Bob Ackerman (founder of Allegis Cyber and a part…
A
What does industry think of the national cybersecurity strategy? We'll talk about it on this episode of Safe Mode. Welcome to Safe Mode.
B
I'm Greg Otto, editor in chief at CyberScoop. Every week we break down the most pressing security issues in technology, providing you the knowledge and the tools to stay ahead of the latest threats, while also taking you behind the scenes of the biggest stories in cybersecurity.
C
An attack is coming.
B
It's about keeping us safe.
A
He's just a disgruntled hacker.
D
She's a super hacker.
C
Stay alert. Stay safe.
A
Stay safe.
B
This is Safe Mode.
A
Welcome to this week's episode of Safe Mode. I am your host, Greg Otto. In our interview segment this week, we're going to be talking with Bob Ackerman, the founder of Allegis Cyber and managing partner of DataTribe, about the national cybersecurity strategy and what industry thinks about it. We spoke at RSA and a really interesting conversation for you up ahead. But first, talking with Tim Starks, who outside of the White House cybersecurity strategy, there's been other stuff going on in Washington, cybersecurity wise, been pretty busy. Let's dive into it. I know last week there was a proposed budget for CISA that was released. And look, we spent a lot of time on this podcast and obviously in the pages of CyberScoop talking about CISA's rough first year in this Trump administration. And with these budget cuts, it doesn't look like there's really any light at the end of the tunnel. I mean, I hate to be bleak, I hate to be, you know, fuddy and speak with doom, but there's a large number attached to some cuts here that is eye popping is.
D
Yeah, I mean, certainly they've already cut the budget significantly. Certainly they've cut the personnel significantly. I mean, in the order of 900, 1000 people. Something to have a bit of a caveat here is that the exact numbers were pretty hard to put a finger on. Even today, contacting people, trying to get a sense of what they're trying to cut and for and how it compares to previous cuts. The bottom line is we can get into that detail if you want, but the bottom line is they are looking to cut it more and they're looking to cut things that they have not cut before. You know, there's been some discussion on the Hill that. Take the election security piece. Right.
A
Okay.
D
The. Some of that. The election security dedicated personnel were cut by this administration. Some of the money for the ISACs that work on election security was cut. That money has already been eliminated. The Hill tried to put some of that money back in. We don't have a CISA budget for this year yet because of all the DHS problems that are happening. But appropriators move to put some of that back in. This budget looks to take it back out again. So that's an example of something where, where it's hard to read what, what exactly is happening, but the idea is cut more. You know, there are things like vulnerability scanning that they haven't talked about cutting before, that this would potentially cut if the budget blueprint became reality. Things like regional personnel, which is something that the Hill has tried to say, no, this is important. We need this.
A
I know that that does seem important. We've heard that it's important from other sources that you and I have both talked to that the outreach on the regional factor is really a big deal. Because when people, people need to, are going through cyber attacks and need to pick up the phone and call somebody in years past says it has reach out to a regional person, that's gone. That's going to be a really big blow to what even this administration has said is to be their core mission.
D
Yes. And, you know, it's one of the things where, you know, when we wrote the story we wrote a few months ago about maybe it sounds like a few months ago, maybe it was just a month or two ago about CISA's rough first year. Everybody I talked to was saying, you know, if this is still going to have value, even if you're shrinking it, this is one of the areas you really need to keep. So, so if we start talking about the totals here, you know, this was a, a $3 billion agency right before Trump came into office. Now, no matter how you cut it, it's looking more like a $2 billion agency. That's a pretty dramatic amount of reduction. You, you just can't get the same amount of things done, you know, eliminating entire divisions. One of the things that, that, you know, when I've been trying to figure this out is what is the actual number. The administration touted a $77 million cut, but it wasn't clear what they were comparing that to.
A
Right.
