Dr. May Wang (14:09)

I see bright future for both IoT and AI at the same time. They're bringing us new challenges. We need to work together across the board to make sure that IoT and AI are bringing us more benefits than harm.

David Moulton (14:30)

Here's a quick preview of this week's Threat Vector. Tune in to the full show on Thursday. And don't forget to subscribe so you never miss a single episode. Let's get into it. Mei, welcome to Threat Vector. We're really excited to have you with us today.

Dr. May Wang (14:50)

Thank you.

David Moulton (14:51)

To start us off, can you tell me a little bit about your journey and what led you to focus on IoT security and artificial intelligence?

Dr. May Wang (14:59)

Sure. I have always been a nerd. I'm very passionate about data ever since day one of my career. And 10 years ago, I co founded a company called Zingbox, and we focus on leveraging AI for IoT security, doing traffic analysis, analyzing huge amount of data to provide visibility and detection for IoT devices. And five years ago, our startup, Zingbox, was acquired by Palo Alto Networks. And I have been at Palo Alto Networks for the past five years, leveraging AI for better detection and protection.

David Moulton (15:41)

That's really fascinating. And as somebody who's a fellow nerd, I'm with you. It's always interesting to see what gets other people excited. And I don't know about you, but I've decided that the definition of nerd that I like the most is somebody who's deeply into something, but also willing to share that passion and those ideas with others. And that's certainly what we're going to do on today's episode, talking about IoT cybersecurity and how AI is transforming the way we secure these connected devices. Mei, can you help frame the current scope of the IoT landscape for us? How many devices are we talking about globally and maybe what are some of the main industries leveraging IoT right now?

Dr. May Wang (16:23)

Yeah, sure, David. We're definitely seeing increasing amount of IoT devices being deployed around the globe. If you look at the numbers, the statistics can be different, but we're all talking about tens of billions of IoT devices being deployed. Some data shows about 20 billion nowadays. It has improved tremendously from 2019, about 10 billion. So some predictions show in next five years we're going to double that. And some says next year we're going to have 75 billion. Regardless, all these large numbers that might sound so far away from us, but if you look at each individual, you can see just around us. Not only we're having more IoT devices in enterprises, in manufacturing, in hospital, in schools, but we actually can also see that on each person we're seeing increasing amount of IoT devices, all these wearable devices that measure our heart rate and measure our glucose level, et cetera. Actually, just this over weekend. Over this weekend, I was at an event and a speaker on the stage I counted he had five big rings on his fingers and all of those were IoT devices measuring all kinds of things to help us better understand ourselves. So we definitely see huge increase in terms of deployment of IoT devices. And the industries we're seeing most are definitely manufacturing, we call them operational technology, ot healthcare enterprises and in many critical infrastructures such as energy plants and water plant, et cetera.

David Moulton (18:22)

So one of the things I keep hearing about is 5G plus IoT and this new marriage or this new combination certainly changes the IoT landscape, but I got to think that it changes the IoT security landscape. Do you see new threats or do you anticipate different challenges from this combination of technologies?

Dr. May Wang (18:45)

Actually, almost all customers we talk to are very interested in 5G technologies and because it's going to enable us to have even a lot more devices all over the place. So the scale is going to be even larger when all these devices are deployed. And again, the key thing is visibility. It's going to actually bring more challenges in visibility. And also usually when we talk about 5G, 5G security, mainly people are talking about the management plane, the signaling plane, but also we see lots of challenges on data plane. So from Palo Alto Networks we are actually trying to address cybersecurity issues on both management plane, signaling plane and data plane. And another challenge is as we mentioned, the device certification visibility are always the key and foundation and there are different parameters to identify these devices. In the IT world or the traditional IoT world we mainly look into Mac address +IP address to identify these devices in addition to Gazillion's other parameters. While for the 5G world there are other ways to identify these devices, for example IMEI International Mobile Equipment Identity. So we need to figure out way to identify these devices using their specific cellular based identifiers. And at Palo Alto Networks we have already integrated into our firewall already so we can provide the same kind of cybersecurity protection to 5G IoT devices.

