How Vulnerable Are We? Inside America’s Cybersecurity Crisis

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Jim Cardoso (00:00):
Jim, hello everyone. Welcome to this week's

(00:14):
episode of at the boundary, thepodcast from the global and
national security Institute atthe University of South Florida.
I'm Jim Cardoso, Senior Directorfor GNSI, and your host for at
the boundary. Today on thepodcast, we're conducting a
follow up conversation with theparticipants from a panel GNSI

(00:35):
organized for the recent cyberBay conference in downtown
Tampa. That panel examined thequestion is cybersecurity the
foundation of national security?
It was moderated by our own Drtat schnaufer, strategy and
research manager at GNSI.
Joining him on the panel is DrLinda known resident research

(00:56):
fellow at GNSI, Dr GeorgeBurrus, the founder of the
Cybercrime interdisciplinaryBehavioral Research Laboratory,
otherwise known as the cyber labhere at USF, along with Chris
hunter, a former lawyer with theDepartment of Justice who is now
the chief legal and complianceofficer in the IWP family
office, and A GNSI non residentfellow, take it away Ted.

Tad Schnaufer (01:24):
Well, we're here with the GNSI team that spoke at
cyber Bay on a panel. Is cybersecurity, the foundation of
national security. We were ableto explore that topic in depth.
But first, why don't we goaround the team and talk about
the overall, your overallassessment of cyber Bay. How did
the conference go? And then,what were your major takeaways?
What were the things that youlearned about cyber or saw that

(01:47):
might keep you up at night? Sowe'll start with you.

Unknown (01:49):
Linda, Thanks, Ted. I thought the turnout was great at
cyber Bay. It's very exciting tosee Tampa Bay, kind of going
head to head with SiliconValley. It's very awesome to see
a good representation from USFcyber Florida, the Bellini
college was there awesome foodtwo days, a great food. And I

(02:12):
heard there was an awesome droneshow too. And so, yeah, it was
very great seeing like academia,government and industry coming
together talk aboutcybersecurity

issues and what was your biggest takeaway? What
was the thing that you learnedabout cybersecurity, and maybe a
discussion you had in thehallway or from one of the other
panels?

Unknown (02:30):
I think what really hit home was how it isn't how
cybersecurity isn't just an ITproblem. It's actually more than
that. It's pretty holistic. AndI think GNSI has a great
opportunity to kind of pitchinto the conversation. Oh,

(02:50):
great, yes.

George Burruss, Ph.D. (02:52):
I just to kind of reiterate just the
diversity of people that werethere in terms of their
backgrounds in military, lawenforcement, cyber security,
academia and so on, right? So itwas, I've been to a lot of
different cyber securityconferences, and, you know, they
tend to go towards, you know,one particular group, there

(03:13):
might be an academic conferencewhere they're mostly all
academics or or professionals.
So I think the the main thrustof this was to bring a lot of
people from a lot of people froma lot of different backgrounds
together, so you get a lot ofreally cool conversations going
things you didn't really thinkabout. So for me, that was one
of the best things about it.
Excellent.

Unknown (03:31):
Chris. Cyberbay is fantastic. Really. Was just
terrific, high impactconference, and I'm looking
forward to subsequent iterationsof it. Cybersecurity is the
present and future fight, and tohave the people present at cyber
bay that were convened, I think,is a testament to USF, to the

(03:54):
Bellini College, and to thebroader cybersecurity community
that we have here in Tampa Bay,exactly as George just
mentioned, I would really singleout and highlight the people,
because cyber security is, well,a technical problem. At the end
of the day, it's also a peopleproblem, but also people solve
that problem. And we had someoutstanding people from across

(04:16):
the practitioner community, themilitary community, academic
community, was great, right?

And you know, like we all noted, is that cyber
has become a very ubiquitousthreat. It's everywhere. It's a
part of our everyday lives. It'spart of all the critical
infrastructure of the UnitedStates. And a cyber attack,
although might stay in thedigital form, if you will, in
cyberspace, it can alsotranslate into physical effects,
which affects people you know,who are dealing with that
threat, whether if it's at oneof our ports or one of our

(04:44):
chemical factories or watertreatment plants, for example.
So why don't we first, you know,re discuss, as was discussed at
cyber Bay, that fundamentalquestion is cyber security the
foundation of national security,and if so, how ingrained is it
in the overall security of the.

