Cyber Crime Junkies

Cyber Crime-Biggest Threat to Critical Infrastructure. Unmasking Top Cyber Threats Today To US Critical Infrastructure

August 17, 2024 Cyber Crime Junkies. Host David Mauro. Season 5 Episode 34

Panel discussion with international leaders part of the Silicon Valley Think Tank, Tortora Brayda AI & Cyber Institute Task Force. Find out and join the Think Tank: https://www.tortorabrayda.org/home

Chapters

  • 00:00 Introduction to the Challenges of Securing Critical Infrastructure
  • 03:11 Vulnerabilities and Weaknesses in Critical Infrastructure
  • 10:03 Challenges Faced by Small to Mid-Sized Critical Infrastructure Organizations
  • 17:05 The Impact of Ransomware Attacks on Critical Infrastructure
  • 27:25 The Role of Artificial Intelligence in Cyber Warfare
  • 36:15 The Interplay Between State Actors and Criminal Organizations
  • 43:34 The Challenges of Attribution and CTI Sharing
  • 44:45 The Power of AI and Threat Intelligence
  • 51:51 The Importance of Public-Private Partnerships
  • 01:00:52 Addressing the Challenges of Entry-Level Positions
  • 01:08:50 Prioritizing Cybersecurity Efforts Based on Risk
  • 01:14:22 The Need for Education and Awareness


Get peace of mind. Get Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com  
 
Imagine setting yourself apart from the competition because your organization is always secure, always available, and always ahead of the curve. That’s NetGain Technologies – your total one source for cybersecurity, IT support, and technology planning.

Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466.

A word from our Sponsor-Kiteworks. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal, secure file sharing platform made for every organization, and helpful to defense contractors.

Visit kiteworks.com to get started. 

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!






Topics: cyber crime-biggest threat to critical infrastructure, top cyber threats today to US critical infrastructure, critical infrastructure, IoT, OT, top cyber risks to critical infrastructure, cyber threats facing critical infrastructure, critical infrastructure in cyber security, cyber threats, vulnerabilities, threat landscape, state actors, criminal organizations, artificial intelligence, AI, cybersecurity, threat intelligence, public-private partnerships, human capital development, risk prioritization, education, awareness, understanding critical infrastructure in the US, defining critical infrastructure in the US, cyber risk and defining critical infrastructure in the US, critical infrastructure ransomware risk, ransomware risk, how ransomware can kill


Sound Bites

  •  "The chilling vulnerabilities of our power grids, transportation networks, and healthcare systems and OT devices, internet of things, right? Those things that aren't servers or PCs or no firewalls, the internet of things. They're clearly the weakest link."
  • "The small to medium-sized critical infrastructure sector is way different than, you know, like some small utility in Tennessee is not the same as a massive power provider, let's say PG&E in California, right?"
  • "Some of them are being attacked through social engineering, leveraging AI. And that's not even on their radar."
  • "The power of data processing with AI could really help."
  • "Threat intelligence data can alert organizations to potential attacks."
  • "We need to build useful AI-based tools that can help in defense."


On panel Moderator:

Michael Thiessmeier

Executive Director,

National Artificial Intelligence and Cybersecurity ISAO

 

Panelist:

Santiago Holley

Lead Analyst, Crypto ISAC & Task Force Co-Chair for Critical Infrastructure, The Tortora Brayda Institute

Panelist:

David Mauro

Vice President of Business Development, NetGain Technologies; council member of The Tortora Brayda Institute

And proud member of InfraGard

Panelist:

Christopher Hadnagy

CEO, Social-Engineer, LLC

Panelist:

Ernest Wohnig

CEO & Principal CIP Risk Advisor, Wohnig | Chaman Associates




Dino Mauro (00:07.158)
Hey, everyone, how you doing? So what do you think of when we say critical infrastructure, massive, electrical companies, power grids, spanning as far as the eye can see? Or do you picture what it really is? Your local water treatment plant, a sanitation department in your village, suburb or town, protected by maybe one or two overworked

understaffed and sometimes ill-prepared technology resources. Are governments really prepared for the cyber onslaught targeting the very backbone of a nation? Can our critical infrastructure withstand relentless threats? Welcome to Cyber Crime Junkies. I'm your host, David Mauro, and today we're going to do something a little different.

We're part of a Silicon Valley Think Tank, as many of you know, and we joined them for a live and colorful and really surprising panel discussion. As moderator, we had Michael Thiessmeier, Executive Director of the National Artificial Intelligence and Cybersecurity ISAO, that's I-S-A-O. On the panel was the colorful and brilliant Santiago Holley. He's a lead analyst for the Crypto

ISAC and task force co-chair for critical infrastructure with the think tank, the Tortora Brayda Institute, created by my good friend, Carlo Tortora Brayda. And I was on there because apparently they needed a clown to be present. I'm David Mauro. I'm the VP of Business Development at

NetGain Technologies, a fantastic MSP and MSSP. I'm also a council member of the Silicon Valley Think Tank, the Tortora Brayda Institute, and a proud member of InfraGard. On the panel also was Christopher Hadnagy, CEO of Social-Engineer LLC. He's a professional hacker, author of several of the books I've got on my bookshelf. We're also joined by Ernest Wohnig.

Dino Mauro (02:25.581)
And he's CEO and principal CIP risk advisor of Wohnig Chaman and Associates. So join us today. Listen to the end. I'm not just asking you that because I want you to pay attention, but the insight that these international leaders have, especially some of the ones that see things from a global scale, it's gonna surprise you. It's not what I was expecting. I learned a great deal. And I thought it was really good.

They uncover some of the things we talk about. The chilling, chilling is like the best adjective I can think of, the chilling vulnerabilities of our power grids, transportation networks and healthcare systems, where IoT and OT devices, internet of things, right? Those things that aren't servers or PCs or no firewalls, the internet of things. They're clearly the weakest link.

And as ransomware grows more lethal, threatening to bring industries to their knees, we explore how these attacks can do more than just disrupt business operations. They can kill. This is the story of the top cyber threats today to U.S. critical infrastructure.

Dino Mauro (04:12.791)
Hello, thank you for joining us today for our conversation on securing critical infrastructure. I'm going to be the moderator and your host today. My name is Michael Thiessmeier. I'm the executive director of the US National AI and Cybersecurity ISAO, a program of the Tortora Brayda Institute for Artificial Intelligence and Cybersecurity that focuses on critical infrastructure protection and cyber threat intelligence at the intersection of cybersecurity and artificial intelligence.

I'm also a VC, which means I have done the actual work in industry, and I am an executive advisor to the Cyber Eagle Project, a critical infrastructure protection project that is geared to, Mike, $25 billion in transactions, securing our critical infrastructure sector across NATO member countries and in the United States. Our topic today is the protection

of the very critical infrastructure that our societies rely on. That is not an easy or light conversation. Unless you have lived under a rock over the past two years, you are likely aware of the deluge of attacks that our critical infrastructure has been under, both from foreign nations as well as criminal organizations. Today, I'm joined by a fantastic panel

that will guide me, or guide you, through this conversation. I hope it will be a lively conversation. So let's start and give the panelists the opportunity to introduce themselves. David, why don't you introduce yourself to the audience? Thank you very much, Michael. Glad to be here. I've been involved in cybersecurity for around 24 years. I'm currently serving as vice president with NetGain Technologies.

And I also serve as creator of the Cybercrime Junkies podcast. I'm a member of the TBI think tank and a proud member of InfraGard, which is focused on helping the critical infrastructure. Thanks for having me.

Dino Mauro (06:18.893)
Thank you for being here. Chris, you're next in line. This is no particular order. It's just arranged based on how you're showing up on my screen. Good morning, everyone. My name is Chris Hadnagy. I'm the CEO and founder of Social-Engineer LLC, as well as the Innocent Lives Foundation. It's a nonprofit that works closely with the US government in order to geolocate people who traffic children and create child abuse material. I've been doing this, I don't know, boy, I feel old, since 2010 when I started this company.

And we focus just on the human element of security, and critical infrastructure is one of our main focuses. I'm also part of the TBI group here and really happy to be a part of that and doing some great work with these folks here. Thanks for having me today. Thank you for being here. Santiago, you're next in line. Hey, Michael, nice to see you again. My name is Santiago Holley. I have 15 years of experience and a 360-degree perspective

across the DoD, the IC, the FBI, Fortune 100 companies and startups, where we are focused on protecting critical infrastructure. I'm a proud member of the TBI, I'm the co-chair of the Critical Infrastructure Task Force, and happy to have a conversation on how we can move forward on protecting these critical assets. Thank you for being here. And last but certainly not least, Ernest, tell me. Thank you, Michael. Like everyone here, I have, let's just say, a significant number of years in the industry.

