Patrick Spencer 0:00
Hey everybody, welcome to a Kiteworks conversation with Michael Daniel. This is going to be a great discussion. If you’ve taken a look at his background before viewing today’s podcast, you’ll see that he has, like, 21, 22, 23 years of experience in the cybersecurity space, primarily in the government sector. So, you know, it’s a plethora of experience and background that he brings to this discussion through the government lens. But now, for the last four or five years, he has been the president and CEO of the Cyber Threat Alliance. Michael, thanks for joining us today. It’s going to be a pleasure speaking with you.
Michael Daniel 1:04
Thank you for having me. Really appreciate the opportunity.
Patrick Spencer 1:08
My co-host Tim Freestone has us on the phone. Tim, glad to have you as always.
Tim Freestone 1:12
Yeah. Thanks, Patrick. Good to see you. Nice to meet you, Michael.
Michael Daniel 1:16
Good to meet you as well.
Patrick Spencer 1:17
So, Michael, can you talk a bit about the Cyber Threat Alliance? We might talk a bit about your background and the OMB and so forth, at the same time. And then the almost five years you spent as a Cybersecurity Coordinator for the federal government, but cyber frontlines are doing some really cool things. I’ve been watching you for the past four or five years. You know, what is it for those who are listening to podcasts, you don’t know who you are, and then we’ll talk a bit about some of the cool things you’re doing.
Michael Daniel 1:45
Yeah, so CTA is a threat intelligence sharing organization. And what really makes us a little bit different is who we’re focused on. We are a membership association. So, companies, you know, join the Alliance, but our target audience is really cybersecurity providers. So, cybersecurity companies, you know, the security arms of telcos, platform providers, anybody who’s providing cybersecurity services more broadly than to just themselves, that’s our target audience to encourage and enable threat intelligence sharing to occur between those organizations. We currently have 36 different members from about 11 countries, headquartered in 11 different countries around the world that actively participate in the alliance. And of course, we’re always looking, we’re always looking for more and you know, trying to expand and grow the Alliance. But that’s really what we do.
Patrick Spencer 2:41
And different organizations can subscribe to the data that you’re aggregating. You talk a bit about that process, or what does that look like?
Michael Daniel 2:50
Sure. So, we really talked about our sharing happening in two different modes. One is our automated mode. And so, this is where our members will share technical indicators of compromise and the associated context that goes with that. So, you know, hashes, binaries, URLs, domain names, ports, mutexes, registry keys, any of the stuff that, you know, are the technical indicators that something bad has been happening to you. And along with the, you know, context that helps situate those indicators in time and space, if you will, sort of date timestamps, you know, process flow attack, MITRE ATT&CK patterns, those kinds of things. And all of this is shared through a proprietary platform that we built. And so, when you share into CTA, you then get access to what everybody else has shared. And so, you can then take that data and use that in your products and services. You can use that for your research, you can use that to test you know, things, I found this to somebody and did somebody else in CTA see that. So, there’s a variety of use cases for that, in addition to that automated sharing that we do, and to give you some sense of the scale, we’re operating somewhere between 325,000-375,000 indicators a day that go through the platform, sometimes it’s as high as 400,000. So, it’s a you know, it’s a pretty solid volume. In addition to that automated sharing, though, we also try to build trust among our members and develop a human sharing community as well. Because what we’ve learned over the past five and a half years of running CTA is that you need that automated side for certain use cases, but you also need the human-to-human interaction for other use cases. And so, we also have tried to build a way for our researchers and analysts among our members to work together to collaborate to come to know each other and trust each other so that they can share at that human speed as well.
So those are really the two pillars, the two sharing pillars, that CTA rests on.
Patrick Spencer 5:01
What’s an example of a human-to-human use case that you just cited?
Michael Daniel 5:06
Sure. So, you know, for example, one of them is that we have what we call our early sharing program. So many of our members will share pre-publication versions of white papers or blogs before they go live. And so, and they might share the associated indicators that go with that. So, you know, the value of that to the community is that the broader array of the community gets a heads up about something that’s coming out, that’s identifying malicious activity, they have a chance to position their products and services, their company to be ready for that. So, it has an even bigger impact when it comes out. Because there are more companies already implementing the protections against those kinds of threats that are identified in that report, for example, what I remember is love it too. Because then, like, you know, when the CEO calls down to the, you know, to the research lab, or whatever is like, hey, have you seen that thing from the blog? In our yet boss, we’re already on top of it, got it, you’re covered? We’re covered. Good. Yeah, that’s a much better answer than we’re madly scrambling to look for that, you know, it’s, everybody likes that. So, it generally works, works much better that way. So that’s just one example on the human side of what we do. And like I said, it’s very popular among our members.