Unknown (05:00):
Nation, I think it's very much ingrained into our
national security, especiallyand today's society. Not only is
our military very much digitallyconnected, but all of the
fabrics of our society, fromgoing to the grocery store to
going to the bank, being oncampus, everything has become

(05:23):
interconnected on the digitalecosystem, so that becomes very
much a point of vulnerability orpotential

attacks. So you know, going back to that point,
is that everybody kind of yourpoint, Chris as well, is that
everybody's on the front linesnow. So whether you're again,
just doing banking, just doingyour day to day activities, most
of it is happening in some formor fashion in cyberspace. So
whether if it's a criminalattack in your account or a
state actor, you're possibly athreat, and if that attack is

(05:49):
large enough, it could havewider societal impacts. I

Unknown (05:52):
very much believe cybersecurity is the foundation
of national security today,tomorrow and indefinitely. So
many unfortunately, so manyexamples to illustrate the truth
of that, and salt typhoon andvault typhoon are are two of the
more recent examples. Probablyworth getting into some of that
right now. Vault typhoon is thename given to a Chinese cyber

(06:15):
espionage operation thataccessed critical infrastructure
embedded malware essentiallyallowed the Chinese Communist
Party's various entities to beinside the systems and services
that civil society relies on,just for day to day living salt

(06:36):
typhoon was a Chinese cyberespionage operation that
compromised thetelecommunications systems in
the United States in ways thatare only now fully beginning to
be understood. The Salt typhooncompromise allowed access to
real time intelligence aboutpeople and communications it's

(07:04):
been called perhaps the mostsignificant cyber espionage
attack in the United Statesever. And yet, both vault
typhoon and salt typhoon are notnecessarily widely known outside
of the communities that arepaying attention to stuff like
this. So I think that thechallenge is one that requires

(07:25):
very much a whole society effortto both be aware of and then to
solve to and that's, yeah, oneof the things I think was
terrific about cyber base. Itbrought together that sort of
whole society representativegroup to really take seriously
the problems and to thinkthrough solutions.

Yeah, one aspect of the security. Part of
it is, if you think about nationstate actors using hackers to
get into the system, that justseems like one more tool in an
espionage toolkit, right? Butthe thing about hacking is it's
evolved motivation where peopleare doing it, sometimes speak
for profit, because they canmake a lot of money off it.

(08:03):
Sometimes because they're kindof forced to do it, like, if,
especially if you're in a, youknow, nation state where
they're, you know, you're forcedto do things because they make
you do it. But a lot of timesit's simply the nature of
hackers, is they want to hackthings because that's, it's fun
to do, right? It's, it's amotivation that if I can score
big, not only does it benefit mein terms of profit, but also

(08:27):
benefits me in socialrelationships, so I can build my
hacker persona. So it's alwaysgonna be the case where we're
behind the curve, not justbecause technology evolves, but
because the motivations of thehackers evolve, and the way they
do things is just we're alwaysgonna be catching up to be
catching up to them, whetherit's a nation state or an
individual hacker, and, youknow, in some remote country.

Unknown (08:46):
Yeah, I agree with you that the the line between cyber
crime and state sponsored, uh,cyber attacks, that becomes a
little bit blurry when it comesto attributions. I think tad you
had mentioned during the panelthat it takes much longer time,
like sometimes years, toactually confidently say who the

(09:10):
attackers were after theincident. And I think when it
comes to vault typhoon, forexample, think the US knows
pretty confidently that as theChinese backed hack, and the
reason, from some sources thatthese malware, you know, we're

(09:33):
still uncovering where they lie,but the reason why they're still
dormant is almost A form ofstrategic deterrence from
China's perspective of if the UStries to align themselves with
Taiwan in the scenario of aninvasion, China's invasion to

