A
Cybersecurity Today. We'd like to thank Material Security for sponsoring this podcast. Material Security provides faster, more complete detection and response for email, identity and data threats inside Google Workspace and Microsoft 365. You can contact them at Material Security. Welcome to Cybersecurity Today's Month in Review. I'm your host, Jim Love. We have our regular panel: David Shipley, CEO of Beauceron Security and co-host of Cybersecurity Today. Hello, David.
B
Hello, Jim.
A
Laura Payne from White Tuque. Welcome.
C
Thanks, Jim. Always great to be here.
A
And Jeff Williams, who some of you will know if you watched last month. He's one of the co-founders of OWASP and founder and CTO of Contrast Security. Welcome, Jeff.
D
Thanks, Jim.
A
Okay, panel, everybody here is experienced, you know the drill. And just for the audience out there: anybody's free to bring in a story, you outline it, give us a little bit of a foundation so that the audience understands the story itself, remembering they may not have seen the same news you did. And then we go into discussion. That's really the essence of the show, and it's piles of fun. So there you go. I want to start out with one. I'm going to bring one out here, and that was this story that we covered, and it was interesting, and it was from Microsoft. I called it "Microsoft Puts the Hammer Down on Revelations of Vulnerabilities." And I'll just give you the basic piece of this. A researcher named, and I love the names, Chaotic Eclipse, AKA Nightmare Eclipse. For somebody who writes science fiction, the names are important because they're great character names. But apparently this researcher got a little bit tired of what I guess they felt was the delay in announcing vulnerabilities, or in getting through to Microsoft, and disclosed the details of multiple zero-day vulnerabilities affecting various Windows components, including Defender and BitLocker. They'd done that over the past month and cited a breakdown in Microsoft's handling of vulnerability disclosure processes. For anybody who's ever, and we've seen this many times, people will disclose something to Microsoft and they'll say that's not a problem, if they get back to you. So I guess that was whatever the frustration was. The tech giant was less than amused. I think we could say the queen was not amused. David, you covered this. What did you think about this one?
B
So this has been going on for a number of months, and the first time, the two zero-days that were dropped were affecting Microsoft's Defender platform. The chef's kiss for me, for every law firm around the country, was a vulnerability in BitLocker. It was called Yellow Card, which I hope was a callout to Doom, but maybe it's a soccer thing because it's FIFA World Cup. Doesn't really matter. With this particular magic piece of exploit code, you can unlock any BitLocker device if it doesn't have a boot PIN code. So that means every legal defense that currently rests on "your honor, that lawyer's laptop, that accountant's laptop, that doctor's laptop that was stolen, we can prove it was encrypted, so the harm is reduced because unless you're a government agency, you can't get in there." Not anymore, my fine friends. All of those defenses are burnt. So, not that it was a great defense to begin with, but it was certainly one of the levers that people pulled. Now, Chaotic Eclipse, Nightmare Eclipse, it seems to be the more popular name, there's a lot to this character. And so, number one, they say they were forced into this. They say Microsoft burned their ethical pathways, the Microsoft response pathways, for them to report things. They then had their GitHub repos taken down and things started escalating from there. And Brian Krebs did some great legwork, Krebs, KrebsOnSecurity. And he found out, hey, this person's got a little bit of a paper trail. They're a known researcher. They've done lots of things. They may have in fact worked at Microsoft. So, you know, wise words from Brian: there may be more to this story. Fair point. But in the midst of this, Microsoft put out this blog post about a week ago and it lit the security community on fire. Just for those listening, nobody does drama like infosec cyber drama. And when this group gets on a podium, wow.
So everybody was trouncing on Microsoft over this vaguely threatening language that was in there, that was interpreted as a shot at this particular researcher, but also bringing flashbacks of 20 years ago, saying, okay, great, we're going to criminalize research again. Fantastic. And even internally within Microsoft, I'm aware that there were lots of people who were less than happy about that blog post. To Microsoft's defense, earlier this week, on their social media channels, they began walking it back. We're not going to go to the cops on this particular researcher yet. Although there are still some vague sort of points about "unless you're really clearly involved in criminal activity." So that seemed to have been their attempt to calm the waters. I think they kicked the hornet's nest, and I think everyone's super strung out right now on all this Mythos shenanigans and feeling overwhelmed, and we're tired and we were always cranky, and this was the worst possible time to poke the bear. I don't know how Laura and Jeff felt, but I felt like everyone's emotions were at 12 on a scale of 10, and it got pretty hairy pretty quick.
D
Yeah. My take is these are really bad vulnerabilities, and they're the kind of thing that you'd like to see disclosed responsibly or coordinatedly. But at the same time, I feel like Microsoft is really just striking the wrong tone here. I've had good and bad disclosure experiences myself. It's really disheartening as a researcher when you find something really important and you want to get it out to the world, and the company doesn't care, or just slow-rolls you, or it's a year later and you're still like, hey, come on, let's get this fixed. And so I guess, I know it's never going to happen, but I feel like Microsoft should be appreciative of somebody doing this kind of research as a volunteer, for free. That's the only thing that keeps the security market working, the work of those free researchers. And it's just disappointing that we might be headed into an era of less support for researchers. That would be really dumb.
C
I think it highlights a couple of things that I see. So one is, researchers have, in a lot of cases, and this is kind of part of the culture of research anyway, really operated independently. And I see an opportunity here for some sort of organization of researchers, to really create a unified voice around: what are the ethics of saying you're a good-guy researcher? What are the expectations that you would like to see from companies? What are you willing to disclose up front? What are you not willing to disclose up front, in order to establish that you are doing this for the right reasons and behaving ethically? But you'd also like to be recognized for the work that you're doing with some sort of compensation, and also to have some kind of grouping to provide some support in these kinds of scenarios, so there's more than just you funding maybe your legal defense and things like that. Right. So it's almost like a union, but nobody unionizes.
D
You're like a labor leader now.
C
But I think it's important. Right. We have a lot of people who are saying, we are doing this for the right reasons, to protect a lot of people, but nobody is there to have my back when somebody gets me in trouble for doing the right thing. And also, and I have an engineering background, so this is really key: if you're an engineer, when you graduate, you declare to follow a set of ethics, which includes making sure that you're not going to do harmful things. But here's the flip side. Let's say you find something like this that's really bad. You have the flip-side obligation of making sure it gets addressed. It's not okay, if you know the bridge is going to fall down, to not tell anybody and not make sure it gets fixed, right? So this is just, we don't see cyber issues the same way we see weak bridges, but they have similar, if not significantly larger, consequences depending on what the problem is in cyberspace.
