A
From the CISO series, it's cybersecurity headlines.
B
This is Rich Stroffolino with the Department of No. Rob Dunewood, host of the Daily Tech News Show, is joining us today, and I gotta ask Rob, as soon as I see him on the screen there, I'm going to ask you: what is your priority this week?
A
Well, you, for some reason Rich asked a non security person to be on a security show. So I have been spending the last couple of weeks just looking up security stuff so I could sound somewhat intelligent. And I just hope that some additional news breaks this week so I can talk about it on another podcast.
B
Rob, Rob, you underplay your acolytes. You know the enterprise IT dark magic here that undergirds everything that we're going to be talking about. So I am super, super excited to hear your take on all of our stories here. I'm also excited to hear Howard Holton, CEO over at GigaOm. I got to ask, what is your priority this week?
C
Getting everything done before the holidays so my team can take a break. Right. You have this big shift as you leave enterprise and move into the corner office, which is still kind of new to me. So I'm trying to get everything kind of done and set up so we can all enjoy our holiday and have that kind of end of year push with the least amount of friction possible.
B
Have you already reached the point where you're responding to emails with "why don't we circle back in 2026"? Have we hit that barrier?
C
I'm waiting for 2027 already.
B
Okay.
C
Especially for the sales call.
B
You're not taking any emails next year.
C
Salesperson reaches out. I'm like, ooh, my calendar for sales calls is full until out of your kids. Yeah. When they graduate high school.
B
All right, well, I want to welcome each and every person in our chat room to the Department of No. It is your Monday cybersecurity stand-up. Let us know what your priority is this week in our chat. We want to know where your mindset is at. Maybe we can help you get to an even better place. We're not saying you're in a bad place, but we can maybe get to a better place all together. Also helping us get to a better place is our sponsor for today, KnowBe4, the number one trusted human risk management platform. And if you're listening in a podcast app later, remember you can join us live every Monday at 4 PM Eastern on the CISO Series YouTube channel, or shoot us an email at feedback@cisoseries.com. Quick reminder that all the opinions that are going to be expressed on the show today are in fact our guests' own opinions, not necessarily those of any employer. Let's dig into the news here. First up, we got a lot of stories here. There's always a bunch of stuff going on. So that's why we have our segment, Know or No? You get a quick take on news items. Is it something that we need to know about, or can we say no, thank you? First up here, Google intros Private AI Compute. Google's launching Private AI Compute, a cloud platform that lets devices run advanced AI tasks while keeping data private. It's similar to Apple's Private Cloud Compute and moves intensive AI processing to the cloud without exposing sensitive information to Google. Take Google's word for it. Google frames it as a secure way to handle complex AI tasks beyond on-device capabilities. It looks like the AI people spent their evenings reading the history of the cloud. I got to ask Howard, know a little more or no thanks?
C
You probably should know a little more. You probably should understand. How does that fit into your strategy? Does it support your strategy? Is it something that your organization is even ready for? And I would say your organizational maturity and readiness is the most important question you should answer.
B
Rob, you were there for the days of the cloud migration. Does this remind you of that? Know a little more or no thanks?
A
This is know a little more for a couple of reasons here. We heard in the last week or so that Apple will be using Gemini to power Siri at least for the next year and it's going to be running on Apple's private server. So basically it would be similar to this. It's running in their stuff and Google has no access. It only makes sense that Google does the same thing for its own customers, because if you are a customer of Google, it's like, well, I'd like to use your phone, but it's not secure in its own space. I can use an iPhone and actually get it secure in their own space. That's probably an untenable position for Google to be in. So I kind of assumed that this was going to be coming sooner rather than later.
B
Yeah, why don't we productize the thing that Apple paid us to develop anyway? It's not the worst business strategy I've ever heard. All right, next up here, SAP fixes hard-coded credential flaws in their November patch cycle. This included the fixing of a hard-coded credential bug in SQL Anywhere Monitor rated 10.0 severity. I was sitting in an Uber the other day wondering why we have hard-coded credentials at all anymore. Rob, from you, is this know a little more or no thanks?
A
As a story, this is know a little more. So way, way, way, way back in the day, I used to actually run a team of Basis administrators for SAP, and we were doing this stuff in the 90s, and the fact that they're still doing this, it's like, but why? But why, SAP?
C
Why are you doing this?
