
In this episode of Data Security Decoded, host Caleb Tolin sits down with Dustin Droullard, a cyber threat intelligence expert and former Army intelligence analyst and cyber operations officer. They explore the growing overlap between global conflict and cybersecurity, unpacking how nation-state actors use cyber-espionage, disinformation, and digital sabotage in geopolitical conflicts. Whether you're leading cybersecurity efforts or simply navigating today’s volatile digital landscape, this conversation offers valuable insights into preparing your organization for the rising tide of cyber threats driven by global conflict.
Discover how geopolitical tensions trigger cyber fallout for businesses
Learn the tactics behind influence operations and digital sabotage
Understand why anthropology and business skills matter in cyber careers
Explore what schools are still missing in cybersecurity education
A
It's just a matter of time that just about any company, they're going to get caught up into some kind of geopolitical affairs, even if they have no intention to. You may have no political ties or intentions or anything, but if your company can very easily get tied in, and if you're not prepared and understand the implications of getting pulled into these scenarios, then it's going to be so much harder to up your defensive once you've already been targeted.
B
Hello and welcome to another episode of Data Security Decoded. I'm your host, Caleb Tolan, and if this is your first time joining us, welcome to the party. Make sure you hit that subscribe button so you're notified when new episodes are live, and if you're already a subscriber, thanks for coming back. We'd love it if you'd give us a rating. Drop a comment below, let us know what you think of the show. And in this episode, I had the pleasure of sitting down with Dustin Drouillard, who brings a wealth of experience in threat intelligence, specializing in the intersection of geopolitics and cybersecurity. We had a fascinating conversation on how geopolitical tensions impact cyber operations, the human nature of threat actors, and trends amongst the next generation of defenders. I really enjoyed speaking with Dustin. I'm sure you'll love this conversation, so let's dive in. Dustin, thank you so much for joining us. Before we dive into the meat of the conversation, can you tell us a little bit about your first introduction to cybersecurity and what made you decide to pursue this as a career?
A
First, Caleb, thanks for having me today. And I'd say my career isn't necessarily unusual, but it wasn't exactly planned in a linear way. I started out as an intelligence analyst in the Army, and I didn't know it at the time, but it kind of provided solid background for when I later pivoted into cyber operations. But along the way I learned, you know, I was introduced to new technologies, different complex analysis scenarios and different types of data sources. Human intelligence report is very different from a signals intelligence or imagery intelligence. And so when I was introduced to the cyber as a source, if you will, it was kind of a nice addition to a lot of what I'd already been trained in and experienced with. So along the way the Army decided that they needed to kind of get in on the cyber thing, if you will. And so they, they offered me a position where they're taking a bunch of intelligence analysts and IT professionals and putting us together and calling that cyber. It eventually developed into what became, you know, now a dedicated cyber branch within the Army. But at the time, it was kind of a little bit of all these skills mixed together, and I kind of assumed that that would just be a temporary assignment. I'd move back on to other things. But once I got exposed to a lot of cyber operations, I really enjoyed the challenge. There's something new every day. There's so much complexity, you know, and I really enjoyed it. And I decided I wanted to stay within that kind of technical analysis realm within the rest of my career. And since then, that's really what I've been focused on.
B
And I'm sure no one would be surprised, based on that background, that your focus has been a lot in geopolitics. And that's why I'd love to kind of shift focus to now. So when major geopolitical tensions arise, we often hear about the physical impacts, but rarely that cyber element. Can you tell us and walk us through what typically happens on the cyber front when these escalations happen, and how are adversary nation states leveraging cyber operations during these conflicts?
A
That's a great question. And we are seeing a lot of. Not the convergence of these different types of threats are new per se, but we're seeing a lot more, I guess, emphasis on that, in that understanding that if you have kinetic warfare, if you will, and cyber, you know, it's going to go hand in hand, right. And at a high level. And this is kind of a generalization, but you really, when it comes to cyber conflict, you kind of have two different methods. You have espionage and you have effects.
C
Right?
