When it comes to government actions on cybersecurity, there are definitely positives and negatives. If you’re hoping the government is going to step in and solve your problems for you, you’ll likely be disappointed; but the government can go a long way toward setting a solid baseline for cybersecurity, especially regarding critical infrastructure.
In the seventh episode of our Cybersecurity Awareness Month podcast series, we were joined by Thomas Pace, co-founder and CTO of NetRise. He talked about why supply chain attacks are soaring, how the government is taking some positive cyber steps and how Sandra Bullock is here to save us all. Listen to the full podcast here.
The following has been edited for clarity.
Gary Cohen: Cybersecurity Awareness Month generally highlights some key behaviors like multifactor authentication, strong passwords and recognizing phishing. What do you think people should be focusing on this month?
Thomas Pace: Yeah, I think those are always good elements. I think what’s important for something like Cybersecurity Awareness Month is oftentimes you’re catering to the lowest common denominator, for better or worse. Very rarely is Cybersecurity Awareness Month saying something like, “Here are the things you must do to reduce the likelihood of having lateral movement occur from a nation-state threat actor in your enterprise environment.” Right? That’s not what we’re talking about.
One of the elements that’s become much more front and center has been a lot of what’s happening around these supply chain attacks, which is really interesting. China has been responsible for a number of things that have happened recently. Now, the problem here, to frankly play devil’s advocate to the comment I’m giving, is that that is not a thing that every user can necessarily play a role in.
But if we’re talking from a corporation and enterprise perspective, what you see happening is attackers moving away from targeting traditional things such as phishing and spam email as spam protections have gotten just really, really good. It’s not to say that phishing isn’t still a big problem. Of course it is. It will be forever. But you see that attackers are beginning to pivot into different areas for them to penetrate organizations. Essentially, the attackers are shifting left also, so additional observability there is important. Things like MFA are just absolute requirements at this point, and using application-based multifactor authentication, not using text messaging as often as that’s possible. Things like that. Really, there’s so many very easy and free solutions for these things that there’s just no excuse at this point.
Cohen: What trends or developments in cybersecurity are you particularly excited about heading into 2024?
Pace: The supply chain stuff is interesting. I really like a lot of what’s happening from a federal government perspective, especially around CISA. Now, I’m not necessarily a big regulation guy, which I know maybe some people would be like, “Well, wouldn’t you want regulation? Wouldn’t that be a benefit to your business?” In some respects, absolutely. In other respects, that’s not the reason you want to be successful. Sure, we’ll close some deals and all that, but more specifically, the secure-by-design initiatives coming out of CISA and some of those things are really going to drive, in a positive direction, this idea that we have to go back and set some line in the sand around where the requirements are going to change and we’re going to adhere to these requirements. Things are going to now meet this new baseline; whatever the baseline is, whatever the timeframe is, are all TBD. We used to say in the Marine Corps, slow is smooth and smooth is fast. So you’ve got to take one step before you can take the next one.
I’m excited to see how that all pans out. And we have great relationships with these organizations, as well. We’re taking an active role as much as we possibly can. I’m typically not a big fan of public-private relationships, frankly. But I think CISA has done a really phenomenal job in just a number of ways. That’s like a breath of fresh air in many positive ways, in my opinion.
Cohen: I’m not going to lie to you. When I asked you that question, the last thing I expected you to say is, “I’m pretty happy with some of the government actions that are happening right now.”
Pace: Yeah. I mean, me too. If you would’ve asked me that 18 months ago or something — two years ago — that would’ve been an inconceivable answer for me. But having the relationship I’ve been fortunate enough to have with a number of the people at some of these organizations, they’re doing it, and they’re doing it for the right reasons.
Here’s what’s fascinating about some of this. Whenever you encounter a significant amount of friction, that is a good sign, in my opinion. That means you’re down the right road. If it was easy, it would’ve just been solved. It would’ve been addressed. Something would’ve happened already to address a particular problem or scenario or whatever it is. But as you, even with data, begin pushing down a particular road, and you are just assaulted with objections and lobbying groups — “This is going to be hard, and this is going to be expensive, and this is going to take too long” — aren’t those the exact problems we should be solving as an industry, and aren’t they the exact problems the federal government should be caring about solving on behalf of the American taxpayer? Of course, these are rhetorical questions. The answer to both of them is yes. So why I’m excited is you’re seeing the right people, the right strategy, all coming together here. That lends itself for me to have an optimistic attitude toward what’s happening.