B
And I think I give a lot of credence to Katie Moussouris. Katie created the Microsoft vulnerability responsible disclosure processes back in the day. She was among those hackers heading to the Hill, those voices that I listen to very carefully, and she was quite clear in her feedback: she thought Microsoft struck out with their response to this, and it was disappointing. And yeah,
A
oh, sorry, Laura, go ahead.
C
And yeah, so then part two of where my thinking was going is that, just like any incident response, and vulnerability management is basically just incident response, sometimes with a little more time before it's really a problem, this will be a great case study in incorrect crisis communication. This is what happens, and I'm just going to kind of go general with this, right, when lawyers lead a conversation instead of executive leadership thinking about the bigger picture. These are the kind of communications that go out, as opposed to leveraging people who understand public relations. It doesn't mean you just roll over and be nice about it, but you can approach things much better than this.
A
My father used to warn me about taking a minute to think before you say things. And to me, this was the most tone-deaf approach in a world full of tone-deaf approaches, to go try to slam some hacker. First of all, just as somebody who runs a cybersecurity show, I will tell you, don't piss off that audience. I routinely, and by the way, I will do this fearlessly, when we name somebody out there and we call them out on stuff, I've got a basic 100% DDoS happening on our site most of the time anyway. But it's a community you don't want to offend, first of all. And second of all, I think Jeff's point: these people are trying to do the right thing for you. So even if somebody doesn't have, and God forbid somebody in IT doesn't have, great social skills or doesn't do everything socially right, that never happens, you should be at least bigger than that with your $1 trillion company. Anyway, that was a big disappointment on Microsoft. But the second thing is, I've seen so many of these stories where people have reported something to Microsoft and just been blown off, and later on it's turned out to be a real bug. So they need to start thinking about how they respond to people as well. Because I've seen that time and time again, where we'll be reporting on a bug and somebody says, oh, I reported that two years ago, but Microsoft said it wasn't a bug.
D
Two quick thoughts. One is that this is probably the worst time ever for vulnerability response teams. They're overwhelmed with AI reports that are lots of garbage. A little bit of signal in there, but it's really difficult for those teams right now. And the second thing is, I can't get the picture of security researchers on a picket line out of my head, Laura, walking around. But then I started thinking about it. I was like, but wait a minute, they don't work for Microsoft. So Microsoft might just not care. They're like, yeah, you can picket all you want. We're separate from you. And I just worry that we're headed into this tech deregulation era that is going to make it really difficult to get things like you're talking about, any sort of organization or certifications or professionalization of bug hunting. I don't know, it's probably not on the horizon.
C
Well, where it's a little different is it's not like when a union strikes, they're all striking from one employer.
D
Right?
C
And in this case, is it. Are they just going to strike from reporting things to Microsoft? Fine, you suck. None of us are going to help you anymore. Go pay people.
D
Yeah, but they'd probably be happy with that. Cool.
C
No more bugs being disclosed to them. Yeah, but maybe we'll just go disclose
D
zero on every metric. They'd be like, cool
C
until the bad guys are the ones benefiting. Or you know what, fine, we'll just go help everybody else.
B
Right?
C
Because we're talking about these are the actually helpful people.
B
But I think, honestly, we've been in this era for probably the last 20 years: it's the too-big-to-care. You know, we talk about the banking crisis and the too-big-to-fail, and this is too-big-to-care, really to Jim's, sorry, to Jeff's point about deregulation. The fundamental problem that we have, and we talked about this a month ago in our last show, is that product makers aren't liable. Microsoft doesn't care about bugs at the end of the day if it has sufficient legal liability shielding from the consequence of, to use Laura's analogy, the failed bridge. Ain't none of them going to jail for a vulnerability that led to a hospital ransomware today.
C
And where they might be mad is if their government contracts, their major financial institution contracts, all start to come under question because they no longer have an effective vulnerability disclosure program.
B
But what I would say is that's a requirement.
C
It's not effective if nobody is willing to participate.
B
But other than France raising the stable,
D
I think it would be highly successful.
A
I think there is a flip side to this too, and that is, in fairness to Microsoft, and those words rarely leave my mouth. No, I'm just kidding. The idea is that this whole system of bug reporting is breaking down. Linus Torvalds, or Linus Torvalds, I guess, is the proper pronunciation of his name, was just freaking out and saying, don't send me any more of this stuff. If we're overloaded on the security professional side of this, the people who are receiving these things are also overloaded. So there is some sympathy for that position as well. And it really means, I guess, and maybe it goes back to what you were saying, Laura, and you're saying, Jeff: this is broken, we need to fix this, or it's just going to become non-functional.
B
But here's the bigger picture. Without product maker liability, the incentives are all wrong. They're going to vibe-code themselves into infinitely more bugs. Which is great news for bug-finding AI software companies. Like we said before, this is the closest to a perpetual motion machine we may ever truly engage as humans. But it's a downward spiral of bugs until you say, no man, you're liable. But the reality is, besides France, which is saying we're done and we're trying to move away from a whole suite of US-based tech products for political reasons, where are you going to go? Corel WordPerfect lost to Word. If I hear that 2026 is the year of Linux on the desktop, I'm just going to stop, please. Apple's having a moment, but really? Okay, so we've got a duopoly. It's Apple or Microsoft.
A
As sympathetic as I am to your point of view, David, and I am in terms of the legal liability, there's also the suppression of innovation that would happen were that to be universally applied. Because that means that if you are a two-person shop putting out a piece of software and you are subject to an unlimited liability, basically entrepreneurship stops. It's one thing to tackle a trillion-dollar company, it's another thing entirely. And this is why the other piece that I find is that, in the absence of legislation, and we'll talk about this in terms of AI legislation particularly, in the absence of legislation, the courts and lawsuits take over, and these are pretty blunt instruments to deal with everybody. And like I said, if you're a trillion-dollar company, that's one thing. If you're a 10-person company and you've mortgaged your house and you're trying to put a product out there and you're doing your best, and you get slammed with a lawsuit the same as Microsoft, you just stop innovating.
