B (13:35)

So I would give a generalized statement first, that when I think about cybersecurity and when I think about politics in general, I think about Congress's ability or inability to pass meaningful legislation that keeps up with cybersecurity, if you will, cybersecurity technology and cybersecurity issues and problems. For example, I am a very data analytically driven human being and as such I am still amazed that we don't have certain mandatory reporting requirements or some type of standard that the government has deemed that must be in place with the exception of Fedramp for governmental utilization. But you're truly asking about what we see politically and what we see politically. Unlike some of our adversaries, quite frankly, we oftentimes change every four years or potentially eight years. We change even ever so slightly our initiatives and one of the things that has been changed as of late is the mission of cisa. And looking at that there's been some impact and looking at that there's been some concern. Now I see it from both sides. I see when CISA was started very early on it was very hard for them to find their Footing.

A (15:16)

Right.

B (15:17)

And then they started coming into their own and they started really filling in some voids within the community. We seem to be pulling away from that and pulling back from that now. It's going to be very interesting to see what governmental or private resources that we have to step in and fill the void.

A (15:39)

My perspective has been that for many, many years, cybersecurity kind of enjoyed broad bipartisan support. It stayed out of the fray of any particular side's interests. Everyone agreed this was important for our national security, for the security of our citizens. And my sense is that the past couple of years that's kind of drifted away a little bit, or perhaps would it be fair to say we lost a little of our innocence? Is that an acceptable way to frame it?

B (16:15)

Yeah, I would say we lost a little of our innocence. But being in government, I would say that depending upon which part of government you're in, it's no different than certain businesses. There are different silos, and people understand the problem differently. So those that are closest to it. Right. The line level agents within various organizations that are combating these adversaries and actors every day have a very different understanding of what's going on, quite frankly, than some other parts of the government. And sometimes I think our attention is somewhat diverted. I pause and I hesitate to say because. And this is Jason Manar's take. Right. What I continue to see is in certain ways, Congress and our congressional delegates and representatives having a very difficult time providing legislation, whether it's on cybersecurity or other matters. And I think that affects cybersecurity in a meaningful way. And if you look back to, you know, when the last true legislation was passed, and I'm not talking about, you know, presidential, you know, some type of presidential directive, but actual, you know, congressional cybersecurity legislation, you know, it's truly been some time. And even the laws around cybersecurity, when you look at the laws around cybersecurity, many times they are using financial fraud laws, they're using RICO laws, they're using other laws that aren't necessarily specific. Because all that we have, you know, is one law that was passed back in, I think it was back in the 80s on the books, at least federally for cybersecurity.

A (18:11)

Yeah. So do you think there's kind of a fundamental velocity mismatch here between the ever accelerating rate at which things happen in the cyber domain and Congress's inability to squeeze anything through?

B (18:30)

Well, I think it's that, but I also think, and I want to give Congress and I want to give our government the benefit of the doubt somewhat. You know, there are many, many issues to address at any given moment. But I think, truly understanding, right. That where our technology, our data, our intellectual property, and a lot of things that make this a great, great country resides in the digital realm and digital space. And as such, I really believe that we need to give a lot more bandwidth to thinking about how we're protecting, addressing that and how we're doing that, you know, across the board through public and private partnerships. I'm not just speaking to, you know, potential regulatory compliance or congressional mandates, but true public private, you know, collaborations that move the needle in a meaningful way, that protect America's interest while protecting, you know, the interest of our businesses.

A (19:42)

What do you suppose something like that could look like?

B (19:45)

Wow, Isn't that the $50,000 question? Or maybe in this realm, 50, you know, $50 trillion question.

A (19:53)

Yeah.