D
We don't have a fiscal 2026 number to compare it to yet. So that's hard to say. It might be that that's largely a cut that reflects things that were annualized or things that were just a cut and paste from the. This is what we wanted to do last year. This is what we still want to do this year a more reasonable number. You know, that 707 million number includes things like some transfers of things that isn't necessarily a cut, but I think the bottom line is they're talking about cutting hundreds of millions of dollars more than they already have from an agency that they've really pared back.
A
So can we talk about one of the other angles that I know that you pointed out in your article on this is that it almost looked word for word, like the language that they used in 2025. And what does that tell you and what are your sources telling you what that says? Because that just strikes me as having an underlying message there where I don't mean that there's something deep there. It just almost seems like I want to use the word negligent, but like borderline negligent, I want to say maybe not so far as to say negligent, but there's not a lot of care or thought put into something if the documents are literally just, you know, control C, control V, send out to the
D
world in some cases that the language was actually identical. So I think there are a few things going on here. I think negligence is a fair word to use here, even if, you know, taking any judgment out of it. This is an agency that they've deprioritized. Right. So that's, this speaks to that there is less rigor about things that there have historically been rigor in the federal government under Trump. I mean, maybe they would consider that a point of pride that they just. This shows how much they are trying to atrophy the federal government. So again, no judgment on that. That's partially that. The other thing is, you know, sometimes they're just kind of lazy, I'm afraid they don't seem to put a lot of work into it. So there's a deliberate message sending. There's the message that they keep trying to reinforce that agents, that CISA is an agency that's out of control, it's off mission, but they've had control of the agency for a year plus. If it was off mission, what, what are they. What, you know, what are they still trying to put back on mission? And if you're trying to reinforce that, that, that message, that political message, easiest way to keep doing that is just to say what you said last year, I guess. Right. So you're saying CISA's off mission. How do you, if you keep cutting the things that you say were off mission and, and you're talking about trying to get it back on mission, how do you keep advancing that message. Unless you just say what you already said before.
C
Right.
A
Speaking of the on mission, part two of the big on mission things that have always been the bread and butter of CISA is safeguarding federal networks and safeguarding critical infrastructure. I'm wondering from your conversations whether you've seen any cuts into that or if that's what they are really concentrating on. Because it just seems like as we head into 2026 with AI moving at a breakneck pace and a story we'll talk about shortly after this, with critical infrastructure being targeted, there needs to be concentration there.
D
Yeah. So I think that insofar as things have suffered within the agency that has suffered less, that doesn't mean that it hasn't suffered. It's not as though they're cutting some of the big signature CDM type programs or anything like that. There's no line item saying CDM's gone or anything like that. But if you have a thousand fewer people, how can you possibly do the same good, the same quality of job? I mean, whatever you think the role of federal government is, whatever you think the role of CISA should be, you're not. There's always the idea of like maybe there's an A point, a breaking point where the higher you go there start to become diminishing returns.
A
Right.
D
Where if you just have thousands of thousands of people, just really focus on one part of the federal government and protecting it, maybe Those, those extra 200 people or so don't make a huge difference. But if you're Talking about cutting 1,000 people, you just don't. You're not going to end up with the same work product. Right. You're just not going to. It's not possible. If people thought the agency should have been bigger, which by the way was. The consensus coming into this administration is that this agency should have been perhaps billions of dollars bigger than it was at 3 billion and it had rapidly grown. And I think there are people who, you know from that I talked to were like, look, maybe it's grown too fast. Maybe we need to look at some places where there are efficiencies, maybe that's viable, but you're just not going to have the same work done if you have a thousand fewer people. One third of your personnel are gone. Even if most of them are focused on things like that, you're still going to have cuts to that area.
A
So on the critical infrastructure are shifting gears now. We also saw this week, as this is being recorded last night, there is a two week ceasefire in the Iranian war. But 12 hours before that, we saw the government put out some warnings about Iranian hackers going after critical infrastructure. And you wrote a story for us on that. So give us a breakdown of what we know.