Tim Freestone 6:29
You know, one thing I’ve always wanted to ask now that I have the opportunity to ask you is, I’ve been fascinated by the fact that this alliance brings together so many business competitors, let’s clarify. What’s the secret sauce there? And does conflict arise? Is there any level of data hoarding? Or is it pretty altruistic, and everybody’s in the game for the greater good, so to speak?
Michael Daniel 6:58
So, I would argue that it’s somewhere in between. I mean, yes, you know, there’s always that level of altruism. But one of the things that our members have learned, and that we very much promote is that sharing like this actually makes you more competitive, because really, the value that you bring as a security company is not the raw indicators. Right? The value you bring as a security company, is what you’re doing with those indicators. What are you doing with that data? How are you helping your customers? How are you analyzing it? How are you processing it? How are you transforming that data into information and knowledge? So, a lot of it is that we’re very much focused on that data layer. And that, by focusing on that, we actually avoid a lot of the competitive conflicts. The other piece is that we very much just to comply with U.S. antitrust law, but also, as a matter of practice, like we don’t talk about products, services, prices, any of that stuff where the competition is occurring. We’re focused on the bad guy. And we’re focused on enabling our members to work together against the adversary. And so that really helps create a space where the collaboration can occur, and can still enable the competition to occur. But actually, my argument is we’re helping the competition occur at a higher level of the value chain, because instead of trying to compete on I know, something the other guy doesn’t know. Which if you actually think about it, since no one has complete view of the whole ecosystem is actually my inadequate pool of data is bigger than his inadequate pool of data. It’s not a great argument. So instead, we’re pushing that competition up to a different part of the value chain. And that’s a much better place for the ecosystem as a whole, for that competition to be occurring.
Tim Freestone 8:52
Yeah, sure. Makes sense.
Patrick Spencer 8:53
Is it easier to capture attack data versus actual data around reported intrusions? Are they more reluctant to report the latter?
Michael Daniel 9:04
Well, sure. I mean, you know, we, we were very careful to actually say, whenever we talk to potential member companies, like you don’t want to share customer and for SEO specific customer information with me, and I don’t want it, right, I don’t want to have to protect it. I don’t want to have to deal with it. I don’t need it. So, and you don’t want to send it to me. So, like, you know, it’s in everybody’s interest to not have that happen. Yes, we do try to actually collect a lot. And we encourage our members to actually share as much about the MITRE ATT&CK categories, for example as they can, because that’s actually very useful data for our members to for the other members to have. So, it’s really kind of interesting how that started to evolve, you know, and what we’ve discovered is that, no matter how hard MITRE has worked at defining these categories, and no matter how hard we worked at pre-populating, you know, categories, we still have these edge cases and things where we’re trying to figure out how to fit things into the categories and stuff like that. So, it’s not easy to do. And it’s not easy to do at speed at scale. But our you know, that’s something that we’re constantly learning and trying to get better at.
Tim Freestone 10:17
So obviously, there’s the threat vectors, the threat actors, the threats themselves, sometimes that’s all wrapped up into just people just going about their day job, you know, the, the human attack vector, I guess, do you collect information on just people being people and kind of what’s happening with, you know, social engineering on a broader scale? Or is it? Is it primarily focused on digital threats?
Michael Daniel 10:48
Yeah, so it’s really more about the digital threats, you know, we really focus on those on that technical data layer. Sure. And it’s not that the things that you’re talking about there aren’t important. It’s just that’s not our specialty, you know, now, I do think that, you know, what, where you would see that inside CTA is, again, more on our analytics side, you could definitely see, like a group of our analysts sitting together and, you know, we maintain the equivalent of a Slack channel, right for our members, and you could easily, uh, frequently we see discussions about like, hey, we’ve seen this phishing campaign, you know, anybody else seen this thing? You know, those kinds of questions and sharing definitely, definitely occur.
