Podcast Transcript
Introduction:
You're listening to the RSA Conference podcast, where the world talks security.
Kacy Zurkus:
Hello, listeners. And welcome to this edition of our RSAC 365 podcast series. Thank you so much for tuning in. I'm your host, Kacy Zurkus, content strategist for the RSA Conference. And today, I'm joined by our guests, Jerone Jones and Alexiaa Jordan, who will be discussing the current threat landscape, how threats can be exploited and how to defend against these cyber threats.
Kacy Zurkus:
First, I want to remind our listeners that here at RSAC, we host podcasts twice a month, and I encourage you to subscribe, rate and review us on your preferred podcast app so that you can be notified when new tracks are posted. And now I'd like to ask Jerone and Alexiaa to take a moment to introduce themselves before we dive into today's topic. Jerone, why don't we start with you?
Jerone Jones:
Oh yes. My name is Jerone Joseph Jones. I am the CEO and founder of JustOne Solutions and JOS Tech, our brand new non-profit. And thank you for having me on today.
Kacy Zurkus:
Welcome, glad to have you. Alexiaa.
Alexiaa Jordan:
Hey, Kacy. It's good to be here and thank you for the invite. I love to blend emerging tech, international relations and security issues into my work. I come from a bio and national security background. I love outdoor activities. I love my friends. I love cooking. I love hosting. And professionally now, I get to analyze really hard tech problems for consulting firms and other organizations, trying to merge the government aspect and the security aspect of what our landscape is facing.
Kacy Zurkus:
Excellent. Well, I am thrilled to have you both here. And this month, we're talking about all things hackers and threats, and we've certainly heard a lot about potential threats to both the private sector and government agencies, particularly in our critical infrastructure. So this question is for both of you, but Alexiaa, let's start with you. Can you walk us through what you are seeing as trends in emerging tech and how they correspond to forthcoming threats?
Alexiaa Jordan:
I think that if you look up this question, you'll see various lists or similar hits on things. But I thought about this question and I wanted to give some of my favorite threats because there are so many. The first one I like to mention is the race to quantum computing and its forthcoming implications. I'm pretty sure your listeners have heard of quantum computing and everyone speculating about how great it'll be, increased analysis, problem solving, etc. But it's a dual use technology. So there are scary things that it could be used for like breaking encryption algorithms, and these encryption codes threaten our most regularly used cyber protocols across governments and sectors. I'd love to talk a little bit more about that towards the end.
Alexiaa Jordan:
The IoT market is another fun threat landscape. The internet of things is projected to increase to 18 billion by the end of the year. [inaudible 00:03:14], YouTube, GitHub, and all these other knowledge-based or code-hosting platforms teach learners how to quickly hack into these internet of things: cellphones, Amazon's Alexa, your refrigerator, all these types of things. And the fact that the code is readily available for script [inaudible 00:03:34] to practice and learn makes it even more accessible to hackers.
Alexiaa Jordan:
And the third thing I'd like to mention is ransomware. We all know that's like a household word now. A lot of different code is out there to practice ransomware on whomever one so chooses, as well as well-orchestrated and categorized organizations. Given all the news surrounding attacks on hospitals and critical infrastructure firms globally, we know it's a huge problem. Last year, there were more than 75% of attacks in Q2 of 2020, in the whole of 2029. There's a ton of ways that people are using ransomware to... Using employees or people or direct access to get access. So that's another thing.
Alexiaa Jordan:
And I think maybe two honorable mentions should go to AI-powered fiber and increased malware analysis.
Kacy Zurkus:
That's a lot. And it's funny that you mentioned quantum [crosstalk 00:04:34] because my husband and I were just actually talking about that at dinner the other night. And I was like, oh, so is that a cybersecurity risk because the algorithms can be decrypted or figured out so quickly? I'm probably not using the right language, but.