B
So just one thing, because I think I'm the only person here that has done military service. We're not talking about unlimited liability. Unlimited liability, in the true sense of it, is "I am willing to die for this thing." We're talking about some liability. We're so out of whack, with so much liability shielded. I'm not talking about going there, and you could do it proportionately, to your point. When you look at what Europe is doing with GDPR and other things, they are proportionate responses, they're smart. And I remember one of the first GDPR fines was on one of those small SMBs. They didn't get a 20 million euro fine, they got, I think it was like a 20,000 euro fine, that was proportionate to the size of the company and enough to ring their bell. So yes, like I said, the two-person shop is completely able to. And look, I'm a vendor, I recognize that I benefit from the all-caps giant limitation of liability section, and I appreciate that in its truest form. But for Microsoft, these large ones, maybe it's time, when they do enjoy this size of market position. And so maybe to your point, Jim, if it is proportionate, it needs to be proportionate, so it's not killing innovation, fine. But call me crazy: doing the same thing over and over again for the last 30 years, no product maker liability.
D
That's an insurance problem. And so we'll see a different kind of cyber insurance if we create liability for vulnerabilities. But the good news here is we're going to find out, because in six months the EU enacts the Product Liability Directive, which creates no-fault liability for harms that stem from defects in your products. Whether you're a two-man shop or Microsoft selling in Europe, doesn't matter. So we're going to have a worked example here over the course of the next year, and I for one am here for it.
C
Yeah, I think there's also, I want to caution a little bit on the whole stifling-innovation discussion, but B, just because you're two people, there are certain things that should not be done by just two people. And the problem with software is that it's enabling a whole plethora of things. Just to use an analogy: a peddler from back in the day would take the cart around and they'd have these potions and concoctions and whatever on there, right? And they'd sell them to anybody anywhere and claim all sorts of crazy things. And if you were lucky, it wouldn't kill you. Right. But you were allowed to just sell whatever you wanted off a cart and let people buy it, make whatever claims you wanted about it. Right. We don't let that happen anymore because
D
we know that. It's called Instagram. Okay, well, fair.
B
We shouldn't let that. We don't let that.
C
People sell stuff off of carts claiming things. Right.
D
Okay.
C
In most places, anyway. So there are certain things that should be consequential if you are selling them, and you really shouldn't be. And I know some direct examples, but I'm not going to disclose them right now.
B
I want to build on that for a second. So you can't build a car now as a two-person garage shop and sell it to somebody else, or to 200 people, even if you could magically make that car. Because we have Transport Canada, there are North American auto safety regimes. It has to be certified, approved and ready for market on that side. We've built an entire process. We had a hundred years to do that. Okay. Took us a while, by the way, to get there, because it was people in their garages building cars that could explode on people. Some did. But we're 30, 40, 50 years into the software era, and we're not even getting close to saying, number one, and Laura made this point about engineers: engineers are certified, they're legally accountable professionals. And this is the one thing, if you ever talk to an engineer about someone who calls themselves a software engineer and never did a software engineering degree, they have big feelings about that, because they're a profession. And maybe we need to say we're going to have software engineers. If you're going to mass-market a product that has the potential for harm, or a real risk of significant harm, I'm not talking about a base64 app for selling your Girl Guide cookies, I'm talking about something that is going to contain personal information or affect life safety systems, you're going to have to have an honest-to-God software engineer. And that person is going to certify
A
that code. Which I will pipe in with: in the Canadian economy, you've just negated 95% of the businesses that are out there. That's the size of it. No, but I'm just saying, there has to be balance. I get that. But you can't dismiss the small entrepreneur, because that's how everything happened: it's Mike and Terry in their garage.
D
Not just entrepreneurs, big companies are in the same boat here. We chose innovation over safety, and we're doing it now. The new AI executive order in the US is massively favorable to tech companies, to push this technology out so we don't get left behind. But this is a choice we're making.
A
I do want to recap this, just because there are two points out of this. And I think, regardless, and I don't think we're as far apart as I might seem in some cases here, the issue is: reporting is broken. And if it's not fully broken now, it's going to break over the next little while. And the other one is that we're going to find out in the experiment that is Europe, because it seems to be the only jurisdiction that does any regulation. We'll find out in a very short period of time how this works out.
B
So, but what's interesting, China is regulating AI. I can't believe that I'm saying this. And they're doing it in really intelligent ways, because they're acknowledging the harm, but they're certainly not sacrificing their innovation edge on this. Between YOLO Freedom Town, deregulate everything, and Europe, regulate everything, I think China's actually in the middle of this. But the biggest thing that I think we keep coming back to is the FOMO on AI. AI is so off the charts right now, it is driving policymakers off of cliffs. And I want to go back to Jeff's point about this deregulation push, because the reporting around what was happening in the White House was fascinating. There is a camp that is very deeply concerned about AI, and they collided, and the deregulators, big tech, won big with that executive
A
Let's cover the story. Let's cover the story. And I think, if it's the one you're talking about, just before you get into
D
that, because I just wanted to paint the whole spectrum of options here. We talked about the two ends of the rainbow, but I've always pushed for a middle position, which is much more about transparency and visibility than liability. And it makes the information available to consumers so that they can make informed decisions, and they are choosing the level of risk that they want. So it's kind of, who decides what the right level of risk is? Should it be the government? Should it be the consumer, who can choose from a variety of products and let their dollars do the voting? Or should it just be like, consumers can't choose? There's an array of options here for how this gets regulated. I don't want people to just think there's one solution that we
B
got to go for. Something we can come back to. But just to Jeff's point, the challenge here is information asymmetry. It's also known as the lemon car problem. So the seller has way more information than the buyer. So Jeff's point, if I interpret it properly, is to try and level the information asymmetry through transparency. And this would be a classic sort of Adam Smith, invisible-hand-of-the-market kind of force, but we've seen the limits of that. So to your point, Jeff, I do think that there's a middle between regulate-all and deregulate-all. I think the market forces play a role in that. But I also think that these big frontier AI makers need to be regulated as, first of all, triopolies, duopolies, whatever, on that side of things, because their market weight and force is almost quasi-utility. When I hear Sam Altman musing out loud that they want to meter intelligence, it sounds an awful lot like a utility. That terrifies me. But there's gotta be something in there, otherwise their power is just too large.
D
I think there is competition in the AI market, and so I don't think you could find that there's an antitrust violation or monopoly or anything like that. I don't think that they would be able to regulate it that way. But I don't think we've tried mandatory transparency around security. We don't force companies to reveal how they built something, how they tested it, how they secured it, how they monitor it in production to make sure that it's safe. And those are the kinds of questions that you'd want answered if you wanted to actually, you know, create a market for cybersecurity, which just doesn't exist, I
B
think. In Anthropic's case, they just dropped this thing Friday where they're like, whoa, we need to put the brakes on, possibly, AI creating AI, because it's starting to get a little crazy. And then they're humble-bragging in the middle of this: 80% of our code was written by AI. And yeah, that's why you got a 1700-line print statement in your leaked version. We're seeing this moment where I don't even know if they know how their stuff fully works at this point, or even if they care, but it just magically works and they just keep piling in the dollars. We're at the cusp of the greatest fleecing of the average public investor in history with some of these.
