Jake Braun (12:41)

My name is Jake Braun. I am currently the Executive Director of the Cyber Policy Initiative at the University of Chicago, but may be more relevant for this conversation. I was most recently, as of about six months ago, eight months ago, the acting Principal Deputy National Cyber Director in the White House, which essentially means I was the COO of this new cyber office they set up in the White House that was actually created in the Trump administration, but it was so new they hadn't hired any people into the office until Biden. And the first employee I think was hired in 21. And by the time I left we were up to about 100 people. So running a startup is interesting. Running a startup in government is, is particularly unique and then running a startup in the White House is something that I have a lot of scars from, but I would have never given up for the world.

Dave Buettner (13:42)

Wow. Yeah. So I want to hear more about that. Not the scars up to you obviously, but the work that you were doing in the White House. Please tell me a bit more about the efforts that you are working on.

Jake Braun (13:54)

Sure. So Congress created this office essentially because while there's a bunch of offices around the federal government that do cyber, there wasn't one that was at a level, meaning White House level, that could kind of compel other agencies to implement government wide policies and programs in cyber. And so this group in Congress, the Cyberspace Solarium Commission, created this. And our first task that was assigned to us by the President was to write or really update the National Cyber Strategy, which the first one was written in Bush, the second term of W. Bush. And then it's been updated, we did the fourth iteration of it. So our office rewrote or updated the National Cyber Strategy and then I was brought in to oversee implementation across the federal government of that strategy. And space was a key component of it, as well as a whole host of other things, including AI and mundane things like workforce and sexy things like cybercrime and cartels and stuff like that. But it ran the gamut.

Dave Buettner (15:13)

Yeah, Given what I often focus on. Clearly biased. I really want to hear more about the space side of things because as I mentioned before we started recording, I have a number of conversations with people in various parts of the space industry where we talk about space as critical infrastructure, what that means and what that would affect. And I don't think this is a very well understood thing. So I'd love to hear a bit more about your thoughts on that and sort of why the effort to get space designated as critical infrastructure is so important.

Jake Braun (15:46)

Sure. So actually our role in that conversation, the role of my office in the White House, the office of National Cyber Director, was actually not kind of a foregone conclusion. Initially the Space Council and the National Security Council were going to work to decide how things should unfold as it relates to space as critical infrastructure and kind of key recommendations on security of space infrastructure and so on. However, we kind of rose our hand as kind of the new kid on the block and said, hey, cyber's kind of a key component of all this. We should really be at the table. And after some hemming and hawing and typical government turf battles and everything else, folks agreed that not having the Cyber Office involved in this conversation was a big missed opportunity. And so over time we made a strong push, as did others, to designate space as critical infrastructure officially. I know that there's been some disagreement on that designation, but I think in practice people have largely come to agree that space is critical infrastructure, regardless of its formal designation by the government as such.

Dave Buettner (17:06)

That's a really good point. I think you're right that I think unofficially a lot of people are thinking of it that way. What would that. Would there be a really super big material difference if it was more officially designated? I mean, I know there is, but how, how big a difference would that really make at this point?

Jake Braun (17:22)

Well, part of the reason I think the space industry was, was somewhat less excited about it was that it can doesn't always, but can come with increased regulations and scrutiny from government, which of course industry generally doesn't like for obvious reasons. That being said, also, more resources often come with it. So there's. The government will often fund the way it does with other industries, information sharing groups to share threat intelligence they'll often fund, via CISA and other entities, folks that will go out and do free cybersecurity assessments. CISA does this, and a whole host of entities like state and local governments in the energy sector and water and so on, other parts of critical infrastructure. And so those types of resources would be available. Generally, we try not to subsidize major corporations who have the financial wherewithal to do it themselves. Like CIS is not out there doing free cyber assessments for JP Morgan or Bank of America, which are also critical infrastructure designated formally as such. But, you know, you could certainly envision that being applicable to many of the smaller companies in space.

Dave Buettner (18:47)

Absolutely, yeah. I think some of the tenor of the conversations I've had also have been, we're fine, we're good, we've got this. But my question is often the follow up, do you actually have it? Are you actually fine? Is the nature of the threat really fully understood? I'm not an expert here, I don't know. I often wonder though, do people quite understand what threats look like in the realm of space? Is it even all that special and all that different from the threats that we see terrestrially? I'm just so curious your thoughts on sort of the nature of what's going on in the space domain.

Jake Braun (19:22)

