A

How's the federal government preparing for a post quantum world? We'll hear about it on this episode of Safe Mode. Welcome to Safe Mode. I'm Greg Otto, editor in chief at cyberscoop. Every week we break down the most pressing security issues in technology, providing you the knowledge and the tools to stay ahead of the latest threats, while also taking you behind the scenes of the biggest stories in cyber security. An attack is coming. It's about keeping us safe.

B

He's just a disgruntled hacker.

C

She's a super hacker.

B

Stay in line.

C

Stay safe. Stay saf.

A

This is Safe Mode. Welcome to this week's episode of Safe Mode. I am your host, Greg Otto. In our interview segment this week, you're going to be hearing from Garen Lacy, the assistant director of cybersecurity and Technology security in the State Department's Bureau of Technology Security. I'm sorry, Bureau of Diplomatic Security. Sorry, Garen, you've got one of the longest titles that I seen in government. But he was recently at cyber talks and he gave a really interesting talk on what the government needs to do to prepare for a post quantum world. So you're going to be hearing from that, but first talking with Derek Johnson. Derek, you're our AI guy and there was a really interesting study put out by ETH Zurich, who for listeners, you. We just had Professor Kenny Patterson on from ETH Zurich talking about some cryptography things. But this study looked at some de. Anonymization with LLMs. Let's get into it turns out the LLMs can be smart when, when prompted.

C

Yeah. So, you know, this was really an attempt to look at how large language models, which have kind of matured now to the point where we're starting to see them, have really strong utility within certain tasks of certain, you know, industries. We've seen that on the cyber security side, on both the defensive and the offensive side. And what we're seeing now is how they go to the task of essentially open source research, the kind of work that you might hire a law firm or private investigator to do, where you would essentially have someone online. You would look at all of the little digital breadcrumbs that they leave around the Internet and essentially try to find out, you know, see if we can connect this to, you know, this person's posting about San Francisco sports a lot. And there's another profile with exactly this name where it's linked to your. This person's LinkedIn profile, that kind of stuff. Well, it turns out large language models are, are pretty good at that. That's that's one of the things that they really, really excel at is summari and pulling various bits of data and making connections. And so this study really looked at a couple of different ground level truth data sets in the form of essentially profiles on sites like Hacker News and Reddit, and essentially set these large language models loose, trying to see if they could identify the people on the other end.

A

And this was all test data. Right. I noticed that they weren't just going out there and going, let's play a game and see if we can figure out who's behind, you know, who's, who's the Reddit moderator for this subreddit or who talked about this interesting AI inference on hacker news, right?

C

Yes, yes. And so that was done for, for a couple of reasons. Number one, you don't want to dox real anonymous or pseudo anonymous people to prove that your concept works. But that is a caveat here. Right? And another caveat is that this data set that these data sets that were used in this study, which the LLMs were, had varying success.

A

Right. What models did the best? Because I know there were.

C

So they didn't name, they actually did not, you know, go through naming. But the, the, it was 25 to 67% success with like 70 to 90 recall in terms of, that was sort of the range that they had. And what that essentially means is that you saw a wide variety of success from these models in terms of their ability to unmask these people. But, and these are not people who are necessarily going around and trying to hide every last detail of their, of their background as well. And that's also something that you should say, but that's, that's like us, like a lot of us. You know, you might have a, an anonymous account that you've posted on. Um, it's now kind of much easier for an LLM to find that and eventually link that to your real identity.

A

Right. And we've seen in the past few years, whether it's somebody with a burner account where there's an enterprising reporter, or there's somebody that's really well versed in open source intelligence that does mine through these breadcrumbs and may be able to say, hey, that's, that may be this person. Like it recalls the story of finding former FBI Director Jim Comey's Instagram account or Twitter account, but that took a lot of work. This just goes to show it's another version of the story that we're hearing from AI coverage where AI is just doing what humans can do, just synthesize to a level of 1. LLM can do the work of tens of people.

