Tom Uran
This is Tom Uran. I'm here with the Grok for another Between Two Nerds discussion. G'day, Grok, how are you?
Grok
Good day, Tom. I'm fine. And yourself?
Tom Uran
This week's discussion is brought to you by runZero, an active and passive infrastructure and attack management platform. So last week, Grok, we spoke about how NSA is the 800-pound gorilla in the signals intelligence and cyber espionage world. That made me think about what it is that makes other countries not do that. What is the thing that limits them from creating their own 800-pound gorillas? And that is kind of what's scarce. Now that's apparently, you tell me, one of your bugbears, this idea that there are some things that are scarce, but they're not really scarce. I think you called it false scarcity.
Grok
Yeah, the scarcities. So this comes up a lot, particularly when you talk to people who are talking theoretically about the domain. They'll say, like, you know, we need to look at whether bugs are scarce or whether they are plentiful. Right. And if they're scarce, then we just need to find and kill them and no one else can use them. But if they're plentiful, then we need a different strategy. And I think that both of those are incorrect in terms of the real world because it's an assumption about bug death that is not accurate. Right. It's that if a 0-day has been discovered and there's a patch available, then the bug is dead. Which is a rational way to model it, but it's not a realistic way to model it.
Tom Uran
It's a very straightforward and binary way to model it.
Grok
Yeah. And it disregards the humanity side of cyber, where it's patched upstream. But has it been deployed? Will it be deployed within the next 6 months to 12 months to 24 months? Like, how long is this going to be an issue? And if you look at the exploits that people are using in the wild, the majority of them are several years old. The 0-days are used very, very rarely, by specifically advanced actors against specifically high-priority threats. But the majority of stuff that gets done, and I believe even by those state actors, will be done with these older exploits, simply because not everything is the highest priority that needs the most Gucci tooling.
Tom Uran
Right. So in terms of, I guess, scarcity, you're just saying bugs may or may not be scarce, but it doesn't matter.
Grok
Exactly. And I'd say that that's the start of it and that bugs like they may or may not be scarce. I don't think they are scarce, but even if they are, they don't die when you patch them. So that's not a relevant metric in terms of people's vulnerability. I think if you're only looking at how to gain access, bugs is just a subset of the things you need to worry about.
Tom Uran
Okay, how about I look at what I think is probably where they would be scarce, or the strongest counterexample that I can think of, which would be modern iPhones, where it seems like the hoops that actors have to jump through to get malware onto an iPhone are increasingly ridiculous or amazing, depending upon your point of view. And iPhones are one of those cases where almost everyone patches relatively quickly because Apple pushes it out within the first week or so. Yeah, I think most phones, not all, but most. And so even in that case, do you think bugs are scarce, and does it make a difference?
Grok
So I think they are scarce, although I don't know if they're scarce in... You could say the number of exploitable bugs, or the number of bugs that exist that you can exploit that can get you anything, goes down and the number that you need goes up. Right. Like, you need to chain multiple things together. First you need access to the browser, then you need to escape from the sandbox, then you need to elevate privileges, then you need to gain access to the file system. You know, like, you just need these multiple stages and then the number of those available goes down. But at the same time, you'll have things like Triangulation. Right. Where you had three exploits being used against thousands of people.
Tom Uran
Yep, yep. So Triangulation was a campaign discovered by Kaspersky against Russian interests, it seems. And the FSB said it was NSA. So there have been a couple of times where NSO Group had zero-interaction exploits where they could just send something like an iMessage to someone and without any interaction it would get them onto the phone. And those were patched and it seems like, if I remember correctly, there was a period of months where they didn't have any similar capability. So it seems like, at least in the commercial space, you could say that there's some impact. And the reason I went with iPhones is because it seems like the most extreme example. I can't think of another one that...
Grok
Nothing comes close, I think.
Tom Uran
Yeah, yeah. So the very, very pointy edge, maybe bugs are becoming scarce in one particular case. We may be getting to that circumstance, but. But the rest of the world. No, I guess it's fair to say.
Grok
Right. And I would say that that gets you part of the way there, to, like, you can't get access because bugs are scarce, but it doesn't actually get you to: you can't get access. And I'd say that the reasons for this are sort of... there's multiple ones. So, like, let's say you're the IRGC commander for Northern Iran, like, you're the Republican Guard and you want to make sure that you're safe from hacking. Can you use the latest iPhone as your operational phone to avoid being monitored by NSA?
Tom Uran
Well, I mean, I think the problem is that iPhone is just one part of the problem.