A
A willing one. But this is the fleecing of the willing. No, it's true. In terms of valuations, xAI came to market with a valuation of $1.75 trillion. And I forget the name of the company, it will come to me, that does a lot of the reporting in this area. What?
B
Pardon? Oh, no, but SpaceX IPO.
A
No, yeah, SpaceX and whatever they're calling it this week, whatever X it is that they want to get $1.75 trillion for. The best analysis from one of the better companies out there said they're worth half that. And this was the crazy thing: people are going to buy it anyway.
C
And you know, just to comment on the fleecing of the willing, I think the challenge is that there are a lot of people in the market, but they don't control what they're doing in the market. Right. They've handed their money into a portfolio, and you have a lot of other people in the middle who are making these decisions and managing it. And I think, yeah, it's going to be more like the subprime mortgage collapse. There are a lot of people who do not know that their money is flowing in this direction, or how heavily their money is dependent on what's going on in that ecosystem, which I think
B
segues well into it. Jeff, the story of deregulation and the White House executive order, because it's always about the money, isn't it?
A
Or is it just out of control? The story was that the White House issued an executive order, and they wanted to get 30 days' access to any major model. The definitions are a little loose, I couldn't feed them, but they're getting 30 days instead of any sort of valid regulation. And this is voluntary, among other things. And I guess you have to do a pinky swear or something somewhere in there, but that's about it. Now, the problem is, and I've covered this story, and it is a legitimate problem, as much as I'd like to have a moral opinion on it, here's one side of it. The feeling is, if we stop this thing now, and it might be partly because it may be a house of cards, it doesn't matter, if we stop this thing now or pull back on the reins of AI at all, we lose to China. That's what the threat is. And at the same time, when you realize how much of the American economy is being propped up by this bubble and the spending, you don't want to mess with that in an election year either. And in fairness to politicians, I wouldn't want to be the one who kicked that loose. But it does create an issue, and there are a lot of issues in it from a cybersecurity aspect, or protection from a model. And that is, how much can they do in 30 days? I find that just astonishing.
B
But, Jeff, I want to get your thoughts because you had some thoughts around this executive order.
D
I was just surprised that there weren't basic cyber protections built into this executive order. There's been a lot of talk about the kinds of harms that AI can cause, the whole range of things from teaching people how to build bombs and make crystal meth, to the real dangers to children using AI and forming relationships and getting talked into suicide. There are some real dangers associated with AI that I thought we could say something about in the executive order, say, pinky swear that you will put protections in your products for those kinds of harms. It's unclear how you do that exactly, but at least we could be telling them they have to try. And it was disheartening to see that none of that was there. We can't even regulate the tail end of the worst stuff that AI could cause. There's really none of that in there at all. And that's really what caught my attention for the most part.
B
If I was to be super cynical, David, turn the dial up to the side: it's like we don't care how many children we sacrifice to the race for AI supremacy. That's a known acceptable loss. At this point, I can't help but think that is the calculus that they're at, that they just don't care. And it extends, frankly, it extends to Canada. I was so deeply disappointed about our AI strategy, which frankly is about the equivalent of an executive order in terms of, it's not legislation, it's an announcement, it's a strategy. There's some money attached to it, but it is so overwrought with FOMO: we gotta fund our businesses, we gotta get them using the AI, et cetera. And then they're like, oh yeah, we'll deal with the safety concerns through an Online Harms Act, which they're going to botch again, because they overreach every single time, from things that we all agree to, to niche issues for particular voter groups that look great in a campaign ad. So they're going to blow that up. And in the midst of this, in Canada, and I said this earlier in a media interview because I got super fired up, we still don't have the chat transcript for what OpenAI's ChatGPT told the killer in Tumbler Ridge. I want the chat transcript. How do we have a national AI strategy, which is supposed to have safety, and not have full knowledge now of what already happened? Not even the hypothetical. You don't get Sam Altman getting out there publicly apologizing, that company admitting liability all over the place, without something having been said. And I've gotten to the point now where I said earlier, on a Toronto radio station, release the files. I want to see the files. If the RCMP is going to charge somebody, charge them. They're not going to charge them. Let's see the chat transcript.
D
I guess the US government isn't great at releasing files.
A
Yeah, yeah, yeah. No, that's true.
D
I did make one mistake. There is some mention of security in the executive order. It calls out the Telecom Act from the 1950s and says if there's a breach of authorization, then you have to do that, whatever that means. Pretty unclear, but they're really stretching to just say no, nothing changes about cybersecurity with this new technology. It's just whatever was in place before.
B
But that's what's hilarious about that is, because we covered this earlier this year, after Salt Typhoon the then FCC under the Biden administration put in place a series of rules. And this was basic stuff. Mandatory MFA, a good vulnerability patching program. These were the kindergarten level cyber hygiene rules. Gentle parenting from a regulator on that side, and all of that got suspended back in the winter. We're done. No, we trust the telecommunications industry that China rolled through like teenagers in an 80s mall movie to listen to your presidential candidates' phone conversations using the wiretap system they were ordered to build to listen in on Americans. But we trust the same one that we're now counting multiple breaches per telecommunications provider. But don't worry, we can trust them. And then to this point, AI changes nothing.
A
And this is the problem, is the momentum. And you've called it FOMO, David. We've all called it, we call it a bubble. Whatever we call it, it's that we've gotten swept up in something where we've lost the thread of being able to be transparent on what's happening or to have logical regulation. We've lost the ability to move for some reason and that has an impact on all of us. And it's not in the cybersecurity thing. But you've heard me speak on this. The fact that people are taking advantage of teenagers and lonely people and they're using AI to do that, and these AI systems are distorting our young people. And there's no doubt about that. And we don't talk about these effective ways, but young men are now being affected by having relationships with AI. I don't know what you call them. Girlfriends. Let's call them that. And that is distorting how these young men grow up. And there may be other cases and I may just be focusing on that. But I'm just saying. And we have suicides as a result. We have young women who have been dealt with body shaming. We've messed that up with social media. Like I said, we started dumbing down our world in social media. This is just taking us for another leap in that. But we've lost control of this. And that's the thing that I find the most.