David Moulton (20:49)

Mei, thanks so much for such a great conversation today. I really appreciate you sharing your insights on IoT on AI and a little bit on your background.

Dr. May Wang (20:59)

Thank you so much David for having me and this is definitely very exciting topic about IoT and AI. I'm so glad you are hosting a session on this. I really enjoyed our conversation.

David Moulton (21:19)

Thanks for listening to this segment of the Threat Vector podcast. If you want to hear the whole conversation you can find the show in your podcast player. Just search for Threat Vector by Palo Alto Networks each week I interview leaders from across our industry and from Palo Alto Networks to get their insights on cybersecurity, the threat landscape and the constant changes we face. See you there.

Dave Buettner (21:47)

Be sure to check out the Threat Vector podcast wherever you get your favorite podcasts. Just a quick program note. The following segment with me and Tim Starks from cyberscoop was recorded last Friday before the presidential inauguration. Tim Starks is a Senior Reporter with CyberScoop and it is always my pleasure to welcome him back to the show. Tim, how are you, sir?

Tim Starks (22:24)

I am good. It is also always my pleasure to be here.

Dave Buettner (22:27)

Well, the feeling is mutual then. I suppose you have been doing a lot of reporting here lately and of course, not the least of which has been about the executive order that President Biden seemingly dropped on his way out the door, right?

Tim Starks (22:49)

Yes.

Dave Buettner (22:49)

There's no minute like the last minute and there's a lot in here. So unpack what's going on here for us, Tim.

Tim Starks (22:56)

Golly, there is a lot in here. And unpacking the whole thing, I can't do it. Not on CyberWire in the time required. But it's a 40, 50 page document that covers cybercrime, it covers artificial intelligence, it covers quantum computing, it covers contractor security, it covers federal government communication security. I mean, it's a big, big final stab by this administration to do something on cyber before they leave. And it's comprehensive to say the least.

Dave Buettner (23:31)

Why the last minute, do you suppose?

Tim Starks (23:34)

Yeah, so I think there's a long process for getting these things through. If your listeners and everyone else go back to September, I wrote a story about this and what was going to be in it. And I said something that was like 95%, according to one of my sources, 95% done. That was in September. And it had been worked on for a good long time before that. It was a couple months of me hearing about it being discussed publicly before it even was, you know, it had been being worked on by the time I heard about it. And you know, from September to January, There's a, that's 5%. You know, it's a, it's like the, it's like when you're looking at your computer and you're thinking, oh, I've downloaded it. And then it just keeps like the last second it just slows down. You're like, what's going on here? That's the situation. I'm getting things across the finish line is very difficult. And there's an interagency process for doing these things. I can't speak to them waiting until the Thursday before they leave. I Mean, it's two days from the two work weekdays from the start of the second Trump administration. I can't speak to why they waited until that period of time, but they had targeted December for this originally when I was in my September story. So it was always going to be felt like a little bit of a push from, okay, in our first year, we did an executive order on cyber. It did this, it did that, it did this. What's changed? What do we need to address that we didn't address then? And what kinds of things do we need to update from that 2021 order that we did? So it makes sense if you think of it as a bookend of the administration beginning and ending. But the timing does probably make it more difficult for this to become more of a reality.

Dave Buettner (25:18)

Is there anything in here that was particularly surprising or struck you as being bold in its inclusion?

Tim Starks (25:26)

It's going to sound like I'm dissing it, but no, I mean, it's. I think. I think what's most interesting about it is its breadth. I mean, that feels like I'm dodging the answer. But the fact of the matter is there's so much in here. There was some stuff on there about CISA having a little bit more leeway to do threat hunting in federal agency systems in terms of what kind of data they provided access to that was controversial with some federal officials, but that was in the process of it being drafted, and I didn't hear anybody complain about it after. So it seems like the majority of this is stuff that isn't controversial. It's stuff that is far more technical in nature. It's not about partisan things that people that they thought about, like misinformation, disinformation efforts versus free speech. It's not like that. It's highly technical stuff that a lot of people think would have bipartisan support. I think the one area that even kind of gave a little bit of a nod to the incoming Trump administration, although admittedly the Biden administration has been talking about harmonization of regulations, is a provision saying, hey, nist, look at all these minimum cybersecurity standards that are out there. There are a lot of them that are in conflict and make some recommendations about what the minimum across sector should be. So the areas of controversy or surprising or boldness are even limited then. It's really just more that there's so much.