So first off, just to answer your question, absolutely not. They don't got it. And that's not their fault. Like no one does. I mean, you know, if you've got a nation state actor after you just remember stuxnet, right? Stuxnet was US and Israeli attacks on the Iranian nuclear program. The Iranians put their centrifuges in concrete vaults in the desert, buried underground, zero connection to the Internet or anything else. And we were still able to hack into those centrifuges and shut them down and make them break in a whole bunch of creative ways and so on and so forth. And so if somebody can get into your infrastructure that's not connected to the Internet, that's buried underground in the desert in a concrete vault, then they absolutely a nation state of similar capability like China or Russia or Iran or whoever could get into your satellite, which by definition is connected to networks all over the planet. And by the way, in fact, I'll give you an example. So, in my current capacity at the University of Chicago, we've partnered with defcon, the largest and longest running hacker conference in the world, to put out an annual report on the top findings at defcon. One of those findings this year was around space. And since this is a little bit more technical than I am, I'm just going to kind of read it off to you. So a group of hackers figured out that they could reverse engineer efforts to exploit VSAT satellite modems from Earth and they focused on the Newtek MDM 2200 from iDirect. So as far as they could tell, this was the first successful demonstration of a signal injection attack on a VSAT modem using software defined radios from Earth. I mean, they're spending hundreds or single digit thousands of dollars just messing around. Now granted these are brilliant people, so they're messing around is a lot more advanced than most people's messing around. But nonetheless, if they can do it on a shoestring budget, imagine what China, Russia, Iran or some other bad actor could do when they have millions or billions of dollars to throw in it. And considering that China itself has said that we're going to be at war over Taiwan in 2027, which hopefully none of us, hopefully that doesn't happen and hopefully that's all bluster and everything. But as we know from the Ukraine war, the first shot across the bow was against satellites. And we would presume the first shot fired in a war with China would be in space at our satellite infrastructure.

Dave Buettner (22:13)

If I'm a space company, large or small, I'm sure if I'm a large company, I have a good, I would hope a good understanding of some of the things that I would need to do. But I mean no company can deal with this alone. I mean nobody can deal with it in a vacuum. Collaboration is key, threat, information sharing is key. What needs to be done. I mean, I know there are some efforts underway. I'm thinking of the space ISAC is one of them in terms of sharing threat intel in the space industry and the space domain. If there's something going on, if there's a threat, that's if something is underway, how do people in the space domain share that information with each other in a meaningful way?

Jake Braun (22:51)

Right, so first off, your initial point is the exact right one. Join the Space isac. Even if you're a small company, I forget exactly what their fee structure is like, but usually the little guys and gals get a get a joint for free or very reduced rate and it's worth it. Secondly, particularly if you're a startup and you don't have a ciso, hire a ciso. And look, that's important not just for your security, but it's also important for your valuations and so on. I mean a lot of these folks in China and elsewhere will look at what Companies most recently got major investments from private equity firms or venture capital firms or, or whoever else. And then those will be the ones they target. In fact, we found several years ago at Homeland Security or Homeland Security found several years ago that attacks from China on IP were directly correlated to press releases of $20 million of investment or more. And so, yeah, like we could see that within weeks or whatever after press release saying they got 20 million in investment, they were getting hacked and their IP was getting pulled out the back door. So it's not just that you should do this for the good of the security of our space infrastructure, it's also for the good of the security of your company's ip. So number one, join the space isac. Number two, if you don't have a ciso, hire a ciso. And then number three, you know, if you have a ciso, they're going to know most of the things that you need to the basics that you need to do. A huge challenge in cyber that often precisely prohibits folks from hiring cyber staff is how expensive they are. And if you want somebody with a master's or even a bachelor's in computer science with a focus on cyber, they're incredibly expensive. However, if you've already got a ciso, you probably don't need people at that level. And one of the things we really pushed for in the national cyber strategy was for companies to think about how they could bring on folks that are maybe not super duper cyber Experts with a PhD in cyber or whatever, but somebody who they can do on the job training, there's a lot of certifications, online classes and so on where you could plus up your cyber workforce. Meaning you could do more cyber security if you were to bring on people who maybe have less qualifications from a degree perspective, but could quickly gain the hands on knowledge they would need from, you know, working with your ciso, taking some online classes, getting a certification here or there, or by the way, attending defcon, who we partner with on the Hackers Almanac. I encourage everybody to Google and read because it's fun. Read.

Dave Buettner (25:39)

Well, Jake, I've learned a ton from you and I really appreciate you taking the time. So thank you for joining me today.

Maria Vermazes (25:46)

And of course be sure to check out the T Minus Space Daily podcast wherever you get your favorite podcasts. Is your AppSec program actually reducing risk? Developers and AppSec teams drown in critical alerts, yet 95% of fixes don't reduce real risk. Why? Traditional tools use generic prioritization and lack the ability to filter real threats from noise. High impact threats slip through and surface in production. Costing 10 times more to fix. AUX Security helps you focus on the 5% of issues that truly matter before they reach the cloud. Find out what risks deserve your attention in 2025. Download the application Security benchmark from AUX Security. And finally, our five Finger Discount desk tells us about Diego Gouvea, a Portuguese software developer and cyber sleuth who uncovered a sneaky flaw in a local food delivery app. The bug? A sneaky little null character in the payment mode parameter. Turns out this unassuming character can tell the system to ignore everything that comes after it, like your actual bank balance. Diogo found that by slipping a null character into a payment request, he could order food without having the system actually check to see if you had any available cash. The system just nodded and said, yeah, that sounds legit. The loophole let users sidestep payment checks, potentially costing businesses big. Diogo's step by step exploit shows just how easy it was to game the system using tools like Burp Suite. His advice? Sanitize inputs, validate parameters, enforce strict data types, and maybe don't trust strings at face value, especially when food is involved because no one should be able to order pizza with Monopoly money. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. Every week you can find Grumpy Old Geeks, where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Foreign cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with Threat Locker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.