B
Here are the two studies that keep me awake at night. MIT Media Lab studied with EEGs the effect of letting ChatGPT write your essays for you. I will grant that the experiment was 50 people, however, they literally hooked sensors up to their brains. So let's give this a little credence on the side. People that used ChatGPT to write for them, do all the work for them, had 55 less brain activity. On the fourth exercise, when the ChatGPT-only group was asked to do the writing, they still had decreased brain activity compared to the group that was brain only for the first three exercises. If you don't use it, you lose it. That was the first one. Second one, University of Pennsylvania, "Thinking Fast, Slow and Artificial," found something absolutely terrifying. 1,300 participants, 9,000 trials. This one's a big one. They found that when they purposely manipulated the AI, it was interesting. They gave the wrong answers. When the AI gave the right answer, 93% of people followed its reasoning verbatim. When they gave the wrong answer, 80% of people followed the wrong answer. They called it cognitive surrender. So we've got some real science happening now. On the pro AI side, because I don't want to just scare you all, when AI is used as a coach, as a helper, as a tutor, but never as the doer, another study, which was a large scale study, showed that people didn't suffer cognitive debt on that side. They didn't have a performance decline. But these sycophantic relationship, preying, emotionally manipulative, I'll-do-the-work-for-you things are going to make us dumber, and you can't convince me that Sam Altman doesn't have that on his agenda when he's bragging about how they're going to sell intelligence metered on him.
A
I don't think they have it on. I'm going to push back. I don't think they have it on their agenda. I just don't think they care. They care about money, they care about the position, they care about going to Mars, they care about these things and that gets washed up away. This is the cost of doing business.
B
For the record, I'm on the pro you should all go to Mars team one way.
A
I agree with you, but I'm just saying that it's not easy. The type of denial that people go through and work through has been part of what we've been dealing with for years and we'll continue to deal with. The problem is the humans are running this, and as soon as our AI overlords take over, we won't have these problems anymore.
D
So let me share how I think about this because we keep going in circles a little bit here. And I think it's important to understand that there's levels to this thing and it's easy to think about the tech parts of it. Right? Most of us do that all day. We're dealing with cybersecurity problems. We're trying to make things work better. We're putting in access control checks and we're doing the work. But that operates within a market. And there's business reasons why you do things and business reasons why you don't do other things. And I think frankly, cybersecurity, the market isn't great for it because it's not really part of the market for a variety of reasons. And that brings you to the regulation level, which is: most cybersecurity activity happens because of regulation. It's because of compliance. It's not because companies are altruistic and hey, I'm going to build it secure, although there are some that do that. But then you have to look at the market and think, okay, so what controls that? And ultimately I think it comes down to the political level where we decide as a nation what kind of policies we're going to put in place and where we're going to emphasize things. And that is a money question. In the US we've got laws, like Citizens United, that say money is speech. And so money controls the elections, which means tech giants can control the discussion around the politics of it, which controls the regulation of it, which controls the market of it, which controls the cybersecurity we do every day. And so it's important when you're thinking about a cybersecurity problem, like hey, that doesn't seem right, you got to get it at the right level. What level are you thinking about, and are you tackling the problem within the level that you can attack it at?
B
I know we're running long and we've gone into this a few times and around things. So if you want to guide to a public policy win. So in Canada we've been working for four years to pass a critical cybersecurity law for critical infrastructure. Banking, telecommunications, finance, energy transmission. Started off in 2020 and we are the last G7 country to finally get an answer. This is basic stuff, incident response. This is stuff the US had with the creation of CISA and the cyber reporting law since 2018. So we're six years behind the United States. Last night, so Thursday night, June 4, the Senate of Canada finally on third reading passed Bill C-8. And I joked earlier before we started the call, I think I may have been the only live web streamer of that. It is worth noting that the Public Safety Minister, Gary Anandasangaree, showed up in person to see that, which some senators I know were like, we've never seen a minister show up. That was nice to see. It kicks off 18 months of regulation, but for once we finally got it across the line. And for those who follow policy at a nerd level, we almost got this law passed in 2024, 2025. Sorry, but there was a typo and we saw it all go down the drain because the government at the time under Prime Minister Trudeau fell. Because, to Jeff's point, that's how important cyber was to government. Whoops, let's do it again. We have lots of time. And I can tell you that battle over that towards the end was fascinating. You had groups lining up like Citizen Lab, Open Media, calling this some kind of surveillance legislation by stealth. It's not. And then you had folks like me, transparently, I was lobbying for this law to get passed. I testified before the Senate committee a week and a half, two weeks ago on this to say get it done. So finally something for banking.
C
It's.
B
I'll let Laura chime in. I don't think it changes a thing because OSFI was pretty on banking, and banking is pretty aligned on protecting their money. Telecommunications, generally okay. In Canada, they were voluntarily working together, doing all kinds of things. Energy transmission, like Zarya, the Russian D group, almost blew up one of our pipelines. And transportation, like airlines, have a hard time keeping flights scheduled without a cyber disruption. So as much as I'm David the dystopian about AI, we finally got a win in Canada on policy.
C
Yeah. And so I think that brings me back to where these strategies and executive orders are going. And we're going back into dystopian land. But AI adoption has pretty much gone the same way that all other social media services have gone, in which, sadly, in a lot of ways AI services are basically just like a new weird sort of social media. But it's all about engagement. Right. Because that's how we're going to get. These companies are banking on going from free to monetization; you need somebody who's so engaged that they're willing to open their wallet. And we know individuals. That's hard to get going. There's a lot more individuals than businesses, but it's harder to get people out of free. So you find other ways to commoditize individuals. But with businesses, what I find really interesting is how the government directives are already on, like, blatant engagement. Engagement. Engagement. They don't use that word. Right. They use adoption. But it's engagement without purpose. There is no. There's very little talk about making sure it is purposeful, that it is driving some benefit for your company, that it is not costing more than it is delivering. It's adoption for the sake of adoption. And that drives me nuts.
D
You're right that we have to think about how this plays out. I don't know. I was just thinking of this Calvin and Hobbes cartoon where Calvin asks his dad, he goes, hey, dad, how do they know the weight limit for bridges? And his dad goes, they keep driving bigger and bigger trucks over the bridge until it collapses, and then they rebuild the bridge and they know the limit. And that's exactly what we do with technology. Right. And so I don't think we are capable of being as proactive as what you're suggesting, Laura. I think the way we secure things is we deploy them like AI and like HTML5 and like the web. And there's all these technologies that we just push out well in advance of the security research. For all the talk about secure by design and shift, all that crap, the way people secure things is they put them out there and then they drive the trucks through them and then they fix what broke and then they're like, okay, now it's secure. And I don't think we're anywhere close to breaking out of that cycle because again, it's the levels that are holding us in that position.