D
Yeah, so FBI, CISA, Department of Energy, a number of international security and energy focused agencies said that they didn't name the specific groups, but that Iranian hackers were going after operational technology, PLCs, all of those kinds of areas of, like, industrial control, that they were going after those areas. They were targeting the water sectors, they were targeting the energy sectors, and that there have been new victims. So one of the things that, you know, when I was looking at what, what they put out and what they were going to put out, I had seen that, that this was something they've been warning about since like 2023.
A
Right. That was something that really struck me as we went through the, the production of the story was like, is this, is this really something that is concentrated just because of the conflict going on, or is just this more of an update that is just sort of, hey, they've always been doing this and, and now is the time to just remind everybody that they tend to target critical infrastructure?
D
I think it was a mix of both. I mean, the original impetus for that was there was a Pennsylvania water plant attack by the CyberAv3ngers.
A
Right.
D
Well, I've never said their name out loud. Do you pronounce the three?
A
Yeah, I think in leet speak, it generally just crossover into words.
D
Anyway, that was the group that was claiming credit for that kind of thing back then. And there were some other groups that they, that they named, that they thought were doing this kind of thing. What's different is, yes, I think they were trying to remind people of that, but they say they've had new victims since March. People who have suffered financial losses, people who have suffered disruptions that were tangible, that they could say this has happened. So you can wonder about the timing and say, do we know for sure that this is a response to the US Israel conflict and the bombings and the strikes. I don't know if we can say that for sure. I don't know if the FBI would say that for sure. I think they suspect that's the case. So I hope to have more from this on this soon to get into some more details about what they think is happening here beyond the alert that they put out.
C
Right.
A
And I think it's a good reminder for, for people in that with this ceasefire, I think things may be at least appearing to calm down. Who knows what's going to happen from now, this is, this is taped at a point where we think that things are calm. So that caveat there, that aside, the cyber realm in this has really never calmed down. And I don't foresee it being something where while there may be a more kinetic ceasefire, where that automatically translates to the cyber.
D
Yeah. And I think part of that is, you know, these, these groups are ostensibly Iranian government connected. Maybe ostensibly isn't the right word, but their suspicion is that they are connected. There's a lot of evidence that they are connected, but they're also semi independent. And then there's also the whole deniability of, like, Iran's like, hey, we don't control those guys.
A
Right.
D
So there's that, there's that kind of thing going on where I think the fact that you, you can't necessarily say, oh, that's a violation of the ceasefire. I think the cyber activity is going to keep going. There's the espionage part of it, of course, but there's also the part that's like some of these groups are, are hacktivists essentially that are aligned with the government and doing what they think the government wants to do, even if the government isn't saying it out loud. So I don't think that this is going to, the ceasefire is going to have any kind of dramatic impact. Maybe it'll have a small impact on the amount of targeting that's happening, but I don't think it's going to have a dramatic impact.
A
Whichever way the wind blows, I know you'll be able to keep our readers up to date on it. So, Tim, thank you as always. Now to our interview with Bob Ackerman. And I talked to Bob on the sidelines of the RSA conference and we unpacked the National Cybersecurity Strategy, really a conversation around what industry is hearing from the government when it comes to active disruption. Bob talks about how in practice, this really hasn't been clear and what he would like to see from the White House in terms of drawing concrete lines on how industry can help the government with all sorts of takedowns and disruptions. Check it out.
C
All right.
B
Joining us on this week's Safe Mode is a man, the cyber money man is what I.
C
Where did you get that?
B
That's what the Internet tells me about Bob Ackerman. But Bob, man of many hats, founder of Allegis Cyber, partner at DataTribe,
C
well
B
known in the policy and just cybersecurity circles across the board. Thank you for joining us here at RSA. Great to be here.
C
Appreciate it.