Dave Buettner (26:52)

Well, and you've done some asking around with some legislators on their takes. Are they coming down as expected on the two sides of the aisle?

Tim Starks (27:02)

Yeah, so far, I mean, not a lot of them have weighed in. It's mainly been a handful of lawmakers who are really focused on this issue. You know, the Trump administration, you know, I tried to reach out to them, and the Trump transition team did not respond to my messages. That's not unusual. So that's not me complaining or dissing anybody. That's just me saying, we don't know exactly what the Trump administration thinks, but we do know that there's one very prominent and influential Homeland Security lawmaker, the actual Homeland Security chairman on the House side, Mark Green, who said, this is bad. This is them getting in the way of what the Trump administration wants to do. When Trump comes in, he needs to overturn all the stuff that we don't like, that the Biden administration did regulatory stuff, and it was much more limited than a consensus yet. I think it'll be really interesting to see what Trump does. One of the things people speculated in my story was they're probably going to take a close look at this and say, hey, do we like some of this? The risk might be, of course, that they just decide, nope, we're gonna get rid of the whole thing and just start over. That's something that could happen.

Dave Buettner (28:09)

Yeah. Well, speaking of folks moving on and transitions happening, another one of your stories recently involved someone who was moving on from cisa, who had quite a few years there. Tell us about that one.

Tim Starks (28:27)

Yeah, this is, you know, Jack Cable is his name, which is, by the way, the best cybersecurity name to have for someone who works in cybersecurity. Jack is a bit of a prodigy on cyber. He is still just 24, but when he was going to college, he was working on cybersecurity issues in the federal government. So he's an interesting figure to talk to. He's a big thinker about things like this. And he. He, like a lot of other people, are looking at the change of administration and departing. Not that he said, that's why I'm departing, but that's just the kind of thing that happens when there's a change in administration. And we talked a lot about a couple different issues he worked on, but I really focused in my story on what I think is one of the more interesting ideas to come out of this administration, which is their Secure by Design initiative. And it's. It's voluntary. It's mainly a pressure campaign to a certain extent. The pressure might even be too harsh a word, but it's an attempt to get people in the private sector to enlist and say, hey, when we are designing our software. When we're making it, we're going to incorporate security in it at the outset as opposed to just adding a bunch of security updates later, maybe making it so you have to purchase additional services. And Jack was one of the couple few people who was really leading that effort. Within cisa, has it generally been considered.

Dave Buettner (29:52)

To be a success?

Tim Starks (29:54)

Yes, I think so. First, it can be hard to measure something like this when it's voluntary. And to Jack's credit, he pointed out that CISA has been publishing. Okay, these are the companies making pledges. Here is a progress report on what they've actually done. And that's an interesting way to approach something that's voluntary and see if you can actually net something out of it instead of it just being, oh, we signed onto the pledge, we're one of the good guys, and then never do anything about it. I mean, there's still a chance that that could happen. But even the private sector kind of thinks that this is basically a good idea and it's basically been helpful.

Dave Buettner (30:29)

And of course, Director Easterly is moving on as well. Any thoughts for the organization is, at the very least it'll be changing leadership, right?

Tim Starks (30:39)

It will. And you know, there's some scuttlebutt about who that might be. I don't want to say anything yet. There's been some of that's been published. I think it's mostly accurate. But today being Friday, the senators on the Homeland Security Committee heard from Christine Oem, who is going to be leading DHS as a whole. And she talked a lot about CISA needing to be smaller, more nimble. She talked about it's staying away from anything disinformation or misinformation related. It has largely abandoned all of that already, but it starts to give you a sense of even without having a new SISA leader, there's going to be some commandments from the top of what they want to do. And I think CIS is in for leaner times. It's a question of how lean.

