Too much of cybersecurity response is just triage. When an attack hits your systems, you respond to that attack, but little forethought has gone into incident response beforehand. Given the expanding threat environment, it’s essential to consider cybersecurity before you become a victim, especially when it comes to critical infrastructure.
In the 12th and final episode of our 2023 Cybersecurity Awareness Month podcast series, we were joined by Madison Horn, CEO of Critical Fault and Oklahoma Congressional candidate (OK-05). She discussed the need to move from reactive to proactive cybersecurity, the value of the shared responsibility model and the rise of quantum computing.
The following has been edited for clarity.
Gary Cohen: October is Cybersecurity Awareness Month. We’re always highlighting some key behaviors, like multifactor authentication, strong passwords, recognizing phishing and updating software. What do you think people should be focusing on this month?
Madison Horn: I’ve been doing talks recently and talking about how we’re seeing the industry move from more reactive security to proactive security. While I love the fact that you listed a couple of things, whether that be phishing or multifactor authentication, then I want to get folks out of the trees and look above them and really think about areas that perhaps they’re not thinking about proactive security measures, whether that be in supply chain or third-party risk management.
In the industry, there was a while that we would walk the RSA floor or Black Hat, and everything said “detection and response” or “real-time monitoring.” All those things are fantastic, especially from someone who is in the incident response space. We have to have the monitoring pieces, but I think the lack of education and the lack of the maturity in this space when everyone was buying some type of EDR, and then there was the misconception that that is not a level of protection, and so I think we have to continue to focus on proactive security measures.
Tyler Wall: What trends or developments in cybersecurity are you particularly excited for heading into 2024?
Horn: Heading into 2024, there was so much chatter — no pun intended — around ChatGPT and what it was going to do to cyberspace and what it meant for artificial intelligence (AI), but I’m really curious what we’re going to see within quantum computing. What does post-quantum encryption look like? When I think about quantum computing, I always think about “Tron” and when they’re in the streets and you see the red — I’m a nerd — the red and the blue lights in the streets. That’s what I picture as quantum computing. I’m looking forward to seeing what developments come out, at least in the commercial space, and then what new attacks we’re going to see.
Of course, obviously, ransomware is becoming more and more prevalent. I think this current administration has done a really great job of getting more and more engaged. I saw more folks in the three-letter agencies at DEF CON than I ever have in my life. I don’t know if that’s terrifying or a good thing, but I’m going to lean on the good side. Looking to see more how we’re going to move forward in the policy space, and within AI, are we going to talk about values? Are we going to talk about privacy? Are we going to talk more about copyright infringement? That’s kind of where I’m curious about.
Cohen: We’re not asking you to name names here, but can you share a memorable experience or a case from your career that really highlighted for you the importance of cybersecurity?
Horn: It was very early on in my career, and so maybe it was because I was still in “ooh” and “ahh” of the cyber field. It was still when we were calling it security. I’ve always worked within the critical infrastructure space to some degree, and we were doing an assessment on a training center, and that’s all I knew. It was, like, four hours away in a rural area, and the entire drive I’m like, “OK, cool, this is a training center.” We get closer, and I start seeing this smokestack, and I’m like, “Oh, that’s kind of cool.” We’re getting closer, and it’s getting bigger, and I realized that we’re doing an assessment on a training center for a nuclear power facility. I was like, “OK, I’ve seen Chernobyl. Are we safe? I guess we’re safe.”
After we did our assessment, then we were able to do a small tour, of course, not entirely through the facility, but we got close enough that you could literally feel the vibration from the amount of energy that was being produced. It was really this humbling experience of understanding the power and the magnitude, but it also kind of highlighted and underscored the importance of what we do in the critical infrastructure space and what we’re protecting, and the mass destruction that really could come following an attack. It was a moment of humility, responsibility and, like, “Crap, why am I so close to this damn thing?”