B
So, Bob, I've been having a lot of conversations around the national cybersecurity strategy that was just released, and especially the pillar that says companies should go on the offense more with the help of the federal government, especially in terms of, like, what is being categorized as, like, active disruption. Like, I know, Sean Cairncross has spent the past couple of weeks after the release saying, no, it's not hack back. Like, that's not what we're saying, but this is what we're talking about in terms of takedowns and collaboration. And I know that Sandra Joyce from Google Threat Intelligence Group gave a keynote where she talked about her vision for the way that Google is going to do this. So I'm wondering from the conversations that you're having, what has been the reception to this more sort of loud, open, collaborative state when it comes to taking down bad actors on the Internet?
C
Well, I think, look, I think, I think number one, the collaboration is absolutely essential. I think we can all acknowledge that, you know, when you sit down and have conversations with the government, they'll be very forthright in terms of saying, we cannot secure industry. We don't own those assets. Those assets are owned and controlled by industry. Industry is going to have to take the front line in terms of defending. But we need to collaborate and there's things that we can do to benefit each other, to basically improve our game. So I think that all makes a tremendous amount of sense. You know, the disruption, you know, in terms of where are the lines is really kind of the still out there question. It's like, what exactly do you mean? You know, John Keith was at Global Cyber Innovation Summit, which we were talking about, and John was in the White House and was responsible in the last administration for developing the rules around letters of marque. Okay, right. And so we actually had a conversation with John and Sandra Joyce and Morgan Adamski around this question of, you know, where are the lines, where are the boundaries? I think we're still looking for a lot of clarification in terms of what does that actually mean? You know, historically it's been, you know, off limits. I think getting to a place where you can selectively take actions to disrupt adversaries is a positive step forward. But the devil's in the details, and we're still waiting, you know, for those details. And the, when the strategy piece came out, it was, you know, watch this space, you know, for a little more clarification. I, you know, I get that. You know, what I, what I'm a little disappointed by is, you know, the industry has convened here in San Francisco where these conversations could and should be taking place. And unfortunately, the government is not represented here. And I think that's. That's a missed opportunity.
We will find a way to recover, you know, because the conversation needs to take place. But, you know, I think right now, everybody I'm talking to is just looking for direction in terms of what can we do, what can't we do? You know, there. There are some people who are like, look, I don't want to be involved in that at all. You know, I'm not even interested in attribution. I just want to be safe and secure. And there are other people, I think, who, you know, probably have backgrounds that have a little more offense and a little more national security, you know, in their historical resume, who are much more comfortable with what actions can we take to disrupt the activities of our adversaries. But the question is, where are the lines, you know, and what does that engagement with government look like? If you look at what Brett Leatherman is doing at FBI, you know, Brett I think, is kind of. Brett and his team have done a great job of kind of building bridges, you know, to the community. You know, what they've done with their CISO academy and building the trust and building that open dialogue, I think that has allowed for very close collaboration between industry and the FBI. But that's in a reactive, after the fact, kind of law enforcement centric approach. I'm glad it's there. I think they do a great job. But when you start talking about how do we get ahead is where I think there's a lot of gray space.
B
Yeah. So you're building on something that I have been asking among people that I've been talking to about this is with whether it is a letter of marque or it is something where law enforcement is involved in a takedown. Weren't these options all there to begin with? Like, I'm just wondering, like, look, we know that hackback is not on the board, but a lot of what goes into active disruption are levers that we've seen the government pull. So I'm wondering, in your opinion, do you see things that are different or is it just. The difference is just that we're being a lot more open about it.
C
I think with this administration, there is a greater willingness, you know, to take those steps. I think the prior administration there wasn't that same willingness. I think the prior administration did a lot of really good things. I think, you know, way CISA was able to engage with industry on a very proactive Basis and build those bridges, those relationships was a really good example, but they weren't prepared to go, you know, to the, to what we'll call the more disruptive or active defense, you know, side of the equation. So it's a matter of political will. And I think, you know, pragmatically, you know, conversations that I have is the realization that our technical capabilities are very, very good. You know, it's, you know, we are world class with our technical capabilities, but from a resourcing standpoint, you know, we're up against, you know, if you look at the Chinese, for example, you know, a massive resource that outstrips anything that we have. From a quantitative perspective, you're saying, how do we level the playing field and if we can find a way to engage industry, kind of a collective or communal defensive action that is part of leveling the field.
