workforce, the gap that we have when it comes to cyber talent and the fact that even a small [00:35:00] company might sit on large amounts of data nowadays or be involved in, in, in, in important projects, but they don't have the funds to staff cybersecurity, and they certainly don't have the funds to employ a dedicated threat intel analyst or even a.

And that is where the I S A O is, is is able to provide similar services or that to fill that gap. For example, for such companies, because I've, I've had these conversations mostly in Europe so far, but even here, we just recently started it about this concept of civil cyber defense. And with that, I really mean it from an old school perspective where, I don't know, in the 1920s, 1930s, like people were worried about roads and, and, and all of this stuff.

And society was involved in protecting that and it was everybody's job and everybody was supposed to have a part in it. In cyber, like we said, no, not everybody can be a cyber expert, but if we really want to protect society, we need to understand that we [00:36:00] have a soft belly, soft under. and that the critical infrastructure programs can never be expanded to cover all of that.

That's that's, that's not scalable. So we have to be okay with some risk, but we'd have to harden this soft underbelly to a certain degree as well because our societies become more and more connected and we see that in supply chain attacks. Things start outside of the critical infrastructure structure, SE sector, and then move inside of it.

And I think this is where ISAOs and public private partner. Can play an extremely valuable role in support of pillar one and pillar two of the national cyber security strategy. Absolutely. And I think also it's a case of cyber resilience, right? Largely right. So you know, how, how, and this is something that again, I'm, I'm sure that the i c will be able to really address in a big way is Helping member companies to develop the best the, the right cyber resilience best practices.

So, because you're right, people are gonna get hits and people always do, no matter how amazing your defenses are. It's, it's [00:37:00] largely, the play is largely about cyber resilience and making sure that when you are hit, it doesn't hurt, you know? Yep. . And again, I don't know how how the ISO is going to go go about doing that, but I'm sure there's gonna be some really powerful best practices that will be available for members.

Yeah. Well what what I found really refreshing here was the the shifting of the burden from small businesses, and that directly addresses what you guys were just talking about in terms of the, the skills gap, right? Because the small businesses don't really have the. to, even if they want to, right.

But they, they may not even have the awareness of what their needs are in terms of what, what is needed, because they might not be in a regulated industry, so they haven't had to in the past, but then they don't have the financial wherewithal or the skillset to be even to address some of these concerns.

Yeah. Very valid. I mean, I, are we expecting that every 50 person shop starts hiring a Cecil ? [00:38:00] Right. It's not real. That will never happen . That's true. It's not realistic. So in relation to, for example, the cyber diplomacy efforts, right? And this willingness from the United States government to have an outreach to, to allies and improve cross-border, let's say implementation.

There's obviously a big opportunity there for us companies also in terms of a commercial opportunity that I think I, I think there, there ought to be that, that that roadmap if you like, the commercial roadmap is also important. Right. And is that something that, that you think will also be part of what the ISO will be providing to member.

Absolutely. So think about it this way, right? Our approach was a little bit different than, than you would traditionally see for an organization involved in the threat intel space. On purpose. We, we do have the national security communication channels behind the scenes, right? Like the US has exchange methods, allies.

whether we are [00:39:00] talking about f, fbi, nsa, there, there are communication channels that are there. What we don't have are those for the private partnerships primarily, or those that don't pertain to true national security hot topic issues. And so when I started, well, I mean I've been involved with, with, with NATO before that, but when I started reaching out, I actually on purpose chose the American Chambers of Commerce because by doing that, we.

We reached out to American companies that are working abroad, many of them not in critical infrastructure sector, and tied them into our protection umbrella. And B, we are establishing the commercial relationships as well, not only into the markets that exist. . So let's say for example, this case, the Baltics, which is a very, very strong technology market, very innovative at this point, very much growing.

So there's opportunities of course to get resources there as well. But on the other hand, also the ability then, because of the reputation that we have [00:40:00] and how much people come to us, that there, that if there's solution providers, that these solutions can then be offered to our partners overseas as well.

Yeah, because they become aware, of course, through information exchange, through networking of. Partners that work with us or if a, if a technology provider, like you mentioned the Dark Lab solution we're talking about, wants to talk to us about a more deeper partnership, they can become part of our direct offering.

And with that then reach the exposure not only in the US but start getting our exposure overseas as well. So definitely it's part of our strategy. Yes. Absolutely. I mean, I, and I, I, I, I love the idea of the timing of all of this, right? I mean, it just seems like AI gets kind of, you know commoditized.

It, it becomes in the mainstream. this fall, this winter, right? And, and now you have this very powerful document that really [00:41:00] is, is a roadmap to next steps. It'll be really interesting to see the legislation that comes from this and the and the efforts through. Through the ISO in terms of getting the international community engaged with the us.

Can I ask something cuz I'm sure listeners will, will have this question. You were talking about there's a great reception from Lafia and there's involvement from from Lafia. Can you explain why do you think, like, why that country versus, versus others? Okay, so I mean, I have my thoughts, but so it started.

It was. It was part of my strategic formation process. So first off, you have already, you have NATO's Cyber Defense Center of Excellence sits in T and nato stratcom, which is basically AI and information warfare sits in Riga. Why is that? Well, the reason is is that these countries are bearing the. [00:42:00] of information warfare and of cyber warfare for years.

Mm-hmm. since the 1990s because of their relationship. The close proximity with Russia. Right. So if you want to talk about a place on the planet that is literally like the, the front lines. The front lines, they're, they're the front lines of cyber warfare. That's, that's, that's what I was thinking. So yeah, hearing it from you makes me think that I'm not totally out of the loop, so that's good.