B
I just need that as a reaction GIF. Why? I mean, maybe this is hipster SAP being just pure hipster gloriousness. So good there. Howard, for you, know a little more or no thanks?
C
Oh, know a little more, for sure. Like, we keep doing this stuff because product teams are always told to focus on the new features, not on fixing the old. Right? New hotness. And we really need to focus on what are the traditional problems that we've been hearing. What does that tech debt look like and how do we manage it? And it's really, really important when these things are fixed that we ramp our update cycles and make sure we get these updates into production as fast as we reasonably can.
D
Producer Steve Prentice just stepping in here while Rich does some adjustments to his microphone. Our next story here is that UK cyber insurance claims tripled, according to a new report from the Association of British Insurers. UK insurers paid out over $197 million for cyber insurance claims in 2024, up from 60 million in 2023. Ransomware-related claims accounted for 51% of that total, up from 32% in 2023. The association also reported that the number of cyber insurance policies in the UK increased 17% in 2024, which is still quite a lot. So what do you think? Is this know a little more or no thanks?
C
Oh, definitely know more. I mean, well, maybe, maybe this one falls under no thanks. The reality is, like, this growth is just going to continue to happen. Cyber's not getting easier. AI has made it much, much harder and much faster. Every company now recognizes they have to carry cyber insurance. So I'm not sure that there's a whole lot here. This might just be a kind of nothing burger, you know, state of the union kind of thing. I don't know that there's anything to look deeper into here.
B
All right, Rob, for you. Is this know a little more or no thanks?
A
It's a know a little bit more. Here's the thing, this is something that's kind of expected for two reasons. Number one, cyber threats are increasing. They're not going down. There are more of them than there were last year. And then number two, there are more companies that actually are insured now to actually do claims. So if you take both things, there are more threats and there are more companies that are actually submitting claims, you're going to see the claims go up for both reasons.
B
All right, next up here, this was one of the big stories that I saw blow up on socials in September. Threat actors used Claude Code AI from Anthropic to automate and execute cyber attacks in a sophisticated espionage campaign. These were China-backed hackers, or at least China-linked. They made use of its advanced agentic capabilities rather than using AI only for guidance. So this allowed the attack to execute itself autonomously. Experts describe this as an unprecedented shift from AI as advisor to AI as operator. Rob, know a little more or no thanks, from you?
A
So, know a little more. And since I'm just interested in this now, I don't know the ins and the outs and the ones and the zeros of how this works, but the fact that you actually have threat actors who are using artificial intelligence not to just figure out how to do something, but to actually go do the something that is figured out, that is a big deal. And I think that this is just another area where folks who are security specialists are going to have to think about how do we keep this stuff from happening in our environment.
B
Howard, how about you? I mean, for your security teams, they come to you: I'm terrified of this story. Know a little more or no thanks here?
C
Know a little more for sure. And I will say every tool has good and bad capabilities. So lean into what Rob has to say. But then also look at how do you take advantage of the tools to do the same thing from the defender side? How do you get ahead of this? The best way to get ahead of this is to leverage the tools. I also think it's kind of interesting they used Claude, not DeepSeek. But that's a different conversation.
B
In a weird way, does Anthropic like when they, I mean, this was from their own research, right? To Anthropic's credit, they are more transparent than most of these other companies when it comes to this. I don't want to say they're very transparent, but they're more transparent than a lot of their competitors. And it's almost like a sales slogan. It's like, listen, if you're a state-backed actor and you need to automate some threat campaigns, thanks for choosing Claude. Like, you know, you chose the best. You chose the best, basically, is what they're trying to say. All right, our last Know or No here. Five US-based individuals plead guilty to helping North Korean IT workers infiltrate companies. These internal agents hosted company-issued laptops at their residences so the North Korean workers could give the impression they were working remotely within the U.S. They also helped with passing employer vetting procedures, including appearing for drug testing. Howard, know a little more or no thanks here?
C
Know a little more for sure, right? You need to be aware of what the downsides are of a remote workforce, how to manage it, how to look out for it, and really how to mitigate this risk to your organization. I believe at this point you should at least do one interview in person and really dig in with that person on if they have the capabilities necessary to fulfill the job or if they're just filling a seat for some third party.
B
All right, Rob, for you, is this know a little more or no thanks?