I've gone everywhere from information warfare with the Air Force as an intelligence officer through government and commercial space. I'm currently heading up Wohnig Chaman and Associates, starting up a small nonprofit institute myself in regards to emerging technology and AI and its impact on operational factors like what we're talking about here, as well as working with TBI on a number of issues. And then I basically,

you know, not to pound the chest too much, worked in the industry across government and commercial, a number of different activities over the years. You know, feel free to check out my LinkedIn if you're really interested in all that. What I would like to do is put a couple of stakes in the ground in terms of thesis in regards to CIP. I know, Michael, you have your questions, but also in terms of where I'm coming from in regards to all this, I tend to think that CIP has a, we have a high-low problem.

Dino Mauro (08:37.985)
By that I mean we have a high tech, low tech problem in terms of critical protection, in terms of IT, but also we have a more basic issue in terms of low, in terms of organizational structure scale. Because in a lot of cases, at least with clients and working in the industry with multinationals, they have money, government has money. A lot of cases it's the bids and smalls that are the ones that we're most concerned about. And then I would also like put one stake in the ground in terms of, I would like to hear about

from Vestal Group about what actually is critical infrastructure. The reason I say that is who knew CrowdStrike would turn out to be critical infrastructure six months ago? So I think some of us had a hint of that, but to turn out the way it did, I think is a factor. And then the final thing is in terms of I'd like to really talk about at some point the solution sets in regards to do we have too many helpers, too many chefs in the kitchen in terms of government and private partner.

cooperation. And the reason I bring that up is because colonial pipeline, for a prime example, where we had in the case of that system, not knowing where to go. So that's more of a process procedure issue. So anyway, I'll stop now. I just wanted to get all those out so people can start thinking about them because I really would like, I think that'll help a lot in terms of what people need to know from an operational standpoint.

Absolutely noted. And for the other panelists, maybe we can tie that into the conversation as we go along. I think what you brought up is 100% valid, right? First off, the small to medium-sized critical infrastructure sector is way different than, you know, like some small utility in Tennessee is not the same as a massive power provider, let's say PG&E in California, right? The other piece is the too many chefs. Absolutely.

And then my personal pet peeve is the definition of critical infrastructure because with supply chain attacks and everything around it, it seems this definition has to grow and grow and grow and grow and expand. And we're ending up again as like, okay, that's now all of society, but how's this workable? Because didn't we define critical infrastructure in first place to have a workable risk based scope set. So super interesting. Let's go back there.

Dino Mauro (10:59.885)
The first thing I would like to have, I would like to do, is I'd like to start with framing the challenge. So this means the first question that I'm going to ask you is one of these really big questions from a 40,000-foot view. The other ones will be more specific, but I kind of alluded to that. We're having certain problems at this point, right? The amount of attacks, scalability of our systems,

resourcing for certain as well. Maybe Santiago, let's start with you. Give me kind of like the 40,000-foot view of the state of infrastructure protection, the primary issues that we're seeing. Thanks, Mike. And I would actually start by saying, and my own definition of what's critical infrastructure is those things that we take for granted in the US, right?

Like we go and we turn the water and the water comes, we're not worried about the infrastructure behind it, right? We turn the electricity, electricity is there, we're not worried about that. It's these things that we take for granted that have just been left in one way not protected and built to sustain the 2024 cyber vector, right? All these technologies were designed 40, 50, 10 years ago, they never thought about how

they were going to be impacted by a cyber event. So how we can do that at scale, it's going to be very challenging. As you mentioned, the resources, only 16% of current infrastructure is the DIB. And the defense industrial base, they get all the law, they get all the resources. What about the other 84%, more water utility plants and systems that do not have any resources? That's probably going to be the biggest challenge that we need to address, is how we can help at scale

for the mid-market and the small folks. Absolutely. Ernest, do you want to expand on this? Yeah. And I definitely agree that the boundary issue is what concerns me because, and the cross-matrixing. For example, one of the things that when I was in the electric industry, for example, one of the big problems that you have there is electricity underpins so much.

Dino Mauro (13:21.837)
For electricity, if you have outages, part of the problem is that you need comms to reclay the outages. Well, if you don't have electricity, the comms don't work. Same thing with water. You know, the fact of what underpins, and I'm a little biased here because I've worked in industry predominantly, is energy and electric. But the fact is that we don't have a good definition anymore of what is the basic critical infrastructure.

and what mechanisms we determine, whether that's risk, whether that's prioritization based on say fundamental social support, how important it is to maintaining the veneer of society that we like to have, which is two or three days away from not having power and water, in terms of how we bring those things back up, in what order.

I don't know that I have a good answer for that. Like I said, I'm biased in that regard. But I think that if you're a CISO sitting somewhere, for example, let's talk about it from a multinational standpoint. If you're a CISO sitting somewhere, you're concerned about what makes revenue. And so you're concerned about ensuring that those things that are going to manufacturing, research production, whatever, are up and running. Those are the critical aspects.

And to a large extent, that then bleeds over to a national concern standpoint. Santiago mentioned the DOD aspect. My earlier days as an analyst at DOD, we were basically looking at, well, power, because you can't generate force, i.e. aircraft and or transport, without power, or you can't do it very well for moving things like the 82nd Airborne unless you have

100 power. If you don't, you have to go to other backup and it takes much longer. You're talking about weeks versus days. So I've talked myself into a circle here, but the fact is that, you know, no one has really, I would say within the last 10 years, done a good analysis across the nation in regards to what critical infrastructure is. And I think that survey or report or whatever is critical

Dino Mauro (15:47.543)
that it be done not in a silo, but across industrial complex, its national defense complex, the basic social services complex. We've been so concerned about the silos of this or that boundary that we haven't really looked at it from a matrix standpoint. So I'll stop talking now, otherwise I'll occupy way too much time. David, your view on this.

Yeah, I think what you just said was spot on personally. mean, defining critical infrastructure is not unlike other industries. In my opinion, there's the larger enterprise, the massive power grid organizations and infrastructure, right? But that's generally not what critical infrastructure is that everybody relates to. I mean, it's really the local water treatment plant, the local

facilities management organization. And so I think that is where it struggles, the industry struggles just like other industries in that small to mid tier market, right? And it has to do with resources, it has to do with capital, it has to do with aging infrastructure, all of those things. I mean, why it's so

critical because it's the foundation of other industries. When we think of critical infrastructure, it is the foundation. So I always look at it as if we were under a military attack, what would be needed now? And you can think healthcare, hospitals, government, some social services, law enforcement, transportation, electricity.

I mean, those to me are the main core components. And then from there, there's subsections and things like that. Some of the biggest risks that we have is raising the bar for those smaller critical infrastructure organizations. Because frankly, I mean, let's be candid here, right? Some of them are being attacked through social engineering, leveraging AI deepfakes, right? And that's not even on their radar.

Dino Mauro (18:11.405)
we're still trying to get them to have multifactor authentication, right? Like we're still trying to get them up to five, six years ago, what mid-tier and enterprise organizations were doing, right? And that's evidenced by, you know, 16 people meet the DIB standards. So that's my perspective on this.

Excellent point though. I recall a recent study that said that this was across industry, not just critical infrastructure, but it highlights the problem, which was that only 18% of companies that were surveyed in the study had the capacity to address 50% of the critical and high-ranked vulnerabilities within a justifiable timeframe, which was, I think, set to 30 days. 18%. Yeah. Right. That's not great. So Chris.

Your perspective. I think everyone answered it. So I'm going to just take a minute to tell a story that I think may solidify all the things that were said. Part of my job is I get hired to break into places to see if there's an attack that is possible. So we got hired by a small city's water plant to break in and see if we'd be able to poison the water. Of course, we don't actually do it, but we simulate. So while we were in there, we got

up to where their SCADA system was, their computer, that was running everything. And it was so old that they had some new technology that they needed to run. They needed to have a Wi-Fi card that was USB on it. But there was no USB on this computer. So what they had was a serial port that went to an adapter for an LPT-1 adapter that went to another type of adapter that went to another adapter that went to a USB. And later on, when I asked, because we took pictures of all this, why are you not upgrading this?

