Unknown Sponsor Voice (13:41)

And now a word from our sponsor, knowbefor. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBeFor, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBeFor's security coach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and Counting Security Coach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real time coaching campaigns targeting risky users based on those events from your network, endpoint identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more@knowbe4.com SecurityCoach that's knowbe4.com SecurityCoach and we thank knowbe4 for sponsoring our show.

Dave Bittner (15:15)

Joe Saunders is co founder and CEO of Run Safe Security. I caught up with him to discuss the complexities of safeguarding critical infrastructure amid the looming threat of cyber attacks and military conflict.

Joe Saunders (15:29)

Well, of course, protecting critical infrastructure is a complex problem. There's a whole subcommittee in Congress dedicated to funding critical infrastructure protection in general. And naturally, that's where CISA's budget comes from. And I think the challenge, of course, is that a majority of the critical infrastructure is not government owned, it's commercially owned. And the technology provided to critical infrastructure is provided by commercial organizations, which isn't necessarily a bad thing when it comes to security. It just means more coordination needs to happen. And with that said, if you look across all the sectors, there's 16, 17, depending on how you count them, critical infrastructure sectors. And there are industry groups, government agencies, technology companies, and all the like that are sort of focused on making sure critical infrastructure is protected. And of course, the problem is there's all sorts of legacy code, you know, hardware, software that's been deployed in energy grid or power stations or everywhere else that's been around for 5, 10, 15, 20, sometimes 30 years. And so it's a complex problem where I think we're only scratching the surface in terms of really doing a good job protecting security, given the variety of technology, the complexity of who's involved, the agency, of who has an interest in ensuring security. Is it a national security issue? Is it good business practice? All of the above. So with that said, I think it's a complex problem and we're only scratching the surface to really solve it in a good way thus far.

Dave Bittner (17:18)

Well, in your estimation, what are some of the things that could be done to move us in the right direction?

Joe Saunders (17:26)

Well, there's multiple things that can be done. You have to think about the workforce, you have to think about the education and awareness of the problem to the owners and operators of critical infrastructure. For example, if you look at water utilities, there's 10,000 water utilities in the U.S. which means there are some really big ones and there are some pretty small ones. And yet, you know, if, if those systems that operate the water systems are compromised, then of course that's a bad day from a cyber event perspective. It could deny people water. It could be doing a lot of things. And so you can imagine there's a lot of education, a lot of coordination, and a lot of technology that has to come to bear. And so specifically, I think what can happen of course is education of the workforce, even enhancing the workforce. But there's also room then for programs like Secure by Design, which CISA is promoting obviously very well, and its counterparts, Secure by Demand, where it's, you know, looking to identify ways asset owners and operators can demand or ask their suppliers for better security posture, the technology that they deliver. And then there's, you know, of course, understanding the nature of the problem itself and assessing the risk in the software and in the assets that you deploy. And so if I think about the workforce, the programs and the awareness and then the nuts and bolts of really understanding the nature of the risk, all three of those things have areas where we can do some work, but also where some work has been started.

Dave Bittner (19:06)

Can we talk about China specifically? I think we see a lot of reports about China kind of staging their presence within some of our critical infrastructure here, you know, preparing battle space, preparation, as one of my colleagues likes to say. What is your take on where we stand with that? And I also want to touch on the looming presence of China in Taiwan.

Joe Saunders (19:32)

Sure. So there's no doubt, as we've seen with Volt, typhoon and other APTs and threat actors that originate from China, that as you say, the preparation that battlefield has already commenced, that China has technology pre positioned inside critical infrastructure to pick a day of its choosing when it may want to administer, let's call it a payload, a cyber payload to disrupt service or operations. And that threat is always real, whether whether it comes true or not. The fact that there are, there is pre positioning means that there is risk in basic services that the US provides. And so, you know, I think about telecommunications equipment being compromised, you know, if you're Verizon or AT&T and you know, some of the embedded software deep into the telecom equipment and network infrastructure, it's very scary to think that that is pre positioned and could be exploited, but also water utilities like I already mentioned and you know, in other sectors. So China, you know, I like to think of China as a very persistent, aggressive adversary. If you look at the historical track record of its prowess in stealing intellectual property, I think we can think about their tactics in the same way when it comes to cyber attacks themselves. If this is the new phase of some of their cyber operations, you know, China, given a well determined, well funded, you know, sophisticated adversary who thinks long term, is no doubt pre positioning technology, you know, in preparation of the battlefield. And it may not be a kinetic battle we're talking about, but it could be some of these gray zone matters, you know, cyber attacks here you know, that that can just be disruptive. It can, it can cause confusion in the US it could help focus the US government internally instead of externally on other matters like Taiwan, if we want to talk about that. But you can see that a very determined adversary with a 51 manpower advantage in cyber warfare. As Director Ray from the FBI said last January, February, before the Select Committee on ccp, that we need to take it very seriously. And it's not just China, of course, it's Russia and Iran and North Korea and others. But China, you know, seems to be very aggressive in its long term view of disrupting infrastructure with the pre positioning they've already done.