A
Know a little more. So I still have friends who are in corporate and, you know, to Howard's point, if it's not going to be an in-person interview, there's got to be a 30, 60, 90 day prohibition period where you just out of the blue say, we are doing a video conference right now. Not in five minutes, not in 10 minutes, right now. Turn your camera on, let me see your face. Now, AI probably is going to help with that as people start to think about it, but at least for right now, I can't think of AI that would solve this right off the top of my head. You have to actually see the people that you're working with. Because it is not uncommon to literally have someone who works for you for years that you've never personally met.
C
The reality is it's like $1,000 to fly someone in for an interview. You know, I mean, you fly them in, you put them in a hotel one night, it's $1,000. The risk of getting this wrong? Hundreds of thousands or millions of dollars. Like, spend the thousand dollars. Down-select three, four people, and before you send them the offer, fly them in and meet them in person.
B
Is that something, like, as a CISO, as a security leader, stuff like that, like, how do you have that conversation, to make that pitch, right, of, like, sink the cost into the interview process versus the risk that we could have North Korean laptops on our systems? What does that look like?
A
Show them examples. Show the examples to the folks to make the decision to buy the tickets. This is what happened when you didn't do this. We need to make sure this is not us. So, you know, scaring people tends to help sometimes.
C
Well, and my job as CISO is as the advisor to risk. I don't make the decision. I'm the advisor to risk. Right. I tell you what is wrong, what the risk is, and then I tell you how to mitigate it. If you choose not to mitigate it, it's fine. I've done my part. Now it's back on you. So no problem whatsoever. You don't want to spend the thousand dollars? No worries, no worries. Just know the primary call of a CISO is good documentation. I've kept that letter, the response to my email that says, no, we've declined that, with your name right at the top, in the file marked "when it goes poorly." Just know when we're in the news and the board goes, hey, how did this happen? I go, well, we decided not to spend $1,000 on these finalists. I mean, it's a $100,000 role. $1,000. Not a lot of money. Costs us $300,000 to onboard them between, you know, all the costs of interviews and process and recruiters. Seemed like a thousand dollars was easy, but, you know.
A
It really sounds really inexpensive the way that you lay that out. Right.
B
I think, one, here, keep your email audit trail extraordinarily explicit and organized. Thank you, Howard, for that. And two, also book the flight through American Express. Maybe you can have, you know, going back to our pre-show conversation, you know, you can have one of the American Express agents, you know, vet them to make sure they're... they're Koreans anyway. And then it's American Express's fault and...
C
It'll be, I mean, a smart CISO puts it on their Amex so they can get the points.
A
All right.
B
And as if the stars didn't align up. Just a quick reminder, kind of in the same vein, that we have an AMA going on in the cybersecurity subreddit right now, all about CISOs that have dealt with insider threats. Some crazy stories in there. One from Andy Ellis that my jaw was on the floor while I was reading it. So make sure you check that out on the cybersecurity subreddit. Really cool thing that we're happy to work with them to organize. Super, super awesome. Before we get into our main conversation, just a quick moment now and a quick word and a thank you to our sponsor. KnowBe4: your email gateway isn't catching everything, and cybercriminals know it. That's why there's KnowBe4's Cloud Email Security platform. It's not just another filter. It's a dynamic AI-powered layer of defense that detects and stops advanced threats before they reach your users' inboxes. Request a demo of KnowBe4's Cloud Email Security at knowbe4.com or visit them this week at Microsoft Ignite, Booth 5532. Get started at knowbe4.com, that's K-N-O-W-B-E-the-number-4 dot com. All right, we've got some deep dives here. We got to get into this one. First up here, CISA reauthorization: people are maybe getting back to work here. Let's dig into it. One of the impacts of the prolonged US government shutdown was the expiration of the 2015 Cybersecurity Information Sharing Act, or CISA, at the end of September. One provision in a deal to reopen the government would reauthorize that law. However, this is only a temporary stay of execution, as that reauthorization would only go through January 30, 2026. Howard, from your perspective, what can we make of the perpetual tug of war over this CISA, the legislative act, also CISA the organization, and the end of the shutdown as it applies kind of to the broader cybersecurity landscape? You know, the still has its fingers in quite a number of pies.