B
So you were talking that you spoke with Morgan Adamski at your event that you had. I also got some time to sit down with Morgan and Kevin Mandia, Alex Stamos, who are luminaries in the industry. But I had a really interesting conversation with them where they were like, look, the next two to three years are going to be a sea change when it comes to the way that we look at AI, and especially AI in an offensive sense where the exploits are just going to come at such a rapid pace that it's tough to wrap your head around. And this is, it's one thing if it's coming from, you know, just idle conversation, but like I said, these are luminaries right in the space. So I'm wondering, do you share that opinion? Are you having the same conversations where people are like, God, the next, the next couple years are just going to be unprecedented for what we're seeing.
C
Yeah, look, I, you know, going back to the Global Cyber Innovation Summit, we had that conversation. And you know, what's fun about that, you know, about that gathering is it's Chatham House rules. Everything's off the record. You know, it's the right people in the room, people that you're talking about in the room having those conversations, things that quite frankly, people are a little, a little circumspect about talking about more openly. But that theme came up, you know, with Rob Joyce and Phil Venables and Jason Clinton, you know, talking about what does that next two to three years look like. And you know, the description of it's going to be a little spicy was, was, was front and center. And the fact that, you know, the offense clearly has the advantage. The offense always has the advantage. And, you know, I'm going to step back and tell you, from my point of view, the offense drives all innovation in cybersecurity. So if you want to build cutting edge cyber defense, you get as close to the offense as you can. The offense will tell you where the defense needs to be. There's a, there's a four to five year time lag. I've certainly seen that in industrial. When we did Dragos, okay, you know, we took, we took the keys, we took the cues from what the offense was doing with respect to critical infrastructure, said, okay, that's going to escape containment, that's going to become a new vector, you know, in the marketplace. And that was kind of the origin story for Dragos. But you see the same thing with artificial intelligence today. The offense is materially ahead, you know, of the defense. The defense, you know, the offense can be frankly, a little more aggressive, a lot more aggressive, and they can, can be a little more reckless.
B
Right?
C
You know, if they choose to. On the defense, reckless is not in the vocabulary. You have to be very thoughtful, you have to be very deliberate. If you're deploying technology, you need to make sure you understand everything that could go right and everything that could go wrong. What are the limiting conditions, and that's going to give a time advantage to the offense. And I think that's where you kind of get to this two to three year window of where the offense is going to be running materially ahead of the defense. You know, when we had that conversation as you and I were talking about, you know, one of the, you know, one of the points that was made is that, you know that that universe of CVE is out there. You know that that 5 to 7% of that universe is what the adversaries are typically exercising, right? Because they've been resource constrained. All of a sudden, offensive AI, they're not resource constrained. So expect them to prosecute the entire library of cve. So what you look at is potentially a tsunami of activity coming at you powered by AI, with us reacting as fast as we can, but on our heels a bit. I think once, once we get through this two to three years and we kind of close the time gap, there's a lot of things that AI will do in terms of boosting our productivity. Our code will be more secure, our networks will be more secure. But I think there, I don't think our community from a defensive posture has really stepped up yet to the full implication of what this offensive threat's going to look like. I mean, you know, one of them that you and I have talked about was just looking at your network. Right. You cannot defend what you cannot see.
B
Right, Right.
C
And you look at network mapping today, you know, network map. Today people spend a lot of money mapping their networks. They maybe get 50% efficacy. They just hope they got the right 50%.
B
Right.