No one can figure out, like, if I have to take that offline, no one has water for a day. No one has water in the whole city for a day. So how do we upgrade this machine and not, you know, make everyone go dry for a day or two? And then what happens if, when we boot it back up, it doesn't work? And I'm like, but what if someone unplugged that USB, you know, or what if the serial port dies because of dust? And that's not a singular case. I've seen that so many times in the places that we work with.

Dino Mauro (20:33.579)
that technology that is there is so old. And why don't like David said, why don't they use MFA? They're not even there yet. not even there. They're not there. That's the problem. And the the threat actors know it. Right? Yeah. Yeah. This is not news to them. think this is where we're coming to the scale problem. Right. Another another couple of things that I want to like throw out as knowledge nuggets from industry perspective.

a ton of CISOs are so burned out that they're looking at switching into other industries. At the same time, one thing that I'm hearing that always devastates me when I'm hearing it is that young people that have entered our industry and have been in cybersecurity, I mean, have been in it for like two years are saying, I have no interest in rising to the top of my own vertical. Like, that is devastating. When I think about myself, like when I started this job,

I was like, of course I want to race to the top and become whatever the best is in this field, like in terms of like experience or like career level, right? Like when you're like young, you should have this like naivety in you still, but they're observing everything and they're just demotivated. And I think the scale issue flows directly into that. Santiago, I was going to ask a little bit about the threat landscape.

were the threat actors, the vectors that we're seeing, specifically the evolution thereof, targeting critical infrastructure, and those motivations. And I think there's a thing that flows into that, which is you're having one person sitting in that small water treatment facility that's supposed to be dealing with an entire unit of adversaries sitting somewhere in a nation state. Santiago, I would love you to start giving your perspective on that.

Yes, Mike. And one of the reasons I joined the task force is I see the threat happening closer and closer, right? We've seen Iranians compromising water facilities. We see the PRC with Volt Typhoon touching the perimeter. We have the Russians touching Canada and the Gulf of Mexico as well. In my mind, that's already in motion. We just need, we have not opened our eyes and realized that

Dino Mauro (22:59.145)
in my mind, we're already in a place that we need to act. And that's why I joined this task force to act now. Yes, tell me what other industry besides cyber do you have, like you mentioned, an IT manager, a system admin on a water facility in Pennsylvania that it's trying to fight someone on the other side that's actually an Iranian uniformed service member with a mission and the resources.

to cause malicious or catastrophic effects, right? That in my mind, it really blows my mind. If there was any of these adversaries were to come through any other means like air, space, land or sea, they would suffer immediate and catastrophic consequences. But is this whole freedom that they get in cyber that makes it really challenging?

Yeah, I'm just asking. Yeah, go ahead. I'm still is just we need to. Right, like we need to we need to do a lot more. I fully agree with you here, David. Yeah, my my question is when we think of the the industry of critical infrastructure, it seems to me that they are more reliant. Maybe equally as reliant as manufacturing, but on a lot of

IOT devices or OT devices too, right? And that is a major threat factor. that itself is a major vulnerability because the level of security placed on OT devices and things like that are by far even lower than the, I'm sure, big and tan box that Chris saw when he went there. Right, David. And I'm thinking about that.

Maybe one of the solutions, right? Maybe one of the opportunities here is as technologies develop, they're more, you know, software based, right? There's more digital components in digital grid products. Why do companies need to have two separate security teams? One for the enterprise and one for the product side. When the threat actor is pushing against both from the same office, right? So in one way,

Dino Mauro (25:19.765)
Marry those capabilities, right? Why you need to have separate, just have a holistic picture of the threat. Help divide the bridge between business and operations, the product side and the enterprise. The enemy doesn't care. They're sitting in the same office, the same room. One of them is building customized EOS malware while the other one is trying to break in the network.

Absolutely. Chris, talk to me a little bit about the evolution of threat actors. So it is, it's kind of scary because I've always said that in our industry, we are a reactive, not a proactive industry, and it's designed that way, right? So we wait for the threat actors to figure something out, and then we figure out how to defend against it. And what I've seen over just, if we want to just talk about the last 12 months, is a 550% increase in vishing attacks. So that's voice phishing, right?

David mentioned it, the deepfake AI stuff is everywhere. I mean, for $4, you can go make an audio deepfake. It takes no time and no talent anymore. It's not like it was two or three years ago where you had to have massive machines and talent. With ChatGPT, I was at a conference in Spain and there were a couple of federal agents from Japan there. And they were saying that when ChatGPT got launched, phishing went up hundreds of percent in Japan. And what they found out was that previous to ChatGPT,

Russia, which was their main adversary, didn't have really good translation into Japanese. So the phishing was a failure. But now with ChatGPT, perfect translation into Japanese, and the phishing went through the roof. And I want to add something to your comment, Michael, because I have the same thing. I teach as a professor at University of Arizona and I hear young people all the time say that, you know, I don't even know if I want to ever hit that level. And I had a chat with some of them. And the reason that they say that

is look at a CISO's job. I I feel for all of you folks who were CISOs before, you guys are given a budget that usually is not big enough, and then you're told, fix it and make sure we don't get hacked. And then if we do get hacked, you're the one getting chopped, right? You're the first guy going down. So who wants that job? All the pressure, not enough money, and then all the punishment when things go bad. And a lot of times when we work with clients, we'll come in and we'll say, okay, look, we found these eight vulnerabilities. This one is super critical. Here's what you need to do.

Dino Mauro (27:43.009)
We trust that they're gonna do it next year we come back and it's still there. We're like, hey, whoa, whoa, this is like mission critical. Like what are you talking about? And again, they're just like, I didn't have the budget for it. It wasn't important to the board. They said no. So you take all of that with the advancement of threat actors and the threat landscape and it feels, I don't wanna be such a downer, but it feels like a no -win situation if we don't do something to change it.

I share that view. It definitely feels like it. And this is why we, I think, need to find novel solutions and better ways of dealing with the situation that we're in, for certain. Going back real quick to the impact of, for example, ChatGPT or similar GenAI technologies and new vectors or new attack methods, right? We were talking about phishing. This brings me to you on this because of your background in information warfare, right?

I mean, info warfare, cyber warfare, some people were seeing it as a different thing. So, I mean, it's like two sides of the same medallion, right? And I would love to get your insights on this. Well, I used to talk about the acceleration of threat. And what I used to talk about in terms of that was, well, you have nation-state threat,

nation-state threat actor capabilities, first tier, if you will, and that the second tier, third tier, the individual hacker were four, five, six years behind in terms of capabilities. And then for the last couple of years, I've really rebalanced that in terms of, well, maybe it's a couple of years. AI brings us to a point where we're talking about weeks and months potentially, and in some cases,

based on access to the large language models, there may be cases where non -state actors, individuals with access to large scale computing are actually gonna be a, God forbid I say this, but ahead of the Fort, Fort Meade, on the NSA side in terms of the US capabilities. And that in itself should probably frighten all of us more than anything else. That's why I talk about that sort of low high issue.

Dino Mauro (30:02.049)
We have a basic issue in regards to we can't get people to do two factor authentication. But now we also have this high tech issue in terms of the capabilities of the adversary. And it doesn't need to be a state actor. It can be some guy sitting in Eastern Europe who goes online and basically somewhere in the dark web buys a vulnerability that someone has discovered via an AI analysis of a code set, ties it into, say, some sort of deep fake

capability or some sort of human vulnerability factor, manages to tie that all together for a thousand bucks, and suddenly you have something like the Colonial Pipeline issue times 10.


Dino Mauro (31:42.249)
because where basically you have a ransomware that locks down an entire, for our purposes, this critical infrastructure component. Who knew at the time that Colonial Pipeline was the critical infrastructure for the Southeast, but it was. So my concern is just the acceleration. I mean, military-wise, there's always this race between offense and defense. And cyber, we have that same side. I'm, my...

nightmare is that AI, what AI will enable others to do. My somewhat calming solution set is that AI will also provide some of the defensive capabilities that we need in the long run. DARPA, for example, is using AI right now to do code analysis. So for all of the literally billions of lines of code throughout the US government, that will be, you know, a game-changer, because that was one of the issues we always worried about when I was working with

Department of Energy, for example, because the concern was we didn't know where the code was coming from. Some of it was being developed in places we didn't like, but the fact is the supply chain was such that you couldn't tell and no one was gonna pay to have some poor engineer sit there for 10 years to go through, you know, how many millions of lines of code. AI will do it for us in an afternoon now or potentially. So the fact is that we are seeing a readjustment of that.

offensive versus defensive capability. And it's gonna be exciting. It's also gonna be scary as hell, to be quite honest. And for those individuals that, going back to the education piece, I really would like to talk more about that later. But I think that is one of the more exciting aspects because for the workforce, yes, they're overworked. Yes, the benefits often are not as, and my own story is in that regard, as what you would like. But...