Tim Freestone 11:32
Yeah, I got I, it’s, I’m always, I’m always pressing that question. Because it’s, it’s just one of the hardest ones to answer, right? How do you solve the people being people problem? And what kind of data is out there around that? But sure,
Michael Daniel 11:47
I mean, you know, my, my standing joke is that like, once you get your organization to a certain size, you are just going to have somebody in your organization who is going to click the link. It’s, you know, it’s I almost referred to it as like, the monkey reflex. What is that? You know, it’s sort of like, you know, it seems to be sort of baked into primates or something, we just have to, you know, go explore whatever. And so, the truth is that, like, you can’t engineer that away entirely. And so, you have to just be prepared. And that’s why we talked about that defense in depth and other things, because you just have to be prepared that it’s going to happen some of the time. I mean, and you know, the bad guys, I think they’re constantly trying to get more sophisticated at that. But, you know, in many ways, that’s, you know, that’s old school stuff, right? I mean, that kind of social engineering has been around for a couple of thousand years of really trying to swindle other people and that sort of thing. So
Tim Freestone 12:43
just a new vector for emergencies.
Patrick Spencer 12:46
So, when you were the Cybersecurity Coordinator for five years, you saw a lot, learned a lot. What are some of the elements you took from that experience, like two or three or four that you took over into CTA that are making me more effective as an organization?
Michael Daniel 13:03
Well, I think there’s, you know, there’s a couple of things that I really took from that. That experience, I would say, one is, you know, information sharing is hard. We talk about it a lot. And we act as if it should be easy. But my standing joke is that like, you know, information sharing is the anti-Field of Dreams, just because you build a platform doesn’t mean they will share, right, you know, that it really takes a lot of investment and commitment to make it happen. I think the other one of the other key lessons that I very much brought, based on my experience, both in the government and now, you know, validated by my time with CTA is really, we need to also think much more about where comparative advantage lies. I mean, this is a long-standing economic concept, right. But, you know, when you look at the comparative advantage of the government in the private sector, cybersecurity firms, right, the government’s comparative advantage is not in finding technical IOCs. In fact, in the five, seven years that I’ve been here at CTA, we have yet to get a technical indicator from the government, that somebody somewhere in my org, you know, in the Alliance didn’t already have. But what the government does bring to the table is context. That indicator is important versus that one. Why? Because that indicator is associated with this actor, this actor is particularly active against your sector, right? The government’s comparative advantage is, they can bring in intelligence capabilities, law enforcement capabilities that the private sector just doesn’t have, and can do those cross correlations to give you the context of why this versus that. And I think really focusing the government on its comparative advantage, and focusing the private sector on its comparative advantage, I think is not something that we’ve done an Nothing. And it’s definitely something that we need to push harder on to make the ecosystem more, you know, much more effective.
I would say the other thing, of course, and, you know, one of the, any of the people who have worked with me during that time know that one of my favorite sayings was never attribute exclusively to evil when stupid is still available as an option. True today, because sometimes things are just an accident, and you shouldn’t always leap to the nefarious conclusion until you’ve actually ruled out the accident option.
Tim Freestone 15:35
To that point, Verizon, their data breach report that they put out a few weeks ago. You know, it does. What’s a few months ago? It lists, obviously, all vectors and, and threat actors that the record, but the you saw, interestingly enough, the accident and lost assets sort of trend down a bit in as an aggregate but system intrusion go up. And there are a lot of drivers to system intrusion. But the one of the biggest ones was partners, if not the, I think it was number one was in your partner ecosystem. And that, I mean, at the core of that is information sharing. Right, right. It’s, it’s your information moving through your business process ecosystem and their information moving through yours. Yeah, it’s just interesting how this, this changes, and how challenging it is to predict, you know, what, what next year is going to look like and where to put the effort? And obviously, intelligence, like the comes through the Cyber Threat Alliance, is one step closer to predicting that I suppose.
Michael Daniel 16:54
I mean, I think part of it is also like, you know, if there ever was a network perimeter, right, which is, which is arguable, if there ever was a network perimeter, it’s certainly gone now. Right? Between, you know, between work from anywhere to these partner relationships to the way that you have to be embedded in the digital ecosystem, like the idea that you’re going to be able to sort of have this neatly contained network that you can enumerate every single device on it every second, and it’s going to be static, right? It’s just, it’s a, it’s a, it’s a falsehood, right? It just doesn’t work that way. And so, you’ve got devices that are, you know, your network is constantly changing it, it’s, you know, your assets are constantly, some assets are coming on, they’re coming off, topology is changing as people move around, and their connections come in. So, you know, it’s a much more dynamic world. And I think your point about the partnerships, right, now, you’ve got different people coming in, and they’ve got different levels of permission about how they hook into you. And, you know, it just makes it much more, much more complex. But we’re not going to unwind that, right, we’re not going to decomplexify that to in terms of those relationships, now, you can try to remove some of the complexity from your security. And you can, there are things you can do there. But I think trying to go back to this idea that, you know, we’ll have this nice, neat perimeter with this highly enumerated static network inside is just, you know, that’s just not reality.