Grok
Right, right. But it's sort of like that's not going to help you. It might reduce the number of times your phone gets exploited. Like, it might, but it's not going to stop the collection apparatus working against you. Like, it strikes me that the fixation on the scarcity of bugs puts blinkers on, so that you're blinded to the entire range of options for gaining access and the number of different ways that exist, and I would include things from evil maid attacks to bribery, like Lapsus$ was doing, to all of these different ways of finding usable credentials. There's just, like, there's a galaxy of options out there. And if bugs are scarce, then so be it. We're left with nothing but the 99.9% of other options out there. So, yeah, I think it's a false scarcity. And I think it comes up in interesting places where, particularly in the academic or policy space, there's a lot of talk about what are things we can do to limit the spread or proliferation of exploits, like how can we reduce these bad things going to bad people? And that's based, again, on the idea of scarcity. And part of that is based on the idea that these are complicated things, therefore you need a huge investment to get to them. And I mean, that's not wrong, but I think it's not wrong in the same sense of the apocryphal story during World War II where one Nazi scientist says to another, could the enemy break Enigma? And the other guy says, yeah, but it would take a machine the size of a building to do it.
Tom Uran
Right? Yeah.
Grok
So they made one. I mean, like, that's what they did. Like, it was worth doing that. So they invented a computer that took up an entire building and it worked, you know, like. So I think it's based on a sort of false assumption. Like, it's just. It's not a realistic way of modeling the world to say that there is scarcity in bugs. Therefore, if we can limit the number of people who share bugs with other people, that will reduce the number of exploits in the world and make everyone exponentially safer just because we've somehow shut down the supply. That is very broken thinking. That's my belief, that it's just. That's not true.
Tom Uran
Yeah. So I guess another way of thinking about or saying that is that bugs are just not the thing that limits the hacking that people do.
Grok
Right.
Tom Uran
So from a biological perspective, there's this concept of, in a chain of reactions, there's a step that limits, a rate-limiting step. So bugs just aren't the rate-limiting thing. Another way of saying it is that bugs are not the thing that limits your total addressable market, for people who are marketers out there. So, yeah, there's many different fields where you've got pipelines of things, and so there's many different ways to express the same concept. But it's just that bugs are not the thing that's limiting.
Grok
One of the theories of the strategic air war again during World War II, was the idea that ball bearings were the critical factor. That if you could take out the ball bearing factory, then it would grind all the other factories to a halt because they wouldn't be able to produce all the things that relied on ball bearings. And there are multiple flaws with it. One of them is that they couldn't hit the ball bearing factories. Like the way that they measured accuracy was how many bombs fell within a 1 mile radius of the target.
Tom Uran
Right. Okay, yeah, that's quite a distance.
Grok
If a bomb's got, like, an effective range of 100 meters, it blows up and it'll do damage within 100 meters. And if whatever falls within a mile, that's not going to do you very much good. But the other thing is that ball bearings are actually not that thing. Like, if you are not an engineer who produces stuff, you would say, like, yeah, ball bearings are this critical component and if you don't have them, the thing stops working, and everything has them. So they seem to be this linchpin. But the thing is there are multiple ways of solving problems, and ball bearings are one of them. Right. So you'll have all these different things and ball bearings are one way of solving them. The other thing is that ball bearings are ridiculously easy to make if you're producing a tank engine. The small round ball is the simplest part of that precision machine. That's the one you can kind of work around or bodge together somewhere. So they picked the thing that gives the illusion of being a critical component, which it is, but it's also easy to substitute and it's easy to replace. And they also couldn't even target it properly. I would say that that analogy is bugs. It's that you can't actually get rid of them. Even if you do get rid of them, they're not the only option out there. And then they're also fairly easy to replicate. If you somehow could get rid of this one source, they can be spun up somewhere else.
Tom Uran
Okay, let's move on from bugs, then. So what about people? Because it seems like people are much harder to make. They take a lot longer to train compared to ball bearings.
Grok
I'm willing to do my part. Let me say that.
Tom Uran
And all the time. Talk about a skills shortage, right?
Grok
Yeah.
Tom Uran
Cyber. So one perspective is, you know, from the point of view of a country, is there enough talent in my country to create a cyber agency? There's the sort of industry perspective. Companies complain all the time, or industry bodies campaign all the time. There's a shortage of cybersecurity talent. That's. Is it a truism at this point? It seems like received wisdom, perhaps, is the better word. So now you're going to burst my bubble and say that we're overflowing with talent?
