A (3:21)

For 10 years. And. And truly also, Dave, for me, this is also about your specific perspective from the host chair of the Cyber wire. So again, 10 years is a long time to be thinking through the memory banks. But anything that pops out to you as you look back, any personal color, anything like that, that's the kind of stuff I'm. I'm always fascinated by. So, yeah, with that said, let's go.

B (3:46)

Right.

A (3:46)

Wayne's world go back 10 years. Right now it's 2026 when we're recording this. But honestly, 2014 feels like a good place to start, even though it's okay math 12 years ago with the Sony hack, because that just feels like a good starting point. So walk me through that one.

B (4:04)

I think it was a milestone. I think it was. I think the Sony hack was one that gained national attention. It had a lot of geopolitical influence. There were elements of intelligence gathering. Sony, of course, hard to get a bigger, well recognized brand for a multinational organization.

A (4:30)

They make my tv.

B (4:32)

Yeah, I mean, yeah. I mean, it's a brand that many of us have great affection for, you know, dating back to our first Walkman.

A (4:41)

Oh, my gosh. Yes. Yeah, yeah.

B (4:42)

So I think it grabbed a lot of people's attention that a big, major brand could get hit this way and sort of, I think, set the global stage for these large scale breaches.

A (4:57)

Yeah. And there was that intrigue with the. With the movie, wasn't there? Yeah. So there was this kind of made for the headlines story that I think it added this layer.

B (5:07)

Yeah. And the south park guys were involved with it. And I mean, it was. It had a little bit of everything when it comes to intrigue. Something for everyone. So, yeah, it really was kind of a starting point. And then I guess the one that really was on my radar when I switched careers and started being a cybersecurity professional was the OPM breach.

A (5:34)

Oh, yeah.

B (5:35)

And that had just happened when I joined the Cyber Wire.

A (5:40)

Baptism by fire.

B (5:42)

Yeah, well. And several of my co workers had been personally affected by that because they had security clearances. And so the OPM breach, which was 2015, I believe, and that's the Office

A (5:55)

of Personnel Management for the US Federal Government.

B (5:58)

That's right. Yeah, that's right. And so this was a major breach of all kinds of information that they were in charge of keeping safe, including things about people's security clearances. So some of our nation's greatest secrets were revealed. It turns out our adversaries, we think was China was in there for A long time. So they got all of this information that was extremely valuable and extremely sensitive. Turns out it was because they had outdated equipment and outdated security protocols and, you know, wasn't. How do I say this? We contributed to that breach through retrospective negligence as much as

A (6:48)

retrospective negligence through

B (6:50)

their own retrospective negligence. Right.

A (6:52)

Love that.

B (6:52)

Yeah. Feel like that's how all of us Gen Xers grew up, right? With retrospective negligence.

A (6:59)

Drinking from the hose. Yeah.

B (7:00)

Yeah. So as much as the Chinese certainly have great tradecraft, I think our government learned a lot from that breach as to what to do and not to do. So that one was another biggie back then.

A (7:15)

I don't want to get too into the weeds on opm, although I probably will. So forgive me, but I'm wondering about the nature of attribution, and I feel like with OPM and maybe even the Sony hack that things have started to change. And maybe this is way off base, but I'm just curious your thoughts, especially looking back the last 10 years, with all the many, many data breaches, have we gotten more. I don't know, has attributing who is responsible for a breach gotten more palatable or more certain? What. What's your take on attribution? Is maybe where I should leave that one?

B (7:50)

Well, I mean, yes, I think we've gotten better at knowing different groups. Signatures. Right. They're tradecraft, but they go around impersonating each other as well. So you can't be sure. There are people out there who say attribution doesn't matter. I'm not sure I agree with that. I think it's good to know who's doing the things they're doing because it helps inform why they might be doing it and how they might be going about it. But I think we've got a pretty good idea these days when things. Where particular things come from, if it's espionage versus people looking for financial gain, just scammers and fishers and all that stuff.

A (8:42)

Yeah. So after opm, we can go through this chronologically if you'd like. If there's another breach that sort of bubbles up in the intervening years. Is there anything?