Tim Freestone 18:31
The, the modifier of network perimeter is certainly gone. But and then the last five years are the perimeter, which is, you know, people and devices and IoT, right, it’s kind of less network and more endpoint. But you know, even that, is not trying to tackle that problem at an infrastructure level is, is just beating your head against the wall. But the piece that seems to always get missed is, nobody’s actually trying to secure the network or the devices for the security of those network devices sake, it’s for the data that moves around it. So, you know, I’ve been on the soapbox for, I don’t know, a little while of the that we did it all backwards. Like, why don’t we, we should start with the data and where the data goes and where it, you know, at the data level, because then it doesn’t matter the infrastructure. So, if you’re, you know, applying risk frameworks, and you’re applying zero trust and down to the data, well, your perimeter there then becomes wherever your data goes. And if you’re controlling and tracking and protecting the data. Regardless, not a word of where it goes, then you actually might have a fighting chance.
Michael Daniel 19:54
I think that’s right. And I think that the you know, you or, you know, it becomes a much more complex problem. But if you focus again on, you know, what do you actually care about? That’s the other piece of it. Right? You know, I’ve got comparative advantage. But that’s another principle in there is what do you actually care about? Because there’s some things that you don’t care as much about. And, you know, one of the other badges, if we go back to, you know, one of those questions that you asked, you know, sometimes we, you know, people would talk about an intrusion, and they had data leakage. And we’d say, well, what leaked? Well, name, phone number address. Okay, so the stuff that we’re used to be what we call the phone book, Alright, got it. Yeah, you know, like, sure it was a data leak, but do we care? I mean, you know, the, not really. And so again, it comes back to what is that information? Why do you care about it? What’s the data that I actually care about?
Patrick Spencer 20:56
What data is a big deal? I assume in that case, from your perspective,
Michael Daniel 21:01
That’s right. And you really have to think about what your critical assets are what you’re, you know, how do you how would you prioritize when you actually care about, you know, the, I mean, even in like, CTA’s case, right, obviously, we care about the platform first, right? Because that’s our, you know, that’s our crown jewels, right? I mean, we care about our financial data, because that’s, we’re a business, right? Do I care about our website? Yes, because it’s important for communicating, but like, you know, some, so I wouldn’t want it to get defaced. But like, that’s lower down on my priority list. Right. Compared to the platform and our financial data. We’ve got a pretty good idea, you know, within CTA of how our data assets sort of, you know, stack out, do I have this down to every single file that we have? No, but we’ve got, you know, a categorization of how we think about our data. Now, for us, it’s relatively simple. And we’re a small organization. But I think most organizations have to think that through. I mean, the other lesson that I took out of my time in government, too, was you cannot assume that communication is happening. We had this really interesting experiment towards the end of my time in government, where we, we actually went out and we asked all of the Chief Information Security Officers or CIOs, officers of like the major cabinet agencies and things and we said, tell us your top 10 critical systems. And we got the lists back and I remember we were sitting in the Deputy Chief of Staff’s office, going through this, we’re going through the list with, you know, senior people in the White House and looking at some of the agency responses. And we’re like, this is crazy, like, there are things on here that nobody’s ever heard of, and there are systems that we know about that are missing, like what, you know, like, what is the deal?
And so, then we, so then the deputy chief of staff, he was like, okay, well, let’s go ask the secretaries, you know, and the agency. So, we went out, we asked, we asked the same set of questions to the secretaries of the agency heads, and we got back those lists. There was not complete divergence, but there was a wide divergence between the two lists for these agencies. And so, then we started saying, okay, well, clearly, there’s not enough communication going on between the senior policy level and the technical level. Now, it did not always mean that like one was right and one’s wrong, because sometimes you had Secretary saying, like, look, okay, I know that this system is not as critical to the functioning of the agency. But it’s the system that if something happens to it, I’m going to be on the front page of the Washington Post,
Tim Freestone 23:47
Right, it’s the definition of critical and that’s right,
Patrick Spencer 23:50
Either contained or can be accessed through that system.