C

Yeah, yeah, it would take a lot of work. And it was for James Comey, Right. The FBI director, like someone who's worth the amount of time and money that it normally would have taken to invest in that kind of research. But here, now you have the ability

B

to

C

have almost that level of accuracy, if not more, but directed towards, you know, your neighbor or, you know, that person you're stalking or, you know, and if you look, you know, sort of at all the ways where people below that level of total anonymity or pseudo anonymity operate, you know, governments, law firms, advertisers, scammers, cyber criminals, these are all groups that are going to have some interest in the ability to de. Anonymize you. And so there's many different ways where this could have a long tail effect.

A

Right. And you know, you bring up the, the stalking part and the researcher that you talked to was worried. I mean, he was worried about the, the stalking and the privacy implications that were possible here.

C

Yeah, yeah. Even under, even as he was, you know, going through the limitations, he, you know, he was said, look, I'm, I'm worried at one point said, I'm really worried. Um, you know, you described.

A

Worked too well.

C

Yeah, yeah. He described it, you know, basically as a, as a large scale invasion of privacy. He was very confident that if he could do it and that they could do it at the research team, that foreign intelligence service could do it or a cyber criminal group or a data broker, you know, whatever. And so it's, it, it, it was, it's, it's taking this technology that is really, really good at connecting, pulling different dots and connecting them through the Internet and then setting it loose on an Internet where we had kind of a pre 22 conception of, of how much you needed to do to keep your OPSEC online. And that's kind of the thing that I think is, is going to change and change for not just groups at the higher end of the privacy spectrum, but that sort of middle and lower end. Where there previously wasn't necessarily a lot of motivation or money for it, now you can kind of do it for pennies on the dollar.

A

Derek, fascinating study, fascinating story. Really appreciate you hopping aboard to dive into it.

C

Thank you.

A

Now to the state departments. Garen Lacy. And look, there are a lot of experts in the federal government that are focused on quantum security deadlines. We know they are coming up. Whether it's quantum computing, whether we actually see that coming online mainstream in the next few years. Post Quantum encryption is definitely something that a lot of government agencies are wrestling with. And Garen dives into what needs to be done in order for the federal government to meet all those upcoming deadlines. He really presses on public private partnerships. You know, we talk about that a lot when it comes to cybersecurity, but this is one of the more pressing public private partnerships that is being talked about in D.C. so Garen recently visited us at cyber talks to talk about these issues and to dive into what needs to be done to get federal agencies quantum secured. Check it out.

