David Moulton (14:53)

Hi, I'm David Moulton, host of the Threat Vector Podcast where We break down cybersecurity threats, resilience, and the industry trends that matter most. What you're about to hear is a snapshot from a high stakes conversation between Michael Sikorsky, CTO of Unit 42, and Tom Bossert, President of Trinity Cyber and former US Homeland Security Advisor. This episode isn't about theory, it's a wake up call. In this episode, Tom and Sicko pull the curtain back on the next evolution in cyber defense. Proactive interference, not just blocking attacks, disrupting them in real time. If you've ever wondered how to shift from reaction to resistance, from alert to action, this is it. Because if you're still relying on last gen perimeter models, you're already behind and the attackers know it.

Michael Sikorski (15:51)

I'm Michael Sikorski, the CTO of Unit 42 at Palo Alto Networks and I'm stepping in as guest host. Today I'm joined by my friend Tom Bossert, President at Trinity Cyber, distinguished fellow, Atlantic Council, and former US Homeland Security Advisor. Tom's been a policy powerhouse and now leads one of the most innovative cybersecurity companies out there, focusing on proactive threat interference. Think of it like messing with the attackers mid operation in a way that changes the game entirely. There's been a lot of talk lately about the concepts of more offensive security, more interference, more technologies that are kind of getting back at the attacker. I mean, you've heard a lot of rhetoric like that in the last few months even. Do you have any sort of where do you think that's going and what is going to be the impact of that, do you think for the next four years longer, do you think there's going to be a lasting effect to that kind of talk? Is there going to be more action taken in the private space with that kind of thing?

Thomas P. Bossert (16:55)

Yeah, I think you have a really technical listening base here to this podcast and so we'll just kind of jump into it. But one of my biggest fears is the massive disconnect between those policymakers that say that and what you know to be the case and how the tech works and what it really means. So what does offensive mean? What does defensive mean? You get into these debates, but yeah, listen, at this level it's easy to say. At one high level, people can't see me. I'm saying at the 30,000 foot level, I'm all for not just cyber induced, but any kind of policy lever inducing a change in the incentive structure. So listen, there are bad actors out there. Do things to them to punish them, to impose consequences, all for it. You don't have to limit yourself to just offensive cyber. I think one of the things that troubles the United States and Western countries on the offensive debate is we say, I'm mad. I want to get back at these guys for taking advantage of us. Check, check. Me too. And then, well, so let's start hacking them. Well, what do you mean? What do you want to hack? Do you want to just hack in general? You want to shut down?

Michael Sikorski (17:58)

You kind of have to define what that is. Right?

Thomas P. Bossert (18:00)

Once you get into that debate, this is what I used to do for you. Once you get into the debate of figuring out what's the target, how much is it going to cost? What effect are you going to achieve? Are you actually going to change the behavior of that country by hacking into more of its private businesses? Do they care about their private businesses? Is there a fundamental misunderstanding about how we can.

Michael Sikorski (18:19)

It's harder to be tit for tat. Right. Because China's hacking every single business that we have. Everything we're doing. Like, would they even care if we.

Thomas P. Bossert (18:26)

Did, if we did the same to them? And the late Ash Carter said, I'm soaked in gasoline and you want to get me into a match throwing contest. And I thought, that's pretty good, right? So there's a lot of parallels to the tariff debate that we're having right now. But, yeah, listen, in targeted, useful way, I don't shy away from offensive cyber operations if they have a meaning and a purpose. But you know, for me, tell me how to frame it better. But what I just described about what Trinity's doing is. It's here. I'll direct this to the current president. It's reciprocal. Okay, it's reciprocal. The idea here is that we're not going to do anything to impose any consequence on you unless you first start it. And for us, we're only interfering with that, which. It's like judo, where you take the energy of the attacker back on himself. To me, we have to get better at doing that. That's a starting point. Because offensive operations take a long time. They are executed in a different place with singular authorities. And often it would be much easier and more effective to use a different lever or a different type of national power to change the calculus of the adversary. You want to hack all the Chinese businesses to get China to behave differently? I don't know. I don't think that's the best way. It's anyway. But it's got to be in a mix of all the other ways that you've got going for you.

Dave Bittner (19:45)

But.