(09:53):
Taiwan, they have implantedthese potential these malwares
in our. Political infrastructurethat I'm not sure to what extent
the US government knows whattype of damage that malware will
cause, but it's almost like a ayou know, let's be careful about

(10:15):
how we're going, how the US willrespond in a potential invasion
of Taiwan.
I think that's exactly right.
The strategic window that theChinese Communist Party wants to
create with full typhoon is isessentially a strategic window
of deterrence, so that if theChinese Communist Party decides

(10:37):
to move on Taiwan, so to speak,it has the cape. It meaning the
CCP has the capability todestabilize us, domestic, civil
society, creating that strategicwindow to allow for action in
Taiwan while, while the UnitedStates is distracted. And
unfortunately, the parallelsbetween what was going on in

(10:57):
Taiwan in the fall of 2024 andwhat was going on in Florida and
elsewhere in the southeasternUnited States in 2024 are too
stark, as we know here.
Hurricanes Helene and Milton hitback to back, and the Tampa Bay
area hit and among other placesand were just absolutely
devastating. At the very sametime that those Hurricanes were

(11:18):
hitting here, Taiwan wasobserving its its National Day,
which is October 10, and thePresident of Taiwan, at the
time, gave a speech thatPresident Xi Jinping of of China
didn't care for. And theresponse was swift. Within 48
hours or so of the National Dayspeech China engaged in what was

(11:43):
called Joint sword 2020 4b whichwas a massive multi domain
military exercise in and aroundTaiwan, in the air over it and
the waters around it, todemonstrate to Taiwan and to the
world a level of kinetic abilityto try to deter Taiwan from

(12:07):
acting further on the ideasexpressed during that National
Day speech. Meanwhile, here inFlorida, post Helene and Milton,
civil society had becomedisrupted, not by vault typhoon,
but by the hurricane. So gaslines were extraordinarily long.

(12:28):
Not only were gas lines long,but Fights broke out. I mean, in
one county in Florida, withinthe first 48 hours following one
of the hurricanes, there were177 law enforcement calls for
fights at gas stations. Thatsame type of civil society
disturbance can potentially becaused by a cyber espionage

(12:51):
actor gaining access to criticalinfrastructure, destabilizing
society by shutting down water,shutting down sewer, shutting
down power sources. I meanColonial Pipeline, for example.

Because you might not think that those you know
gas has any type of cyber to it.
It's just in a truck and itdrives and it fills up a gas
tank, right? But that gastypically comes from a port, and
that port structure is runs on acyber system. That cyber system
could either be hacked and then,you know, used to overflow or
actually cause physical damage,but also going to just be simply
hacked, and then the responsewould be to shut down the system

(13:26):
to prevent the hacking fromgoing further, which, either
way, keeps that fuel fromgetting to people. So it's the
same type of scenario that youmight have in a hurricane. The
only difference is, is that thisis all happening digitally,
which whether it's a cybercrime, maybe they hold a port or
a fuel system at ransom. You payus, you know, so much money,
then we'll open up your youknow, we'll stop cyber attacking

(13:46):
your system. Or it's or it's anation state purposely doing it
to cause that social unrest,because cyber attacks have those
secondary and tertiary effectsinto into society. Yeah.

Unknown (13:58):
And I think what you just alluded to is the aspect of
not only can a pandemic causesupply chain disruptions or
tariffs, but cyber attacks canalso cause supply chain
disruptions quite rapidly, aswhat we saw with sand worm.
That's another operation thathappened. Think it started in

(14:21):
2015 but it's continuously startkept going in 2022 2023

Can you explain a little bit more what sandworm
is? Yes.