Alexiaa Jordan:
No, actually you are. What people are trying to figure out. Well, at least some people are trying to figure out. The quantum computing space is still in its research phase, still in its execution phase. Right now in terms of countries and organizations, China and the US, their private sectors are leading the way. And we are very far, oh, I shouldn't say very far, we are a nice way away from everyone having access to this type of technology. However, we used to think that, for example, it will take 20 million qubits in a quantum computer to break some of our harder encryptions. And right now I think China's leading the way on about 70-qubit quantum computers. I just don't think that by, I don't know, 2040, we're going to be that far away. And plenty of organizations, governments, embassies, etc., have secrets that need to be kept for more than 20 years. So what is going to be developed and what is going to be able to break in the next decade or two needs to be prepared for right now. So I would totally consider that a cyber threat.
Kacy Zurkus:
Yeah, yeah. Jerone anything to add there?
Jerone Jones:
Oh yeah. Most definitely. I guess I would go back just a little bit and talk a little bit more about our critical infrastructure. If we talk about something as recent as the Colonial Pipeline cyber attack and different things of that nature, I would go more into SCADA systems. When we're talking more of our electrical grid, our power plants, our infrastructure, we have to think about how these things were built many, many, many years ago, way before we had this advancement within information technology and cyber.
Jerone Jones:
So now going back and looking at these things that we deemed very critical, power plants, water treatment, etc., and being able to bring them up to date with some of our emerging threats and threat actors that we have currently. I think that's a huge undertaking in bringing down that threat landscape and making sure that it's still able to serve the purpose that it was built for, but then be able to be very resilient to a lot of the attacks that are emerging. So I would go back just a little bit to think about that because now critical infrastructure is becoming a big talk amongst government, etc., to make sure that it's cyber resilient, that we have people and support systems that are able to get it up to date.
Kacy Zurkus:
Yeah, it's definitely monopolizing headlines for sure, across the industry, because those threats are so relevant to national security. So Jerone, I want to look at this a little more and ask you how these threats can be exploited. Because if so much, if everything, is a threat landscape, that definitely makes it all the more challenging to track attack methods, and Whac-A-Mole is a really hard game to win. So can you share with our listeners what you're seeing as the latest TTP attack methods and tricks?
Jerone Jones:
One of the biggest things is making sure that with any system that we're implementing, we have a baseline that's based off of security. And sometimes it's hard because it's adding a cost, it's adding more processes, etc. Usually our defense system was, a lot of times, air-gapped systems, and that's just basically separating the physical target and its support systems, not having connection to the internet or the outside world. But now these days, that's almost impossible. So it's a lot of progress that's been made, whether it's been financially, etc., through different things such as AI and machine learning. And again, Lexi went into quantum-based and quantum-based cyber to make sure that we can defend and put together different systems to be able to defend against those types of attacks that are targeting those physical assets, as well as the digital assets.
Kacy Zurkus:
So Alexiaa, I want to talk about the role of public-private partnerships as it relates to stronger defense. How can governments better protect industry and citizens?
Alexiaa Jordan:
I think there's still a lot of work to do. Much like after 9/11 we saw the restructuring of our IC landscape to enable more information sharing, I would definitely say after the 2016 elections, we're seeing something similar. The federal government has been trying to prioritize sharing more meaningful threat information and security recommendations to help different organizations manage cyber risks. [inaudible 00:09:33], the FBI and the entire IC fleet, to one extent or another, have created these various programs, phone numbers, methods of outreach to the private sector and state and local governments. And while I don't purport to have the catch-all answers, I do think that the DOD to the FBI, Homeland and Congress should streamline the federal rules to reduce state government compliance costs, to really work on information and communication sharing.
Alexiaa Jordan:
And specifically I do want to talk to the broader defense industrial base. The government spends at least a third of our GDP on government and this trickles down to many nooks and crannies of the US. So I think what would be helpful is also solidifying clarity about CMMC rules and needs in the certification. Helping these small to mid-size contractors be safe and remain in compliance, which largely speaking will help keep our country safe.