Dave Bittner (22:07)

Well, let's talk about Taiwan specifically. I mean, where do you suppose Taiwan finds itself right now? I'm thinking of both their ability to defend themselves, but also, you know, looking at the broader diplomatic picture of, of who has Taiwan's back in this particular case.

Joe Saunders (22:26)

Right, yeah. If you think about Taiwan, at least from a cyber perspective, from some counts I've heard up to 30 million cyber attacks a month take place in Taiwan and that seems like an outrageous number. And with that said, you can imagine a lot of testing of, you know, ability to attack. And if you think about the ability to disrupt core sectors in Taiwan that, that matter to, you know, a well functioning society for them, certainly communications, certainly energy, certainly financial system. If you think about their ability to communicate as an island, they need, you know, redundant systems. They need the ability to communicate. If you think about, you know, their dependence on importing energy, then the storage and the distribution of that, of those of the energy sources within the island are essential. And certainly the financial system, you know, people need to be able to move money and conduct transactions and do commerce. And so those are the sectors I think about when I think about, you know, helping protect critical infrastructure in Taiwan. And naturally those are just subsets of a broader geopolitical consideration as you say. So if there was some kind of kinetic attack on Taiwan, some people have said, including Director Easterly at CISA and even Director Ray at FBI, that there could be a simultaneous attack in US critical infrastructure. So that's a second level of, of thinking. And then the third level of course is you know, what if there's a blockade, what if there's, there is an all out war, who, who comes to, to defend China or defend Taiwan in that case. And naturally those are a lot of open questions I don't think I can answer. They are complex. There is the historic strategic ambiguity in terms of US policy towards Taiwan and, and China but nonetheless, there's a lot at stake in the region. You think about what happens if Taiwan is not supported and China were to integrate Taiwan back into China. Then you think about what does that mean for Japan, what does that mean for India, what does that mean for Singapore and others in the region. And so I think there is a lot of interest from India, a lot of interest from Japan, from Australia to come to Taiwan's assistance, as there should be from the U.S. i mean, China projecting further power out, taking over, you know, a free, democratic society that is a major top 20 economic powerhouse with strategic technology like semiconductors. There's simply a lot at stake. And so I think in particular how to support Taiwan and cyber needs to be elevated. You know, just as we think about how to protect U.S. critical infrastructure, I think protecting critical infrastructure in Taiwan is essential.

Dave Bittner (25:39)

That's Joe Saunders, co founder and CEO of Run Safe Security. And finally, our classic gaming desk tells us that Guillermo Rosch, CEO at web platform provider Vercel, spent the holidays doing something a bit more intense than sipping eggnog. He created a captcha that requires users to slay three monsters in doom on nightmare mode. Yes, instead of squinting at blurry traffic lights or clicking on crosswalks, you'll need to channel your inner demon slayer. Captchas have evolved from distorted text puzzles in 1997 to Google's Recaptcha, which works quietly in the background. But bots are now better at solving captchas than humans. Rauch's Doom captcha, announced on New Year's Eve, might be the most entertaining workaround yet if you can survive the nightmare level difficulty, where enemies are relentless and your health drains and your health bar drains faster than post holiday enthusiasm. It's a fun tech demo, though admittedly unlikely to gain mainstream adoption. And while bots may one day conquer doom, for now, it's a captcha worth trying if you dare. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com be sure to check out this weekend's Research Saturday and my conversation with Carlo Zanki, reverse engineer at Reversing Labs. We're discussing their work. Malicious pypi, crypto pay package, implants, infosteel or code. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com we're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilpy is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.