Grok
No, no, I think that's true. I think that there's only so many brilliant people in the world, and only brilliant people can do cyber based on a random sampling of people on this podcast.
Tom Uran
That's right. Yeah.
Grok
I mean, honestly, I think it's ridiculous. It's like saying that there's not enough taxi drivers in the world and it's like, well, yeah, if you're looking at freshmen in high school, they don't know how to drive a car and they don't know where things are. So, yeah, like, you can't hire them to be taxi drivers. They need to be trained. But that's a really bad analogy.
Tom Uran
I mean, there is something interesting in that analogy. The market in many places for taxi drivers was actually limited by something else.
Grok
Right.
Tom Uran
And it was the ability to get a license.
Grok
There's the taxi medallion.
Tom Uran
Yeah. So in New York, it was a taxi medallion, but I think the market was artificially limited. And then Uber came along, and all of a sudden you've now got lots and lots of different options that weren't air quotes, taxis per se, but they provided exactly the same function, Right?
Grok
Yes. No, I think that that's fair. And I think that, in a way, it was that to get the medallion you had to have this huge upfront investment of, like, $100,000 or whatever it was. Right. And there are not very many people that did that. Well, there was a limited number of them and they were expensive to get, so.
Tom Uran
Yeah, well, it was a form of cartel.
Grok
Right, right.
Tom Uran
And so the. From a skills perspective, it seems like the cartel is employers who just don't want to pay more for people. It's like.
Grok
Right, well, I think there's part of it in a way is also the certificates that everyone has now, which is very much of the. In the medallion.
Tom Uran
Right. In groups and out groups.
Grok
Yeah, it's like, you know, we're looking for someone with four years of experience in this field for an entry-level position, has to have these 10 different certificates. This is a great opportunity to learn the ropes. If you're looking for people who've already been trained and are capable and have the skills to do the job, then they would have the job already. There's just not that many people who already know how to do the thing that you need them to do. You need to train people. And I very much believe that this is the case because if you look at, for example, China, they've got huge volumes of people doing stuff and they didn't used to. They used to struggle, and then they put together training programs and now they're overflowing with talent. If you look at Israel, right, Israel is a tiny country. They don't have a lot of people. I think it's almost the same size as Bangkok, so it's a bit under, like, 8 million, maybe 8200, and is, like, world renowned for the high-class people that they have. They turn out so many people that it's produced this entire cyber industry as well. And all of that is done because they have a training pipeline where they take people who have aptitude, put them into training programs, feed them through the training programs, and then they replace them with more people that come in. And I think that that demonstrates that it's not a problem of insufficient people, it's just that there's insufficient investment to create those people.
Tom Uran
Yeah, yeah, yeah. So I just checked, the population of Israel is just under 10 million. So about right. I'm not sure if I've told this story on the podcast before, but in the area I worked in, in ASD, back then it was known as the Defence Signals Directorate, we had a physicist, a mathematician, a chemist, a biologist, and these were all people who were taken on board because they had critical thinking skills.
Grok
Right.
Tom Uran
And we weren't exactly doing cyber per se, but related fields, let's say. And there was very much a training pipeline that took people off the streets with some relevant skills or aptitude and, and trained them. And that was also true for the military as well. And so that totally makes sense to me that.
Grok
Right, yeah. When I was working at @stake in London, which was in 2001 or 2002, there were several ex-GCHQ guys that I was working with and none of them were computer science people. There was a guy who had a PhD in chemistry who was just absolutely brilliant and, like, he did chemistry, that was his thing. And then he went to GCHQ and they're like, you're going to learn to be a hacker. Here is hacker training. And then he did that for a while and he left and he was like, now I'm a hacker. He was really, really good at it. And the thing that made him good at it was the same thing that made him good at doing chemistry. It was just, like, he was a smart person who could think well, solve problems. Right. I think it's similar for NSA. They recruit people who have the skill set, the mental skill set, I guess, like they have the ability to become good at this, and then they just teach them to be good at that. Right. So, like, Charlie Miller was a math PhD. He didn't do computer stuff. They hired him and taught him to be a hacker. Like, he didn't show up with those skills, but he left with them. The army in the US does the same thing. Right. Like, they put people into Cyber Command who, they're not cyber operators to begin with. They're people who have an aptitude, who pass an aptitude test for being able to do cyber stuff, and then they get put into these training pipelines and you end up with very, very capable, competent operators at the end.