Thomas P. Bossert (19:45)

And the US Has a lot of power. We don't have to sit around and just hack people back. At some point, we reserve the right to use bigger force.

Michael Sikorski (19:53)

Yeah, that's interesting. I'm wondering where. If things could get more privatized, at least I think of it as like, you got to go work for an agency or something like that to really do the offensive stuff. And that's what people have always talked about. I wonder if this would open the door for that not to be the case longer term.

Thomas P. Bossert (20:14)

Well, you know, and then.

Michael Sikorski (20:15)

And then where do you. Where do you draw the line? Who's. Who's watching the companies? Who would be doing that?

Thomas P. Bossert (20:20)

Right. There's a thousand answers to that, but one of the simplest ones is, honestly, it's like the rule of artillery in the military. You know what you're allowed to do if somebody starts shooting at you? Shoot back. You don't shoot first, but you shoot back. And there's. There's a misnomer in the cyber world that shoot back is kind of a. Is kind of a pause thing where you get hacked and then you get together and you call a bunch of experts and you say, okay, now we're going to hack back to, like, kind of a pain type of application. We're going to. We're going to apply pain to them for doing that. Like, it's a. Like it's a spite thing. But that's not what I'm suggesting. What we're trying to do here is to create friction, the kind of pain, like I described earlier, that throws off their operations, that stops them from so unimpededly imposing costs on us. It's not about getting into a fight where I'm mad and I want to have my emotion vindicated. It's about trying to achieve a better operational outcome.

David Moulton (21:24)

This conversation is a blueprint for what comes next in cyber defense. Don't miss it. The episode is called From Policy to Cyber Interference, and it's live now in your Threat Vector feed. Thanks for listening. Stay secure. Goodbye for now.

Dave Bittner (21:49)

And be sure to check out the complete Threat Vector podcast, wherever you get your favorite podcasts. Today we published a special, spicy new episode of our Only Malware in the Building podcast. Here's our podcast producer, Liz Stokes, speaking with N2K Director of Enterprise Content Strategy, Mayan Plot. About the show.

Liz Stokes (22:17)

Hi, Liz.

Alice Carruth (22:19)

Hi.

Liz Stokes (22:19)

Hi.

Alice Carruth (22:20)

Hi.

Liz Stokes (22:20)

I am here to ask you lots of questions about only malware in the building, and in particular, the newest special edition that's coming out in September. Can you tell us a Little bit of background about what we're making and why it fits into the Only Malware universe.

Alice Carruth (22:34)

Yeah, absolutely. First, thank you so much for having me. I'd love to tell you a little bit more about one of the shows that I work on, specifically called Only Malware in the Building, and especially the special edition that's going to be coming out in September. So Only Malware in the Building is kind of one of our little niches that we have on the show. It's this malware infused podcast where we have Dave Bittner, Keith Milarsky and Selena Larson all come on and talk about social engineering, different malware strings that are out there, all kinds of different stuff that's, that's out there in the world right now. And they just kind of come on and vibe. But this idea really came from a show that we all like, which wink, wink, if anybody can guess what it is. And we kind of thought it would be fun that of our hosts kind of took on the Personas of those people on the show and shared malware through the eyes of the podcast like the show. And so from basically, I believe it was last year that we started doing this, it kind of transformed into this fun, creative show every month that comes out where we have a different cold open each episode, where I work on the script with my good colleague Trey Hester, the audio engineer of the show. We kind of just basically put Dave and Selena and Keith in all of these weird crazy scenarios every month and they have to figure it out while also talking about malware. So it's this amazingly fun episode each month that we get to work on and it's very creative and it really just brings out the best of our creative flow here at N2K. And specifically the September episode that's coming out, we kind of took this idea of having all three hosts eat ridiculously hot sauces with wings and kind of answer some, get to know your questions about their past, like different questions that involve them coming up in cyber, them coming up in the careers, and just kind of like getting to deep dive into their personalities and their careers a little bit. So I'm really excited about this show to come out. I'm really excited for this episode to come out. I'm so excited for the audience to see it. But it's just, it's mainly something that we've been working on for the past year now. And so it's going to be great when it comes out.

Liz Stokes (25:08)

It really will, without teasing too much because we want to make sure that people see the whole episode, when it comes out, can you talk a little bit about how we went about recording it? Like, who was involved? What were all of the pieces that went into this? Any sort of, like, exciting things that happened along the way?