B (8:57)

Yeah, I mean, what. I Guess it was 2017, we had WannaCry and not Petya, which really showed global disruption, where shipping companies got affected and systems were actually shut down. And so again, kind of an aha moment of what happens if somebody can either intentionally or accidentally hit the off switch on a global network or a global basis. How's that gonna affect everybody? So, yeah, that got a lot of people's attention.

A (9:29)

Yeah, it sure did.

B (9:29)

And then also 2017, we had Equifax

A (9:34)

still dealing with the fallout from that one to this day.

B (9:37)

Yeah, right, yeah. I'm sure all of us are still enjoying our two years of credit monitoring and.

A (9:43)

Yes, enjoying, Definitely enjoying. Yeah, yeah.

B (9:48)

And then, you know, 2020, we had solar winds, which I think revealed risks of supply chain compromise and trusted software ecosystems. That. That was really the one that put a big red star on supply chains and third party providers.

A (10:07)

Yeah, yeah. And is that the one also where the ciso, I mean, I know this is not the only one, but is that one of the ones where like the CISO was held responsible for what happened or am I misremembering that one?

B (10:18)

Yeah, no, the CISO was in jeopardy of legal criminal charges.

A (10:25)

Yeah.

B (10:26)

And so at that time, if you were a ciso, you. You were like, what? Right.

A (10:33)

And he was eventually cleared, if I remember. Like.

B (10:35)

Yeah, that's my recollection as well. Yeah.

A (10:38)

I mean, that seems like a huge paradigm shift to say now people are personally responsible for a massive organizational problem. I mean, that's right.

B (10:45)

And to be potentially responsible criminally when. Especially when you put that against. I think we can agree that the trend in the US is that when a company does something bad or irresponsible, generally they pay some sort of a fine, they admit no wrongdoing, and nothing really bad happens to the executives. Maybe every now and then someone might get fired or demoted, but rarely, rarely do we see anyone sent to jail.

A (11:18)

Yeah. Cost of doing business. Right. I mean. Right, right, yeah.

B (11:21)

Right. And so that, that hazard was there, that peril was there for CISOs, I think caught a lot of people's attention, had them calling their congresspeople and saying, how do we, how do we reconcile this?

A (11:38)

Yeah.

B (11:38)

You know, how do we protect ourselves? What kind of insurance do we need? So there were all those sort of add on effects to solar winds that again made everybody sort of sit up in their seats and say, hmm, okay, this is the future.

A (11:54)

Yeah. And not always filling one with hope thinking about that stuff, but. Cause I mean, quite a chilling effect in some regards, especially from solar winds. But I think some long delayed conversations that had needed to happen did happen after that.

B (12:10)

Right.

A (12:10)

And another one looking for. I'm skipping around a little bit, but I would love to get your thoughts on the 23andMe breach. That was another headline grabbing one, but just because of what it involved, I think that one really stuck out in my mind.

B (12:25)

Yeah. It was an example of immutable Information. Right. You can change your credit card number, you can change your address, you can change your name, you can't change your DNA. And not very easily. No, actually. Right. I guess technically you can change your DNA, but anyone who's seen the Fly with Jeff Goldblum knows that theoretically possible. But the idea that, that I think such deeply personal information, that also affects not just you, but people you know, for example, your brother leaves DNA evidence at the scene of a crime. Right. And you're the one who submitted your DNA to 23andMe. And the police can now come looking for that DNA through your DNA. So I think a lot of people felt like they could be. Their information could be personally violated via a third party. So, yeah, it was another one that I think recalibrated people's expectations when it came to privacy and reminded them that there's some things that simply can't be changed.

A (13:45)

Yeah, yeah. Not only is it scary, but I think it was also a precursor to a lot of the discussions we're having about AI now. And that is a whole other rabbit hole. But it feels like a spiritual ancestor. I don't know, maybe getting a little woo woo on that one. Anyway, I'll move past that.

B (14:02)

That's fair.

A (14:04)

I'm curious about your thoughts on threat actors and the kinds of threat actors that you've been seeing the last 10 years. Are they predominantly one type of group or are we seeing more differentiation or are things sort of converging in terms of who tends to be behind a lot of these major breaches that you've covered?