Dave Buettner (31:29)

How do you feel the wind is blowing right now? I mean, for many years we, I think, were in agreement that cybersecurity was an area that for the most part was above the fray when it came to, you know, partisanship. I think a lot of that changed after with the disinformation and misinformation fights, you know, after the, the election, when, when President Biden beat then President Trump. Where are we right now? How do you measure the, the degree to which cyber is still considered to be essential from Both sides.

Tim Starks (32:13)

I think there's a difference between considered and is. I think, you know, I, I have for years been, been kind of pushing back on the notion in talks like this with you and talks on other, in other places that that cyber is, it has maintained its nonpartisan status. And I think, I think some of that goes back to what you said. You know, some of it goes, I think some of it goes all the way back to Obama, to be honest. I mean, not all of it, but some of it. You know, there's been a lot of talk from criticism from Republicans about whether the way the Obama administration handled cyber. If you go back that far, if you go to the Trump administration, you know, criticizing cyber related initiatives from within. You mentioned the election security issue. I think the Biden administration's push for more regulations has created more division than there was. That's not me blaming anybody. That's just me saying this is an introduction of an element and one side likes it and the other side doesn't. And that wasn't the case before. It used to be for the longest time, both sides said, we don't need any regulation. It would only harm cybersecurity. This administration said, no, that's not worked. Look at the pace of cyber attacks. It hasn't changed. The market's not doing it. So they tried to make some changes to that. Republicans, being small government on economic issues primarily didn't like some of this, maybe all of it. I think there's some potential bleeding of accepting minimum standards. I've talked about this before with the Republican national platform saying we need minimum standards and critical infrastructure. How those are enforced is different. Maybe they want to roll back all of the regulations, maybe they want to roll back some of them, but some of the principles are still bipartisan for sure. I just think that, I just think that we can't blink at, say it's nonpartisan or bipartisan the way we used to be able to.

Dave Buettner (34:09)

Yeah, yeah, I think you're right. Those days are gone. All right, well, Tim Starks is senior reporter at cyberscoop. Tim, thanks so much for joining us.

Tim Starks (34:20)

Always great to end on an optimistic. There you go.

Dave Buettner (34:38)

Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with Threat Locker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant. This episode is brought to you by Indeed.

David Moulton (35:21)

We're driven by the search for Better. But when it comes to hiring, the.

Dave Buettner (35:25)

Best way to search for a candidate.

David Moulton (35:26)

Isn'T to search at all.

Dave Buettner (35:28)

Don't search.

David Moulton (35:29)

Match with Indeed. Use Indeed for scheduling, screening and messaging.

Dave Buettner (35:34)

So you can connect with candidates faster. Listeners of this show will get a $75 sponsored job credit to get your jobs more visibility@ Indeed.com SBO terms and conditions apply. And finally, it seems one Marco Raquan honesty, a Washington man with perhaps the least fitting surname ever, has admitted to a fraud spree causing over $600,000 in losses. And it's no laughing matter except for the irony of his name. From 2021 through 2022, honesty ran the Scam Olympics Covid relief fraud, smishing bank account takeovers, forged money orders, and even selling stolen data on Telegram Using SMS phishing, Honesty duped victims into handing over bank credentials, then drained their accounts via Zelle and other transfers. He even scored fake PPP loans for friends, family and, in a wild twist, his grandmother. Authorities found his fraud factory in 2023, complete with 24 phones, card embossers and blank IDs. The damage? $622,000 in actual losses. Though his ambitions stretched beyond $850,000, Honesty now faces 22 years in prison. Plenty of time to ponder his ironic branding. Sentencing is set for May 23, and that's the Cyberwire. For links to all of today's stories, check out our daily briefing@thecyberwire.com don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. Every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review view in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com this episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Heltzman. Our executive producer is Jennifer Ibin. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and Data Products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact, secure AI agents connect, prepare and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more@AI.domo.com that's AI.domo.com.