No, you're not. You're not. And that's why, that's definitely why we picked them. And, and, and I think that is also why they are so interested in working with the US and why they are so receptive of, of talking to us. I, I can give you an anecdote. Three weeks before the renewed invasion of Ukraine, I was in the Lithuanian cell Senate at a forum, civilians Defense Forum, and nobody knew me there.

And we were talking, talking, talking like people were presenting. And in the end, public private partnership came up as a topic and I requested to be allowed to [00:43:00] speak. And once I announced we were the entire Senate and silent. and everybody just stared at me and was like, well, what are they doing here?

Oh, wow. And then after that, everybody started coming up to us. And in those two years we've, we've, we've built relationships up to the deputy prime minister level of certain countries in the Baltics, secretaries of defensive defenses like the f Secretary of Foreign Affairs. It's, it's, it's the US carries an excellent reputation right now.

That's fantastic. So, so what, what is, what is coming up? What's on the horizon for the for, for the iceo? So, like I said in March we will host a we will, we will be involved in a tabletop crisis management exercise. The next step there is a tabletop spanning three Baltic countries. And we will be attending two NATO conferences as well.

STRATCOM and c, the conference on Cyber Conflict. And we'll be Reaching out to the we just recently had an [00:44:00] ambassador change in Latvia, and we'll be reaching out to the host country governments as well as a new ambassador to establish better relationships there and to start really integrating the partnership as a communication and information channel back into the is a o that's internationally.

We also have started reaching out to the global form of cyber expertise. There are some research projects that, that we wanna get involved in for a ransomware accountability building model for countries to adapt. That's hosted by cisa, the us state Department and and, and some other actors.

Domestically, we are starting to build relationships specifically in the space related to AI ethics. We are building a LA a a a. A partnership for. Communities of interest with migration background or with with minority backgrounds. We are starting to reach out to members of Congress to establish deeper relationships there for the per, for the purpose of, of, of, of course starting to influence policy [00:45:00] and, and, and, and the regulatory process to a certain degree.

We have submitted comments, for example, on Nest AI risk management framework as well, so there's a lot of reach out happening there and, and, and, and we are in a membership drive. Right. We are open for business and we are attracting members and we are building out our threat intel platform. So those are our domestic priorities at this point.

Carla, did I miss anything? I'm sure I did. There's, there's no, that, that is, that, that is just a great roadmap of next steps. That was really impressive. Yeah, and we'll have links to all of this in the show notes, so please check this out. Carla, do you wanna speak before a as as we wrap up, do you wanna speak about the Silicon Valley think tank and the I.

And, and we will have links to that in the show notes. We encourage our listeners to get involved, right. To, to absolutely join the Think tank. Join some of these sessions. It's, it's open. You, you will, you will learn so much. I've, I, I don't get to attend as many as I want. I wish you had them every week I would [00:46:00] attend.

So they're really, really interesting. I, I come, I'm always blown away by the people in the room. I'm like, wow. Yeah. I'm like just the leaders. , every aspect you can think of are there. Yeah, I, I completely agree, David. I'm, I'm blown away by the quality of the people in the room. . I just cannot believe it.

It is just phenomenal. How somehow we've been able to aggregate such great minds. I'm totally humbled by that. Every time that we have a gathering, I learn a lot from the members. And yeah, I would welcome anybody who's a listener to join our think. There's I think the, there's no cost to joining.

Or if there is, it's totally negligible. And so it's, it's not a, it's we're a nonprofit. We're a California nonprofit, and it really is about gathering the best minds we can at every level. So it's not only leaders of industry and, and leaders of of in, in the political. We're, we're talking about also grassroots cybersecurity talent.

Everybody that shares an [00:47:00] interest in cybersecurity in AI and in wanting to make the world a better place should absolutely join us and and participates in the various activities that we have, ranging from the, the types of discussions that we've had today in this session to discussions that we have around the cybersecurity talent gap around AI ethics and, and ai.

Around you know, how AI is used in the recruitment process to to how AI could be used to create a better, stronger democracy in various countries. The topics are, are far reaching. We like to look well ahead. So although many of the activities that we do really relate to the world as we see it.

A lot of our work is really futuristic and it's looking at right how we want to see the world in 30, 40, 50 years time. And so we need everybody's you know, neurons and brain cells to come and help us forge a better planet. For Absolutely. Yep. And, and we, we encourage everybody, we will have special promotion [00:48:00] se segments on, on joining the think tank as well.

And we'll have links in the show notes. Carlo Michael, thank you so much. We hope that we can speak again soon. We really value your insight. Thank you for all that you do for our country, for the world, for the securing individuals. You know, when, when we get online, it's, it's individuals, it's our families that we wanna protect, and it's the organization's, brands that we serve at work, and, and just helping care about those.

It matters so much. And thank you guys for all you do. I'm so glad you guys are taking the lead. Like it's really, really, Makes us all feel, feel great about it. Well, thank you. Thank you so much. thank you for, Hey, well that's a wrap. Thank you for listening. Our next episode starts right now. Please be sure to subscribe to our YouTube channel.

It's free, and download the podcast episodes available everywhere you get podcasts. To support our show and get exclusive pre-release episodes [00:49:00] and bonus content, please subscribe to Cybercrime Junkies Prime Lincoln, the description and show notes, and thanks for being a cyber crime junkie.