B (14:27)

Yeah, I mean, I think it's two main groups. Of course you have the folks who are doing espionage on behalf of nation states, and that's a tale as old as time. But then you've got the financially motivated threat actors. Again, tale as old as time, just with updated tools. And that can be everything from gift card fraud to major ransomware campaigns. One of the things that I've noted along the way is that a few years ago, and I'm guessing probably about six years ago, when ransomware was really starting to ascend, and simultaneous to that was crypto mining. And the thought at the time was that crypto mining was going to outstrip ransomware because ransomware operators were. They were going after small potatoes still.

A (15:25)

Yeah, yeah.

B (15:25)

And the idea was that crypto mining was almost a victimless crime and that I could infect your machine. So it's doing mining while you're asleep and you won't even notice, and it's free money. It's free money. All it requires on the part of the bad guy is patience and maybe a little bit of cleverness. But it's non confrontational. Chances are it could fly under the radar. And of course the opposite happened. Crypto mining kind of fell off. There's still plenty of people doing it, but it wasn't the huge thing that people feared it would be. And then ransomware just took off. When we had just the eye opening numbers, when people started ransoming huge companies for millions of dollars, I don't think we expected to see that. And of course that was. Would you say cryptocurrency was an accelerant for that process?

A (16:23)

Put very politely, yeah. Yes. Lighter fluid right on there. Yeah, yeah.

B (16:29)

A way to sling money around the globe in a way that's hard to track. That really made it a lot easier for the folks to do this sort of thing. So I found that noteworthy along the way that it's a good reminder that sometimes things don't play out the way even the experts think that they're going to play out. And you never know the way the threat actors are gonna behave. But to get back to your question, I think another thing we've seen over time is more blending of the threat actors where you'll see perhaps state actors, state sponsored actors who are doing a little side work, who are out there getting some money and the. The nation states are willing to look the other way, allow them to supplement their incomes, their activities through theft or selling illicit things, all that sort of thing. So I think the lines have gotten fuzzier and yeah, so that's definitely one of the trends we've seen.

A (17:30)

I'm curious, and I don't know how I would answer this question, but I'm curious if there are specific industries, verticals that you feel have really borne the brunt of the way that attacks have evolved or, I don't know, ones that you think have just really just gotten hit, taken it on the chin with a lot of these preachers.

B (17:54)

Yeah. Well, I think healthcare, I think there are few things more despicable in the world than taking down a hospital. Right. You know, we have laws of armed conflict that say you don't attack hospitals in times of war. Here we have ransomware operators going after hospitals and healthcare organizations because they know lives are on the line, they know that there will be a response. And those folks have to get up and running as quickly as possible and are under all kinds of pressure, both obviously from their patients, but also regulatory pressure. And they are often underfunded understaffed when it comes to security. So that's just a sort of a perfect storm for providing a potential victim on a platter for the bad guys to go after. And some of the stories are heartbreaking. I think we've only had like one documented death as a result of that we know of. That's direct. You certainly. I mean, anytime an ambulance gets redirected or surgery has to be delayed, it's hard to measure those sorts of things. But again, intentionally going after a hospital. I remember there were times early on in ransomware where someone would inadvertently hit a hospital.

A (19:20)

Yes, that's right.

B (19:21)

And then they'd say, oh, sorry, here's the decryption key. We did not mean. Right.

A (19:26)

I remember that. Yeah.

B (19:28)

Hard to imagine honor among thieves. But it was different. And now it's just heartless. It's become so much of a game about money and greed and all that sort of thing. So that troubles me and breaks my heart when you see people out there in good faith trying to do their best in a medical care situation and having to fight against these unnecessary things.

A (19:54)

It's the last thing they need. Yeah. I was actually in the hospital when the hospital I was in was part of the. A situation like that. And I remember it was not great. Yeah. I just given birth to my daughter, so it was great.

B (20:06)

Oh, yeah. Kind of a big deal.

A (20:09)

Kind of a big deal. Yeah. And all the entire computer system was down. And I remember I was in there thinking, this is my day job and here I am living it. Yeah, it was great. Yeah, it was not great.