Tom Uran
So from an industry perspective then it's just there appears to be a scarcity because no one wants to put in the effort to find and train people or they don't want to put in the effort to actually pay people enough to make it worthwhile.
Grok
Yeah. So I was going to say, I think the pushback you would get from that is like, yeah, but if we train them, they're just going to leave for somewhere that pays better.
Tom Uran
What could we do about that?
Grok
If only there was some solution. That's right.
Tom Uran
So are there other false scarcities that you see lying around?
Grok
So I think these are the big ones. But then I think that people start. They try to apply scarcity to things that don't model like that. So I've seen, for example, an argument that at the beginning of a war where there's a cyber war component, at the beginning of the war, there'll be large stockpiles of malware, large stockpiles of bugs, and then as the war starts, you will expend these and you will run out.
Tom Uran
Right, Right. So the thinking there is that you'll use them, they'll get discovered, and therefore they'll get reported to vendors patched, and therefore lose the usefulness.
Grok
Yeah, it's that thing where people will say the problem with cyber is it's a use-it-and-lose-it capability. And that is true in a very limited sense. Right. Like, if you have one specific bug that you're exploiting, let's say you have a single bug against a Syrian air defense system and you use that once as a demonstration and they detect what you've done and they patch it, you can't use that again. But I think that most of the time that's not the general case. Like, the general case is you're talking about regular Windows computers, not weird dedicated systems that have to be exploited once. You're talking about, like, if I have a single capability that I use against this command network, then I've lost the ability to ever hack that command network again. I think that that's a false assumption and it's based on, again, this... It's a rule of thumb for when you're doing an operation that every time you use an exploit, there's a chance that you will kill that exploit and you won't be able to use it again. But it's not a rule. Right. Like, it's not gravity. It's a rule of thumb. Like, it's a good general way to think about things, but it's not the ground truth.
Tom Uran
Well, I mean, it's something to plan for. Like, and what I mean is that that's a risk you can mitigate. Maybe not entirely, but you would operate in certain ways if you want to retain that capability, to mitigate that risk. Right. It's not like a binary thing where lose it and use it. You've got some agency, I guess, and some control over that.
Grok
Exactly. And I'd say that there's also this. If you allow that thinking to dominate your operations, then you will never do anything. Right. It's a sort of. You have to respect the enemy but not fear them. Right. Because if you just get frozen with not wanting to do anything because you're going to be detected, then you may as well not have that capability at all if you're just never going to use it. Like, if you are seriously worried, then you have to be more cautious. But you still need to be aggressive or operational. You still need to do stuff. One of the best examples of why this is false scarcity, why all of this, like, there's no talent, there's no bugs, there's no whatever, is North Korea. As we've said multiple times, you've got this nation that literally doesn't have Internet. And by investing resources, within a decade or two, they go from zero to hero, or I guess hero to zero-day. They develop all of these internal capabilities by sort of sheer force of will. And I think that that proves that if France says they can't do it and North Korea can do it, then I think France is just looking at it wrong. Like, they just don't care enough about it.
Tom Uran
Yeah, yeah. I actually wrote about the North Korean fraudulent IT worker and I think it speaks to this discussion. I wrote about it this week in the newsletter. And what they've been doing is they've been getting IT jobs overseas as remote workers using false identities. And this I think speaks perfectly to the fact that you don't need bugs because you just need a job. One of the things that you do.
Grok
All you need is people who believe that talent is scarce and you can defeat the scarce bugs.
Tom Uran
That's right, yeah. So the. Sometimes they just work to earn money for the regime. Sometimes it seems like they're starting to enable supply chain attacks. And you don't need bugs if you've got supply chain attacks. And then the third thing they do is they just use the access they have to enable hacks. So no bugs required, just some false IDs.
Grok
Exactly, exactly. And I think that that encapsulates the whole thing of, like, yes, there's a scarcity of bugs, sure, whatever. But that doesn't mean that there's scarcity of access. Even if that is true, it doesn't mean that there's scarcity of access, because you have all of these ways. If you have $20,000 to give someone, you can get access to almost anything. There's so many people who will take $20,000 in cash up front without thinking about the repercussions or whatever. Lapsus$ was doing it with $2,000, you know, like, that's super cheap for what they're doing. And it's, I mean, I just, I fundamentally think that if you are fixated on, like, exploits as this rate-limiting factor, that somehow you need to reduce the number of exploits and the access to exploits and that's going to have an impact against hacking, I think that they're misunderstanding hacking, particularly these real-world problems that people have.
