TECH INTERRUPTION
AI on both sides of the firewall, DEF CON zero-day patches, and Q Day on the horizon
Tech Interruption is a high-energy video podcast series where tech enthusiasts engage in unscripted conversations on trending tech topics spiced up with surprise wildcard subjects.
In this episode of Tech Interruption, ECS operations ace Rachel Douglas and cybersecurity veteran Beau Houser pull from years supporting federal missions and enterprise programs to tackle the wild frontier of modern cybersecurity and AI. From “Q Day” panic and AI forensics, to DEF CON deep dives and nostalgic robots from our youth, tune in as Rachel and Beau serve up 10 minutes of insights and humor. Then, subscribe to get updates about upcoming episodes of Tech Interruption!
Rachel: Welcome to Tech Interruption, where we break up your day’s routine.
Beau: Join us as we discuss five industry disruptors in just ten minutes.
Rachel: It’s the ultimate tech talk challenge.
[3, 2, 1, Here we go!]
Rachel: I’m Rachel Douglas. I am the Director of Operations for our Federal, Civilian Cyberwork here at ECS.
Beau: And I’m Beau Houser. I’m a Cyber Director here at ECS.
Rachel: So when I first met you, I know you were on the… on the federal side, and I was on the corporate side. We’ve had a lot of cyber conversations over the years.
Beau: Oh, yeah.
Rachel: But I think today’s challenge is going to be staying within two minutes.
Beau: Yeah. I don’t know how we’re going to do that.
Rachel: You think you can do it?
Beau: …no.
Rachel: We’ll get there. We’ll do it. So, Beau, I know right now, with all of the AI being used by adversaries, we’re seeing a significant decrease in the amount of time it takes adversaries to find vulnerabilities and exploit them. From weeks just to find it… to now down to five days.
Beau: Yeah.
Rachel: Recently there was a DARPA study that actually found through competition, different types of AI that were able to create and be able to find the vulnerabilities and patch them. Did you see that?
Beau: Yeah, I did see it. It was fascinating. The competitors, they announced the winners at… DEF CON and the… They were in a controlled environment, and the competitors found up to 77% of the vulnerabilities that they knew about in this, in the controlled environment. And they were able to patch those vulnerabilities. And the timeframe was about 45 minutes. So it was really promising. But the thing that was most surprising was they found 18 zero-day vulnerabilities that no one knew about in the… in this test environment. And they were able to patch 11 of those. And so now they’re working with the vendors to say, “Hey! There are some zero-days here that we discovered.” So…
Rachel: That’s something that takes weeks and months with our current… with current, traditional structures.
Beau: Right. Vendors take weeks to figure out the patches and then release that. And then organizations have to go through their patching processes. It takes a long time. So, imagine AI leading the way and patching it. We know the bad guys are using it. And so this is an example of the good guys using it to keep up.
Rachel: Yeah, I was going to say it’s kind of scary because if we’re using it to find vulnerabilities, that also means that adversaries are using it to find those vulnerabilities themselves and to be able to exploit them that fast.
Beau: Right, right. And the other thing about the competition, the competitors were required to share all their code, open source. So you can get it. You can go to DARPA’s website. And you can get that code.
Rachel: That’s awesome.
Beau: So, Rachel, as a federal CISO, one of the things that I saw firsthand was just how difficult cybersecurity is all the time. You know, we know that technology is always flawed. We know that there’s no such thing as perfect protection. And we know that AI is going to help us. And one of the areas specifically that I’ve seen maturing is the role of a virtual SOC analyst using AI. The pressure on SOCs today and the alert fatigue that SOCs face is just… too high. And I think this virtual analyst is going to go a long way to relieve a lot of that pressure and allow the SOC analyst, the human SOC analyst, to focus on those serious alerts that they need to be focused on.
Rachel: Yeah, ’cause it’s terabytes a day. I think on the other side of it, though, we’re also seeing a lot more AI being used by adversaries, right?
Beau: Yeah.
Rachel: I mean, we have the usual, like we talked about, finding vulnerabilities, you know, very quickly. But then also AI is being used to create voices where you can create a voice to use for social engineering and use that in phishing attacks, not just… not just emails, but the voices of individuals.
