B (7:07)

I love it. And I just for the record, so you know, have two people, I actually find that can be very therapeutic. Remember, I just don't, I just don't get that same level of satisfaction that I've completed a row or so. I, I, but, but I get the analogy.

A (7:25)

My family welcomes you to vacuum.

B (7:28)

Thanks. Okay, thanks. I'll remember that when I come over. So, but let me dig into maybe some specifics of what you said. If you think about this, then arms race, the good guys are getting faster, the bad guys are getting faster. AI is enabling both. How do you think about high speed computing accelerating AI, specifically automating actions, for example, within cyber operations? Just give us a window into how you're thinking about that.

A (8:04)

It's a great question. I think with all this compute power, the world runs on data. That's our fuel. And the more we can do with that data to not just find patterns, but tie things together that we never had the resources to do before. And I mean the speed, it's a little bit like 10 or 15 years ago, I studied high speed weather forecasting and you look a lot at tornado modeling because not everything is random. And if there's a chance you can see rotation or certain parameters that are lining up in a harmful way, even minutes sooner, you save lives. And so there a lot of work went into the same kind of philosophy, and it still is. There's a lot of applications scientifically here. You can apply that to cybersecurity. Are there events all over the world that are 1, 2, 3, 7 events that might tie together to a greater pattern later? In the old days, denial of service attack, distributed denial of service attacks showed themselves with first a little test bump in the traffic and then the big delivery, because the adversaries of that attack wanted to make sure their infrastructure worked and those that were able to detect that sooner were able to prepare. So a lot like weather forecasting, this speed will give us analytics that gives us hints we never knew we could find before. I firmly believe that on the flip side, we have to be ready for a different kind of cyber incident response, not just faster, but when you look at a poisoned large language model, how do you get to last known good very quickly? It's different than in a cyber event or where data is destroyed because you have a backup in AI, you have backups in these models, but you have to be very meticulous about how those are taken and kept and when something was disrupted, because all the activities and all the data and decisioning that was based on that model could be offset once it's compromised. So your job is not only to refresh the data with something that isn't compromised, but to understand, my goodness, what happened as a result of the decisions that were made, also at speed. And so it's going to reframe how we have to look at electronic incident response.

B (10:31)

I love your analogy of weather, because in my mind it's just so chaotic and there's signal, there's noise. You're trying to just deal with so many parameters at once. And I'm curious, how do you feel that the security industry, like the vendors, for example, are responding to this? Are you seeing innovation happening some of the very large vendors? Or is a lot of the innovation coming from startups that are coming into the ecosystem? Given just rapid adoption of AI, how do you feel about the pace of innovation coming from the community to be able to respond to this?

A (11:14)

It's a great question. And remembering we were vendors, I was a vendor, I was a. Your competitor. Went way back when. That's right.

B (11:22)

But it's the CTO of ad tech. Yeah, I remember.

A (11:24)

It's a different view, I think as the consumer from a large vendor, we expect so much. And I always try to, whenever I'm in these positions to say this stuff works. 90 something, 99% of the time you can be on your phone in an Uber and walk into an airport still on the phone, only dropping it for security, be back on your iPad before you get on the plane. And stuff just works. And we don't stop enough to say, I appreciate that because that is a success. And I always say that before I say this. I think it's very difficult right now to be a security vendor or an infrastructure vendor because highly paid, very smart individuals have all the resources in the world to poke one hole in you. And then we complain, but the reason that we complain is because we want to keep our business up. And so I do think, and I have seen a lot of innovation, I can speak mostly to the IT infrastructure and cybersecurity parts of the large vendors, but a lot of attention to critical infrastructure, a lot of attention to cybersecurity, a lot of attention from large vendors saying, hey, these are the problems that we are facing, let's work this together. These are the challenges we have. And I do see a lot of innovation there, especially from the speed perspective. I think we as a community have to think about what is AI going to demand of us next and be part of shaping those requirements. I'm very careful, I don't like to, and I know you don't either. We're not the ones that are out there complaining that somebody got compromised their victims. I do think though, this is an effort of community going forward to get our head around what high speed computing will do before the adversary does that for us. And I think that's a we do that together.

B (13:20)

It's such a great framing and you know, this community really has stepped up in the past for big challenges and come together. And it's interesting to think about it from the adversary side too. How are you seeing this reshape how the adversary is thinking about attack or you talked about the rapid pace of discovering of zero days, for example. How is this access to this kind of computing through the cloud or elsewhere changing the behavior of the adversaries or how might it change it?