C
I mean, I love the message to the world that the United States doesn't take cybersecurity seriously. Right? The number one global world power, as we like to claim, just thinks cybersecurity is something that should be handled by the private sector alone, who doesn't share anything and is constantly buried and underfunded already. Seems like exactly the opposite message when we're constantly hearing about state actors and nation states taking charge in cyberspace. So we sent our defending team home for the reigning champions to take it without a fight. I'm very confused by this move and think there are some things that should be beyond politics.
B
Rob, I mean, you've been watching this, kind of covering some of this on the DTNS side. I'm curious, where are your thoughts with, hey, CISA could get reauthorized? There seems to be a lot of leverage to renew it for another 10 years. Again, the Information Sharing Act, not necessarily CISA, the organization. It's not confusing. Cue Spider-Man pointing meme. But I'm curious, what are your thoughts here of, hey, at least we're starting to share again?
A
At least we're starting to share again. But my question is, why is this happening? So you said this is a tug of war. It's more like a tug of Rand Paul. And I haven't really even found any reason as to why he's against this, because it seems like there is bipartisan support to actually do just a clean ten-year bill. Just, hey, what we were doing, let's just continue to do that for the next 10 years. And you had support on both sides of the aisle that were with that. Rand Paul is the one person who's like, no, I'm not good with it, so wouldn't let an actual yes/no vote just, you know, just kind of happen during the shutdown. So I am aghast as to why are we in this situation. This seems like this should have been one of the things that we absolutely should have figured out. I don't know, it's like my memory's not great, but it seems like, I don't know, four or five minutes ago we were just talking about a really ridiculous cyber intrusion using AI and stuff like that, and we're just, nope, we're good not having, you know, our public sector and our private sector talking to each other until we get stuff figured out. So I am at a loss for words. I don't know why Rand Paul has held out on this.
B
Yeah, Howard, go ahead.
C
Do you know what the budget requirement is? Do you know what the request is? How much money we're actually talking about from the Fed?
B
I do not.
C
Can't be a lot. It can't be more than, I don't know, 50 or $100 million, which to us is a lot of money, to them is not even a rounding error. The decimals don't go that far.
B
Yeah, well, that's the worst part for me. Going back to our conversation. It's the spend the thousand dollars, right? Do the table stakes things. I am all for, like, hey, is this the best way to do something? Maybe it's not. You know, can we improve on this? Do we need to keep perpetually renewing this specific piece of legislation? If we need a much broader information sharing or we need more focused, or, you know, if you are making any kind of case as to why this either needs to be reformed or refined or anything like that, but there's not. It's just the government shutdown and, oops, we didn't get this done in time. So now we just have this giant... Like, that's what's frustrating for me. I have no problem saying the way things were done was not the ideal way. We can do better. Maybe we can be more cost efficient. Like, I'm open to all those conversations. The fact that it was just shrug emoji and maybe we'll renew it for 10 years. Yeah, I mean, Howard, to your point about leading the world there, we also don't do better. We also don't do better. Yes.
C
That's the other thing we constantly do. It's the talking point that this doesn't work. Take the ACA. It's a much bigger topic, but it's exactly the same conversation. So we're just going to end the extension. Okay, cool. What's the alternative? Oh, no, just end the extension because we don't like it. Okay, cool. So what's your alternative? Remember, guys, you are Congressmen. You are paid to solve these problems. To simply say no is not you doing your job. If any one of us did that, we would be fired summarily. We'd be called into the office of the CEO and they'd go, so we hired you to do marketing. Your solution to marketing was just no. So we fired you. Today will be your last day. Please enjoy your severance package. And yet Congress continues to get employed when their answer to everything is, can we have a conversation about it? No.
A
Yeah. The public sector and the private sector, they should be working together all the time. The private sector understands this. Even though they legally were no longer supposed to be reporting information, there were reports that, hey, this happened. We need to let the government know, whoever's there, you need to know about this. So part of the resolution that we have to go through the 30th of January is that we're going to give those companies cover. That's ridiculous, that we have to give a company cover for doing the right thing. Why can't our politicians get together on this?