Beau: Right.
Rachel: A recent study found that less than 1% of people were able to tell the difference between the real voice and the people they knew. They also have data injection. Right. We’re getting to data poisoning.
Beau: Yeah.
Rachel: Not only are we seeing AI being used against us, but we have to protect our own AI.
Beau: Yeah, I saw an attack recently. You know, adversaries know that vendors are adding AI to their tools… and even the security tools. And so one of the techniques that’s being used is the adversary is attempting to inject AI prompts to see what they can get back from the security tools.
Rachel: So putting your CISO hat back on, what would you want to see?
Beau: Well, I mean, it’s obvious that AI is going to play a key role across the spectrum. Adversaries are using it. So we got to keep up. So, you got to have your SOC analysts doing the investigations. You got to have your pen testing teams simulating attacks. You gotta have your threat hunters looking for bad stuff. And AI is going to accelerate all those fundamentals.
Rachel: Yeah, that’s how we work it together.
Beau: Yep.
Rachel: So Beau, today we talked a lot about AI and the future of AI, where we’re going with it. But looking backwards… Do you have anything that you can remember like from childhood of like where AI was versus like where we are today?
Beau: Oh, yeah. Absolutely. As a teenager, there was this show on TV. The actor was David Hasselhoff. He was so cool. He had this awesome car. The car did everything. He had conversations with the car. The car could come and get him wherever he was. He could summon the car with his cool watch. And the only thing I could think of at the time was, “Man! How many girls I could impress if I had that car?”
Rachel: Was it a Tesla?
Beau: No, it wasn’t a Tesla.
Rachel: Was it a Cybertruck??
Beau: It was a Trans Am. It was Knight Rider. It was so cool.
Rachel: When was this? When did this movie come out?
Beau: It was… in the 80s.
Rachel: Ohhhhh… So, the 1900s.
Beau: It was… uhh, yeah. [laughs in Gen X]
Beau: But they got it right. They got it right. So that’s, that… That was one of my favorite shows.
Rachel: I was thinking more along the lines of Jarvis and Iron Man, where Jarvis starts out, you know, it’s progressive. It starts out talking like a talking to your watch. You can ask Jarvis to do something. And then eventually moving to vulnerability detection within the suits like we do for cyber where they’re able to scan for issues and be able to fix them. And then eventually, running all of Stark Enterprises, you know, being able to run a whole business off of AI. I think we’re pretty close. I think it’s pretty similar.
Beau: But it’s not perfect. Jarvis got hacked. You remember that? That was tough for the Avengers.
Rachel: It did. They didn’t have a good cybersecurity team. Or it becomes The Jetsons and it starts vacuuming your house for you and buying your groceries for you. I think we have the robots now right there that can vacuum your house and your pool.
Beau: Yes… I love my robot.
Rachel: Still working on grocery delivery, but very close with the Amazon delivery trucks and the drones.
Beau: Amazon drones.
Rachel: There’s a lot of benefits to having it.
Beau: Well, yeah, it’s all good… unless it turns into The Terminator.
Rachel: So, welcome to Q-day, Beau.
Beau: Is it Q-day already??!
Rachel: Not yet, but it’s coming.
Beau: …oh. [reeling in quarkiness]
Rachel: Are you ready?
Beau: We’re getting ready.
Rachel: Yeah, I know it sounds like Y2K all over again.
Beau: Yeah, that was out of order. [guffaws in engineer]
Beau: You gotta explain what it is.
Rachel: Oh, I do. [tone of the redo]
Rachel: So, welcome to Q-day, Beau!
Beau: Is it Q-day already?
Rachel: Not yet, but we’re getting there. [smiles in cyber satisfaction] [back on track]
Rachel: So we know Q-day is the day that our current encryption will be able to be broken by quantum computers very quickly. Right? Our encryption that we use in our daily lives, in our work lives, from corporate information to banking information, government data…
Beau: …shopping
Rachel: Shopping. Yeah, I think that’s going to have a pretty profound impact.
Beau: Yeah, that doesn’t sound like a happy day. That sounds more like a…Quantum Apocalypse.