Michael Daniel 23:54
You know, and then in other cases, it was like, the technical people were like, yes, I know, the Secretary put that on the list. But we’re retiring that system in three months. I, you know, like, it’s not critical from that sense, because we’re already shifting to something else. Right, and so, the, you know, so I’m not going to put any more money on that system that we’re retiring. And so, the lesson, the fundamental lesson that I took from that was you can’t assume that even inside these organizations, that that level of communication is happening. And the business version of that is the C suite actually talking to, you know, the technical people, the, you know, the business lines, or the security people actually talking to the business people about what systems they actually care about what actually matters. And you know, is that actually, in fact, lined up so that you got the priorities in the same spot? Sure. It’s easy to see how that happens in giant, you know, cabinet agencies, but it happens in even, you know, medium sized enterprises to Trump and it changes over time, so you can’t have that covered. Yeah, we had that conversation back in 2017. Okay, great, but you know, like, you know, things are different now post pandemic. And so maybe some things have changed since 2017. If you had that conversation recently, you know, that sort of thing.
Tim Freestone 25:09
It’s almost like internals, security ops, or not the operations of the security program or the infrastructure, but the operations of the security personnel and, and how information is shared up and down and left and right. And, you know, definitions come into play significantly, to your point about one person thought critical meant this another. So, the complexities are on every level, right?
Michael Daniel 25:41
Absolutely. And you always have to be thinking about that. And, and that’s not a, you know, that’s not a technical problem. You can’t solve that with like, you know, a shiny widget or something you’ve got to actually have, that’s an organizational problem. And it’s a management problem. So
Patrick Spencer 26:03
When it comes to information sharing in incidents, you know, organizations are typically reluctant to talk about those, but there’s some new federal mandates that are being passed that you can no longer get away by failing to disclose an incident we’re, what impact do you think that’s going to have in your CTA play a role in that at all?
Michael Daniel 26:24
Well, I think the impact is going to be huge. Cyber Incident Reporting for Critical Infrastructure Act, which I think we’re all still trying to figure out like, is that CIRCIA, like, I don’t think anybody knows how to pronounce the acronym, but a good acronym. Yeah, you know, that piece of legislation basically says, if you own or operate an IT system in a critical infrastructure sector, and you basically meet some criteria that DHS is going to have to define you or you are mandated that you are required to report a significant cyber incident to CISA. DHS is going through the process of actually writing the regulation to implement that law. And so, it’ll still be a while before that comes fully into force, but it’s coming. And I think that that’s going to be a big, that’s going to make a lot of difference to the government, because it’s going to enable the US government to get a much better sense of the scope and scale of the problem, from a baseline that we actually know what it is. And then you will be able to start identifying trends, you’ll be able to start identifying, you know, campaigns at a different in a different way, it’ll provide the government with just much more fidelity on what’s happening in the ecosystem more broadly. And I think it will really help us enable much better policy. And it will enable the federal government to also think about how to focus its disruption capabilities, where should it actually put its time and money to have the big, you know, the greatest impact on the adversary and the best return for our national security or national economic security and our public health and safety? And so, you know, I think that, you know, it’s going to be a big, it’s going to be a big advance. Now, one of the things that we need to be mindful of is, and this is, you know, the role that CTA is sort of playing in this area is trying to help think through how you how you actually set up the process so that it’s actually workable, right,
Tim Freestone 28:34
You know, process in terms of reporting
Michael Daniel 28:37
Literally, how do you actually build the reporting process? What does that look like, if you are a user, or you’re a business owner of a critical infrastructure asset? And you, you know, you are the, you know, CEO and CISO of the, you know, 11 hospitals, you know, and 24, doctor’s office chain in Oklahoma City, right, and the surrounding region? And you’ve had a significant cyber incident, what does it look like for you to actually go and report? What does that look like? And how do we do that in a way that like, because, you know, you’re going through a significant cyber incident, you’re having a really bad day, have a really bad month, things are really crappy. And that you got to go file this report with the government. So, it can’t be the equivalent of the IRS 1040. Like, they cannot look like that, right? That’s not going to be workable, it can’t be something that is only findable by, you know, the four guys at Mandiant that actually understand the thing, right? Like, that’s not going to be workable, it’s going to have to be much more like the base form is going to have to be much, much simpler, much easier, much more user friendly, you know, probably online so that you can fill out in 15 minutes, you know, and then you know, when you’ve had like a month to actually analyze the incident, you can do the follow up report where you actually get whatever firm you actually, you know, engage to help you through it, then they can go in and provide all the, you know, technical details later on, and like the adjunct form, you know, but these are the kinds of considerations that we want to get out there. And we want to try to help, you know, DHS think through this, because I think it’s really important to get this right. It’s important for the government to set some expectations, right. When you file, you know, when you file a police report, because your car got broken into, you don’t necessarily expect the police to actually show up. Right? 