Alexiaa Jordan:
For example, I remember meeting a woman who was a third-party or so contractor to the Air Force. And she's this small business out of Alabama that provides this one specific thing to the Air Force, again, small business, about 20 employees. And the government is trying to tell her like, "Hey, CMMC is a new thing. You need to have all of these procedures and security rules in place." And one, that's just hard for any small to medium-size business, which again makes up a large chunk of our defense industrial base. And two, if you're talking to any other small and medium-sized organization, maybe a locality of a state, there's just... The way that cyber threats work is all you need is an entry. All you need is one. All you need is... You know what I mean? So if we could just do, the federal government could do, a better job of helping streamline the process, reduce compliance costs, but also help these organizations that quite literally are not [inaudible 00:11:31], they're not [inaudible 00:11:32]. They don't have the $20 million budget to have an IT/OT synchronous system in place.
Kacy Zurkus:
Yeah. So one thing that I can take away from that that might be meaningful is the need for more security training.
Jerone Jones:
Correct.
Kacy Zurkus:
Jerone, can you talk a little bit about security training and what organizations should be doing to ensure that they have a strong security training program? Not only for their own organization, but as Alexiaa mentioned, these smaller businesses are part of the industrial complex, and so their relationship with their vendors and partners.
Jerone Jones:
Most definitely. I think the one thing that we have to note is that most cyber attacks are going to rely on some human form of interaction at some critical juncture to be able to exploit some type of system. So our weakest link, but then also our strongest link, is always going to be the person, it's going to be the human. Proactive cyber training, I think, is going to be the biggest help and uplift for the cyber community. And we partner with different vendors and different companies, whether it's Pearson [inaudible 00:12:55], to be able to give this type of cyber training based off certification. However, the need, especially within our government and military sectors, is going to be more proactive and more simulation. Whether it's a cyber range where you have an actual simulation of an attack and how do we deal with those types of attacks. What are our mitigation techniques? What is our incident response? What things are we getting from US-CERT every day and how do we respond to them in a proactive manner instead of a reactive manner?
Jerone Jones:
I think our biggest asset always is going to be the human workforce. Now, there's different ways technically to force a system. However, the education of an engineer and analyst, or even your desktop support, or even an assistant that's just working for an executive, that is security trained and security aware, can stop the beginning of a major cyber attack. So I think moving to a more proactive education based off of hands-on skills, meaning more simulations, more cyber ranges, etc., is what's going to lead our cyber community within our nation to become more cyber aware and make our systems stronger, by being more proactive. And different things that they implement within different parts of the military, different parts of the government, such as POAMs, plans of action and milestones.
Jerone Jones:
If we're having proactive meetings to say, if this happens, if we are a victim of ransomware, what is our first step in the incident response? And having this before it happens. A lot of times we do so much work that we don't stop to say, "okay, let's have a planning exercise" or "let's have a cyber exercise to go over something as if it happens". It's just like when you were going to school and everybody had to do a fire drill. We all have to line up in the hallway, hold your hand to your buddy and walk out to the specific areas to make yourself safe. I think the same thing, at some point, is going to have to happen in cyber and in cybersecurity in our nation.
Kacy Zurkus:
Absolutely.
Alexiaa Jordan:
Yeah. Kacy, if I can like build on that. Jerone made an excellent, excellent, excellent point about tabletop exercises and POAMs. But to add a super asterisk onto that, organizations need to invest in their security departments. A lot of what Jerone is saying that needs to happen is correct and smart. But you have organizations that want to let entry-level IT jobs go unfulfilled because they don't want to pay the talent. It's expensive, it's cumbersome, blah, blah, blah. I definitely just want to put that plug out there to pay professionals what they are supposed to be paid to ensure the security of their organization stays intact.
Kacy Zurkus:
Absolutely. Right. And it has to come from the top down.
Jerone Jones:
Most definitely. I think a great point that Mrs. Jordan made before is speaking towards a different program, such as CMC. I think if it's led by state, local and federal to start to help small businesses be able to pass their different audits and get to that level of securing CUI and different parts of data, I think that would help. Whether it's a subsidy, whether it's a grant, to be able to help those different organizations. Because a lot of times they're on the red line when it comes to budget. So if there's some type of help, some type of lift, to say, "okay, we're going to get your guys trained. We're going to help you pass your audits. Make sure that you, one, can compete against other businesses for these particular contracts or whatever have you. And also just to make sure that you're keeping your business running and that it's secure." I think that also could be a great help going forward.