A
You can combine the two, but it's in a general sense, when there are military actions or some kind of geopolitical events, you can conduct espionage in cyberspace. And usually that's a little more quieter. You don't want to get caught. Because the whole point is to obviously have that advantage of being able to collect that information and have that advantage over your victim. But then there's also effects which can be a wide variety of things. It can be ransomware, it can be DDoS, it can be whatever intended effect, right? And those are usually meant to be noisier. A lot of times they're meant to be clearly aligned with whatever that geopolitical activity is. In many ways, there's almost that desire for attribution to show that, hey, we are doing this because of this geopolitical activity. So two different approaches, you know, again, they can be combined, but every country, and really, in every conflict, it's implemented a little differently. Whether you're doing it defensively, offensively, I would say overall, cyber hasn't come into play quite as prominently as we assumed. There's a lot of theory of how cyber is going to be a major factor within warfare and we haven't seen it quite yet. It certainly is a significant factor, but not quite as much as we've assumed. But in recent events, I mean, you're seeing with like the Iran, Israel and US ongoing conflict right now, right? There's general threats being made in terms of cyber capabilities. There's the Iranian banks were hacked as part of the whole geopolitical situation. You know, there's likely hacking of defense systems potentially on both sides. You know, there's even. It kind of goes the other way as well. Like within Israel there were specific organizations that were doing advanced technology research, right, in cyber AI, that kind of stuff. 
And they were specifically targeted by Iranian missiles because Iran wanted to take out some of those potential cyber capabilities in the research and development capabilities. And so it's interesting to see sometimes the geopolitical and the technical can influence each other in both ways and they really, they go hand in hand now. And I mean there's countless examples, you know, North Korea using, they're typically financially motivated in order to fund their geopolitical activity of developing nuclear weapons and all that. Volt Typhoon, which is an ongoing campaign attributed to China, it appears, according to the US Government, that they're staging for potential future operations. So they're not necessarily doing anything on the effect side yet, but some kind of espionage or preparing for something in the future. Right. And so all of that ties into all these geopolitical conflicts around the world. And you really, I'd say you can't separate the two anymore.
C
Right.
B
And you gave a ton of great examples of different conflicts and, and how they're kind of manifesting in the real world in moments of these high stake geopolitical conflicts. What are some of the behaviors that you see from cyber adversaries in terms of, you see this oftentimes it starts with some type of kinetic warfare like you were talking about. What are the behaviors that you start to see from the cyber front as that kind of evolves and moves forward? Do their tactics change? How do they measure the effectiveness of their campaigns and what does that look like from the victim perspective?
A
I'd say one of the most prominent strategies we've seen lately has been the implementation of influence operations via cyber means. When these geopolitical events kick off, there's a heavy flux of influence operations from all sides, really trying to both influence the general public's understanding of what's going on. But a lot of times it's just for the sake of making noise, to be honest. You know, it's really just adding to the noise and intentionally causing confusion, which causes divisions. Even though that's even kind of beyond cyber, it's cyber enabled and is becoming a very popular way to kind of utilize technical means to advance, you know, those geopolitical initiatives. But we do see things like targeting of, or at least threats of targeting major events. You know, like major, especially international sporting events can become a primary target in order to, again, it's more of that messaging or in protest to something that happened to a certain country and then they will want to interrupt another country's events of some sort. So we see a lot of that targeting a major, like industry players, companies, corporations that may somehow be involved in, you know, supplying a government with whatever technologies or systems. And so then they become targets.
C
Right.
A
And so then they're, I would say, fair game in the cyberspace, you know, so they have to up their defenses because they're going to get pulled into this whether they want to or not. And I would say in general, the tactics, they really change depending on how much impact they have. But the hard part is measuring the effectiveness. How do we really know? You kind of have to know what were the threat actors' original intentions to know if they're effective. They may have been effective in an unintentional way, but it's really hard to gauge like did they really get the desired effect that they wanted or was the desired effect that we saw was that, you know, maybe that was just a distraction, maybe we haven't caught what they were actually doing, you know, and so it gets really complicated trying to decipher what is effective and what isn't when you're talking about cyber defense.
C
Right.