Tom Uran
Okay, so we've dispelled a few myths about false scarcity. So in fact we're brimming with cybersecurity talent. That's not actually what you said, but it's close enough. We could be brimming in cybersecurity talent, I guess, is what you say. So what is scarce?
Grok
What is scarce?
Tom Uran
Look, I'll give you my answer for this. Yes. And I think from an industry perspective, like the cybersecurity industry, I think it is just a lack of caring about it enough. And I guess this is the exact same thing as saying political will. Right. So I think for a long time there were a lot of hacks where cybersecurity people would go, this is terrible, and everyone else would go, yeah, whatever. And so from a shareholder perspective, you'd have very large hacks, data from millions of people stolen, the share price would dip for a little bit and then.
Grok
Six months, three hours later, it's back. Yeah.
Tom Uran
And so it's totally rational for everyone involved to go, you want me to spend more time and effort on cybersecurity? Why should I bother? It doesn't affect my profitability. It doesn't affect.
Grok
It's a morally good thing to do. But the moral high ground is very expensive real estate. So.
Tom Uran
Yeah. And I think from a government perspective, in terms of intelligence agencies, I think it's related to proportion. Like, right. Australia, we're going to spend a certain amount on defense. It would seem ridiculous to spend three or five times as much for signals intelligence.
Grok
Right.
Tom Uran
There's a sort of. This makes sense as a proportion of that.
Grok
Right, right.
Tom Uran
And so NSA is the biggest because the US spends an enormous amount on defense.
Grok
Right.
Tom Uran
And then everyone is kind of based on how much they care about defense. You know, they get a sliver of the defense budget and I guess the outsized actors would be North Korea because they.
Grok
Right, but. But they actually spend a huge amount on defense. Right?
Tom Uran
Yeah. So maybe like, I don't know how it is in proportion, but I mean.
Grok
I think even in that case, your idea that there's a ratio, there's a percentage, I think that does hold up because the majority of their economy is towards defense. So however much they spend on signals intelligence stuff, that's still a fraction of their overall spend.
Tom Uran
Yeah. And I think most countries, and I think this is right, think that having a cyber espionage capability is an advantage, but it doesn't and can't replace the planes and tanks and aircraft carriers where the big money goes. So I guess the other scarcity is the sort of flip side of having a sense of proportion, like, like, to.
Grok
Be fair to speak to that, like we're on the inside looking out as, you know, like the best and brightest people work in cyber. The most important thing that anyone could be doing is cyber. So the lack of investment in cyber shows that the world is mad and.
Tom Uran
Everything, everyone's wrong but us. There's no scarcity of self inflated egos, I guess.
Grok
Thanks a lot, Tom.
Tom Uran
Thanks, Grok.
Risky Bulletin Podcast Summary
Episode: Between Two Nerds: Feast or Famine?
Host: Risky.biz
Release Date: April 7, 2025
In this engaging episode of Risky Bulletin, hosts Tom Uran and Grok delve deep into the pervasive myths surrounding scarcity in the cybersecurity landscape. Titled Feast or Famine?, the discussion challenges conventional wisdom about the limitations in cybersecurity operations, particularly focusing on the scarcity of vulnerabilities (bugs) and cybersecurity talent. Through insightful analogies, expert opinions, and real-world examples, the hosts unravel the complexities that define the current state of cyber defenses and offenses.
Introduction to Scarcity in Cybersecurity
The conversation kicks off with Tom Uran referencing their previous discussion on the NSA's dominance in signals intelligence and cyber espionage. This leads to an exploration of why other nations struggle to create comparable cyber juggernauts, introducing the concept of scarcity as a potential limiting factor.
Challenging False Scarcity
Grok immediately counters the notion of bug scarcity, labeling it as "false scarcity." He argues that theoretical discussions often misrepresent the availability of vulnerabilities, simplifying them into binary categories of scarce or plentiful. Grok emphasizes that this oversimplification fails to account for the dynamic nature of cyber threats and patch deployments.
Grok [00:56]: "It's a very straightforward and binary way to model it."
Reality of Vulnerability Lifecycle
Tom Uran concurs with Grok, noting the overly simplistic nature of binary models in representing vulnerabilities. Grok further elaborates that even when a vulnerability is patched, its lifecycle doesn't end there. The time taken for patches to be deployed across systems varies, meaning vulnerabilities can persist as long as it takes for patches to be widely adopted.
Grok [01:42]: "The bug is dead... how long is this going to be an issue?"