B (20:21)

Yeah. Listen, we're pretty sure we know which of these babies is yours, but the system's down right now, so we're just going to let you sort of breeze through the maternity ward and you can snuggle with any of these kids that you want to. It's fine.

A (20:34)

They were all very cute. I'm pretty sure the one I came home with is mine. Yeah, I'm pretty confident about that.

B (20:38)

Until the barcode scanners come back up, we're really not sure.

A (20:43)

Yeah. Dave, the question. I feel like you just kind of landed somewhere that I really want to dig into before we conclude. Which was a really woo woo question about your feelings. I mean, you're a host. I mean, your job is to think about these things. Right. And you're talking to people all the time and you're reflecting and I really want to get a sense of when you reflect on the last 10 years, specifically about breaches and their trajectories. And the kind of stories that you've seen. I mean, I'm curious about your feelings on where we're headed. Is there hope? Are you feeling more positive than you used to? Like, is it complicated? I want to get your thoughts.

B (21:26)

I would say, you know, when you go through the stages of grief and land at acceptance, I'm kind of there. I mean, we've heard it for all the time I've been at this, people have been saying it's not a matter of if, it's a matter of when. And I think at the outset I was a little more resistant to that notion, but I think it's true. One of the analogies I like with cybersecurity is comparing it to public health. And in public health, you can do everything right. You can wash your hands, you can do all the right things. And every now and then you're gonna get a cold. And every now and then you're gonna get something more serious, even if you do everything right. And I think cybersecurity is similar in that way. You don't want to be the low hanging fruit. You want to make it as hard as possible. But I think the idea that anyone is fully protected, as we've seen, by the most protected organizations in the world, including governments, getting their information popped, nobody's immune. It can happen to anybody. You know, you and I talk about on the Hacking Humans podcast that on an individual level, you don't get, you don't get violated because you're stupid, you get violated because you're human.

A (22:54)

Yeah.

B (22:55)

And I think that's what it is. So I try to remind myself, to maintain my empathy and my sympathy for the folks that this happens to the last thing in the world. And I, I do not like that some people in our industry have a sense of smug superiority when it comes to these sorts of things. I have no time or patience for that because I don't think it's helpful. So, look, I think people are out there fighting the good fight. They're doing it in good faith. And we all have to function within the world that we're in. And that world is constantly changing. You look at the shifts in just the political winds and the leaders and the nations and all those sorts of things. People often ask me when they hear we do a daily podcast. They're like, well, how do you come up with enough stuff to talk about every day? And I go, ha,

A (23:57)

Right, not really a problem.

B (24:00)

The challenge is narrowing it down to the top 10 things to talk about every day, because this never stops. So on the one hand, there's that, and sometimes it can be a lot. It can get you down. You can feel like, I'll joke sometimes that, hi, I'm Dave Buettner, and here's today's Bad News. But on the other hand, you see the people who are out there doing the good work, who are innovating, who are, as I said, in good faith, trying to make this world a little bit safer, trying to help each other learn more, contribute to the community. And all of those things I find uplifting. And they do give me hope. And that's how I keep going every day, knowing that we're in this together, we're trying to fight the good fight and we're making progress. So it's not as fast as I think any of us would hope that it is, but it's a fight worth fighting. So I'm glad to play a very small part in helping, try to keep people up to date and informed when it comes to all this stuff. And I think the other thing that has made my journey even more meaningful is just that I've had the privilege of taking part in that journey with so many amazing people, people like you, my co workers, our coworkers. I've learned so much, particularly when I was just getting up to speed and I really didn't know a lot. People were so kind and so patient and they supported me and they made sure I had all the information I needed while I was ingesting this fire hose of information to try to become knowledgeable about cybersecurity. And looking back over 10 years or so, I feel like I'm in a good place now with knowledge and background and history and all that sort of thing. But still, every day, it's all the people around us who make it possible for people like me, people like you, the hosts who are the public facing people to get out there and share that information. It would be impossible for us to do it without the team that we have behind us. So I have endless appreciation and gratitude for all the folks who make that possible as well.

A (26:19)

Thank you for joining us today. See you back here next time.