B
And I guess that's getting into the conversation of like what is information versus intelligence? And kind of like dissecting what all of this data and this information means within the greater context. So I gave you a pretty open ended question that, you know, it wasn't very straightforward, but that is really interesting. And so when these high stakes geopolitical conflicts happen and they occur oftentimes civilian facing organizations are the ones caught in the crossfire. And so what can these organizations do and what steps can they take to protect themselves and their customers during these times of turbulence?
A
That's essential for I would say any organization to consider ahead of time before they get caught up in this. You know, it's just a matter of time that just about you're talking in terms of companies, you know, they're going to get caught up into some kind of geopolitical affairs even if they have no intention to.
C
Right.
A
It's really vital to understand every region that a company is operating in or has customers in.
C
Right.
A
Because again, you may have no political ties or intentions or anything, but if your company can very easily get tied in and if you're not prepared and understand the implications of getting pulled into these scenarios, then it's going to be so much harder to up your defensive once you've already been targeted. So just having that general understanding of the landscape that you do operate in, you know, we're in an international environment now and no company's really isolated. But, and I would say even organizations that don't operate internationally like you just, you never know why threat actors are going to, they get creative and sometimes they can pivot off of different infrastructure and so never assume that you're not going to get pulled into one of these broader situations. But really, I mean, a lot of it boils down to investing in standard cybersecurity practices. I've seen a lot in the industry, a lot of the basics are overlooked and I know a lot of people harp on that. But it really is starting with the basics on the technical level. And if an organization can invest in some kind of cyber threat intelligence capabilities, it doesn't have to be anything fancy or what have you, but whether it's an in-house analyst, whether it's some kind of service or vendor, really being able to get some of that tailored intelligence for your organization so that you're not just trying to watch the whole threat landscape, but having something that's specific to your organization so you know when you should care about certain things and when you can not care as much if you will. So.
B
Right, yeah, there's so much information out there. Kind of dissecting and understanding what matters most in the context of your organization is definitely a struggle I think for many organizations. So how can smaller or under resourced organizations that don't have these massive cybersecurity budgets effectively prepare for these threats, especially when they lack those dedicated security resources? Are there any resources from like the federal government level or where would you say some of these organizations could start to address that eat your vegetables conversation of preparing before the attack even occurs?
A
There are a lot of accessible resources, you know, available through government and nonprofits as well. I know in the government you have, like DHS, CISA here in the States has a lot of resources for critical infrastructure and other organizations. You have NSA and the DoD Cyber Crime Center have a lot of resources for those companies that have any kind of government contract to, you know, just to be able to boost their security posture and understand the specific threats to their organizations. And you always have ISACs, the Information Sharing and Analysis Centers, which cover various industries and they provide a lot of, you know, it's usually affordable to buy into and get those information feeds that are relevant to your sector that you work in. So very, very helpful there. And I would say just consider collaborating with whatever industry you're working in. I know that seems kind of counterintuitive, like why would we talk to maybe a competitor in our industry? But if it's a matter of keeping the industry safe, sharing threat information is not going to hurt anybody. If you can both bolster your defenses, that's... everybody wins there. Not a popular opinion, but, but I, I think it is worthwhile to partner even unofficially with other organizations that you work with and do some of that threat sharing internally.
C
Right.
B
Maybe it's not a popular opinion, but it's a necessary opinion for sure. And I'm really glad you mentioned ISACs as well. We actually just had an episode drop with Errol Weiss and he is the Chief Security Officer over at Health-ISAC and he also has a background in the financial services ISAC as well. So we had a really interesting conversation there. If you haven't already listened to that episode, for those tuning in, I definitely recommend going back to that last episode and checking it out if you haven't already. So thank you for mentioning that. But going back to the conversation at hand, I kind of want to go back and look at the earlier part of your career and look at some of your educational background because you have an interesting path of study to land where you're at today. So your background's in anthropology, which is pretty rare in cybersecurity. And I'd love to understand how has that understanding of human culture and behavior informed your work in cybersecurity? Especially when it comes to this conversation around geopolitics and cyber operations.