B
All right, well, let's move on to something that frustrates no one. Windows 11. All right. Windows 11 supports third-party passkey apps. Microsoft's November Windows 11 update adds native support for third-party passkey managers, starting with 1Password and Bitwarden; that's currently in beta. The update introduces a new Passkey API developed with these companies to expand password authentication options. Users can now store and manage passkeys through Windows Hello or supported apps, protected by Azure's hardware security modules. Microsoft also integrated its own password manager from Edge directly into Windows. Rob, passkeys seem to be growing in terms of their presence, kind of the ecosystem around them. I think this is probably a major step in that direction, which tends to help nudge public acceptance and awareness, quite frankly, of this technology. I'm curious, what are your thoughts about the corporate adoption and rollout of passkeys? Is that moving the needle from what you've seen in cybersecurity?
A
I am a fan of passkeys. I think this is the technology that is going to be the next thing. Where my concern is, is that where there are passkeys, there still are passwords. And two-factor authentication is just horrible. So when I think of it, and I'm no longer in the corporate world, but when I think of this from the public side, you're seeing Best Buy and Amazon and these companies are using passkeys and they're offering it up front and center. The problem is that they still also give you the ability to log in with a username and password. Until we can actually say we're going to replace passwords with passkeys, we're going to have all the password problems that we've ever had, maybe even more, because now people aren't really used to using their username and password and they forget what it is, and it's like they don't realize, oh, this is no longer your username and password. So there's a lot of issues, not with the passkeys but with the fact that we still have to keep the legacy systems running, because no company is going to say, I'm not going to let somebody log in on Black Friday to buy something from me because they don't have their passkey or have their phone right next to them. They're just simply not going to do that.
B
Howard, I see you shaking your head there. Are you in accord here with where Rob's thoughts are at?
C
Funny enough, I had the conversation last week and it's kind of the same problem. Sure, I've switched to passkeys. That just means my password, you know, the terrible one that I chose that I really paid no attention to, that's just going to age forever as a terrible password. As it gets easier and easier and easier to guess passwords, especially mine, that password is still sitting there, totally valid as a way to log in. That's a bit of a problem for me. For the same reason, God forbid it's shared, God forbid it's in an exploit, whatever. Until the tools can actually force the change of that passcode: hey, you just signed up for a passkey. We have that same integration. We'd like to go ahead and execute and change your password to a secure password, which we will store in your vault so you can still get access to it. It's 128 characters that you'll never need to know. Whatever, whatever, whatever. Until they do that, they're literally just aging the bad habit. They're not solving the bad habit.
B
But is this a situation where we need to build out? We need all the Microsoft integrations, we need all the LastPass and 1Password, we need all those integrations to be well established, trial tested by everybody before we get to, like, is this okay? In five years we'll be at that point? Or is this something where we're always, I mean, Lord knows with Microsoft and legacy systems, right, is this always going to be something that, well, if you really want to, we'll still opt you into having your terrible password that you manually enter in for all of time, and someone is going to keep that on as a default?
C
I mean, SAP just changed the heart of the task. So, you know what I mean? Like, I think it's going to live for the next 140 years.
B
Years.
C
I think our grandchildren will fly into the stars in a wormhole still using a password set by their great-grandfather hard-coded into the console. You know what I mean, we're terrible at this. That's the problem that I have, though, is we're so bad at this. We just created a band-aid for something we're never, ever, ever going to treat. Because we created the band-aid, we didn't actually create a full ecosystem to solve the problem. We just went, we're now sticking this thing on top and it's fine, it's fine. Just don't look over here. We just created the Wizard of Oz.
A
The clock doesn't even start officially until you have companies saying that you are using passkeys and there is no password. This is the only way to authenticate. Until that happens, the clock doesn't start. That's years out. We're years from now. We will still be using passwords in the 2030s, I am certain of it.
C
Well, but then the problem is single-vendor buy-in, right? So passwords at least allow me to back out of whichever one. 1Password, fine, allows me to back out of that and choose Bitwarden as an alternative, or vice versa. If you get rid of passwords now, all of a sudden that vendor lock-in is that much tighter, is that much stronger. I totally agree that we need a solution. I'm just not sure. I just know this one isn't it.