A (13:59)

So I'm not an adversary, so I won't pretend to know.

B (14:02)

Okay, that's good. That's very good.

A (14:03)

So one large thing I've noticed and I think my peers are seeing this together with me more zero days. And in a prior life there was a phrase called burning a zero day and what it meant was, you know, this, this exploit has value. So are you going to quote, waste it on something where you won't learn much or are you really going to Use that cyber weapon on something where you can either cause a large effect or gain a lot of knowledge. And now I see it. It's not just burning a zero day, it's kind of like potato chips. There's always another one in there and they're using a lot, they're much more frequent and they're at a similar level of sophistication. And my. I surmise that there's some automation in designing and finding those exploits.

B (14:54)

It's a different, different world. It's just a different way of thinking about things. And I wonder, you know, these things often come so real with examples. Can you share an example where you feel like speed was the difference between containment and escalation of some incident?

A (15:18)

It's speed of how quickly we can act as a community. It's speed of how I would think back to put it in sort of the eras tour here. If you think back to the time of Code Red, we didn't have the kind of computing visibility. We didn't have the kind of logs. We basically chased that thing by where it showed up next and it was crazy. Had we had the visibility we have today and the speed of compute that gives you the ability to go through logs, the storage capacity that lets you have all those logs, we would have nailed that. Right. If you go forward to where there was a series of large ransomware events. Right. Even then we didn't have all the procedures in place. And by the way, speed isn't just a stack of processors. It's also how we practice and how we exercise. We do a lot, as you know, in the community, tabletop exercises with partners, with colleagues. Our speed is how quickly we react to mitigate risk and how we're no longer afraid as a community to say that's an incident and not wait four hours to try to convince ourselves it's not an incident and to really move out. I think that's. That's people speed and that's our reaction to technology speed. And I think that's key and just go forward now to modern day when we think about a lot of understanding of what we bring on a network. For me, I'm all about prevention and detection and engaging methodology where success for us is mitigating a risk. It's not preventing everything because I know how to do that. I'll unplug the network and people won't be so happy or productive. Right. But if you're hardest part, I think of what we do view every day is helping people have a good user experience and build the amazing products that they build and not getting in the way, but understanding what the risks are and accepting them. And speed helps us understand what those risks are. We can run calculations, we can do simulation, we can understand even cost perspective. How much are we investing in protecting something and using it versus not using it? And what is the difference in the business? And so for me, it's what is the effect my team and I can have to help this amazing business at Northrop Grumman? And a lot of that is assessing risk and saying this as a company we're willing to do for the good of our work, and this we will not. But those calculations are the difference that speed's making every day.

B (17:55)

That's such a great way to frame it. And I can see what you're saying. If we're more agile with our speed and we're able to take all these factors into account, we could possibly adjust the things that a human might have to do or, you know, even lessen some security controls in some circumstances. If you feel absolutely confident about it after these calculations. And I'm wondering, you know, I'm imagining somebody listening to this podcast. They're thinking about their own 1 year, 2 year, 3 year plans for defense. How should they be thinking about the kind of infrastructure they need to build behind it? Like what, what is a secure high performance environment need at its foundation?

A (18:53)

So that, that's core for me. It means looking out, as you said, a few years and looking deep. It's not just the vendors you use, it's, it's how are you structured? Do you have some redundancy? So how your data flows? Are you running on data centers that are physically located? Are you running on with you, Are you running on someone else's data center? How much is in cloud? How much, for example, are you able to support with remote work? We had this interesting snow event here on the east coast in most of the country and infrastructure didn't flinch. But that's because people designed it not to flinch. And that was thoughtful. And it's balancing where your traffic is flowing and where the demand is and follow the sun to make sure that work goes on. And not just typing, but video. Video is computationally expensive. Making sure, you know, we don't look, as a friend of mine calls digital on the really enabling business. So good design number one. I'm a former coder and they always used to yell at us requirements definition first. I think two is not falling into that trap. And we all love this trap. It's very exciting and enticing of hey, it's still running. Why fix it? I had a 20 something year old car in grad school. I kept my next car to almost the same age. And I'm also the proud owner of a 2006 Mustang still. So I don't always replace my automotive infrastructure, but I do believe in replacing your IT infrastructure. And it's very tempting to keep it because it still works. But if you are keeping things that are obsolete and we all have a cycle, no one is perfect. And we're all on this journey together. What I think we're learning as a community is it's very hard for those large vendors to keep the older models updated. And so while it seems economically better in some cases to run it because it's still working, I do think that one of the things we have to figure out as a community is how to make it cost effective to, to go ahead and get a new one because it's easier to secure. So that infrastructure is there for you because the speed of computing has to match the speed of the network flow. And if one of those is out of alignment, you're still going to have the lowest common denominator for speed. And when you do these calculations and things burn hot. Your infrastructure includes cooling, it includes power for that cooling. And so all of this has to get designed holistically. And I do think that's going to be a very specific and sophisticated expertise that we're only just beginning to develop in the next generation of networking. And I think, as we've often said, success in cybersecurity is putting yourself out of a job. It's making it so that we don't need the discipline. We're clearly not there. And thank you for that. I love my work. But the networks of the future will have more self learning, self healing capabilities, just like our, our routers. Talk to each other right now and make sure everybody's still up. I think we'll be doing that in security going forward.