The fact is that one of the biggest problems I had when I was the deputy CISO at a multinational energy company was that I couldn't offer the more interesting aspects of cyber. I mean, that would... CrowdStrike and others had the sort of the, that is where the talent's going. Well, maybe with AI, I might actually gain some of that back. Anyway, we can talk more about that, but that's kind of my impression in terms of the offensive versus defensive mix right now.

Dino Mauro (34:07.117)
I think when we're talking about information warfare, I do spend some time usually at NATO's STRATCOM Center, COE, which is in Riga, that deals a lot with info warfare. And what you can see there is also how GenAI kind of like has enabled the threat actors from a capability standpoint. And one thing that stands out to me as well that affects directly critical infrastructure protection is that our threat actors are using information warfare to undermine the trust, the public's trust,

in the capabilities of our public institutions, including the agencies that are supposed to protect us, to make us look basically incompetent and unable to deal with certain things. And then they don't start trusting our advisories anymore. So I think that is something that's happening. On the scale side, there's a story I would like to tell, and then I would like to get from David and Santiago kind of like their opinion as well.

I used to serve on the US national delegation to the Interstance Organization. And there was a one-time opportunity in 2018 where our summit was hosted in Wuhan, China, where their National Security Technology Center is, that is capable of, I forgot what the numbers were, graduating, I think, 60,000 operators per year. Now, when you mentioned this in 2018, people were like, okay, well, what's the quality? Well,

Now with GenAI in the mix, okay, even if the quality would be subpar, which I don't know, I can't judge that. But again, if you take that operator that might just be average or whatever, and you enhance their abilities with AI to do code analysis, vulnerability analysis, and everything else, then those 60,000 per year, that's a massive scale advantage right there. Santiago, David, David, anything like either of you want to add to this?

I, here's, from my perspective, it is a, it is a lopsided battle in the sense that while, let's say, monetarily driven Eastern bloc, you know, ransomware gangs are certainly targeting critical infrastructure, small to midsize, you know, utility companies, water treatment plants, et cetera,

Dino Mauro (36:32.085)
the, I believe, it seems to me anyway, that this industry, this vertical has more of a target from a nation state attack, which is what everybody's been talking about, right? And they are the most advanced, the most well-funded, the most researched and capable foes. And so you have a segment of a lot of countries, organizations that are behind

behind the trend, right? And that struggle to have a baseline security control set up and yet they're being targeted by some of the most advanced. Yeah, I remember sitting in the front row, maybe 12 feet away from FBI Director Wray when he made the announcement that if he was to grab all the FBI personnel and compare to China, they'd be outnumbered 50 to one, right? And that's just one of the adversaries.

Now, yes, Mike, I think AI is really a force multiplier for those that know how to leverage it correctly, 20, 30X output of what you put into it. Right. And so those 60,000 now times 20, that's 1.2 million equivalent. Right. And then, you know, having that, having that, you know, abundance of knowledge at your fingertips that allows you to do things, research things that you are not technically capable of.

That used to be reserved for the people that have been in that space for 20, 15 years. Now we take someone that's very ingenious, someone that has a distinctive mindset, and you can craft some pretty good queries out there. No, it's definitely challenging, but I believe we need to adopt that as well if we want to accelerate our security. All right. The last question or the last topic I want to touch upon as it relates to the threat landscape briefly

is the following. I think that Russia's illegal and brutal attack on Ukraine kind of has shown that there's an interplay between state actors and criminal organizations as well, because they offer their services for hire. And one thing that I started observing is that, of course, the criminal organizations started aligning themselves along the conflict lines. I would love to know whether anybody here on the panel is comfortable

Dino Mauro (38:58.605)
to speak a little bit about this, how this has played out over the last 12 months, 24 months, this interplay between state actor and criminal organization. I can start with that. Let me start real quick. Everybody that could have left Russia has left Russia already, right? Those that were unable to leave Russia, now they are working for the government. That's why it's not

that, we're gonna hire you to work for us, like, hey, now you have to support the state mission and the state mission is X, Y, and Z. And in one way, I'm optimistic that a lot of the, for example, custom ICS, destructive malware that we've seen being deployed in Ukraine has not accidentally or directly gone to Poland.

Dino Mauro (39:51.2)
Thank

I think we lost him. He was just getting wound up too. If I could interject a little bit on that. Go ahead. Somebody heard me what I was saying and they decided to jam my signal. Just to add a little color. The fact is to what Santiago was just saying.

The FSB and the GRU, the intelligence functions within Russia, both the government and the military, have used front groups of non-state actors, quote unquote, although in reality heavily funded by the state for the last 20 years or more, as a means of having an ability to sort of say, no, no, that's not us,

sort of hands off, if you will. So the fact that those actors are only gonna become more active in a situation like this is kind of expected, but it does make cybersecurity more difficult for us in the commercial side, because again, explaining to someone that pick a bear vulnerability capability.

advanced capability, persistent capability, and trying to explain that no, no, that's a nation state attacking me, not some hacker group sitting off somewhere, is an issue because it makes it more difficult for me to claim resources from, say, a state agent, from my own governmental agencies, for example. So it does definitely complicate both the operation from

Dino Mauro (41:47.917)
a state standpoint and from a critical infrastructure standpoint, as well as from a commercial operating entity standpoint. And if you add on to that something as simple as FraudGPT, I mean, we've all heard of that, 1800 euros a year. And you have access to a tool that can build your own viruses, make malware, actually go scan a website and find vulnerabilities in it, help write phish, send phish. I mean, what the threat actors have,

the most advanced tools, and in the places that I'm working, we don't have those advanced tools to help defend. So I'm, I agree with all of this. I think that we, we do need to use AI more to develop some of these more advanced tools to help defend against the exact same. It's like we're going into a modern war with knives, you know, and it's where we're going to lose. You know, you can't go into a gunfight with a knife. You're, you're going to lose. And that's what we're doing. Well, it's like an arms race, isn't it?

I mean, it really is when you think of AI and deep fake and how all of those are being leveraged in social engineering campaigns, it's remarkable how effective they are and how they're able to do things live, right? But the deep fake detection abilities for live capture and things aren't really where they need to be yet. So they will be soon, but they're just not there yet.

I think when we're talking about how this comes and relates to the current conflict that we're seeing and Russia specifically, I wish I had this graphic that I could bring up right now. I have this graphic that shows kind of all the aspects that come together for hybrid warfare, right? And what you see on there, cyber operations, special operations, and criminal actors or organizations are part of that diagram.

because it's one way, one entity that you can leverage or influence as you plan your operations. Now, when we talk about Eastern Europe, I actually get to spend a lot of time in Eastern Europe, about like usually half of the year, every year. And I'm doing that because I wanted to experience things directly on the ground. And I've got to be a little bit careful about what I'm going to divulge here. I'm going to keep it like to things that are publicly known in the city of Riga.

Dino Mauro (44:08.561)
Russia is acting through a variety of ways, through information warfare, through cyber warfare, but they're also going directly physical as well. We had a grenade attack on a bar where we had journalists. We have harassment of individuals that are happening from where they're targeting like people from the US or whatever, and they're harassing them. And this is not happening to random individuals, of course, right? Because...

Keep in mind, when we're talking about cyber threat and protection of critical infrastructure, one thing that we said is our threat actors do not care about borders at all. In answer to that, we have forward deployed individuals, we have people working in cyber capacity building, and our threat actors have even started to target those individuals to a certain degree. So what that then shows us is that we're basically dealing with a multi-spectrum, multi-dimensional strategy that is targeting our critical infrastructure sector,

and that we're dealing at the same time with this interplay between criminal organizations, useful idiots and state actors. Now, Santiago, yeah, it's, I think, actually really the term that is being used in the lectures. Santiago, attribution, how does this work when you're dealing with, I don't know, state actors,

criminals and useful idiots. How are we going to achieve that? Where are the boundaries there? Yeah, getting goosebumps. That's the $70,000 question, right? How can you distinguish if you have a state actor leveraging a commercial access broker to get a foothold in an organization? Unless it's really customized malware, then you have 100% accuracy that it's them.

We need to do a lot more work when it comes to CTI sharing. We need to be more able to not just wait for a government to publish a report that's 12 months old. We need to be able to connect all the European CERTs, all the ISAOs, all the ISACs to share that information. And that's probably going to be the only way we can really accelerate the actionability of some of these data. Yeah, attribution, good luck. Unless you are an expert on NetFlow data,

Dino Mauro (46:31.393)
then it's gonna take you a while to figure that out.