B (19:55)

Well, first it's. It has to always start with the dialogue. And I will say cisa, the FBI, and several other entities are trying very hard at getting that dialogue going and keeping that going through several different initiatives. I'm very excited what some agencies are doing to try to bridge that gap. I would obviously like to see that expand. Because truly, the way that I think you get everyone involved is if you get all stakeholders in a room. I know CISA for a while last year, the year before that, they had a committee for RMM security standards, and we were able to push out some security standards for, you know, companies that were selling rmm. And RMM can be a very, very powerful tool, which is why we chose to start there. And there were really legs on continuing that legislation and rolling that into what that looked like with the, you know, SDLC process, CIDC pipeline, and how we could meaningfully look at technology and businesses that were making products, what that public private partnership look like so that we could have some directions to continue to make things in a safer way for the ultimate end consumer. Right. And I think that's a great place to start. And then I think from that you get some wonderful ideas around things that then grow legs. Because in these meetings, you have not only people from the top sectors within business, but you have representatives that. That are a part of the legislative. Legislative team. So you won't necessarily have legislatures there, but you'll have part of the legislative team. You'll have people from, you know, cyber warfare from all aspects. You'll have people from all agencies that you can think about, and they're all sharing ideas and trying to come up with that $40 trillion answer, if you will, and how we slowly get there. And I think that's where you kind of have to start, right? Because some of the best intended legislation, especially when it starts out, if you don't involve the in technical user, while it may be well intentioned, can lead to adverse consequences. And that's where we don't want to be.

A (22:48)

Do you suppose that we have what it takes to make these things happen? Is there political will there? Is there good faith partnerships in the making?

B (22:59)

Yeah. So I will say my time during the FBI, we spent a lot of time building those relationships within Fortune 50 and 100 companies and even some smaller. And so I would say that there are things even from back then a decade ago that are still bearing fruit and there are still some really good traction to be had there with some of the other initiatives. I'll be honest, I'm not sure what the newer initiatives are. I and part of that I will take personal blame for because I am set to go to D.C. and meet with some folks. But unfortunately I think it was just a time of transition last year. So unfortunately that didn't happen. So I'll be going to dc. I'll be seeing if those things potentially even exist. And I'm just unaware. But I know as I said before, several of the initiatives with CISA and DHS have kind of gone away and those were some of the ones that I was most engaged with. So while they are reconstructing what that looks like, we're engaging more with other government entities and trying to be of service and trying to make sure that we are a voice for MSPs and small and mid sized businesses to whom we protect and sell services to.

A (24:39)

That's Jason Minar from Kaseya.

B (24:56)

When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets mom 60th and never miss a meme or milestone. All protected with end to end encryption. It's time for WhatsApp message privately with everyone.

A (25:20)

Learn more@WhatsApp.com this episode is brought to you by Indeed. When your computer breaks, you don't wait for it to magically start working again. You fix the problem. So why wait to hire the people your company desperately needs? Use Indeed's sponsored jobs to hire top talent fast and even better, you only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit@ Indeed.com podcast. Terms and conditions apply. And finally, in a twist worthy of a digital sitcom pro Russian hackers spent September loudly celebrating the takeover of a Dutch water facility, only to discover they'd been splashing around in a honey pot. The group calling itself twonet, had in fact broken into a decoy network built by researchers at Forscout, who quietly watched as the hackers defaced a login page, disabled alarms, and generally made mischief all in a sandbox. Their victory announcement, complete with the charming signature Hacked by Barlotti F, although the F was another word, was met by the cybersecurity equivalent of polite applause. Forscout says the incident illustrates how novice hacktivists are increasingly poking at industrial systems they barely understand. Mistaking honeypots for heroics, twonet, like many of its peers, quickly folded, proving that hacktivist groups often have the lifespan of a mayfly. Just louder still, researchers warn, these bumbling forays mark a worrying shift toward real world infrastructure as the next big cyber playground. So it turns out the heck of the year was really just a splash in a very well monitored huddle. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com a quick program note we will not be publishing this coming Monday in observance of the federal holiday. We'll see you back here on Tuesday. Be sure to check out this weekend's Rule Research Saturday and my conversation with John Focker, head of threat intelligence at Trellix. We're discussing their research gang, Breaking Trust among Cybercriminals. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. discover the startups building the future of cyber. Learn more at cid datatribe. Com.