B (22:00)

It's. I could see it being really easy for folks to make missteps along this journey. Right. And you highlighted two of them just now. Right? One, one misstep. Or maybe, you know, just a bad thought is that something's running, it's great, doesn't have any problems right now, but I'm not thinking about the future, so I'm not replacing it and keeping it current. You also mentioned bottlenecks like you might have the great compute infrastructure, but if you don't have the communications upgrade and the bus speeds, you can't really take advantage of it. What are some other common missteps that you've seen companies make while they try to pursue speed and innovation and maybe they don't have a strong foundation.

A (22:50)

You can address some of the things I've looked at with colleagues all over the country and in different areas and even academically one of the, if you look at some of the stock trading applications, because that's a very high speed application we can all relate to. And it's true in manufacturing too. It's important to design your infrastructure if you're going to use very fast mathematics or high speed computing to do calculations that literally create what they call a digital twin. Or instead of having to, if an object is going to fly and you want to know if changing it a bit is going to fly the same way, 30 years ago you had to make a new model and try it out. Now you do a digital simulation that is hard, that is billions of calculations to emulate one small change in the physical model. If you're going to do that in real time, it turns out the distance from your computing infrastructure to where you are watching it matters. So the time, the speed of light, the time it takes to get the result to you for the simulation matters. So you wouldn't be doing something like that based on a data center overly far away. Now most applications don't have that much sensitivity, but some of the digital twin and simulation and certainly a lot of the financial applications do. And that's something that I think from an academic and scientific mind, those are fascinating problems to look at right now. And they go into how we design our infrastructure in all of our companies.

B (24:29)

And you, you bring up such, such a fascinating point because folks usually don't think about that without a lot of experience and making those mistakes in the past or you know, they, they've seen all these best intentions but haven't thought about it end to end. And I'm, I'm wondering what advice would you give to an organization that wants to harness high performance computing? They want to be able to defend quickly. They want to look at all these signals as you mentioned, and be able to calculate risk act. How do they do that responsibly where they can get speed but not introduce new weaknesses that the adversary may take advantage of. It's an age old. Do we actually want to automate response response and if we do, how do we make sure that the attacker doesn't take advantage of that automation and trick us into shutting something down and we shouldn't. How do, how do you think about that.

A (25:34)

You've raised like 50 great questions in there.

B (25:37)

I know. Sorry, sorry. Yeah, that's like a compound question.

A (25:41)

If I go from the last one. So an automated response and think about our operational technology too, that is connected. In some cases it's not connected, in some cases it needs to be for monitoring. But how we protect that and ensure that it is segmented so that it doesn't face outward and is not subject to the wild west of the Internet, I think is one piece where you can mitigate risk and add a lot of automation to that. The other risk in there though, of course is accuracy. Not just adversarial problems, but making sure if you make a mistake, there's a time frame to correct. If you make a mistake at high speed, that mistake propagates very quickly. And so how you design these things and as we grow as a community, look at this is holistic. If I'm a small company, I would outsource when I would get high speed computing and I would understand what the distance has to be from of the last discussion. But that's something that's readily available all over. If you're a large company, you still, you have a balance of what you outsource and what you bring in for a variety of reasons. And then you look at sensitivity and you look at how am I able to manage this and cost and facilities and geographic balance and disaster recovery. So I think a lot of it depends on financial models for your size too. But I never underestimate. Not every risk with high performance computing is caused by an intentional adversary. Some of it is escalated because we're running so fast and it's a mistake and I think we have to be wary of that too and understand how to recover.