Anybody else want to say anything about that? I will just, in support of what Santiago just said, add the fact that even when you're able to establish the fact of who did it, let's be honest, by the time you do that, in most cases, it's too late, especially in anything resembling an actual operational theater.

And even if then you're getting the useful idiot, which doesn't know much or whatever, if it was something like that, and the actual actors are not in a country that will cooperate with you, because why would they hand over their own operational assets? That wouldn't make much sense. Okay, so we described the threat landscape, the general challenges. Now I do have a couple of questions from the audience, and I think we can kind of like mix them together.

We talked about how artificial intelligence enables scale on the attacker side. Obviously, it must be doing something for us in the defense as well. Maybe if anybody wants to take this and just talk a little bit about how we can leverage this better.

Yeah, I think I can jump on that a little bit. Right now, there's a lot of tools that are being developed that are trying to analyze data. I think Santiago or Ernest mentioned this, giving millions of records and now it can just do it in a matter of moments. Data processing, the power of data processing with AI could really help. And then what Santiago said about CTI sharing, there are dark web forums that are being scraped every day

Dino Mauro (48:20.609)
by companies that use AI that could alert you to your industry, your piece of critical infrastructure being targeted by threat actors. It might not say this company or this state or this critical infrastructure is what's being attacked, but when they start selling credentials, credential brokers on the dark web will start saying, I have credentials for a water plant somewhere in America worth this much. And that's a time when anyone that's in a water plant should be like, my God, we got to...

that might be us, right? So I think leveraging the threat intelligence is something that we need to do more of, making it easier for folks that don't have access to this, to be able to afford it and to use it. And then also working on, and this is a hard one because getting funding for this, I know personally, is not easy, but trying to fund and build really useful AI-based tools that can help in the defense

and protection of the organizations. And I could just add to what Chris was just saying. I had, a couple few years ago, one client who actually was a state CISO and left. I won't mention the state, but the problem, in his mind, which I believe is true, was that he had a budget of two million dollars for a state. Okay, so

part of the issue obviously is that I think we have a concept of funding issue in terms of organizations, at least in that regard. And this is probably going to be a little less popular, or a little more controversial. I am basically, I do not think that the federal government is spending money where it needs to. We have way too many organizations that are shocking, again, siloed all over the place. Okay, I'm sorry, but...

I don't really need to have a bunch of people from CISA going off to Black Hat this year. Okay, one or two, fine. But for the amount of money for that trip, we probably could have funded a firewall upgrade for X, Y, or Z agency across a state. Those are the kind of things that I think we're not necessarily spending money in the right place. And I think that's something we definitely need to take a look at

Dino Mauro (50:46.365)
as a country. I think this goes down to prioritization and resource allocation, right? Which then brings us to a question from the audience, which was vulnerabilities and data centers, right? So going back to what I said, which is vulnerabilities, basically companies, organizations have a very low capacity to actually address all of the vulnerabilities they have. I would imagine that with artificial intelligence, we'll be in a position where we can actually contextualize the risk

of a vulnerability better and understand better what the actual risk of a specific vulnerability is in a complex environment like a data center. Santiago, like anything you want to talk about this, or anybody else? I'd like to follow what Ernest said. I think there's a, we have a resource allocation problem, right? And I think the challenge of that is we have 10,000 security vendors out there with billions of dollars in marketing, very good at bringing people's fears and hopes.

Right? So a lot of these folks were trying to boil the ocean when in reality they need to have a, you know, diagnosis on the risk. And based on that risk, prioritize your budget and stack against that. You do not need to boil the ocean. Many companies might have a hundred thousand vulnerabilities in their database. They will never get to all of them. Identify the 4 or 5% of the critical cascading ones. Put your resources there. Right? In a way, this will make your budget stretch. So instead of putting two million as a blanket,

you get two million. You know, those two million can be worth a lot more if you can reduce the risk. That's what I think we need to educate more on. And if I can add one thing to what Santiago said, using threat intelligence data to do exactly what he just said. Right. Because you're like, again, as a CISO, you're sitting there. Where do I spend this budget so I don't get my head chopped? Threat intelligence data will tell you where threat actors are pointing their targets at now. And that's where you spend your money.

Like, you know, again, something that's probably going to get me in trouble. When Okta was getting blown out of the water, why were there still companies who were not out there updating Okta? Right. And then we see Change Healthcare. Right. But it's like when you see it in the news, if you have Okta in your network, you should have been like, my God, I've got to... everything else goes to the second tier. Patch that now. Right. And if we can get that mindset, I think we could have a fighting chance. Well, and if I may just add one thing to that.

Dino Mauro (53:14.795)
When you think about the threat intel that you were just talking about, the organizations that are providing the dark web scraping, right? If they know that a certain type of water treatment plant, they may not know the exact location, but if you know these types of water treatment plants have credentials that are for sale on the dark web. Currently, today, nobody in the water treatment plant knows that, right? But if they could see that,

then they could at least as a matter of principle, like go and change all of the credentials today, like go and submit or move that initiative up rather than make it every six months or every annual or every quarter, right? Like knowing that can make them be a little bit more proactive.

Dino Mauro (54:03.341)
Absolutely. The last 10 minutes, I would love to speak a little bit about public private partnership. I think this was a topic that was brought up or a theme multiple times during this conversation. And I want to wrap around to that a little bit. And I'm going to be careful here because I don't want to plug our information or organization too much. But we went in and basically bootstrapped a public private partnership. That was

incredibly difficult to do. We started it in, I think it was 2018, right? Government support was incredibly difficult to obtain. And we've had to do it all by ourselves. And now we're an organization that talks to NATO, talks to the United Nations, talks to various US government entities, sits on various committees, Congress, Science and Technology committee, talks to White House OSTP,

and so on and so on and so on, but it was incredibly painful as a journey. Right? And if I look at some of our adversaries, obviously, it is that in our adversaries' autocratic, authoritarian nations, aligning public and private industry is a lot easier, right? Because I can go in and say, do this, and if the answer is no, I will either point you to the closest balcony or to the closest work camp. And that's the end of the conversation. Believe me, right?

That's all it will take and you will say, I have a family. Yeah, I'm going to do exactly what it is. But that's not this experience. Yeah, go ahead. No, Mike is spot on, man. I was last week, not Black Hat, I was the first half. The second half was the Crypto Simulsion sponsored by the FBI in Austin. Right. When I was a panelist, the number one question everybody asked me from the public side of the house, right, is what's an ISAC?

I'm like, they do not know what an ISAC is, right? We need to do a lot more educating both ways, right? On the public side, on what capabilities, mechanisms exist already to share information and bridge that divide between the public and the private side. I can almost say with 100% certainty that nobody wants to receive a phone call from the FBI saying you have a big notification, right?

Dino Mauro (56:29.035)
Probably you would be more receptive to answer the phone call from one of the ISACs letting you know, hey, we have this product information, go ahead and help, right? Breaking some of these silos and the friction that exists between public and private. And at the same time, educate private on what capabilities, services the government has to offer. For example, the NSA CCC just opened up older services for small and medium government contractors, right?

Now, what are those services? A lot of people don't know, for example, secure DNS. There's a lot of capabilities that are out there. In one way, it feels like we need to have like a page, like a front page on a website that says, if you need this help, talk to this agency. If you want to do this, talk to these guys. If you're looking for this, you talk to that. There's no single source of truth on capabilities

and partnerships that we already have access to. You also have a one-pager, like the yellow pages, on simplified.

Yeah, I would agree with that. There's an ISAO standards organization, but even that, it doesn't really help you define yourself as an ISAO or help you with the outreach to .gov or anything related. Anybody else would like to comment on public-private partnership?

Dino Mauro (57:57.597)
Yeah, I see it. I kind of don't have anything new, so I don't really want to just reiterate. I think I agree with everything Ernest and Santiago said. I mean, it's a really good way of thinking about it. Education is really important. Yeah, I think one thing that we discovered as well at the NAOCI was that initially we started looking at threat intel, right? But to get access to threat intel, you have to be someone and you already have to have certain connections.

So we actually had to start a different way, which was with cyber diplomacy and cyber capacity building, which are just as crucially important if you're saying you want to support the national security of a country and help with the critical infrastructure sector. That then gave us the relationships to actually go and start having closer conversations with certain DOD or IC entities to a certain degree, right? So that's as well. I don't think there's a good framework necessarily. And nobody, I think, really owns this.