C
Well, you're going to find out real quick when offensive AI is coming at you. And that's just in an IPv4 context. Right. You go to IPv6. You know, I'm aware of one solution which came out of the NSA, you know, little company called SixMap, you know, which can, can map an IPv4 or an IPv6 network in near real time with total fidelity. But boy, you sit down to try and have those conversations with people, it's like, oh, no, we've got our network mapping strategy and you have absolutely no idea what's coming at you. And so those are going to be kind of very, very hard learned lessons, I'm afraid, which is going to contribute to the tsunami effect over the next two to three years.
B
Yeah. I'm wondering with what you just talked about in terms of network visibility. Yeah, that's something that has been talked about, I feel like, for 10, 15 years. Like it's something that is very, very basic in concept. So I'm wondering, is there a way to blunt this tsunami or survive the tsunami by really just kind of doubling down on some of the blocking and tackling that we've been talking about at this conference and many other conferences for the past decade?
C
Look, there are so many things that go into that category of blocking and tackling and just good hygiene that materially improve our defensive cyber posture for whatever reason. All too often we seem to be focused on the shiny new objects and not going back to the basic hygiene. And that's on us. Right. And the fact that the adversary understands that, and the adversary is extraordinarily good at finding our vulnerabilities and exploiting them. And I think we have to do a much better job there. I mean, you know, there are examples where people have gotten better. You know, phishing is an area where people have gotten better, but we're going to see phishing at a level that we've never seen before. Right, right. And we're, we're going to overwhelm all of our traditional defenses against phishing. But phishing was an area where people actually did get into making conscious investments in hygiene and running training and running those tests and kind of upskilling, you know, their, their workforce. But after that I have a hard time you know, coming up with. Okay, where's another example of where we've really done an extraordinary good job with respect to hygiene? Insider threat is one of those areas where we know that 70, 75% of cyber incidents have an insider component to it. And you go back, I remember I did an Insider threat company 10 years ago with a team that came out of national intelligence where they built insider threat capability. Phenomenally effective. But boy, you try to introduce that technology in enterprise and the HR people just lost their stuff. And it's like, hang on, do you understand what's at stake now? I think we've, I think we've materially moved forward, you know, in that area. And I think there, you know, there are companies out there that are, you know, DTEX is one that's doing a phenomenal job with respect to insider threat. So credit to them. But, you know, now we're in a situation where insider threat is not going to just be the human element.
It's going to, it's going to be the agent, it's going to be the digital human, you know, and so again, the offense always has the advantage. And we, we need to get much more efficient and we need to be much faster. And one of the challenges, you know, going back to conversations we've had, if you look at RSA, you know, heaven help us, CISO trying to make sense of, you know, I mean, we have a signal to noise problem here is off the hook. The noise is so, you know, CISO needs signal. Yeah, right. And trying to find that signal in all of this noise, you know, does not make the job easier, makes it a lot harder. And you know, unfortunately, you know, what we've got is we have these national security threats, which is really how I characterize cybersecurity. Even though it may, it may target, you know, the industrial base, it's still a national security issue, you know, at the same time that the technology is amplifying the threat and the risk and the magnitude of bad things going seriously wrong, you know, on the solution side, you know, kind of represented by people here at RSA, you know, you know, all that glitters is not gold. You know, we have a serious noise problem, which makes it harder for the defense to identify the signal, you know, and prepare themselves.
B
And I think that a lot of the noise that I am hearing because I've talked to CISOs too is around agentic AI in that I talked to a CISO at a top publicly traded technology company who's giving a talk on agentic AI. And he was like, I'll give you a little secret. I'm not, I don't have anything to talk about just because I'm trying to figure it out. When I go up there in front of these CISOs, too, I know that some of them out there who are personally my friends are also trying to figure it out. So instead of giving, like your traditional talk, I want to go up there and kind of go, who's got the answers? Because I sure don't. And, well, let's figure this out together. I feel like that's what CISOs have to overcome, and that's just with agentic AI.