B
So I want to jump in with a couple of quick things on this. So number one, my greatest fear with this adoption fear push is, right now we know that the cost of AI is massively subsidized. Let's just be generous and say that we're currently paying one tenth of the cost of an actual token to break even. That's not even looking at what these companies have to generate for profits to justify the valuations they're actually at. So let's say for the sake of argument that Canada's AI strategy, the U.S. FOMO executive order, are wickedly successful and 99% of small businesses adopt AI, notwithstanding the labor impacts. Let's just say they come to depend on AI for their competitiveness. We won the race, and then the bill comes, and it is going to be the greatest economic shock we have ever felt unless the cost of AI plummets. But if the cost of AI plummets, I posit to you, what exactly again is Nvidia's? Everyone's going to need more chips faster. Based on? And what exactly is this data center build-out based on? So something is wrong. Something is either fundamentally misaligned. We either have the greatest bubble ever, or if the stock is right, and it has to be right, or we are getting, our ETFs to Laura's point, are getting pummeled on this. So there's that point. By the way, just because I'm the resident culture critic, the episode of Futurama that warned about Jim's point about the AI paramours, I refuse to call them girlfriends. I refuse to give them that acknowledgement. But the paramours, as it were, is called I Dated a Robot. And in that episode, Fry downloads a holographic representation of Lucy Liu. And it has a very vivid depiction of what happens to society, collapsing because of males in particular. Because, frankly, I shouldn't stereotype, but men in particular have a problem where they think that this is intimacy. We'll just leave that alone. So I just want to say, if you want to get dystopian, watch I Dated a Robot.
A
Just to go back from robot paramours and go through, we are in a bubble. There's no doubt about that. And the question of what's going to happen with AI is an issue. We will build smaller. We don't need a huge honking AI to run most businesses. Most businesses are dull. Most businesses are very simple. You can run that on. And Google is merely giving away small functional AIs that do business properties. There is a use for large models, and some people say that even these models will be able to cope with that, or they can scale. There's all kinds of opinions on all of this, but there's no doubt that there's no economic argument that justifies the investment we have right now. It's just not possible. And so we are going to go through a bubble in this piece. But as Jeff pointed out, that's how we develop technology. We go crazy. We break it. We did it the last time with the Internet. We had a great Internet bubble and it broke. We did this in 1929 when elevator employees were advising people on how to buy stocks. That's how we roll. So the fact that's going to happen is not a problem with me. And I think I could make a reasoned case for that.
C
I think it's the scale of failure. Right? We're not talking about driving one truck over the bridge. We're driving everybody over the bridge.
A
Exactly. There comes a time when you have to decide. Now, for instance, 1929, the Internet crashed and all this sort of stuff, the atom bomb, you don't want to make a mistake with that. And the question is, with all of the things that can happen with AI, and they don't necessarily mean that it becomes embodied like it is in my books and things like that, you can have a real disaster happen. And right now I think we're steamrolling towards that. And that is just this whole idea of keeping anything secure.
B
I want to jump on your point about steamrolling. We are steamrolling security and software programmers trying to keep up with the patch deluge. Right now you're seeing it. Microsoft's patch quality is noticeably declining. We are in a race and it's crippling security teams. Honestly, they're heroes right now. I don't know how many pizza parties and late hours and everything else they're putting in. Not sustainable. And I don't see. And maybe, Jeff, you're in the best position given the work that you do specifically to go and find and validate vulnerabilities. But I don't see how we're going to sustain the marathon of the next couple of years, because I think it is going to be a couple of years.
D
You're right that certainly the appsec part of cyber is changing dramatically and companies I talk to are worried about it. They're seeing a flood of vulnerabilities coming from CVEs and so on. Their teams aren't ready to handle it, so their backlog is going to get bigger and bigger. They're worried about how to handle that. They're hoping AI can help, but from what I've seen, that's pretty early. On the helping side, I think, though, ultimately AI is going to help us do better. Right now, companies are trying to use AI to solve. Yes, to solve yesterday's problem. Like yesterday's approach of let's throw it out there, let's bang on it, let's break it, let's fix it. That sort of penetrate and patch cycle, trying to use AI to do that, which is, okay, maybe we can make something that was already broken work a little better or faster. But where I see the big advantage is in using AI to do those things that we were never able to really do at scale, like threat modeling and security architecture and secure by design, like those kinds of things. AI can streamline those processes and make them scale. And if we do that, then the calculus changes because now you're not chasing, like, every vulnerability. You're using AI and security effort to make sure that the right defenses are in place, that they're correct and effective. But you're not testing for every kind of vulnerability in the world. You're testing, like, did you use the right defenses based on your threat model? And that's a much simpler, smaller problem than testing for every possible vulnerability in the world.
B
I think you're absolutely right. But Laura will appreciate this. I've spent the week here in Toronto, so I started at a CISO forum outside of the greater Toronto area where, you know, there's this concern over nation state hacking and what are we going to do with this explosion of AI, and then I've spent a lot of time on Bay Street, which is Canada's version of Wall Street, where all the big banks are, and Mythos has consumed them. It's consumed the regulator. Every conversation is somehow going back to it. And I think they're obsessing, to your point, Jeff, over the old model. Ship it, break it, patch it, break it, patch it again. And I think we're in a lot of trouble. But, Laura, you've been in this scene for a while. You've been in the trenches on this scene. What are your thoughts about, like, where everyone's head's at?
C
I always get worried when people start running around like chickens with their heads cut off. Over Chicken Little. Right. He had his head still on, but he was running around telling everybody the sky was falling.
A
Right.
C
What comes to mind is. Is it though? Is it?
D
Yeah, that's a good question.
C
There's a lot of ash in the sky. It's hard to breathe a little bit. But are we on the volcano?
D
There are a lot of people that say, hey, we've had huge vulnerability backlogs for years.
C
Yeah.
D
And adding more to that backlog doesn't really change that much.