Supposedly it's under CISA, if I'm correct, but I'm not 100% sure. Santiago, you want to say? Yeah, no, no, no. You're right. I try to stay positive on everything that I say, especially when I'm public. So what I'm going to say might not be very positive. I'm not quite happy with the approach that the government has recently mandated everybody in critical infrastructure to report. Executivity within the next amount of days.

In my mind, whenever we implement the stick approach, companies, industries do the bare minimum, right? We should open the door to offer incentives, offer, you know, exploration of ideas, innovative solutions, creative solving. And unless there's a, maybe meet in the middle, right? Maybe it's not the carrot, maybe it's not the stick, maybe something in between. I think that would really help industry come together and innovate, not just work based on compliance and regulations.

Yeah, to follow up on what Santiago just said, as an example, CMMC in the DoD environment, where basically now we're expecting, you know, every mom and pop who is in the supply chain to meet a very, I won't say difficult, but definitely a higher level of security than they've been used to, which in itself would not be a bad thing, except for the fact that, as both, I think, Chris and Santiago just mentioned, there's not a good incentive structure

Dino Mauro (01:00:26.221)
or a way of recomp, you know, of compensation for the dollars that are going to be associated with that. The electrical sector has this issue, has had this issue for 20 years now, because you have to go to the rate payer, you have to go to the, to the, to the board and ask for a change to the actual rate payer rate in order to fund a lot of the cybersecurity efforts for the electric sector.

And large companies have been able to do that. A lot of it because they've taken a lot of it out of, out of hide, so to speak. Smaller companies, rural co-ops and so forth have a much harder time. Same thing. Like I said, in these DOD environments with the CMMC compliance requirements now, which is going to be interesting over the next few years as, as the hammer comes down on that. I would also add, speaking of ISAOs and ISACs, the energy sector ISAC, I think I've worked with them a few times. It does a very good job, but again,

budgeting issues in regards to their ability to support the industry. And quite honestly, again, I'm not going to be very popular with CISA, but the fact is I would divert a fair amount of budgetary amount from certain aspects of CISA directly into the ISACs and the ISAOs, because the bang for the buck with a public-private partnership is much higher than some of these other programs, let's just say.

So now that I've shot myself with ever working with CISA again, I'll turn it back over to you, Michael. Well, I mean, budget definitely is always an issue, right? This is a uniform issue that you can find in many different places. For us, it's a constant issue as well. We were very fortunate that based on who was involved in founding the ISAO, everybody

had a stable and secure background, we could basically self-fund it, but that's very unique, right? You had like a bunch of people from Silicon Valley and a bunch of like very, very well experienced people from the government sector coming together. That was kind of like a match made in heaven, which I think is also why we were able to grow so much on our end, but other organizations, I really, really feel for them. And now you're bringing CMMC into the loop, right? And with that, we're now looking again at this small-to-medium-size

Dino Mauro (01:02:45.421)
critical infrastructure sector and a lot of people might find themselves accidentally in that position. That is so, so difficult. So one of the things then that we started looking into was, it's this project called CyberEagle, right? Where we're going in and we're saying like, okay, can we address this issue? So we're having...

increasing regulatory requirements and standards being pushed onto organizations that can defend themselves. And we did like this analysis that came up with, I think across NATO and the US, there's 1 million companies that fit into this bucket. 1 million. Oh my god, think about, go back to your government times and think about the mission scope here. That is absurd. And why does this matter for the US, that there are other countries? Because all of these organizations work with each other.

All these companies are working with each other and there's information flow happening, which of course the threat actors will exploit if it is of their advantage to them. So we decide, okay, so we did this analysis and we went in and came up with, okay, there's 1 million companies. And now it came to leveraging an AI to analyze the vulnerabilities, making them aware of them and then find good vendors and good, well, federal funding.

identify federal or state-level funding, existing funding, to help them pay and address this. But this is super, super difficult to do. So I know that some of us are all involved in this project. Let's just take the pieces of this and talk about the challenges in pulling something like this off. Let's talk just about the aspect of going in and creating a data lake of vulnerabilities of a bunch of critical infrastructure organizations.

Who wants to take this? Like maybe you, Santiago? Is that a... And I think, I think we do not need a silver bullet, right? We do not need something sexy. We need to do the work that nobody wants to do, right? Like, like cyber resiliency, for example, like do these organizations have an IR playbook, right? How quickly can they get back online?

Dino Mauro (01:05:01.367)
Do they have the basic standards? Do they identify the risk and where they need to allocate their resources? Before anybody recommends a solution, they need to identify first what the problem is. You're not going to go to the doctor and the doctor is going to recommend you something that you do not need, right? There needs to be a prescription or a diagnosis. So being able to provide organizations a quick diagnosis on where the highest risk is, then

Go ahead, it's up to you to decide which way you want to go, but at least you have identified where you need to apply your security budget. As much as I would like to build something sexy. Yeah. I think the work to be done is the basic resiliency practices. For example, do your team members know how to respond? People are great at answering questions and interviews and crafting resumes, but...

Do they really know how to do hands-on-keyboard when it's needed? Do some trainings tailored specifically to your industry. Help you understand what's a PLC, how can I see movement in a PLC? Anything that you can do to reduce the time for you to get back online, I think that that's multiplicative compared to deploying a solution.

Yeah, I mean, when I talk to clients now, from an advisory standpoint, my background's in risk management to a high degree. That's, you know, first of all, know what you got, obviously, and that's still an issue, believe it or not, for some of the smaller organizations. The low-hanging fruit, as we say: risk assessment, audit, inventory of your assets,

two-factor authentication on everything that goes into the network, encryption, if you can, of everything at rest and in transit. And then finally, contingency planning, and then train your workforce. I mean, those are all sort of the low-hanging fruit. The nice thing is, looking at the technology aspect, AI is going to help with a lot of those because it helps with the process pieces. So like we talked about.

Dino Mauro (01:07:12.919)
Someone's gonna come along and it's gonna say, okay, we can now certify that your software is secure because the AI has run through everything. Yeah, as secure as can be, or far more than it was when we had Joe in the back room trying to go through two million lines of code. You're gonna have some sort of algorithm-empowered capability sitting on your network that both knows what's there and will know what's crossing it from a behavioral standpoint. Those capabilities are out there, they're gonna get cheaper. The access capability.

The nice thing that we're talking, TBI is already talking about this, is post-quantum encryption. NIST just released their quantum-resistant, let's put it that way, standards, FIPS, I can't remember the numbers anyway, just today or yesterday. So all these things are going to get better. We painted a very dark picture, so I'm trying to give people hope. These things will get better. Technology will help us.

For example, electric sector, there was a guy who did co-intelligence who sent out a tweet on social, talking about, sorry, on social media, talking about the fact that for an analysis of NERC's requirements for a sector, there was an analyst who basically used ChatGPT to assist with that. And basically the analysis that would have taken

weeks in the past was done in basically a couple of days. So just the ability to use AI to reduce the work footprint associated with some of these more, to be honest, mundane or painful processes is going to allow us to then shift resources to the places where we need them. So those are some of the more hopeful aspects, I think, in the long

Yeah, I think actually, I was trying to find it, but I think DARPA just announced that they're holding a contest or competition for AI-based analysis of critical infrastructure vulnerabilities, which is $2 million that they are offering for that, if I remember. I wish I could find it. Right now, here we go. Just one second. Working off screen. Yeah, it is DARPA.

Dino Mauro (01:09:33.293)
is giving seven teams $2 million to hone tools for scrutinizing the open source code that underpins, like, banks and water systems. So yes, it's bleak, but there are things being done. And it's, again, on the one hand, we like to say, like, AI has been around for a long while already, because to everybody else, it's like it just came to happen in the last four years. Realistically, 1950s or even way, like the, what's it?

or whatever it was called, like way beyond if you just talk about counting machines, this kind of stuff. But still, cybersecurity and AI in the overall picture is a young industry, right? This hasn't been around for hundreds of hundreds of years in its current form. And I think what we're seeing is partially the growing pains of that as well. We're trying to figure out, given the speed of innovation and development, how to use this and do all of this actually in modern societies

without coming at everyone with draconian measures. But again, from our audience, the question then is, we have to figure it out, and it seems to be this giant elephant. And we know this metaphor, you eat an elephant piece by piece. Where do we start? The basics? Okay, the basics, we just said this. But still, even if we talk about the basics, we are just finding another elephant hidden in the first elephant, right? Because then this goes back to...