Unknown (14:30):
So sandworm, it started in Ukraine. So it's the way that
they attackers deployed. It wasthrough phishing emails, once
they were able to access thecredentials, then they were able
to implant a Trojan, which theynamed it black energy. Once they

(14:51):
were able to get into put inimplant the malware, they were
able to go into the commandcenter, Control Center, and.
Then from there they were ableto then gain access. So this is
where they're going from the ITrealm, moving laterally into the
OT, the operational tech. Soonce you're accessing what they

(15:16):
call the ICS, industrial controlsystems, that's what the
operator on the outside wouldsee is on their computer,
there's this mouse that startsto move and starts to control
the circuit breakers, so likesomeone

takes control of your computer, is moving your
mouse. Yes, all right,

Unknown (15:33):
and that's part of the design in the malware they're
now having. Well, let me backup. Part of the strategy was for
the attackers to gain remoteaccess, and that's what they
took control of. Was what theability to gain access into the

(15:57):
ICS so the industrial controlsystems from a different
location. So once they'reinside, they control the circuit
breakers. And the person, theactual Ukrainian personnel, they
can see the circuit breakerssignals moving down, pushing
down, so they're the attacker istrying to cause a blackout. And

(16:24):
immediately the operatorrealizes that, okay, this is not
a normal situation. And thenpart of the other strategy is to
create not hysteria, but theoperators will start to freak
out, because they also, somehow,I don't know how, but was able

(16:47):
to hijack the phone systems. Sonow the operators in this room,
they're seeing that the controlhas been hijacked. But then the
phone starts ringing off,ringing, so there's a ring,
ring, ring, ring, ring, ringthroughout the throughout the
room, and so they're panicking,and they're actually now eating
into the scheme, or which is forthe operators to turn that power

(17:12):
back on as quickly as possible.
And so what happens when youturn the power back on? Fast,
overload the system. Yes, youoverload the system, and you
cause a power surge. And so whatactually ends up happening,
ended up happening, which ispartly what the attackers
wanted, is for thesetransmissions to blow up, so
that starts to cause actualphysical damage onto the

(17:33):
Ukrainian grid system, sandworm. It's backed by the
Russians. So you could see whythis is and this is in 2015 so
this is before the Russianinvasion, but they're already
starting to, I guess, enter, Iguess the Russians are trying to

(17:56):
test out their cybercapabilities in Ukraine.
You were speaking to Ukraine andRussia Ted. You were recently in
Poland at a security summitthere talk about the front lines
of the fight in every way, bothkinetic and non kinetic,
especially cyber. Curious someof the some of the observations
that were shared in Warsaw abouthow Poland and Eastern Europe is

(18:19):
dealing with the cyber securitychallenge that is presented by
Russia, sure.

Well, I mean, as we've noted here, that critical
infrastructure, not just in theUnited States but within our
allied nations, is certainly atrisk, particularly those that
are in proximity to, you know,potential adversaries, in this
case in Europe, the Russians,and they felt, they have felt
and experienced cyber and hybridattacks for years, but even
recently, you know, in 2020 thePolish stock market was

(18:44):
attacked. So again, this isaffecting everyday citizens.
When your pension fund or yourinvestments get affected, you
know, you log into youraccountants, there's a bunch of
zeros, or you just, it just sayserror, or you service, that
really causes some unrest ascauses an unsettling feeling.
And that's that social dynamic,where a cyber attack might sound
relatively benign, but largespread, it can have some large

(19:07):
societal effects. And that'swhat the Finnish use is, these
ideas of vital societalfunctions. So you have critical
infrastructure, which is a pieceof that, but you're also trying
to hold society together. Sothat's trying to limit crime,
trying to keep leadershipinformed, trying to keep
messaging on tasks. Or goingback to what Linda was saying
about the telephones, what ifyou have nobody you can call

(19:28):
because the phones are down, sosomething bad has happened, you
don't know what to do becauseyou haven't been trained, or
you're not familiar with what'sgoing on. And then the people
you typically would call whensomething comes up, it's denied
to you that mode of transport orthat mode of communication. And
one of the things that theWarsaw security forum we
mentioned quite a bit was thismajor cyberattacks on the
Ukrainian government rightbefore the invasion, in February

(19:49):
of 2022 where the Russiansknocked out or were able to
cause a denial service of manyUkrainian government websites.
What this This might not soundlike a big deal, but when the
invasion started. People arelooking for information. I'm a
normal citizen in Kiev. There'sbombs going off, there's people
in uniforms running around. Idon't know what's going on. And
you know, an official sourcethat I could trust would be

(20:10):
maybe a government website, butthat's not up. So now, what do I
do as a normal citizen? Do I amI supposed to run and hide? What
is my reaction? That's one ofthe key things as well for
coming out of cyber base that,how do you message and, in a
sense, get a society ready forthat and but before we go there,
maybe we talk about thedeterrence and defense piece of
it.