Cohen: Going back into the memory banks here, can you share a memorable experience, something that sticks in your mind or a case from your career, that highlights the importance of cybersecurity?
Pace: There are a few elements in this story that I think are probably worth mentioning. I was working on a business email compromise case with a decent-sized, maybe a medium-sized financial institution. As was the case back then, they didn’t have multifactor authentication turned on for the people involved. Now, notice, I say for the people involved. As we started going down this road, you have a questionnaire at the beginning. It’s like, “Do you guys have MFA turned on, blah, blah, blah?” And they’re like, “Oh, yeah, we’re good.” And I was like, I’ve heard this before. So as we got into the case, what we figured out was, yeah, it was a policy that MFA had to be enabled for everybody, but who was it not enabled for? Two C-level people who just so happened to be the only people who could approve wires. So the very people that were the target of this attack were the very people that were incapable of preventing it because they were special. “I’m an executive, and I am so smart that I don’t need multifactor authentication.”
Cohen: “Nothing bad can happen to me. I’m important and powerful.”
Pace: That’s right. And the attackers definitely take that into account, right? They say, “Wait a minute, is he the CFO? OK, let’s not go after him because he’s important.” It’s such an insane mentality. I take that stance here at NetRise. The amount of things I have access to is so funny from a limited perspective. I don’t want access to our source code. For what? Let me tell everyone a secret: If I’m writing a source code at NetRise, things aren’t going good. You know what I mean? I do not need access to these things.
So I think that there’s really two stories there. No. 1: MFA is for everyone. No. 2: You actually approach it the other way. You don’t say, “Give it to everyone except the executives.” You start with the executives, and now you have the buy-in from on high, and now you can push it down and say, “Guys, I’m doing this. What makes you think you shouldn’t have to do it?” That’s just what a leader is. To me, there are a number of elements there that I think are worth spending some time with from a lessons-learned perspective.
Cohen: It’s such a logical thing. Obviously, the most important people with the most sensitive information probably should be taking some precautions.
Pace: Crown jewels assessment. Who and what, and where are the people, things and data that matter the most to this organization? If you as the CEO are determined to not be one of those things, maybe that shouldn’t be the job for you.
Cohen: There have been a bunch of major headline-grabbing cyberattacks in the last few years, whether it’s SolarWinds or JBS or the city of Atlanta or whichever. What have we learned from this most recent slate of major attacks?
Pace: All of the attacks you just laid out are either significant supply chain attacks or ransomware attacks. I think there are two lessons to learn here. Attackers are obviously financially incentivized. You really have two different motives here that you’re talking about. You have, in the case of SolarWinds, just massive espionage, frankly, which can lead to intellectual property disclosures and all this other fun stuff. From a ransomware perspective, you have this just really misaligned set of incentives from a monetary perspective. I have a pretty strong opinion on cyber insurance, frankly, that I think it has been one of the worst things that ever happened to cybersecurity. It’s basically given attackers a guaranteed paycheck, in many ways, where a lot of organizations would not or could not make the payments.
You can’t know this, right? Maybe someone has data out there that just totally proves that I’m an idiot, which is probably not that difficult to prove and can show, “Oh, no, this did make a meaningful impact.” That has just not been my experience. The attackers feel a lot worse — and I know this sounds like a crazy statement — if they know they’re not getting money from an insurance company. It’s just a totally different psychological impact on everybody. If you’re the end user, you’re like, “The insurance company’s going to pay for it.”
It just creates this set of circumstances that are not positive, in my opinion. It had some other downstream effects, too, around incident response and lowering the rates for everybody. Now you have people who were making $500 an hour on incident response engagements making $200 an hour, and you expect them to still do the same level of work and give up nights and weekends and holidays and all of that. Those people are just like, “How about no?” So now you have a group of people doing that work that are willing to take that much money, and we can just infer what that means on our own. I was one of those people. I was like, “I’m not going to keep doing this work. Why would I? I’m going to go do something else.”