Bob, the IT admin that is sitting in a hidden closet somewhere, responsible for everything. Maybe I'm going to make a, I'm going to say something. I want people to expand on this. Maybe the basic thing, the first step is to have conversations like this with people coming from a different background, to raise awareness and push this messaging, the awareness of where we are to the right stakeholders. Is it as simple as that?

first step. I think it is, actually, because I don't think that it's happening enough right now. I mean, there's so many conflicting agendas and motivations. And I think that that's where it needs to begin. And I think when we talk about, especially if we get into the smaller-size organizations in critical infrastructure, there's going to need to be a lot of handholding in tying

Dino Mauro (01:12:00.311)
potential funding to the needs, right? Like, there's gonna need... because there again, they're not even at a baseline right now. And so there's gonna need to be kind of... what Santiago and Ernest were talking about is understanding, diagnosing properly, and that's exactly right. And then when that happens, what will happen, right? Will they do it? Will they get the funding needed

to do it, or will they just push it off another year? And so there's going to need to be some triage there. And I think, you know, when I go out and I do, let's say, security awareness training and I say a word like, how many of you experienced smishing? I can't tell you, till now, this day and age, some people go, who, what is that? I don't know what that is. Right. So when you say things like vishing, I'd never heard that term, right. So how can they defend against something that they don't even know exists?

So I think your point, Michael, is really accurate, is that it is vital for us to start right. This is the basics. Like, get people like all these folks that have joined us today to come in and ask these really hard questions. You know, like, where do I start? That's an amazing question, in my opinion. Someone coming in here and saying, OK, I'm hearing you. This sounds like impossible. Where do I start? That kind of thought process is going to help that person achieve what he needs to achieve to be secure. But we have to start with the basic conversations first.

Right, and those conversations are both internal and external. How do you eat an elephant? You get help. So from an internal organizational standpoint, when I talk to a CISO at a small and mid-sized company, the first thing I ask is, okay, when was the last time you talked to the CFO or the CEO or even your own CIO? Because if the only time you talk to the CEO or the COO is when, you know, the network just collapsed because of, you know, some sort of a compromise or an attack.

That's not the conversation. That's not the lead conversation you want to have. And a lot of times part of our issue from a human capital standpoint for CISOs is how we grow up CISOs. CISOs tend to grow up from the technical side. We don't grow up on the business side so much. We don't have the chops as a group in terms of executive leadership development that a lot of our peers in those other functional areas get.

Dino Mauro (01:14:22.337)
That's one of the things we really need to work on from a human capital standpoint. The other side to this in terms of getting help, in terms of eating the elephant: managed service providers. If you're a small business, Bill shouldn't be handling your cybersecurity by himself in the closet. You should have some sort of managed service provider. And quite honestly, in terms of your IT, your CIO shouldn't really be a technical guy. Well, he should be a technical guy

in terms of chops, but he really shouldn't be doing technical work. He should be managing a managed service provider and basically going, okay, you're my workforce, you're my guys. You've got the, you know, now I only get Bill part-time, you know, three hours out of the day, but he's now been trained and capable and has the experience that I can't afford to provide on my own. So those are the kinds of things we need to be thinking about and that the

The guys sitting in the trenches need to be thinking about, we need to help.

I have a hundred percent the same view of this as a VC. So when I walk into a shop and I talk to them, the first thing is, look, I can get you tools. I can build your processes. I can get you those tools at a big discount from some kind of aggregator. But the expectation has to be there: there need to be people that work and live in those tools. And my.

My intuition tells me these can't be full-time employees, because otherwise you would already have them or we could do this easily. So you have to get an MSSP, an MDR, whatever it is, it doesn't matter, but you have to have external help in order to do that. And then people are not familiar with this still, like even now in the current time. So if I go in and I'm like, what's the difference between an MSSP and an MDR? Like, where is this? Like, they have no idea what an MDR is, for example. I've never heard this.

Dino Mauro (01:16:20.683)
What are the advantages of one versus the other? And that goes back to human capital development. That goes back to education. And I think there's a term that we use when we talk about the global south or the less developed world: cyber capacity building. We have cyber capacity building to do for ourselves in our own nation. Like, we act as if everybody is so literate, as if we have this high level of digital literacy. We don't.

I can only imagine what would happen if the public would know that there are entire cities, it doesn't need to be like smaller cities with, like, whatever, like 80,000, 100,000 population, where it is Bill in the closet who is responsible for ensuring you get your water and who is fighting against, I don't know, the GRU, whoever else you want to put in there, and is left to his own devices.

That's incredible. Santiago, human capital development. I think you brought this part up. I would love to hear what else you have to say about this. Yeah, human capital development, not just on the technical skills, but on the communication skills, collaboration, the soft things that are needed to work better. One of the best parts of working in Fortune 100 was being a member of all these ISACs.

And the analogy that I'm going to use here is the reason the British defeated the Germans was radar technology, right? But the Germans had way more advanced radar technology than the British did. But what the British did is they connected all of their radars and then they had a bigger picture, right? We need to be able to do that across companies, across industries, with the government. We need to leverage each one of these as a sensor.

and be able to utilize the resources and capabilities that the big players have to help protect the ones that do not have the budget to start a security engineering or a threat intelligence program. In one way, broadcast the bad signal for everybody to jump on it. Honestly, in my mind, I think we need a, probably... When there was polio, there was a huge vaccine campaign to take care of polio. Now there's no more polio.

Dino Mauro (01:18:39.241)
I feel like an effort like that for educating people and companies on cyber is needed. It's probably going to be maybe a whole-of-government effort at this point. And it's across industries, not just across infrastructure, where they really partner with industry to break that silence between public and private. But I don't think there's a unified vision from the highest levels on how to do this.

And without a good vision and core values and strategies, it's irrelevant. That's just me. If I had a magic wand, that's what I would like to do. Interesting that you brought this up. I think, like in 2016, for the first time, I was talking about this civil cyber defense thing, right? Because I was like, hmm. On the one hand, we're saying not everybody needs to be a cyber person. All right. Yeah. No. Okay. I understand. Not everybody needs to be a cyber expert. Technology should be built so that people can use it. But

In so many other critical areas, we expect everyone to have a base level of knowledge and training so that they are allowed to do their job, their profession, on a daily basis. I wonder, given that, first of all, I want to know whether you agree with that. Number one, we are under attack. Critical infrastructure is under attack. Are we all on board with this? Yes. So we are under attack. So if this was a different

a different dimension. If this was a different spectrum, it would be, if this was kinetic, we would be like, okay, here are things. We would have public messaging to our citizens: this is what you can do, how you can prepare, how you can protect yourself and all these kinds of things. To a certain degree, this is happening, but I think we need to be more formalized here. So, do people agree with me here?

Dino Mauro (01:20:31.403)
I agree. Yeah. Okay, so then who would drive this? It's a whole-of-government effort. I agree. It's a giant challenge. I've seen some Eastern European countries start tying cybersecurity concepts into, I think it was as early as, like, elementary school, the first levels, with storytelling.

Like basic things, right? Like, you wouldn't talk to a stranger. Okay, so why would you do X, Y, Z? Like, basic. Then you start building up on this. I think this is crucial. Yeah, then one of the challenges is that there's no entry-level jobs in cybersecurity, right? It's like, let me go join the LA police department and I'm going to go patrolling the next day. No.

There's a whole training program that you've got to go through to understand the skills that you actually need to be on the streets. Right. We need to have that, exactly like you mentioned, that baseline. As a hiring manager, I would much rather hire someone that knows how to use Splunk, Elastic, that understands Windows logs, than someone with a four-year degree that doesn't understand, you know, that part. Right. So how can we probably address these challenges? A lot more

OJT, mentorship opportunities to be sponsored by anybody and everybody. To, hey, let you ride along, you know, like the police departments across the nation. They do that: hey, you wanna ride along? Ride-along program, come right along, now you learn more about it. We can figure out a way to do that on cyber. I think that will enable people to get the skills that are actually in need. That's my sense. I'll jump in on this one because I have a lot of very deep,

passionate feelings about this because I agree with Santiago 100%. I mean, you see entry-level cybersecurity, must have five years' experience. Right. And a CISSP. And at what entry level does that ever occur? Right. So when I got asked to become a professor of social engineering at the University of Arizona, I said, I'll do it under only one condition. And that is if I can have a practical hands-on class. And they're like, what does that look like? I'm like, I want to partner

Dino Mauro (01:22:44.193)
with a company or a government agency that wants free cybersecurity training. What that means is they're going to give me all your employees and we're going to attack the heck out of them. We're going to OSINT them. We're going to phish them. We're going to vish them. And my students are going to do all that work under my guidance. And then they're going to write a report that's going to go to the CISO. So we partnered with the government of Sierra Vista. They give us all of their employees, and my students get to leave university having actually done the work and having written a report.