Because like, it’s, you just don’t, you don’t expect them to send like eight squad cars, because you know, to your neighborhood, like, that’s just not how it works. And so, you file the report, because your insurance requires you to because you also want maybe you want to be a good citizen and make sure that the crime statistics are updated, or, you know, other things like that. But you don’t necessarily expect a huge law enforcement response. And I think the government also needs to set that expectation for critical infrastructure of like, hey, just because you reported does not necessarily mean and yeah, I fly away team is going to show up at your doorstep. Yeah. Right, like, you know, certainly
Tim Freestone 31:21
Be a deterrent to facilitating the participating in the submission. Right. Yeah, that’s right. And are they still working on the definition of significant as well as this kind of all, it’s all a work in progress at this point?
Michael Daniel 31:36
So, you know, it’s interesting, because the federal government, they are still working on the definition. And the reason why is because the federal government has a definition of what is significant for the federal government. But that’s not necessarily what is significant or material for an individual company. And the statute is written such that it’s actually from the company’s point of view, that it is significant. And that is not always going to line up with how the federal government has defined significant in the past. So, one of the things that we have done is we’ve been talking about how you kind of define that. And for CTA’s purposes, we sort of define significant is for one, something bad has happened to you, meaning you’ve had some sort of, you know, your security has failed in some way. So, like, an attempted intrusion and attempted ransomware attack that failed. That’s not an incident. Right? You know, the, your Snort flag later caught it at the, you know, caught into the firewall and killed it. Yeah, that’s not a that’s not an incident, right? The incident is something happened, that you didn’t want to have happen. And it caused some sort of material impact to you as a business, right, you lost trade secrets that you care about, you lost money, you had a business interruption, you, you know, and that’s going to be a little bit subjective, it’s always going to be a little bit subjective, but I think we can sort of narrow it down to be a little more, you’ll have a little more rigor to it. And, and I think that’s going to be the kind of definition that CISA is going to have to use in order to actually get the we want enough reporting that you can set the baseline but not so much that they’re flooded.
Tim Freestone 33:30
Sure, and I think, you know, to your earlier point that you made about the sort of commercial sector, having data in the federal government and the government sector having data and trying to bring that information together for the purpose of cybersecurity, like this seems like a forcing factor for that. Right. Yeah. Getting commercial entities to submit information to CISA and DHS, and then now we’ve got the start of an aggregate, right?
Michael Daniel 34:06
Yeah, no, I think that’s right. And you can start to actually put together the baseline and you can start to figure out like, then you can start to have some statistical validity to the conclusions, right of what’s you know, what’s happening, because you’ll know what the baseline is. And you’ll be able to start measuring and you can also start, then you can start seeing whether or not things actually, you’ll be able to start seeing, you know, whether or not certain things really make the difference that we’ve always said. And I think that’s, you know, there’s just a lot of different things that you can do with this once you actually start to get that kind of data in with regularity and with consistent definitions. Yeah.
Patrick Spencer 34:49
Thanks. Before we run out of time, I wanted to make sure we touch on the Ukraine war because CTA and you in particular have been quite involved with some of the reporting around that and aggregating data and watching, you know, attacks, they ramped up to incidents ramp up at the same time, you know, give us an overview of what you guys have done in regards to the Ukraine war, and you continue to watch it. It’s not simply, you know, the first month and you’re done, you’ve continued to work.
Michael Daniel 35:22
When, you know, I think we’re involved with a consortium of companies that are trying to work together to help provide defensive capabilities to the Ukrainian government. Many CTA members are also involved in those efforts. And I think what you can see is I mean, so what’s been very fascinating to me is cyber has very much played a part in cyber operations, cyber-attacks, and very much played a part in the Ukraine conflict. But what’s been fascinating to me is some very key things that I think you can draw from this. One is that they have not had the level of strategic impact that I think a lot of people thought they were going to have. Now, I think there’s several reasons for that.