A
People usually chuckle when they hear the background in anthropology and, oh, that's a big shift into cyber. But I would say not really. I think I've heard the saying, all tech is human. Technology is made by humans for humans.
C
Right.
A
And so there's always going to be that human factor in tech and cyber and all that kind of stuff. So understanding human culture, I think is vital to really understanding, you know, cyber operations, especially at the strategic level. But I think it's been very helpful both understanding the people, the operators that are within cyberspace, but also the cultural backgrounds that they come from and the threat actors. You know, usually many of them, you know, have some kind of cultural ties, whether it be linguistic, religious, geographic, something there. They usually have some kind of ties. And, and it's interesting sometimes when you get into digging into the technical side of, you know, the back end of websites that are being set up for C&C domains or something like that, or digging into malware source code and you'll find little cultural indicators based off of languages used or language settings on computers to be avoided. You know, and it kind of gives you hints as to some of that geopolitical aspect of who's developing this infrastructure, these tools. And even when, like within CTI, getting into open source intelligence, doing those investigations, OSINT investigations, you know, a lot of times there's that linguistic factor of having to do research, even if I'm not a linguist, but like I sometimes I have to do research on throughout websites that are not in English, and then understanding that even the term cyber can mean different things in different cultural contexts, you know, and other AI or drones or whatever advanced technology you're talking about, they have different perceptions depending on which geographic region you're looking at. And so you have to understand that otherwise you'll have an analytic bias towards what you know, what's familiar to you, and you have to kind of see things from the perspective of those that you're researching. Right. And I would say it even blends into. 
I've, I've done UX research for web design in the past and a lot of that is understanding tools and software from the user perspective. And that applies within cyber as well. If we make tools that are really advanced and really cool, but it's really hard to adopt at the human level, then are they really that useful? And that's where, you know, the anthropological thinking can really come into play. And, and making tools and making security usable at the human level, I love.
B
Those kind of unexpected benefits from whatever you studied in school. And so in the same vein, I have another question for you around education. And that is other than like traditional paths to cybersecurity, like majoring in cybersecurity or doing some type of master's or boot camp program in cybersecurity, computer science, coding, anything like that, or anthropology, I'm going to take that one off the list of options there for you as well. What majors would you recommend that students consider in preparing themselves for a career in cybersecurity or cyber policy? I'm going to go first on this one because I actually have a pretty interesting recommendation and it has a story behind it. So when I was in school, I studied communication and political science. And I was walking through campus one day and I was over by the student store and there was this table with a bunch of books on it. This woman came over and flagged me over to come speak to her, and she was trying to convince me to drop my communication major and move over to Great Books, which was the program that she helped run. And that's why they were giving out all these great books. And her perspective was, there's so much you can learn from history, from culture, through these different books, and learn more about what's happening with different nation states or different cultures like we were just talking about, and the history and different perspectives and ways of thinking that I think could really open your mind in a technical role within cybersecurity to kind of think outside the box a little bit. So ultimately did not decide to drop my communication major and go into Great Books, but I think it would have been very interesting. And so I think people should consider that. So that's my recommendation. But I'm curious about yours.
A
I think that's an awesome recommendation. You could end it right there. But I mean, obviously I love books and I think there's a lot of value in reading the great books and developing those critical thinking skills and. But not to steal your answer, I would say one, one thing that would be very useful is understand business, business strategy, business management. I think that's very overlooked in the cyber community is understanding how businesses operate and how cyber plays into that and enables that. Because a lot of times cyber operations are kind of seen as a cost center. You know, it drains resources and why do we fund cybersecurity? And there's always those kind of debates going on. And if you want to be a leader in the cybersecurity space, understand how business operates, how it works, the strategy, the policies, and being able to leverage a technical background and applying that to business operations and being able to explain the value would go a long ways. You know, I think that's. That's crucial, but almost to get a little more philosophical, I would say even just whatever subject that you can leverage to develop your critical thinking, whether it's literature, you know, through great books, whether it's, you know, anthropology, sociology, systems engineering, there's all kinds of subjects that you can, that different people think in different ways and whatever gets you excited and helps drive the creative thinking that you can leverage within cybersecurity. You layer that on top of good technical foundation and you're set up for success.