Rachel: It sounds like Y2K, right? All over again.
Beau: You know, those of us working Y2K, I felt like we saved the world.
Rachel: So what’s your plan here? How are we saving the world here?
Beau: Well, there’s a lot of work to do. I think NIST has some stuff.
Rachel: Yes, they have standards. They’ve updated their standards on it. They also have some quantum-resistant algorithms they’ve been putting out. We’ve been seeing those be piloted and tested and implemented at different places now.
Beau: The risk is real, and it’s here now. So, people have to really pay attention to this. What’s happening is that our adversaries are hoping that they can decrypt this information in the future. So they’re stealing the information now, encrypted. Right. So it’s secure now, but they’re hoping in the future it won’t be, once we get to Q-day. And so organizations have to prioritize their data based on that shelf-life value. Right? So if you have information that’s going to be valuable… valuable in the future, you’ve got to accelerate the transition to quantum-resistant algorithms.
Rachel: That sounds scary!
Beau: It IS scary. But there are a lot of factors that complicate it too. Because, you know, we have legacy systems, which are always a problem. There are all sorts of dependencies, you know, and downstream effects when you change things that are as fundamental as encryption. So there’s a lot of work to do.
Rachel: Yes. I’m glad we have a lot of smart people working on this problem, just like Y2K. [nervous laughter]
Beau: That’s right, that’s right.
Rachel: Beau… When we talk about cyber, one of the items that’s at the forefront of a lot of people’s minds is supply chain management, with the number of tools and relationships that we have with different companies. So we’ve talked about it from the relationship side for different vendors that we rely on, but then also from the software aspect, right? Of different… like Log4j, SolarWinds… Different software tools that we rely on.
Beau: A recent hack of a healthcare payer really brought the point about the relationships to the surface. No one expected the impacts that happened to the healthcare sector when this one healthcare payer was impacted by ransomware. The estimates that I saw rated it at $1 million a day of… of losses. And then the overall losses were in the billions, literally.
Rachel: And that’s the financial side. Right? It’s also healthcare. So you have patients’ lives that were impacted.
Beau: There were hundreds of…of millions of patients impacted by this. Think about the nation’s healthcare sector and a third of it being impacted by this one vendor. So, I think understanding the vendors that you rely on is critical. And I think this brings that to light. And also the risk that they may be introducing into your processes that you may not be aware of.
Rachel: This sounds like very… like needing a very strong supply chain management relationship plan, like how you manage relationships and how you track them. But on the software side, that seems like an even harder problem. I mean, we have code that has… from multiple different places, like how do we dissect that code and be able to trace that back to one vendor or one person?
Beau: Software vendors, they want to go to market as fast as possible. So they grab pieces and parts that are available from… from many sources. Many of them are open source. And so it’s really hard to manage. And then you end up with these invisible vulnerabilities within your system that you’re not even aware of. Luckily, modern software development practices really emphasize the need to account for this. And so they do things like SBOM, so you have a full inventory of your software, and you’re able to bring these things to the surface and manage it the way it needs to be.
Rachel: Sounds like the importance is that we plan for it though… It’s not an afterthought.
Beau: Absolutely!
Beau: Oh, look at that. Rachel, we are out of time.
Rachel: We did it. Two minutes.
Beau: Thanks for watching.
Rachel: Join us at ECS, where we have smart people doing cool things and having cool conversations.
Beau: Cool.
[laughter of cool people]
[3, 2, 1, Here we go…]
Rachel: We did the two minutes!!
Beau: Yeah!
[high-fives in dings, boinks, doinks, and pbbbbbth]
[sparkles in engineer]
Rachel: Be excited!
[boing, boing, boing]
Beau: This is the one topic that we really know!
[laughs in expertise]
[eeeeeee!]
[techs laugh after being (ironically) interrupted]
Beau: Stream of consciousness!
Rachel: …scary!!!!
[Jarvis apparently takes over]
Rachel: I follow the rules! I stopped!!
[defeated “Wah wah”]
[outtakes play]
If you want to work with ECS PROs, apply to one of our open positions today.