Right. So they did it, and they did it ethically and morally. And then they had to write a report and make a presentation video for the CISO. Now, if someone comes into my company and says, I have this experience. Okay, great. You interest me now. But if you come and say, look, I got a four-year degree in computer security. And then you say, well, can you at least tell me, you know, anything that you have done? What's your experience? Do you do threat hunting? Right. Right. Right. I read a book.

Do you know who LockBitSupp is? Right? I ask them exactly, like, something that is relevant. So I agree. Experience, certifications, people who take part in CTFs. Those are the things that excite me about the people coming into this industry, because they're going to come in with actual experience. But I also agree with what you were saying, Michael, a lot of countries do this. They start their kids in tech very early, and we're starting them in high school now.

I mean, that's just not good enough. We have to go earlier. Yeah. Let me be devil's advocate here for a second. Okay. Because I think I want to expand on this, because I want the audience to understand why we are saying certain things. So first of all, I agree with all.

Not the adversary, but the devil's advocate hat on. There are a lot of people in our industry that say that when you say that cyber is not entry level, that you're gatekeeping, that that's not true, that cyber absolutely can be an entry-level profession. For me, I always looked at that as, like, well, if you're in a massive company that has a three-tier SOC and whatnot,

Dino Mauro (01:24:51.767)
then maybe with, like, the tools or whatever and AI-assisted. Yeah, you can take, like, a green person and then they're basically a log wrangler, and they will also be replaced by AI most likely in the next three years, but whatever. But I would like you to challenge me and say, why is this not an entry-level profession? Beyond just, like, okay, experience, but what makes it so different than, let's say, just being an IT support person or, like...

You said it, Michael, we're under attack. We're in a war. So it's kind of like Santiago's example. You wouldn't just say, I want to become a cop, and the next day, without any training, they hand you a gun and put you on the street. You wouldn't do that if you went to war. You say, okay, I want to be a soldier. You go through boot camp, you go through lots of training. You go through all of that. They don't just say, okay, here's your gun, and send you over to the desert. It doesn't work that way. So we're bringing these guys and gals into the industry where they're going to be attacked

by some of the most advanced threat actors on the planet the second they're hired. And what's their training? A 20-minute CBT on phishing, right? Well, exactly. And looking at it from the opposite end of, if you will, the pipeline, the fact is, for example, my son, there's actually a cybersecurity requirement, there's a technology requirement, which he'll meet with a cybersecurity class, to

graduate from high school now. There's beginning, you know, people beginning to look at this. I said, I've sat on a number of different working groups and advisory boards. I've taught at Thomas Edison University in terms of cybersecurity at the undergrad and graduate level. And so there's a bunch of different programs available, if you will. But there's no consistency. The programs are

in a lot of cases funded on a temporary basis. There's not a long-term vision or strategy in terms of how you're going to build this cyber workforce, first of all. The second part, I think, which goes to what Chris was talking about in terms of, you know, war and risk. 20 years ago, as an example, I had a client who we used to talk about, he was running within government, his program ran the

Dino Mauro (01:27:17.549)
Ready, color, P.

I can't remember the exact name. Basically, he was responsible for ensuring fuel oil in the event of an emergency on the Northeast coast of the US, back when fuel oil was a big issue for New England. And basically, his response when I told him, your system's got this problem, this problem, this problem, because my team says you're not doing this, this, or this, his response to me at that point was, OK, we'll just go back to using fax machines. OK.

20 years ago, aging myself, that was the answer. Sounds like a visionary. Exactly. Well, he was a nice guy; visionary was not in his title. But more importantly, bringing it to today, name me a business that can operate if their IT infrastructure ceases to operate. Correct. Almost zero.

Whether it's critical infrastructure like we're talking about here, or airlines, as Delta found out with their issues, more so than anyone else, with CrowdStrike, or something as basic as the fact is freight transport in the US or the rail system. We haven't talked about logistics really, or transport really. The rail system in the US is highly automated now. We laid a lot of fiber-optic cable in the

80s and 90s and basically centralized everything. So I don't think you can give me a major company or a major organization, including manufacturing even, where if you took out, tore out the IT infrastructure or bricked it for several days, for example, you would not have a major impact or bankruptcy. Yeah. And you're now putting that on Bill,

Dino Mauro (01:29:12.109)
who, like Santiago was just saying, just graduated from college somewhere, and saying, okay, by the way, if you screw this up, the company's doomed. Are we really wondering why no one wants to take that responsibility? Especially in regards to Gen Z, because that's who we're really putting this on now. Yeah. Just real quick, just simplifying this down, it seems to me that the industry has

one of several, but there's a couple of branding issues that cybersecurity has. One is you have all the vendors that are like, buy this box, you will be secure, right? That's not real. And then you also have the people trying to get into it, not really knowing what it is and saying, I want to go into cybersecurity. Well, that's like saying I want to go into business, right? Like, it is as broad. Like, red teaming, blue teaming, social engineering. Like, what is it? Because

once somebody knows where they want to generally wind up, I'm more of a red team or I'm more of a blue team, right, or more of a GRC person, policy person, like, then they need to take the advice from mentors. They need to ask, how do I get there? And then go do it, right? One of the challenges that I always have with mentoring people, or that

people have said that have been mentors that get frustrated, is people ask what they're supposed to do. And then we go tell them and we never hear from them again. Right? Like, they need to literally go do the pushups and go do the work and get the certs or do whatever is needed, depending on where you want to wind up. But until, you know, just coming out of school, going, I'm going to be in cybersecurity. Like, okay. Like, that's right. Like, I mean, like the jungle, right.

Welcome to the jungle. It's part of the problem that our education institutions, our higher ed institutions have. And that is, you know, the career guidance needs to be pretty, you know, customized for them. They need to ask a few more questions to really point them in the direction, because then it's not that hard to get it. There's clearly a need on the other side from the employer's end to have people, but you can't just say, you know,

Dino Mauro (01:31:35.551)
I want to be in business, and then we're going to put you in charge of the nuclear reactor business, right? Because that's essentially what this is, right? Like, this has to be something that is balanced. So sorry, I didn't mean to make it so long-winded. But I think that broadness is going back to why it is not a good entry-level profession. Because going back to what we're having,

Bob and Bill are the only two resources with the task of protecting the organization. Let's transfer this to the military. If I have a regular army, okay, everybody's a rifleman, but then I have my specialists. I have my marksmen, my automatic riflemen, my grenadier, my whatever, right? Okay, but what if I only have a team of seven dudes? We call that special forces, right? And those seven dudes are all expected to be able to do every

job that exists in that larger organization. They all need to be able to be grenadiers, medics, and whatever. Yeah, there's like depth of specialization, but the expectation is that they can do all of these jobs. And is special forces an entry-level position? No. I just go directly to the recruitment office and say, dude, I'm going to be a green beret. Yeah, I want to be a green beret, by tomorrow. Can I be one tomorrow? Like, every sailor is a firefighter, right? Right.

It's those core things that you need, those baselines. And the biggest difference here, and I think we can probably use an idea from the Department of Defense that is very powerful, there's something called the commander's intent, right? The commander's intent at the highest level, let's say it could be a general, says, my commander's intent is go take over that area. The intent is that everybody below them understands that that's the objective.

They're not going to tell you how to go, right? If you need to go to the right field, the left field, whatever, to take it, everybody's going in the same commander's intent. And I feel like sometimes even organizations internally, they're not under the same CISO intent, right? Security intent. It's some of that vision that really needs to be redeveloped, you know, have an identity that we're firefighters. Probably the last thing I wanted to say.

Dino Mauro (01:33:56.461)
Yeah, and I have to wrap the conversation up right now. We only have 20 seconds left. So I would love to continue this conversation, because I think there's a lot of knowledge in the room and a lot of things that we still need to discuss. But I would like to wrap this up. Thank you so much, everybody. Thanks to the panel and thanks to our audience. I hope this was informative for the audience, and go connect with us on LinkedIn.

and go find out more about the organizations that have brought you this podcast. Thank you. Well, that wraps this up. Thank you for joining us. We hope you enjoyed our episode. The next one is coming right up. We appreciate you making this an award-winning podcast and downloading on Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies,

and we thank you for watching.