Patrick Spencer 36:11
Dropped when the Ukraine war started. And we heard all the all the hyperbole about cyber-attacks, and then the shoe hasn’t really dropped yet, or at least heard about it.
Michael Daniel 36:23
That’s right. And I think some of that is because I think there are multiple reasons for that. Right. I mean, some of that is because the Ukrainians actually turned out to be better on the defense than people were giving them credit for. They’ve been dealing with the Russians for seven years. So, they, you know, they’ve had some time to practice. They’re getting help from, you know, the A teams of, you know, cybersecurity companies from across the planet, which, you know, that makes a difference, too. I don’t think the Russians were as prepared as they, you know, as they probably could have been, they were also making some strategic calculations, right. If you think you’re going to win this war really quick, and you’re going to have to own all this infrastructure, why the heck am I going to burn it down only to have to rebuild it? You know, so I think there’s, you know, there’s a, there’s a lot of reasons for that, but for the results that we’ve seen, but the result is that it has not, cyber has not played a strategic role, it certainly has not played a role in deciding the conflict one way or the other. And I think that’s important to keep in mind that cyber as a tool is a very useful foreign policy tool. And it can be used for a lot of things. But once you have a hot war, it may not be the most deciding factor that you can out there. But I also think it’s important not to over extrapolate from what has happened and not sort of, you know, then say, oh, well, cyber is not going to play a role in conflict at all, because I don’t think that’s what the data shows, either. The I think it’s, it’s, you know, entirely possible that if Russia, for example, decides that it is not going to win, and that it has nothing to lose by being more destructive, you could see it try to go down that, that path,
Tim Freestone 38:14
Just like not a doomsday cyber warfare launch sort of a deal,
Michael Daniel 38:19
Right? You decide, well, I’m never going to be able to own that infrastructure. So now I don’t care about it.
Tim Freestone 38:27
Michael Daniel 38:29
Right. Digital style.
Patrick Spencer 38:31
Tensions for future conflicts, Michael, we have the China-Taiwan issue that’s percolating out in the Pacific Ocean right now.
Michael Daniel 38:40
And I think, you know, that’s going to be I mean, so there’s all sorts of interesting, you know, ramifications. I mean, so there’s a few other things here, if you think about it, too. So, like, you know, the Russia-Ukraine conflict has some interesting aspects that might not always hold. Right. One is, it’s about as clear an example of just like, unprovoked aggression that I’ve seen, like, it’s, you know, in decades, right, like, there’s not really a lot of question about what happened there. And so, you kind of got that moral case is pretty well, yeah, that’s, you know, solid. And then, like, who nobody is really heavily invested in the Russian economy from a Western sort of technology standpoint. Right. Most Western companies are not. They don’t, yeah, you have now lost access to the Russian, you know, to the Russian market will be there. Like, I mean, you know, it’s like nobody, like nobody noticed. Right, you know, that they lost access to the Russian market. And so, I think that, you know, in other situations like the one that you cited, like China and Taiwan, right, for a lot of industries, that’s a completely different story. And deciding to cut ties with China is a very big difference than cutting ties with Russia, right. Now, interestingly, you have a weird sub case with the cybersecurity industry, which is that the cybersecurity industry realized about five years ago that it was not going to get access to the Chinese market. And so most cybersecurity companies don’t have this fantasy that they’re going to suddenly get access to these billion people, this billion-and-a-half-person market, because the Chinese government made it pretty plain that they weren’t going to get access unless they basically partnered with, you know, some Chinese company that was basically going to steal all their technology and then use it against them. So, like, most Western cybersecurity firms don’t have a whole lot of presence in China.
Unlike a lot of other sectors, they don’t have a lot of partners, they don’t you know, so that’s a little bit of a wrinkle there. But I think what you see is that because of that, we’ve got to come all the way back around to the point that you made Tim, at the very beginning about that digital interconnection, right, we have all these digital interconnections that we don’t even know where all these digital interconnections are. And, you know, you get you get, you get a hot war, or even a, you know, give me even a simmering conflict someplace. And we can have all sorts of weird, you know, unexpected consequences from that, that we just weren’t anticipating, because we didn’t know that X was connected to Y, which was connected to the kumquat over here, right? I mean, like, you know, we just didn’t see that, you know, a priori, and the, the conflict exposes it. And so, I think, the inevitably, though, the broader principle is that cyber conflicts in the cyber domain are going to go along with conflicts in the physical domain. And the, inevitably, that means you’re going to involve the cybersecurity industry in those conflicts, whether they like it or not. And, you know, the, it’s just going to be part of the, it’s going to be part of the landscape.