Unknown (20:30):
Yeah, that's exactly what I was just gonna say. So
you know, how do you deter that?
If you're whether you're Poland,Ukraine, United States, or any
nation state that's on thereceiving end of advanced
persistent threat activity inthe cyber domain. How do you
deter the actor when, as Lindaobserved, attribution sometimes
isn't immediate, if ever on theone hand, on the other hand,
sometimes attribution, althoughmay not be pristine from a

(20:55):
technical sense, is clear as dayfrom a geopolitical sense and
and the challenge then, ofcourse, is to to respond
proportionally, but also to doso in a way that deters future
conduct with without taking astep up on the escalation

(21:17):
ladder, so to speak and keepingthe conflict at a non kinetic
level. But you know, so manyanalogies, I mean, gosh, I
remember when, when China hackedOPM many years ago, which is the
federal government's humanresources department. The
Chinese Communist Party was ableto suck out bio data on millions

(21:39):
of Americans who held securityclearances. They did it through
cyber means. But imagine, assilly as it may sound, imagine a
scenario where foreign nationstate armed forces, you know,
descend on the on the HRbuilding, set up a perimeter, go
inside and steal all the HRfiles and then x fill. That

(22:03):
would be a pretty seriousphysical breach that would
require a pretty serious,presumably physical response.
But when the very same thing isdone, except, quite frankly,
with greater effect, because thecomprehensiveness is is much
easier to achieve from a cyberattack than from a physical

(22:25):
theft. The dilemma is, is real,right?

How do you respond to attack that clearly
in physical in the physicaldomain, would be an easy
response to a cyber attack,which you have that deniability,
and it happens so quickly, andmost people don't even realize
it. So how do we deter thosethings? How do we respond to
them?

Well, so there's two levels. Of course,
the you know, one is the nationstate level, and then the other
is the individual level. And asa criminologist, one thing we've
been looking at for a long timeis whether or not hackers that
is malicious. I should saymalicious hackers can be
deterred, and the assumption wasprobably not, because the
probability of them beingarrested and prosecuted for

(23:09):
committing hacking frominternational courts is so low
that it's not even something tothink about. But then we put
that to the test. So we what wedid, we did an experiment where
we tracked a bunch of malicioushackers through a website called
zone age, where they can logtheir website defacements. So
I'm a newbie hacker, and I wantto prove myself so that I can

(23:32):
make contact with more leadhackers, I can learn more skills
and so on. So I go to a website,let's say the UN's website, and
I hack it. And on the front theweb page. Front web page, I put
Spongebob, flipping off the UNand so that that shows that I
can do it. And I've done it for,you know, major organization. So
this website, zone H will then Ilog, I go to the website, I log

(23:53):
it in the website. Then sendsabout to take a picture of the
defacement so I can prove it.
And then I, you know, I countthat as a tick on my my resume.
So we know these people arehacking because they they're
showing us that they're hacking.
So what we did was then randomlysampled a bunch of them, and
then we followed them for awhile on their social media,
made sure they had social mediaaccounts, so YouTube, Facebook,

(24:16):
tick, tock, etc, and then wecreated our own fake hacker
account. So we made a bitourselves a fake hacker. And so
we kind of hacked the hackers,and we had, we, I think we
bought, like, 10,000 followers,and then we had our grad
students with daily login, youknow, just kind of post stuff on
computer technology and hackingand stuff, so that we had our
own presence. And then we andthen after a while, we messaged