Kacy Zurkus:
And I love that because it leads right into my next question. Because that is something that organizations can do to avoid being the next cyber attack victim. But what are some other steps that organizations can take to help strengthen their defenses and mitigate cyber attacks? Alexiaa, let's start with you.
Alexiaa Jordan:
As we have harped on, investing in talent across the board. I said across the board on purpose. Because a lot of people think that you need the PhD in quantum computing from MIT to ensure that you don't get whatever. Like you need this high level of formal education and you need to have all these degrees behind your name. And that's literally not true. You can get certifications and training while in college, while in community college or on your own while working. And those are just as valuable. Because we need people to staff the entire board. We need people to track logs. We need pen testers. We need program managers. We need the administrative folks that speak both the language of the organization, but also the language of the engineers and the technicians. So when I say across the board, I really do want organizations to not have a biased look at who they should hire because you can't have one type of mind to keep our country and our organizations safe. You definitely need a diversity of opinions and thought processes and education. So that's in the space of investing in talent.
Alexiaa Jordan:
I mentioned not letting entry-level IT jobs go unfulfilled. I'm not sure if you've seen this before, Kacy, but on social media, there's all of these IT, IS, information security or whatever groups, Instagram profiles, whatever. And they like to make jokes, but these jokes are very serious. If you go to LinkedIn or ZipRecruiter or any of these websites, they will ask for this high level of education and to be able to do all of these things and have five to 10 years of experience in the field for $15 an hour, or $20 an hour or something absolutely insane. So now companies are thinking they need all of this and they're only willing to pay this. And people simply aren't going for it, especially post-COVID or during our endemic state. There is a revolution happening in the workforce that I personally believe is beautiful. The power of employment is more so in the hands of the people now, and they're demanding what they need and what they want. So it's not just come here and make us safe. It is this mutual exchange of needs.
Alexiaa Jordan:
Cyber hygiene. Pay for the training, pay for black box tests, test your employees. Mr. Jones spoke about that earlier. The federal government has tried to make meaningful steps in this direction by enacting legislation that mandates different levels of reporting, cyber reporting, incident reporting, exercise programs. So I think that is a very, very important step. All of these things definitely need to become law. And I think that this isn't just necessary as a federal mandate. Because often those types of things, even if it's federal, they are shot to the larger organizations with more infrastructure. I think that this should definitely be a state-by-state implementation process as well. So just like every state has their own department of transportation, their own department of health and human services, states should look to what guidelines the federal government is coming out with and mimic those within the confines of their state and their bureaucracy to ensure that they are testing their own organizations, nonprofits, institutions, etc.
Alexiaa Jordan:
And to that point, just greater collaboration with security and government officials. Even if organizations... I know tons of small business owners, friends, sorority sisters, etc. that just think that they are a neutral party in this. They think that, "I sell jewelry on Facebook. Leave me alone. I have nothing to do with any of these cyber policies or whatnot." But the truth is that if you're online, then someone wants to attack you. It really doesn't matter what you do. More than 70% of our threat spaces are the private sector and small businesses. So I think that to avoid being the next cyber victim, everyone needs to put on their collaborative hat and put in the work to build a bridge between organizations and the government.
Kacy Zurkus:
I love that. Jerone, did you have anything to add there?
Jerone Jones:
I would say always resource inventory. And what I mean by that is, from a company standpoint, human resources as well as your hardware and your technical resources. Making sure, for the human resources, to start with training and awareness. Physical, logical, network and security, to make sure that they know where the safest parts of the building are, the same thing as knowing where the safest parts of the network or security are. Making sure that they understand why they have a complex password policy. Have simulations to show them how easy it is to hack a password that might be 8 characters or less.
Jerone Jones:
I think the education around those resources and showing them why they have to do a security awareness training every quarter and why they have to learn new parts of the building and where different network equipment is and why they have multifactor authentication. Giving them that education empowers them. And it empowers the actual resource to actually care about security.