Alice Carruth (25:25)

Oh, yeah. So I think, as I said before, this episode has been probably a year in the making that we've been working towards this. And this has probably been one of the longest projects that I personally have worked on ever in my career. And the reason behind that is because so much went into making sure that the hosts had everything that they needed. So that when we sat down and actually shot this, everything was perfect. And I want to start by saying that our team has worked incredibly hard to make this something special for our audience to sit down and watch. I mean, this isn't going to be like something that we've ever done before. And I think that's the beauty of this episode, is that it's going to bring into ties of things that we have done, but also things that you're not going to want to miss when this episode comes out. There are certainly things that I want to share with the audience right now, but we are holding off on sharing all of the things because we want it to be such a big surprise. We want the audience to get that wow factor when it comes out. And so we are dropping little teasers and hints every once in a while on social media, trying to get people hyped up about it. And I think. I think for the majority of the part, everybody is getting hyped about this. And I think especially people in N2K are hyped about this. I mean, we have worked so hard on this project, and we just want to make sure that the audience sees how hard we've worked on this project.

Liz Stokes (26:55)

Yeah. Well, without teasing too, too much, I think the biggest thing about this episode that's different than the others in the past is that it is very focused on a video product. There's obviously going to be an audio podcast, because that is a thing that we do here at N2K all the time. But I'm curious how things differ between an audio first or audio only to a video first production this time.

Alice Carruth (27:17)

Yeah. You know, sitting down each month, Trey and I can bump out a script in like, a couple days, and then we can turn it into audio pretty much within a couple of weeks. This video project, like I said, it took a year in the making. And so starting from, okay, let's have this concept turn into a reality. It kind of turned into, well, what all goes into this video project. You know, like it's not just three hosts sitting down eating some very spicy sauces and wings. You know, it's, it's something bigger than that. It's what kinds of questions are going to get the audience the most involved? You know, what kind of teasers can we put out that'll really get everybody hyped up about this episode? What type of sauce are we going to choose that'll make Dave scream his head off, you know, like anything like that? And so while we were putting all of the little pieces together, trying to turn them into something bigger, it was really the team behind this project that led this into becoming what it is today. I don't want to give too much away, but this video project is something that I think all of us are incredibly proud of to put out onto our network and to share with our audience. Because we've worked so hard on this and every account that we've taken into consideration to make this thing. I think it's going to be a really beautiful thing once we put it out for our audience.

Dave Bittner (28:50)

There is an audio version of Only Malware in the Building, but I highly recommend you view the episode on YouTube for added enjoyment. He'll have a link in the show Notes Abercrombie is an official fashion partner of the NFL and I'm CeeDee Lamb, wide receiver for the Dallas Cowboys. You know, I'm here for Abercrombie's Cowboys gear. That's not a question, but I need a whole wardrobe to go with it. No shade to the guys, but I'm used to having the best tunnel fits. This season, Abercrombie has me covered. Shop NFL by Abercrombie in the app, online and in store.

Liz Stokes (29:40)

Running a business comes with a lot of what ifs, but luckily there's a simple answer to Shopify. It's the commerce platform behind millions of businesses including Thrive Cosmetics and Momofuku, and it'll help you with everything you need. From website design and marketing to boosting sales and expanding operations, Shopify can get the job done and make your dream a reality. Turn those what ifs into sign up for your $1 per month trial@shopify.com specialoffer.

Dave Bittner (30:15)

And finally, Taco Bell is discovering that teaching AI to handle late night cravings isn't quite as simple as asking for extra hot sauce. Chief Digital and Technology Officer Dane Matthews admitted the company's voice AI has had its share of meltdowns, sometimes delightfully accurate, sometimes like a burrito that unravels in your lap. Customers have gleefully documented the chaos, including one viral exchange where the AI, when asked for a large Mountain Dew, simply kept asking what drink the man wanted. With that, another prankster managed to order 18,000 water cups. Still, Taco Bell says its AI has successfully handled 2 million orders across 500 restaurants. Apparently, progress, like tacos, is best served messy. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. Every week you can find Grumpy Old Geeks, where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixing Next by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Sa.