B
You just made me think that. As a rule, I believe that all technologies at their base become an ad tech play when you play them out long enough. And Howard, you've just assured me that somehow passkeys are now an ad tech play, because I can't leave 1Password and I have to watch a Verizon ad or something like that with Jeff Bridges, and I don't understand why he's there or why I'm seeing anything. So thank you for that. I appreciate you validating my theory. Also, I'm just calling this as a theme for our show. We now have the SAP rule for our show. It's like, has SAP been struggling with this for decades? Okay. It's an intractable problem in cybersecurity. Okay. Turns out, who knew? All right, and our last story here. Denmark and Norway investigating electric bus kill switches. Recently, a bus company in Norway investigated the connected capabilities of two of its bus models, one from the Dutch manufacturer VDL and the other by the Chinese firm Yutong. It found that because of how Yutong buses receive over-the-air updates, Yutong has direct digital access to each individual bus. A similar situation was found in Denmark, and Danish COO Jeppe Gerd clarified that this isn't a Chinese bus concern, but rather something to account for with any connected vehicle. Yutong said that all of its vehicle data is stored in the region. All vehicle data in the region is stored in an EU-based AWS data center protected by storage, encryption and access control measures, which doesn't necessarily rebut any of the reporting. Rob, from your perspective, a lot to unpack here. As an IoT concern, what about this kind of stands out to you?
C
You?
A
Well, to me, the headline is probably worse than what is actually the case. We've known that this was the case going back into the 70s and 80s when we're watching sci-fi and they have the smart car of the future and there's a kill switch for the police. We've known that. You know, there's, like, horrible Tom Selleck movies where we see this happen when we were kids. So there's that. The other part of it is that if you have firmware being pushed from the cloud, there is the potential, either by intention or by omission, which is probably going to be more so the case, that something could happen that would shut something down. So as long as you're able to connect to the Internet and get firmware or updates for vehicles, this is always going to be the case. And I think the headline just got out there and made a lot of alarm for a lot of people. Oh, well, you know, the bad actors can set down the bus when it's in the middle of the road. Technically, yes, that's possible, but that's possible for literally everything that can receive updates over the air.
B
Howard, is this just a case of someone in the government actually read the manual?
C
Oh, no, no, no. They still haven't read the manual.
B
Someone on their staff asked someone to read the manual and they used AI to tell them.
C
Yeah, no, they stumbled into some dark place in AI and AI went, hey, by the way, your buses can be remotely detonated. And they went, I don't understand. We have buses. And then launched the whole investigative committee. No. So it kind of reminds me of, like, the story of a friend of mine who was a pilot in Vietnam, and they were initially using sensors attached to their planes that would smell for the presence of Viet Cong. I'm not going to tell you what they smell. It doesn't matter. They smelled business. And so the Viet Cong figured it out almost immediately and just did their business elsewhere. They didn't do it at camp anymore. Next thing you know, not effective at all. Or Predator drones in the Middle East, we didn't think to put encryption on them. Why would that be a problem? And then somebody figured out how, for 100 bucks on the dark web, to sell the plans to make a receiver. All of a sudden, Predator drones aren't effective anymore. Why? Because they know exactly where you are. This is another case of, hey, we probably should have thought about this really early on, because, you know, even people who aren't actively malicious trying to kill people, like, I don't know, your traditional hacker is still an infinitely curious being that every time they see something that looks like a digital red button pushes the digital red button, right? So, yeah, if it could possibly go wrong, it absolutely does. And I'm sorry, but telling me that AWS does things that are required by SOC 2 or FedRAMP does not give me any security whatsoever that you've designed your application in a way that follows any reasonable security procedures, especially when you only mention the ones that come built into the cloud.
B
That was the most stock non-answer that I have possibly ever heard. I mean, it was almost kind of like a beautiful sofa story. When I thought about this, I guess when you get these kind of stories, and Rob, you're rightly pointing out the headline leads down an interesting path, right? Like, these are things that, as city planners and city architects, as we're building out connected cities or we're building out city services and stuff like that, these should probably be on our mind before we've invested, you know, hundreds of millions of dollars in buses and stuff like that. When you get this type of... again, your CEO reads this headline and then all of a sudden now he's concerned about every IoT connected device on your network, or he's concerned about his EV that's getting over-the-air updates and stuff like that. Like, how do you provide some context, provide some oxygen in the room to properly contextualize this without going full when they come in hyperbolic like this?