Jerone Jones:
And I think the same thing happens when you speak of hardware and your networking and security tools. Looking to see when the last time it was pinched. What are the vulnerabilities out there? What are the teams or the vulnerability assessment teams? Do they have enough people for the hardware? And a lot of times it is resources. You don't have... You have one guy that might have a thousand servers. So something's going to... He's going to miss something. It comes with just being human. We all make mistakes. So making sure that person has the team, that we have the teams and we're filling the teams. As Mrs. Jordan spoke of those entry-level jobs, mid-range jobs, they could do a lot of the small tasks that might bring down your threat landscape or your attack landscape. Those little things. Making sure that you're doing an inventory of your resources, whether they're human, technical, logical, etc., and then putting around the different things that it needs to grow in security. And just to make sure that your company is safe.
Jerone Jones:
And again, being proactive, tabletop exercises, cyber simulations. I think that is needed. And I think the last part, that we really miss people on, and Mrs. Jordan talked about it a little bit, I think at some point we're going to have cyber in elementary schools and middle schools, etc. Kids are walking around with phones, tablets, laptops, they have cyber devices. So at this point, with math, science, reading, etc., you're going to have to put cyber in at some point. Because again, they can be victims of attacks, just like we can.
Kacy Zurkus:
Absolutely. Yeah. I actually just bought a book this morning by Zinet Kemal. She wrote 'Oh no... Hacked again!'. It's a children's book that has a companion coloring book to go along with it. So I just got that for my two daughters who are eight and 10 years old. So I agree with you. It's hugely important to get young kids speaking the language of cybersecurity and understanding what that is and how to protect themselves. And just awareness of the reality of the digital world that they live in, I think is so important.
Kacy Zurkus:
So before we wrap up, which by the way, this has been such a great conversation. I'm so happy that you were both able to join me today. And I would love it if, before we wrap up, either of you have any parting words of wisdom for our listeners?
Alexiaa Jordan:
Kacy, I just looked up 'Oh no... Hacked again!'. This is so cute! I love this.
Kacy Zurkus:
Right?!
Alexiaa Jordan:
This is adorable. Yeah. I want to second, third, fourth, what Jerone said. And you know what's also crazy, if you spend time on YouTube or you have kids to spend time on YouTube, these babies are the script [inaudible 00:25:25]. Now some have more access to intelligence and information than the others, which I do think is a problem that we should address. However, kids are actively trying to learn in this space just from what they see other kids doing on YouTube. So I love this and yeah, we should totally prioritize children's education.
Alexiaa Jordan:
But last words, I'm thinking about your listener base. And I hope that if I have not been overly annoying already in trying to speak to the business leaders about paying well and hiring well, I hope that they can re-listen to what I've said and hear how much me and Mr. Jones are trying to emphasize this. Humans, as he said, are the best and worst line of defense in our companies, in our country, across the world. And we just simply need to invest in them. And any excuse past this as to why we're not is foolery, it really is. We could talk about the new cool program, the new organizations on the FBI list. We can talk about the new code that hackers are coming out with and what criminal organizations are doing and how they're money laundering Bitcoin or what Treasury's [inaudible 00:26:42]. We can talk about all of the technicalities, but literally every drop of this has to do with humans, what they've learned and how they have learned to either shield themselves or protect themselves. So I think those are my parting words.
Jerone Jones:
I think mine is just a... It is very simple. It's proactive education, proactive community, proactive security. If we're able to educate the young within our different communities about cyber, about security, about IT, I think that we're going to lift our whole society with cyber. It's something that we use every day and I think if we're proactive about it and we're getting our resources out to everyone, especially through education, I think that it could do a great lift within our country. So proactive education, proactive community, proactive security.
Kacy Zurkus:
And I think those are the mission of RSA Conference, where our goal is education. And I am so appreciative of both Alexiaa and Jerone for being here to help us share your wisdom with our community. Thank you so much for joining us. Listeners, thank you for tuning in. To find products and solutions related to hackers and threats, we invite you to visit rsaconference.com/marketplace. Here, you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist with your specific needs. Please keep the conversation going on your social channels using the hashtag RSAC, and be sure to visit rsaconference.com for new content posted year round. Thanks so much to everyone.
Participants
Jerone Jones
Founder, JustOne Solutions, LLC
Alexiaa Jordan
Cyber Security Consultant, JustOne Solutions