B (27:29)

I'll ask you this, which is kind of an age old question in cyber and I'm curious if high performance computing changes this in any way. And you alluded to this at the beginning of our discussion 20 years ago. We were seen as the people that stop things. The ministry of no inside of the business. It's kind of how the security office was branded at some point. And I reflect back on, for example, when the iPhone introduced Touch ID. It was one of those really rare occasions where somebody could be more secure and also have more delight or get into the phone faster because maybe they didn't have a pin on the phone and now they'll put a pin on, but all they have to do is touch it and now they're inside of the device. Do you see high performance Computing enabling us to further delight the user or ease the path of the user, basically. Again, another compound question, but how do you design security and just high performance computing impact that so that employees can move quickly without needing to think about the threats behind the scenes?

A (28:54)

That's the holy grail. It could be considered career limiting, but I did commit to creating more secure solutions that are more enjoyable. To your point and one of the I did because I believe that's where we have to go to exactly your point. If someone doesn't like something, they're not going to use it. And in a company that moves as quickly as Northrop Grumman for the mission that we have from outer space to microchips, we can't expect our employees to have to climb over an infrastructure to get their work done. So one of the things is just a great example is we are implementing pins instead of passwords. So I can ask you to memorize a bajillion character password and I'm not popular for this because we did that for a while actually very secure. Or I can have you memorize a not so onerous number that you're probably never going to forget because you choose it and it's better because it's tied cryptographically to your identity. And I can cover all the corners of multi factor authentication because I can either do a have no or an R, but it covers the touch is cryptographic. And it's the high performance computing and the progress we've made in computing in general that lets us do that crypto fast enough. And I'll give you some humor. My PhD thesis at Georgia Tech way back Machine here was on high performance computing for cryptography and it was just how do I make the computer do the calculations quicker than it's supposed to be able to do? And now we have hardware that does all of that. So what we tried to do back then, which we did successfully do, and I am thankful for my graduation for that. But no kidding. But that touched that iPhone. We couldn't do that 20 years ago. That processor in your iPhone is calculating a key that's far longer than your any password and it's far better protection. And that's. You nailed it, Hugh. That's more of what we want to get as far as the security experience. And nobody's there yet. But I do think there are lots of touch points that can make that better. And that is an example of one.

B (31:18)

That's awesome. I love a hopeful story for the user. I completely agree with you. If the user is in Pain, they're going to do unexpected and probably very unwanted things. So I'm completely aligned with your career limiting statement. As you, as you put it, nothing

A (31:39)

more interesting or more risky than telling a bunch of smart people you can't do that. And it will be far more insecure, unsecure and far more risky than anything you would want. And so the trick is really, it is about a human experience. If, for example, there's a lot of security software on all of our laptops everywhere, if you open up that laptop and it takes 20 minutes to light up for you, you're going to go to your phone. So where is the secret sauce in making that stuff run faster or mitigate some of that experience? Because I would never expect someone to, to work with equipment that was unpleasant because you just can't think about what matters when you can't even log in. And I'm very sympathetic to that.

B (32:35)

My gosh, you, you definitely nailed it. On the creativity of people, if you tell them no. And you know, Phyllis, I've got five young kids, whatever I tell them not to do, the kinds of ways they can figure out to get it done are just unfathomable. Like it's unbelievable creativity. And so if we can, if we can avoid spurring that in the user base, that would be a massive breakthrough for cyber everywhere. One more question to ask you and it's the advice question. So if you had one message for CISOs that are listening or technology leaders that are listening about preparing for the future and I have this big open ended question, what would it be?

A (33:26)

Think about what you're here to protect. And before you think about vendors and requirements and regulations and acronyms, think about why you're here and your purpose in that role. And for me, I learned very quickly within the first couple of weeks of being at north of Grumman, my first visit out of the building where they greet you was to our operations center, of course, and just met that amazing team. And soon after they brought me out to one of our factories where I got to walk this amazing floor and watch them put together pieces of a fighter jet. And that wasn't cool enough. Just talk to the people putting it together and explain how every little part or everything is digitally guided. And everyone had such an expertise on their small part of this big beautiful bird that to me gave me as a human being, not just a ciso, a lot of purpose.

B (34:36)

It's a mission that motivates and Phyllis, I, I, I can't thank you enough. Not, not just for being here, but for everything that you've done and you continue to do to keep really our way of life safe, and you're such an asset to this community. Thank you for everything that you do. And I wanted to also thank our listeners for tuning in. I'd invite you to please keep the conversation going on our RSAC membership platform form by visiting onersac.com membership and be sure to check onersac.com for new content posted year round. Phyllis, it's so great to see you. Thank you so much for being a part of.