A
You know what? We have way more people using phones and laptops than we do riding those buses. Last time I checked, Apple does over-the-air updates to their phone. They could, they, they could brick your phone just by doing an update. I mean it's the headline. Yes, this is, this is what we trade for the convenience of not having to bring it into an office and have somebody physically do an upgrade, that we can just push the upgrade to it. This is what we trade, that yes, there is potential that something bad can happen, but I think that we always jump to that negative that it's a bad actor sitting in a dark room that is basically, I'm going to destroy this bus and blow it up right when it's next to, you know, the, the middle school. And I hate to be, you know, gory like that, but, but that's ultimately where we're going when we're thinking about this. When it's. No, the computer gets an update over the air and if that were to, you know, be faulty, then it could cause that bus not to run as intended. That's what we're really talking about.
C
I mean, kind of. I'm not sure I agree with you. Right. DEF CON has a whole car hacking village now because this is.
A
Because that is true. I was thinking that as I said.
C
Also my phone, the absolute worst thing that could happen. And I don't know how you would technically do it. Let's say you could get the thing to run at 100%. Ignore all of its temperature safety protocols. It catches on fire and it injures the person holding the phone. Little different when it's a, I don't know, 70,000-pound bus, you know, full of passengers. I'm not trying to go to the worst thing possible. That's not. I don't spend any time there. But it does make me wonder, like, guys, these buses aren't that old. What did your RFP look like? Mike?
A
That's a good question. And I would also say this, I would hope that we're talking about the firmware, not the actual drive system. So can you send a code to lock brakes up? Can you send a code to, you know, rev the engine? If those are the things. Right.
C
By wire. Right. Like they're. An electric bus is drive-by-wire. The braking is controlled by a combination of things that includes one, one-pedal driving. Right. So like it still includes using the engine for engine braking. That's how you get the efficiency. So if the engine and the drive motor are controlled, both for starting, stopping and going, by an ECU that's controlled by the firmware, then I would imagine so. Right. An electric car doesn't have an accelerator the way we'd normally think about it. It has a button or a potentiometer attached to a sensor.
B
And to answer dropoutpl in our chat room here, in terms of the intended purpose, the investigation was purely into the capability. Right. Of a remote update to deactivate. Right. To make the buses inoperable, essentially. Like the, the concern here, we're getting into some of the higher level concerns which are 100% legitimate. And as you rightly pointed out, we are seeing security researchers focusing in on this for all sorts of malicious intent here. The specifics of this report was simply to make these inoperable. So like in the event of, you know, an advanced persistent threat wanted to disrupt civil infrastructure and stuff like that. Like literally like the buses wouldn't run, people couldn't get to places and stuff like that. Producer Steve Prentice. Jump on in here, whatever is on your mind with this story.
D
I just want to contact Keanu Reeves and tell him I have a script for Speed three.
B
Speed three Slow Stop.
A
No.
B
Speed three Kill Switch. Actually that's an awesome name for a movie.
D
Would be a great Speed three Kill Switch.
C
Love it.
B
We got it, Sandra.
A
It was said here first. Yeah.
B
Yes, yes. I love it. The modem can't go so fast because otherwise the kill switch. He has to do it over a dial-up. I don't know how it works. Somehow we have to work.
C
If he gets less than one bar.
B
Yes, yes.
C
He's got to stay on a route that maintains four bars or something. So I do think there would be a lot of value in, as government agencies look at expanding their services into these kind of next gen buses and trains and whatnot, that not only is a kill switch built in, but that they have control of the kill switch. And it's at a very low firmware level. The worst thing that could happen is a supply chain attack. Right. We talk about those all the time. If they, if they were able to maintain a kill switch, even a physical one in the bus, they at least would have some control over stopping the rampage, you know.
B
All right, well, we are just about out of time here on the department of note. Before we get out of here though, we have to close. We have to close up the stand up here. We've been standing for too long. We're starting to. And my knees are hurting. I can't do this anymore. But before we get out of here, Rob, I got to ask you, what was one story or one trend that you've seen over the past week that you know, you reacted strongly to? Just has been on your mind. Just. Has there been any news story either in our rundown or just in the news that's just been really rattling around the old brain?
A
I can't think of a security story that we didn't talk about today that's on my mind. But one thing, I am a big proponent of children not using phones in schools. And there are reports out about where there are schools that are literally taking the phones away from children as they're in schools or putting them in those bags. Like when you go to a comedy club, you stick them in there and they get them at the end of the day. And the side effect is that the actual noise in the lunchroom has gone up because you now have children talking to each other and having one-to-one or one-to-many conversations through the air and not through a device. So that's something that stood out to me over the last week or so that I'm pretty happy about. Hope more schools pick it up.