B
That's a great take. I definitely agree with that. Wonderful. And in the spirit of education, I wanted to talk a little bit about your current gig teaching at the Institute of World Politics. So that's a really interesting additional thing that you're doing right now. And I'd love to know what are some of the trends or shifts that you're seeing in the way cyber security professionals are currently being trained? And kind of as a second question on with that too, what do you think are the core elements that schools need to consider as a part of their cyber curriculum to adequately prepare students to enter into these variety of different cyber careers that they could take?
A
That's pretty interesting. I think there's a lot of debate around those topics right now and I would say I'm not really seeing shifts at a macro level, honestly. I think a lot of the academic programs are kind of keeping status quo right now. What I hope to see, I think the natural tendency will become seeing that convergence like we're talking about earlier convergence of technical, non technical threats. And I think more programs will likely hopefully start to incorporate so that they're not developing just cyber professionals siloed in their own technical environment, but also understanding how all these different threats play together and really training people ahead of time so that when they enter the workforce they are able to collaborate very easily with the supply chain folks, the physical security, the, the geopolitical analysts and all that. So I'm hoping to see that become a trend, you know, within the broader cyber training programs. But some of the core things I think is you can never neglect the technical foundations. I think that some programs I've seen, they kind of, they emphasize so much either the policy or the management or the non technical side of things, which is important. But you have to have that technical foundation. I think if it has the word cyber in the program, it needs to have some baseline technical foundation. You know, you don't have to be a computer scientist to be in cyber, but you've got to have some technical acumen. But really I think there should be, most programs should develop specializations. Cyber is really a broad term and we could have a whole debate on what is cyber, what isn't cyber, you know, and, and so the field, there's so many subsets within cyber security. And so it does a disservice to students when you teach them a little bit of everything and then push them in the industry and say, good luck. There's a big difference between a SOC analyst and a pen tester and a threat hunter and a CTI analyst. 
You know, those are all overlapping, very unique skills. And so having a specialization in your programs will really help guide students as they get into the industry. But also, you know, like I mentioned, adding business education is very helpful. I think every program should at least touch on that. How does cyber drive business? And really, overall, like critical thinking, cybersecurity is not a static issue. It's not. This attack happens, so I push this button and it's all done.
C
Right.
A
It's very complex. Understand how to pivot off information, how to think outside the box, develop hypotheses, you know, and you really have to. That takes time to develop critical thinking skills. And I think any education program should really emphasize that beyond just specific tools that they recommend.
C
Right.
B
Being able to operate in that gray area where you're not just given, you know, very streamlined workflows to follow or, you know, the lines are blurred. I think to your point, critical thinking is such an important skill for cyber professionals to have today, no matter what kind of discipline you go into based on, you know, that specialization like you were talking about. So couldn't agree more. But what a great note to end on. I mean, that's all we have for everyone today. Thanks for everyone who tuned in and thank you, Dustin, for sharing your perspective. I think it was really interesting and valuable. Love chatting with you about education, geopolitics, all that stuff. It's very interesting. So thank you for your time and until next time.
A
Yeah, thank you, Caleb. I enjoyed our conversation.
Episode: The Geopolitical Security Playbook: When Nations Clash in Cyberspace
Date: July 31, 2025
Host: Caleb Tolan (B)
Guest: Dustin Drouillard (A), Threat Intelligence & Geopolitics Expert
This episode explores how geopolitical tensions spill over into the world of cybersecurity, examining how nation-state conflicts increasingly manifest through cyber operations. Dustin Drouillard shares his first-hand experiences, breaks down how cyber operations overlap with kinetic warfare, and provides practical advice for organizations and aspiring cyber defenders navigating these turbulent times.
This episode delivers a pragmatic and often-overlooked perspective on how the collision of nation-state conflicts and cyberspace affects organizations and individuals at every level. Dustin’s advice is forward-looking—emphasizing awareness, foundational security, cross-disciplinary thinking, and the necessity for collaboration. Preparing for geopolitical cyber risks isn’t just about technology, but about understanding people, purpose, and the broader world we operate in.