I think the thing to learn really is that the attacker is always evolving, and things are always changing. Obviously, the method of infection vector has pretty much stayed the same forever: removable media, through a website, through email. Those are the three most common attack vectors. Now, that being said, as the defenses for those things have gone up, the level of effort for attackers has also had to go up. What that has indicated is, “OK, what are other attack vectors we can go after?” And that’s what I think points people toward the SolarWinds of the world and finding what is a common element of the organizations that I wish to compromise. Once that is determined, let’s go compromise that instead, because we compromise once, infect many. That’s just a much more attractive set of circumstances for obvious reasons.
Cohen: Definitely. Interesting though, the point you just made about insurance. I hadn’t thought about it that way, but insurance is insurance for the attacker, as well.
Pace: Yeah. I’m sure somebody could model this somehow. It would be really interesting to see if cyber insurance just didn’t come to be, and we could somehow model it saying — I don’t know, these are all made up numbers — 80% of all ransomware attacks that happened were just unable to be paid for one reason or another. Would we be where we are? It’s hard to imagine you would be, but maybe we would. I just don’t know. But to me, the incentives that has created have just been not positive. Now you look at all the talk that’s going on from insurance companies just in general with all the natural disasters happening across the country at the same time, and reinsurance costs and all that … it’s interesting.
Cohen: What emerging technologies do you see impacting the field of cybersecurity in the near future?
Pace: Obviously, everybody is all fired up about AI (artificial intelligence) and ML (machine learning), which is just a funny thing to me. This idea that this is a new phenomenon. I don’t get it. It’s not even an AI and ML phenomenon as much as it is a large language model phenomenon, right? I was at Cylance almost 10 years ago, who used AI and ML to do antivirus. There were other companies before that doing large-scale data analytics.
Things have obviously matured in a way that I don’t think really anybody was ready for from a large language model perspective. We’re using large language models at NetRise for a handful of things. You can realize really fast, “Wow, this would’ve been magnificently difficult to develop and create without a large language model that you can feed all of this input and get out results that are magnificently accurate.” So I think that’s a big one.
I think having the ability to find and make decisions is going to be incredibly automated in probably the not-too-distant future. This idea that we need tier one SOC (security operations center) analysts for much longer seems unlikely. There’s always going to be a need for humans in this space. That goes without saying, probably in my lifetime at least. Maybe not. If a robot can take my job, man, please do. Have fun at the board meetings. But I think that’s a big one.
The quantum stuff, I haven’t paid a ton of attention to it. I do find it fascinating and interesting, but more from a physics perspective than a computing perspective. You did see that NIST recently, I think, announced a handful of quantum cryptography-resilient algorithms that are being pushed out.
I just find that to be a difficult thing to even prove, right? It’s not like when we were doing this for AES-256. We could test it real easy. How hard is this? Once again, I’m speaking out about a thing I don’t know enough about, but everyone doesn’t have a quantum computer. That I’m sure of. Of that, I am fairly certain. Obviously, NIST probably does. How many even are there? That’s all pretty interesting because when that becomes a thing that everyone does have to care about, no one is going to be ready for it. No one. So, yeah, it’ll be fun.
Cohen: I’m going to ask you one dumb question to end this podcast. We debate this all the time: Are there any good cybersecurity movies and TV shows? What is your favorite movie or TV show that has something to do with cybersecurity, good or bad?
Pace: What was the show on USA that everybody loved? “Mr. Robot.” I couldn’t get into that show for some reason, and I don’t know why. It doesn’t even make sense that I wasn’t into it, but I just couldn’t. It just went off the rails too much for me at one point.
I guess this is what I would say: I loved the movie — and this is before I was in the Marine Corps still, so I didn’t know even 0.1% of what I know now — but I loved the movie “The Net.” I loved it, which is just a funny thing to say now.
Cohen: I remember that one.
Pace: And I love Sandra Bullock.
Cohen: Who doesn’t love Sandra Bullock?
Pace: What are we talking about here? Yeah. If Sandra Bullock can’t save you, who can? That’s my motto.
Cohen: I don’t know that there is a better way to end the podcast than our shared love of Sandra Bullock.
Pace: Hope you see this, Sandra.