Patrick Spencer 42:03
Makes a lot of sense,
Tim Freestone 42:04
Is this, there’s probably a whole other podcast on this, but he’s got me thinking about a few things. What is there beyond CISA? Is, is there anything commercial ask happening in the government to build out its own security, cybersecurity, proactive force and technology? Yeah.
Michael Daniel 42:27
Yeah, I mean, you can see the federal government doing a lot of things to, you know, actually try to adapt to this new, this new domain, right, and this new way of working. And yes, the federal government is moving has moved, not moving as fast as a lot of people would like. But I really also think people should keep in mind that a lot of companies don’t move as fast as you know, their employees, and they should. You know, and adapting to this new environment is tough. And one of the things that, you know, when I was Cybersecurity Coordinator, one of the things that people would say is like, well, so who’s in charge of your cyber for the government? And I would say, okay, well, what do you mean? Do you mean, the federal government’s own internal cybersecurity? Do you mean, the federal government’s interaction with the private sector to try to raise the level of cyber security across our ecosystem? Do you mean, our cyber capabilities that we use to reach out and touch the bad guy, like, those are all very different things, and they’re different missions, and you’re not going to be able to just sort of smoosh them all together. And so, I think what you’re seeing is, and this is, incidentally, I think this is true, this is why organizations out in the private sector, this is why we are trying to deal with these organizational issues across the private sector. And you’ve got all this like, you know, dotted lines and cross teams and matrix positions. It’s yeah, you know, come from, yeah, you know, and it’s actually everybody trying to figure out, like, how do we organize ourselves in a way that’s effective for the information age for the digital age? That’s different than what it was in the industrial age. Right. And the government’s doing the same thing. And I don’t think that anybody should be surprised that it’s taking us a little while to figure that out. Right?
What I see, Tim, is the federal government really trying to say, okay, how do we actually want to line these things up so that we can actually have the impact that we want to have on the adversary? And, you know, there’s some really interesting challenges in there for the government because, you know, we want the government to be fair, right and how it deals with the private sector. But yeah, we all know that some parts of the press some entities within the private sector kind of matter more than others for certain things. Right. But kind of painful for the government to come out and say that yes, I’m sorry, flowers flower shop, we don’t care about, like, right, you know, even though that’s the truth, that’s really painful to say, right? And yet that could change over time. Because like, you know, I mean, if we were caring about if we cared about social media in the same way that we do now, back in the early 2000s, would we still be trying to like, you know, have relationships between the federal government and Myspace, like, you know, like that it changed to exist. For all I know, and I’m sorry, that if I’m human to their honor, but you know, the, you know, these things change over time. And so, you’ve also got to have the ability to, you know, adapt, and, you know, change, but yet, and we’re not, the government’s not good at doing that, we kind of set up the rules to say the government shouldn’t really be trying to do that sort of thing. And yet, we know that they have to have relationships with certain parts of the private sector, that they don’t have other parts, if you actually want the cybersecurity to work well. These are some really interesting public policy questions that it’s going to take us a while to wrestle with to figure out what formula works for us. And I should know that, like, what works for us, and our political context may or may not work in anybody else’s political context, and what works in their political context may not work here. 
So, while we should also be looking at how the UK has done it, and Germany or Brazil, or any of those other countries, like it may or may not be applicable here,
Tim Freestone 46:48
Right, and you’re just unpeeling this onion, layers of complexity, because we’re still figuring out how to get information from the commercial to our federal government. But it’s a global enterprise. So yeah, what a country to other country and their commercial entity that they’re federal to their, you know, yeah. Well, you just ruin my weekend.
Patrick Spencer 47:10
That’s why we, yeah, you’re right. And the community that it’s building between countries as well as all these different, different companies at the same time? Well, I think we’re, we’ve we have touched on our next three podcasts with Michael, as always. I love talking to Michael, because I learned so much about the space, I find what CTA is doing quite intriguing, and being able to tie it back to actual real-world events and activities, like the Ukraine and the new incident reporting laws and so forth is always, always very useful for myself as well as I think our listeners. So, Michael, we really appreciate your time today, and we look forward to our next conversation.
Michael Daniel 47:52
Thank you for having me.
Patrick Spencer 47:55
Thanks a bunch. Well, for our listeners, make sure you check out other Kitecasts at kiteworks.com/kitecast