(24:39):
the hackers and we said, look,you know, we just got, we have a
friend who just got busted, theFBI came with guns drawn. You
need to lay low for a while, orelse, you know, because they're
after us. And just to see ifthat, just putting that into the
the ether would have an effect,and because they kept logging
their defacements over, youknow, months and weeks, we could

(24:59):
then. Track the decline indefacements, we saw that that
was the case. So surprise, youknow, somewhat surprising to
ourselves that we saw that itactually did have a pretty good
deterrent effect, and that's atthe individual level. But one
thing to think about is a lot ofnation state actors may not be
employed by the ChineseCommunist Party military or the
North Korean military. They maybe hired out by these countries

(25:22):
to do things that they don'teven know why. They're just
being paid to do it. So they'rebasically contract hires. So
those people could probably bedeterred again, if they think
that there's a possibilitythey're going to be they're
going to be arrested. Now, ofcourse, the corollary of that is
there has to be, actually athreat there that the
governments can can go afterthem. And the FBI has, in many
cases, they've gone after peoplefor ransomware or people for sex

(25:45):
extortion cases where they've,you know, they've arrested
people in Africa and Europe fordoing those types of right.

Because, you know, going back to that point
about deterrence is you candeter individuals, because some
of the state actors are justsimply hiring hackers, and the
hackers might not even know whothey're working for. They're
just getting paid, you know. Sothat hurts. Attributions makes
it very difficult to, you know,again, blame the Russians or the
Chinese for everything that goeswrong with cyber attacks, but
also the international lawpiece. So if I'm a hacker and
I'm I'm doing a cyber attackfrom Turkey to the United

(26:13):
States, for example, how doeswho's got a jurisdiction who can
actually adjudicate that andthen prosecute if necessary? So
just create some some difficultbarriers to deterrence. And then
even on the defensive side, canyou defend against cyber attacks
or cyber crime completely?

Unknown (26:30):
The Department of Justice, a little while ago,
stood up what was then calledthe disruptive technology Task
Force, or strike force, and oneof the more significant early
cases that they brought involvedan indictment of a Chinese
national who had been anemployee of Google and had used

(26:51):
privileged access as an employeeof a private sector company to
essentially steal artificialintelligence technology for the
purpose of advancing variousinterests in China and on behalf
of Chinese entities. Oftentimes,when cases like that are one

(27:12):
learned of two investigated andthen three presented to a grand
jury that returns an indictment,the bad actor, so to speak, is
in a jurisdiction beyond reach.
In this instance, thatindividual happened to be still
in California and was arrestedprior to leaving California,
where where he otherwise wasplanning to leave on a one way

(27:36):
flight back to China. That caseis still pending. There was a
superseding indictment broughtearlier this calendar year, and
I believe it was the firstfederal criminal prosecution
involving the essentiallyforeign nation state backed
theft of artificial intelligencetechnology that individual case

(27:58):
can serve as, of course,specific deterrence against that
one individual by bringing itand publicizing it, it can also
achieve a general deterrenceeffect on perhaps demotivating
like minded people. But those,but those sort of like minded
people who might be otherwiseaffected by general deterrence

(28:19):
are not truly employed by theMSS, for example, and so I don't
know that general deterrenceactually has an effect on the
foreign nation state backedactors. One of the benefits,
though, of one off cases likethat, is it does a great job of
informing business community forsure, and society more broadly,

(28:41):
of the severity of the threat,the severity of the challenge.
And I think that's one of therealities of today and tomorrow,
is that so much of this, of thecybersecurity war fight, so to
speak, is buy in through theprivate sector. You know, a lot
of the a lot of the activitythat is happening to both defend
and protect is being done bycivilian war fighters working

(29:04):
for private sector companies.
Right? Because a lot

of our critical infrastructure is in private
hands, and you have civiliansoften working in those power
plants and those sewage plants,water treatment plants. I mean,
again, the list goes on. Of allthe critical infrastructure we
have these individuals, and thatgoes to a point that was talked
about at cyber Bay, and I thinkwe discussed on our panel a
little bit, but that one of theweakest points in cyber security
might be the employeethemselves. So they might be

(29:29):
lacking the training, or theydon't know what to do when a
cyber attack does something thatthey don't have the ability to
counter. So what, you know,what's, what's that look like
when the employee might be theweakest link. And how does that
tie into, you know, socialengineering risks, yeah.