C
I think it's all about, and it always has been, like with vulnerability management, you have to know how to pick what you're going to fight. Right. And I've said this before, architecture helps. Right. Other defenses help. Right. Don't leave it all up to getting a patch on it in time, because there's the one that you don't know about, or there's the one the patch isn't available for, or the patch is available but it breaks some other stuff. Or that patch kind of fixed it but didn't really fix it, so there's another patch still to come. You got to have more than just hoping you're going to patch it fast enough. And, Jeff, I know you've been working on that problem a long time. Right. But I think that if all people do is focus on Mythos, which is a brand, so I don't know if we want to compare. In fact, I'm going to enjoy this comparison. Mythos is like Kleenex, right? There are a bunch of AIs that are doing this right now. So do you care whether the thing you blow your nose in is Kleenex or Scotties or whatever? But we call it all Kleenex now. So that's what Mythos is.
A
As long as you use one of them, I'm good.
C
So, you know, if all we do is focus on this concern about this one thing, we're losing the plot. Security has never let you focus on only one thing and get away with it.
D
I think that's a great point. I went to the Gartner cybersecurity forum last week, and every AppSec talk made that point. They said, you gotta be looking at other things to do. You can't just try to fix all these vulnerabilities. So they talked a lot about runtime security, putting protections in production and things like that to minimize the risk from this flood of vulnerabilities.
C
Well, that conference in 2017 is where we first met Jeff.
A
There you go. I'll leave us with one piece of this. Because my catchphrase has always been, just because you can't do everything doesn't mean you can't do anything. I've been in some crises in my life, and one that I won't discuss the matter of, but it froze me and it threw me apart. And I've been as close to being as depressed as a human being can be, where I thought there was no way out of this situation. And it was a terrible thing. And I learned at that point to do the next thing and the next thing and the next thing and try to get yourself to the point where you can see where things are important. And I share that not because I'm keen on sharing my private life, but because I think it's an important piece for all the people who are working out there right now: keep some perspective. I keep hearing about tools; maybe think about the things that are the most important to protect and put them in a list of 1 to 10 and save the top one. Like I said, don't get frozen, because every step forward you take is a good one. And that's just been my advice to everybody in this, because you can't change the world, but you can change the next thing you can do.
B
And Jim, for those listening, we had the chance to hang out together in person, which may have been the first time we've actually hung out in person, at an event that my company did for large enterprises. And something that you said, Jim, really resonated. We need to focus on the outcomes. What are the things that we need to accomplish right now? And to Laura's point, it's never in security just been about one outcome. And I think we need the security awareness folks who are listening, you need to be talking about AI's impact on employees and the importance of developing, reinforcing and supporting critical thinking skills. Because the social engineering side of this is terrifying. AI powered phishing is 4.5 times more effective, 12 to 54%. At the same time, I've already mentioned that cognitive ability can decline by as much as 54%. So AI getting worse, humans getting worse. Not the combo we want to be heading towards. And it's not about patching your stuff from Mythos. It's about the full spectrum of this. And it's also about, to Jim's point, there are real productivity gains to be made with some AI tools used in the right way, helping people do more, more effectively. I cannot deny that even some of the studies that I quoted showed that people using AI as a tutor improved 127% in test practice sessions. And when it didn't do the work for them, they had no decline in their baseline tests compared to the brain only group. There is a place for AI. As much as I get frustrated, and as much as I think that we need to be careful, and as much as I don't trust the people pushing AI in certain ways, I think that there's a balance on that. But we gotta get back to outcomes. What are the outcomes we want? And when it comes to public policy, what are the outcomes we want at that level? What are the outcomes we want at a personal level? What do we want for our businesses?
D
You keep coming back to the study of 54%. And when I hear that, I just think we're trying to use AI to solve yesterday's problem, that we shouldn't teach writing and history that way. We should. But I do believe AI can be very effective at teaching people how to think and how to write. It's just not the old way where you force people to write a 10 page essay just regurgitating facts that you just read. That was never a great plan in the first place.
B
But yeah, counter: some of the old things are actually important. So cursive writing, we've dismissed that in wide education, but there are some US states that have now legislated to bring it back. Why? Neuroscience studies showed that we form better, stronger neural connections by using the motor functions of our brain to take notes physically, and we retain that knowledge better. We're a species that's evolved over a long period of time and these connections matter. We can't just replace them. And go back to my point. No, just the ChatGPT study here. That should matter to Jeff's point about new ways of teaching us. When people let that thing write their essay, 18 of them were asked to recall a single line from that essay and none of them could do it. So our brains are not wired to the speed of this technology. That's all I'm saying. We have to find a way to get the best out of AI, but we can ignore that we're human. There are gaps.
A
Yeah. Remembering that we're a cybersecurity show, I'll go back to the piece of this, though. That's to say that yes, there's all kinds of things we could do better, but the critical thinking is, and this is what I mean about the things you can do. We run a two person office. We're under constant attack, just on all those sorts of things. My wife is not in any way a computer literate person and she does not want to be, but she doesn't fall for phishing because she knows to ask a question. And all I'm saying is, in the simplest and smallest of places, you can make a big difference by emphasizing some of the, not the rote of whether they write cursively or whether you like AI or whatever you do. It's getting back to that basic of saying we can't give up on critical thinking. And I'm going to push back on the AI thing because I think we stopped the bandwagon of critical thinking a long time ago and AI is an accelerant of that. But we need to get back to that, particularly in cybersecurity. And we need to find a way to make that work with the population we work with.
C
I want a super grounding in security for this. Right. So if we just go back to the very, very fundamentals, our CIA triad: confidentiality, integrity and availability. Right. And if you just apply those. And again, to the training point that David was making earlier. Right. Confidentiality. I think a lot of training about AI right now is focusing on confidentiality. Right. Are you only giving it things you're allowed to give it? But we don't talk a lot about integrity, which is: how are we checking our work or making sure that what's come out of it is trustworthy and reliable? How are we challenging it back? By the way, this is an awful lot like what happens to people when they become managers. This isn't a new problem. Right. It's just it was harder for MIT to study people turning into managers. Right. And then the last piece is availability. Right. If that tool's not available to you for some reason, or they release the latest model and it is not going to do the job anymore, whatever it is. Right. Have we thought about how we fall back? And if we train people on those things and start emphasizing and practicing that, I think there's a good chance of getting the positive outcomes we're looking for. But right now we don't really. We're not there. We're not doing it yet. Yeah.
B
And Jeff, I fully agree with you that using AI tools to build better software, to get out of the patch, break, patch cycle, to do this and build it and use these tools in new ways makes a lot of sense. In that particular example, I think that is the way. I just think that we have to find a way to not throw the baby out with the bathwater of all human learning just because we love the new and shiny. That is how we're wired. So I just think that sometimes holding some things.