C
Yeah.
B
And to your point, there's so much other noise in so many other areas that, yeah, I don't know what a CISO can do other than just take a breath and go. I'm just going to rely on, again, the blocking and tackling that I know has worked out for me in every other facet or every other fad that's come along in this industry.
C
Yeah. Go back to the fundamentals. Right. But, you know, there was a. I was talking to Tom Gillis over at Cisco, and Tom talked about a survey that they had done of CISOs in and around the deployment of artificial intelligence, you know, and that 95% of them, you know, are basically on pause, learning as much as they can. You know, I call it kind of, you know, this, this phase of the market is reconnaissance in force. It's like, throw everything you got at the wall, see what sticks, try and figure it out, try and make sense of it. But until some of those, you know, fundamental questions around use cases, around guardrails, around securing data, I mean, all of the very, very real issues that, for example, our friends at Anthropic talk about all the time, until those issues are addressed, are you going to see scale deployment? No, you're not. You're going to see selective deployment in very specific use cases where the boundary conditions are well identified and are under control. That's the nature of the beast. That's the CISO and the CIO doing their very responsible job of don't create risk, you know, in the process of trying to tackle risk. But that is part of what opens that gap between the defense and the offense, because the offense is out there is like, hell, no. I'm going full speed. You know, I'm going to take advantage of this window. I'm going to throw everything I got at it. I'm going to pull all the tricks out of the back bag and I'm going to come at you. And so yeah, two or three years of a little spicy.
B
Great, Bob. Really appreciate you hopping aboard and trying to give our audience a chance to find that signal in the noise. Really appreciate your time here.
C
Always a pleasure. Thanks a lot.
B
Thank you. Thanks for listening to Safe Mode, a weekly podcast on cyber security and digital privacy brought to you by CyberScoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your coworkers, your CISOs, your sysadmins, your mom, your
A
dad, anybody that wants to know more about cyber security.
B
To find out more information or to contact me.
A
Please look for all of our social
B
media handles or visit cyberscoop.com. Thanks for listening. Check us out next week.
Safe Mode Podcast: “What does industry think of the White House's cybersecurity strategy?”
Date: April 10, 2026
Host: Greg Otto (Editor in Chief, CyberScoop)
Guests: Tim Starks (Cybersecurity Reporter), Bob Ackerman (Founder, Allegis Cyber; Managing Partner, DataTribe)
This episode of Safe Mode Podcast explores industry reactions to the recently released White House National Cybersecurity Strategy. Host Greg Otto discusses federal budget cuts and the evolving threat landscape in Washington with reporter Tim Starks, before delving into an in-depth interview with Bob Ackerman at the RSA Conference, focusing on how industry is responding to the national strategy’s call for more active disruption, government collaboration, and the impact of AI-driven threats.
“Negligence is a fair word to use here… This speaks to that there is less rigor about things that there have historically been rigor in the federal government under Trump.”
— Tim Starks (05:36)
“If you have a thousand fewer people, how can you possibly do the same good, the same quality of job?”
— Tim Starks (07:25)
“The disruption, you know, in terms of where are the lines is really kind of the still out there question ... what exactly do you mean?”
— Bob Ackerman (15:00)
“The offense always has the advantage. ... If you want to build cutting edge cyber defense, you get as close to the offense as you can.”
— Bob Ackerman (20:28)
“Expect them to prosecute the entire library of CVE. So what you look at is potentially a tsunami of activity coming at you powered by AI...”
— Bob Ackerman (21:58)
“All too often we seem to be focused on the shiny new objects and not going back to the basic hygiene. And that's on us.”
— Bob Ackerman (24:39)
“CISO needs signal ... and trying to find that signal in all of this noise ... does not make the job easier.”
— Bob Ackerman (27:43)
Episode hosted by Greg Otto, Safe Mode Podcast, April 10, 2026.