Exploitation Patterns
The hosts discuss the prevalence of older exploits in the wild, used primarily by advanced actors targeting high-priority threats. Grok points out that even state actors tend to rely on established vulnerabilities rather than continuously seeking the latest zero-days, undermining the idea that new vulnerabilities are the primary bottleneck in cyber operations.
Grok [03:02]: "Bugs are just a subset of the things you need to worry about."
WWII Ball Bearings Analogy
To further debunk the scarcity myth, Grok draws an analogy to World War II's strategic focus on ball bearings. He explains that targeting what was perceived as a critical component (though easily replaceable) was flawed due to inaccuracies in targeting and overestimation of their criticality.
Grok [09:16]: "They picked the thing that gives the illusion of being a critical component... it's easy to substitute."
iPhone Exploits as a Case Study
Tom introduces the scenario of modern iPhones, highlighting their robust patching mechanisms as a potential indicator of bug scarcity. However, Grok contextualizes this by explaining that even with rapid patch deployment, the multifaceted nature of cyber access means that scarcity in bugs doesn't equate to immunity.
Tom Uran [03:02]: "In the commercial space, you could say that there's some impact."
Debunking the Talent Shortage
Shifting focus, the discussion addresses the widely held belief in a cybersecurity talent shortage. Grok vehemently disagrees, asserting that the real issue lies not in the absence of talent but in the inadequate investment in training and developing cybersecurity professionals.
Grok [11:26]: "I think it's ridiculous... They need to be trained."
Training vs. Availability
Tom and Grok compare the cybersecurity talent market to the taxi driver medallion system in New York, where market limitations and high entry barriers artificially created scarcity. Grok emphasizes that the perceived shortage is a result of stringent hiring criteria and lack of structured training programs rather than an actual deficit of capable individuals.
Grok [12:10]: "China... put together training programs and now they're overflowing with talent."
Successful Models of Talent Development
Grok cites Israel and China's strategic investment in training pipelines as examples where systematic training has effectively bridged the talent gap. These nations prioritize identifying aptitude and providing robust training, resulting in a surplus of skilled cybersecurity professionals.
Grok [15:23]: "They have a training pipeline where they take people who have aptitude, put them into training programs."
Stockpiles in Cyber Warfare
The hosts examine the misconception that in cyber warfare, stockpiles of malware and bugs are finite resources that will be exhausted over the course of a conflict. Grok argues that this is an oversimplification, as the continuous evolution and discovery of new vulnerabilities make such stockpiles inherently unsustainable.
Grok [18:38]: "It's a false assumption and it's based on, again, this... rule of thumb."
North Korea's Cyber Capabilities
A pivotal point in the discussion is North Korea's rapid development of cyber capabilities despite severe internet restrictions. This example underscores Grok's argument that geopolitical focus and investment, rather than inherent scarcity, drive a nation's cyber prowess.
Grok [20:05]: "North Korea... developed all of these internal capabilities by sort of sheer force of will."
Scarcity of Political Will and Investment
As the episode nears its conclusion, Tom and Grok reconcile their arguments by identifying political will and strategic investment as the actual scarce resources in cybersecurity. Without substantial commitment and resources, even the most talented individuals or abundant vulnerabilities cannot be effectively harnessed or mitigated.
Tom Uran [23:57]: "I think from an industry perspective... lack of caring about it enough."
Impact of Limited Investment
Grok reinforces this by highlighting how insufficient investment hampers the development of comprehensive cyber defenses and offensive capabilities. He posits that the critical shortage isn't in talent or vulnerabilities but in the dedication to fostering and maintaining robust cybersecurity infrastructures.
Grok [24:42]: "We're on the inside looking out... lack of investment in cyber shows that the world is mad."
In wrapping up, Tom Uran and Grok reiterate the central thesis: the cybersecurity landscape is hindered not by an inherent scarcity of bugs or talent but by a failure to adequately invest in critical areas. The hosts call for a paradigm shift in how organizations and nations perceive and address cybersecurity challenges, emphasizing the need for sustained investment, strategic training, and a broader understanding of the multifaceted nature of cyber threats.
Final Thoughts:
Between Two Nerds: Feast or Famine? offers a thought-provoking examination of prevailing misconceptions in cybersecurity. By dissecting the illusion of scarcity in vulnerabilities and talent, Tom Uran and Grok provide listeners with a nuanced understanding of the real challenges and necessities in the cyber domain. This episode serves as a compelling call to action for increased investment, better training programs, and a more strategic approach to building resilient cyber infrastructures.