D
So I'm an optimist about almost everything and I see a future where education is completely disrupted. People learn with an individual AI teacher that knows their skills and knows their weaknesses and works with them and challenges them and pushes them. If you had a team of teachers just designed to make you into the best human being you could possibly be, and that's just education. I think we'll see almost every field get transformed. The legal field is ripe for transformation and you can just go on down the line. I think there's a lot of things that will happen. Maybe we'll be able to justify the valuation and the subsidies that we're investing in making AI happen. Now, I'm not sure, but I do know we're kind of on this boat already. And I think of that scene from The Martian at the very end when he comes back and he's teaching the class and he goes, space, when you're out there, it's outside you, it's just trying to kill you the whole time. And your job is to identify the next problem and fix it and move on to the next one. And if you keep doing that, you make it home. And we're in that process right now. There's nothing we can do; the bus has left the station.
A
And if we've discovered one thing on this, it's that all of us as professionals, and I think we can hear it in our discussion, everybody's at a different level of intensity right now. And I think that's reflected in the world that's out there. And once again, I will just add my piece to it: try to be part of the calming, because you can't learn when your back's against the wall. And Sun Tzu, the great writer on war, always said turn that situation around so that you never put your adversary's back against the wall. And we have to try and work with that. That's what we got to work with. Thanks to David Shipley, CEO of Beauceron Security and co host of Cybersecurity Today. Thank you, David. Laura Payne, always a pleasure. Laura from White Toque, and there's still my white toque. There it is, still sitting there waiting for next winter. Yeah. And Jeff Williams. Welcome, Jeff, thanks a lot for coming in and see you again. That's our show. David will be back with the cybersecurity news on Monday morning. Here's a question worth asking. What happens after a phishing email slips past your filters? Most email security tools only guard the front door, but attackers are already inside. Material Security is different. It's a unified detection and response platform purpose built for Google Workspace and Microsoft 365, protecting email, files and accounts all in one place. We're talking automated phishing remediation, account takeover containment and sensitive data protection without alert fatigue. Find out why companies like Figma, Reddit and Lyft trust Material to stop the threats other tools miss. See Workspace security in action at Material Security. That's Material Security. And if you do contact them, take a second and say thanks for sponsoring Cybersecurity Today.
Host: Jim Love | Panelists: David Shipley, Laura Payne, Jeff Williams (June 6, 2026)
This Month in Review episode tackles two critical currents in cybersecurity:
Panelists Jim Love (host), David Shipley (Beauceron Security), Laura Payne (White Toque), and Jeff Williams (Contrast Security, OWASP co-founder) dissect not only the technical and policy dimensions, but also the human and social fallout from these intersecting trends.
Context & Timeline
Breakdown and Panel Reactions
a) Vulnerability Details & Potential Harm
“With this magic particular piece of exploit code, you can unlock any BitLocker device…All of those [encryption] defenses are burnt. Not that it was a great defense to begin with…”
—David Shipley (02:54)
b) Researcher’s Frustration with Disclosure Processes
c) Microsoft’s Mishandling & Community Fallout
“Nobody does drama like infosec cyber drama…It got pretty hairy pretty quick.”
—David Shipley (04:40)
d) Need for Researcher Support, Organization, and Ethics
“You have the flip side obligation: it’s not okay if you know the bridge is going to fall down to not tell anybody and not make sure it gets fixed…”
—Laura Payne (07:34)
e) Product Maker Liability & Regulatory Failure
“Too big to care…Microsoft doesn’t care about bugs. Product makers aren’t liable. At the end of the day, if it has sufficient legal liability shielding…nobody’s going to jail for a vulnerability…”
—David Shipley (12:54)
f) Tension Between Liability and Innovation
Notable Quotes
a) Executive Orders & Regulatory Approaches
Recent US White House executive order on AI: Panel saw it as a product of powerful deregulatory and pro-industry lobbying, offering only voluntary measures and a 30-day “review” period for advanced models—insufficient for risk mitigation.
“They wanted to get 30 days access to any major model…instead of any sort of valid regulation. This is voluntary, among other things. Pinky swear or something…”
—Jim Love (27:58)
General agreement that real provisions for cybersecurity, child safety, and AI misuse were absent (29:23).
b) International Approaches and FOMO
“There’s a camp that is very deeply concerned about AI… and the deregulators want big tech, won big with that executive.”
—David Shipley (23:06)
c) The Bubble, Valuation Insanity, and Economic Risk
“It’s going to be more like subprime mortgage collapse…There’s a lot of people who did not know that their money is flowing in this direction…”
—Laura Payne (27:20)
d) Systemic Consequences: Cognitive Surrender, Social Harm
David Shipley references studies showing both brain atrophy from over-reliance on AI (MIT EEG study) and “cognitive surrender,” where people copy both correct and incorrect AI answers uncritically (Penn study, 36:00+).
“We’ve got some real science happening now…the ‘cognitive surrender.’”
—David Shipley (36:00)
Broader social risks—misuse, AI-driven manipulation, and deteriorating critical thinking, especially among youth and vulnerable groups (34:00, 55:00).
“AI powered phishing is 4.5 times more effective…while cognitive ability can decline by as much as 54%.”
—David Shipley (55:32)
e) Education, Human Flourishing, and the Future
“People learn with an individual AI teacher that knows their skills and knows their weaknesses and works with them and challenges them and pushes them.”
—Jeff Williams (61:44)
“[Security researchers]…are trying to do the right thing for you. So even if somebody doesn’t have…great social skills…You should be at least bigger than that with your $1 trillion company.”
—Jim Love (09:55)
“If all people do is focus on Mythos…we’re losing the plot. Security has never let you focus on only one thing and get away with it.”
—Laura Payne (53:46)
“Cognitive surrender…80% of people followed the wrong answer the AI gave. These sycophantic, emotionally manipulative, ‘I’ll do the work for you’ things are going to make us dumber…”
—David Shipley (36:00)
“Just because you can’t do everything doesn’t mean you can’t do anything. Do the next thing and the next thing…every step forward you take is a good one.”
—Jim Love (54:16)
“Critical thinking: We can’t give up on that…AI is an accelerant [of decline]. We need to get back to that, particularly in cybersecurity.”
—Jim Love (58:54)
While the panel expressed frustration, skepticism, and at times deep pessimism about both vendor behavior and systemic risks, they ended on a pragmatic and somewhat hopeful note:
Keep perspective, focus on positive next steps, reinforce fundamentals, and help others do the same. The risk environment is daunting, but paralysis is not the answer.
End of Summary — For more, check out the [Cybersecurity Today podcast].