B

Good morning, cyber talks. I can't stand behind a podium. I'm too short and makes me look shorter. Garon Lacy. I also hold a second title as Assistant Director of the Diplomatic Security Service at the U.S. department of State. Or as you all know, what's in the cyber world. The canary in the coal mine. When it comes to nation state cyber activity, I always love to hear someone say quantum is their favorite topic. I've never heard anyone say quantum is their favorite topic. I'm a mechanical engineer by trade. I, I study aerofluid dynamics. Yes, I am a rocket scientist. So quantum is one of my favorite topics. But what does that mean realistically, when it comes to cyber threat and most importantly, cyber defense? Well, first off, we have to understand our adversaries. Department of State, like most of you all here, see the most sophisticated cyber actors in the world. But in State, where foreign policy lives, we see them first. We see those advanced tactics first. And that gives us a very unique perspective in this space. Now, we talked earlier about AI and how AI compresses time. Well, Quantum expands it so you get this accordion effect when you take a look at your risk. Quantum means that your data now lives longer than your leadership cycle. And that's a concept we're going to explore a little bit today in this talk. Now, what does that mean for us and what we're going to do? I'm going to give you a little. I'm going to challenge everybody here in how we look at modernization. Our adversaries move holistically. Modernization has to move holistically. Modernization isn't just about the techniques and the data and the zeros and the ones and the capabilities. Modernization is also about how we think, how we move and how we understand ourselves. And that's key when dealing with these advanced adversaries. Now, we all see volume of adversarial activity. But when you get to the major leagues, the premier league, the NFL, whichever your sports of choice is right, yes, the volume of those adversaries decreases, but the capabilities of those adversaries increase drastically. When you're talking quantum, right now you're talking the Chinese. What do we know about that adversary? Well, they're patient. That adversary doesn't attack agencies. That adversary doesn't even attack sectors. That adversary attacks entire ecosystems holistically. And if we're to defend against that adversary, that's one of the first changes in mind state we have to make. We have to defend holistically as an ecosystem. The organization that goes it by themselves in modernization will not succeed. Even worse, that organization will create a vulnerability for the rest of us. This is a critical part in modernizing how we think about this particular adversary. Now when we talk quantum. Quantum changes the time calculus I mentioned earlier, that accordion piece AI accelerates adversarial activity. Thank goodness for most of you in the room. We are all focused on using AI to accelerate our defensive capability as well. But when you look at long horizon priorities of a nation state actor like China, that means that your data and the risk it poses to you will now outlive leadership cycles. And that's critical. The second component of modernization is we have to modernize past leadership cycles. We cannot shift priority just because our leaders change. Chinese leaders don't change. The Chinese priorities don't change. Russia's priorities don't change. Iran's priorities don't change. North Korea's priorities do not change. And these are the adversaries that we're against. This is the second component of that modernization. Now what does that mean when we look at historical telemetry? Well, this is where I will challenge everyone. Historical telemetry predicts your next attack chain. At State Department we are exploring this deeply. Right now we are looking at predictive attack chain analysis based off of our historical telemetry. Based off of our historical deliberative process. We can pull trends out of our historical data that can predict how we are going to be in the future. And if we're doing it, you can bet the adversary is. That's that third component of modernization. Modernization has to account for changing the threat surface and breaking some of the tendencies that are predictable from our historical data. That is the threat that harvest now decrypt later presents to itself to us. It's not just about modernizing hardware. It's not just about implementing AI faster. It's about injecting that little segment of randomness that means the adversary that's reading 10 to 20 years of our history Cannot use that to deduce what our current attack chains look like. That is that third component to modernization. Checking the time. I want to make sure I keep us on point here. Now the fourth component. Disciplined implementation, but disciplined collaboration. I mentioned earlier that this adversary attacks entire ecosystems, so those ecosystems have to protect collectively. It's not just enough to know what your stack looks like. You need to know who's in the foxhole next to you and how they're defending so you can compliment them and they can compliment you. In the department we eat our own dog food. Here we are leading our five eye collaboration and collaborations with ministries of foreign affairs to make sure that those teams that have similar business needs and see the same adversaries are sharing in real time, not just when an incident happens, but sharing that reconnaissance information, sharing that understanding that we see adversaries building up infrastructure before those adversaries have a chance to weaponize that infrastructure. And that discipline and sharing has to remain solid. We cannot deviate from these ideas of discipline modernization and implementation and and sharing just because this bad guy pushes us on that playing field. Just because we have a change in leadership cycles. We have to remain solid and disciplined in all aspects of this implementation if we're going to combat these adversaries. I saw the one minute come up. So when you look at what modernization means in the quantum area, in the quantum age of cyber defense, that means defending as complete ecosystems, that means taking into account long horizon priorities of adversary and being disciplined in implementation so that our implementation outlives our leadership cycles to maintain defense in the future. It also means being disciplined in that collaboration and in that sharing. The organizations that will succeed in this environment or are going to succeed as a collective, the organizations that share, the organizations that cover each other's six the organizations that understand who are in the fight with us are the ones that succeed. And it will not be because of tools. It won't be because of we deployed advanced AI fastest. It won't even be because we got to deploying quantum cryptology fastest. It'll be because we have created that links of shields across our entire ecosystem to match the veracity of this threat. Thank you.

A

Thanks for listening to Safe Mode, a weekly podcast on cyber security and digital privacy brought to you by cyberscoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your co workers, your CISOs, your sysadmins, your mom, your dad, anybody that wants to know more about cybersecurity, to find out more information or to contact me. Please look for all of our social media handles or visit cyberscoop.com thanks for listening. Check us out next week.