Wall: There have been plenty of cyberattacks recently, from attacks on critical infrastructure to mom-and-pop shops to unspoken attacks. What have we learned from these major attacks?
Horn: There are a number of things. I think that we’ve realized that there really is this joint responsibility model. Let’s just keep it in the critical infrastructure space, so let’s talk about our PG&Es, our Southern Companys, our Dukes. They have obviously a responsibility, but so do those vendors, and then so do the three-letter agencies, nonprofits, that help do information sharing. I’ll give one example to make this a little bit more crystal clear of what I’m talking about. Recently, with the Cyber Trust Mark coming out, that’s actually the requirement for vendors to ensure that not out of the box — it’s password 2023 or summer 2023, whatever the most generic thing that can possibly come out of the box — that it’s actually something that’s enumerated and that every single port communicates with everything, so that we ensure that these devices can actually be managed, as we’re throwing hundreds of Internet of Things (IoT) devices out in the field.
It’s just that shared responsibility model, that we all can secure our part of that entire value chain. I think that’s been phenomenal, and I’ve appreciated the policy pushes in this area. The fact that we have to look at our third-party vendors and understand what we are connected to, what are the downstream impacts? I always talk about dark thinking. I do this with my hat, like almost as if you’re putting a hat on and it’s injected into your brain like, “OK, now I’m in this place where I’m just going to talk about the worst things that can possibly happen.” So, just understanding what your risks are, understanding impact.
Cohen: Especially when you’re talking about being at a nuclear facility. Data security is obviously important. If a company like Target gets hacked and loses a lot of credit cards, there’s reputational damage. There’s all kinds of bad stuff that happens. The stuff that really scares me is this proliferation of IoT, more things being connected. Suddenly, OT and ICS are connected. If you’re talking about the energy grid or nuclear power or the Stuxnets of the world, that’s where things can get really scary.
Horn: Oh, absolutely. There are not many things that keep me up at night. I feel like that’s always the question: “What keeps you up at night?” And I’m like, “Nothing. I’m exhausted at the end of the day.” But it certainly is something that we’ve been predicting, a widespread blackout or a major attack on some type of critical infrastructure, and we make this prediction every single year. In some ways, I feel like I do not want to call anyone ignorant or not taking responsibility, but it’s such a big problem. It’s decades and decades of equipment that we’re trying to secure that was never meant to be online. I don’t necessarily think that people understand how complex the problem is, and so there really needs to be a lot more education around how complex this issue is.
Cohen: What emerging technologies do you see impacting the field of cybersecurity in the near future?
Horn: We’re going to see more around AI. We’re going to see more around quantum computing. Because of global polarization and this isolationism that’s happening, we’re unwinding that isolation a little bit right now, because of the fact that we’re being forced to cooperate with our allies with the conflicts within Russia and Ukraine, and obviously, power balances are shifting. I’m really curious what this is going to mean for isolated environments like that in North Korea. Are we going to see the opening up of systems between North Korea and China and Russia? I don’t know. The reason why I can’t put my thumb on it is there’s something weird happening with these three relationships, and I don’t know what the impact is going to be to technology. But because of how future-thinking in some ways that they are, then I’m just curious what’s going to happen.
Wall: By far, this last question is the most important question of your entire career. What is your favorite movie, TV show, musical, play or song about cybersecurity?
Horn: Maybe this is a cliché, but I feel like this was a movie that I had to see because all the guys that I worked with were like, “You’ve seen ‘WarGames,’ right? You’ve seen ‘WarGames’?” And I’m like, “No,” or, “Yeah, I’ve totally seen it,” and so I had to go watch “WarGames.” I did. I’m not going to say it’s the best movie in the world. I definitely found it very interesting with some of the predictions and the dangers of AI and some of the nuclear arms race that was happening, and just, I think the early hacking culture. It’s a really interesting movie.
Cohen: And you get to see Ally Sheedy and Matthew Broderick when they were like 18 years old.
Horn: Yeah. You’re like, “Who are these children?”