B
Howard, how about you?
C
Identity has been a big kind of conversation piece and attention piece for me. We keep talking about AI identity like it's an NHI. It's not an NHI. It's the first time. It's a non-human identity and a human identity because it doesn't. Quite a bit of impersonation, right? Use cloud desktop. You've got the AI working on your behalf. The AI is actually working as you. The AI is not working as a service account that is duplicated from you. So it is, it is a non-human. It is a non-human as a human identity. We don't actually have a category for that. And it really kind of bothers me. And the reason it bothers me is we're really bad about assigning permissions, especially to humans. We tend to give too many permissions. Well, we know that Susie in accounting is going to act a certain way because Susie in accounting has done that every day for the last 25 years. She clicks on the things she needs to click on. She does the things she does. We don't actually have that reliability with the AI. And it becomes a real problem as we continue to move forward that we really haven't solved this problem. And almost all the talking heads are talking about it as though it was one of two things. It's not. It's both things at the same time, depending on context, depending on usage and whatnot. And it is a completely unmanaged risk at this point.
B
That is completely fascinating. And yes, that's the first time I've ever heard someone address that in that way. So I will repeat that, Howard, and sound smart and not attribute you next time I need to do that. So thank you for that. I deeply appreciate it. I also deeply appreciate everyone that was in our chat room today. Of course, we had Darius Jung, who's one of our regulars on Super Cyber Friday in there. I got to see his gamertag on YouTube, so that was cool. We also had dropouts pl. We had Ruben in there as well. The big boss man, David Spark, Kevin Farrell and a bunch of others helping us have some fun there, giving us some good thoughts there. You can join them too. Join us next Monday, 4pm Eastern. Get in and have some fun with the live show. A big thank you to Rob Dunwood, host at Daily Tech News Show. You can check that at dailytechnewsshow.com, and Howard Holton, the CEO at Gigaom. Thank you both so much for being on the show. I deeply appreciate you being here anytime.
A
It's been an absolute pleasure.
B
All right. We will also have links to all of their LinkedIn stuff as well, so that will be great. Thank you also to our sponsor, KnowBe4, the number one human risk management platform. Join us again next Monday at 4pm Eastern for another edition of the Department of Know. Do so go to cisoseries.com for more information. Look for that events page. Until the next time we meet. For myself, for the big boss man, David Spark. For our glorious producer, Steve Prentice. For all of us here with the CISO series, here's wishing you and yours to have a super sparkly day.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Date: November 18, 2025
Host: Rich Stroffolino, CISO Series
Guests: Rob Dunwood (Daily Tech News Show), Howard Holton (CEO, Gigaom)
Producer: Steve Prentice
Sponsor: KnowBe4
This episode of the "Cyber Security Headlines" podcast features a dynamic roundtable discussion between security leaders and tech commentators about the latest trends and incidents shaping information security. Main themes include the rise of autonomous AI cyberattacks, the complexities facing CISOs in government and enterprise, and the increasing risks and controversial control mechanisms in connected infrastructure—most notably, the revelation of bus "kill switches".
On AI in Offensive Security:
On Government Cyber Priorities:
On Passkeys vs. Passwords:
On Insider Vetting:
On IoT Bus Risks:
On AI Identities:
Rob: Celebrates schools banning phones, observing happier, more social students.
Howard: Raises concern about the lack of conceptual and technical clarity for AI identities. Warns it’s a pressing, unsolved risk as AI acts with human-level permissions but isn’t managed as a person or as a system account.
The episode combines light-hearted banter, analogies, and dry humor with incisive analysis and forthright critique. Hosts and guests shift comfortably between technical specifics and policy-level commentary, and frequently deploy memorable quips (“tug of Rand Paul”, “the SAP rule”, “the cost of a thousand dollars vs. losing millions”).
This episode delivers broad, accessible, but highly relevant insights into contemporary cybersecurity, from insurance and AI threats to the basics of identity and connected infrastructure. It highlights persistent gaps and failures—technical, organizational, and political—urging listeners to prioritize readiness, documentation, and critical thinking over buzz-driven reaction or cost-cutting shortcuts.
For full stories, visit cisoseries.com.