So, so October is Cyber Security
Awareness Month, right? So he'sstill there, he's still there,
yeah. And so, you know, you seewhich is the right thing to do,
which is increase awareness likeso, so people like us will go on
the local news and talk aboutit. Um. There'll be public
service announcements, etc, andthat's all good. But the problem
is, it's not so much necessarilyan awareness problem that people

(30:09):
don't understand the risk is, ingeneral, is they don't
understand the risk tothemselves. So to give you an
example, you might have anemployee who understands they
shouldn't click on links thatthey don't know to look for the
warning signs, you know, youknow an email that comes in that
says, Dear friend, and then it'sgot grammar mistakes that used
to be the case. Now AI hasreally made that problematic,

(30:29):
because you can, anyone cancraft a targeted email, spear
phishing email to towardssomebody that has all the
details. So, for example, solet's say someone was targeting
me, and they go and let's say Ihave a LinkedIn account, and
they go to that and they say,Okay, well, you've, here's your
expertise. I'm going to send youan invitation to a conference in
Paris, France, in March, andclick here to get more details.

(30:50):
And like, Okay, well, that lookslegitimate because they've, you
know, it's come to me, but Iknow not just to click on a link
because I have awareness. Butlet's say it's a day where I've
had, you know, 20 emails,something's blowing up. I have
to answer all these things. Ireally don't have time. And as
the pressure gets up to actquickly and efficiently, then
even though I have awareness,even though I know the dangers
and the risks, I'm caught. Andso there's, I'm sure there's

(31:11):
plenty of times where I may haveclicked on something I shouldn't
have, just because, because ofthat reason. So so it's not just
awareness, it's alsoorganizational issues, like
email load pressure, also thehigher level you are. If you're
in the C suite, whether you're aexecutive or administrative
assistant, you're gonna behighly targeted for business

(31:32):
email compromise. So again, notjust knowing the general risk,
you have to know the specificrisk to your job, your position
and etc.

It sounds like a lot of extra burden on an
employee, right? So you have toscreen pretty much every email
and be judicious. And seeingthis is one letter off, because
that's typically how these comein. They're one letter off, and
one letter is from a differentalphabet. So it even looks
similar, but it's the Cyrillicalphabet and then, so now that
turns out to be a, you know, ahacker, but you thought just in

(32:01):
your glance, that you were goodto go?

Yeah.
Well, a common, common one is,instead of dot c o m, it's dot c
o r n, if the fonts, they're alllowercase. And so depending on
the screen, the R and the Nlooks like an M, so it looks
like a.com Okay, what's the.comthat's probably legitimate. But
in fact, it's, it's not, wow.

So you even have to zoom in right at the zoom in
on any of this. And again,that's, you know, it's one thing
for someone in just a company,or maybe at the university, but
someone who's working at acritical functioning site, it's
a much bigger deal. So theirresponsibility is a lot higher,
on top of the stress of theirday to day lives at the chemical
plant, at the munitions plant,or whatever critical

(32:38):
infrastructure we might bediscussing. So why are those you
know, obviously going back toyour point, Georgia and the
targeting piece. So if you're anemployee at a critical site and
nuclear power plant or amunitions plant, what makes them
so vulnerable to cyber attacksis just simply because they're
going to be exposed a lot morethey're a target or what else.
Yeah,

that's pretty much, I mean, just, it's
just that you're the hackers arelooking for those specific
people that are gonna beimportant, right? So they're not
just, they're not just sendingout phishing emails willy nilly.
A lot of them are targeted. Andthen you target an organization
at a, let's say, 100 people. Yousend an email, you just need one
of those people to do the wrongclick. So it's cost effective.

(33:19):
It costs them nothing to do itright, and you don't even have
to be a trained computerscientist to craft these things.
There's hacker for hire serviceswhere you can actually just pay
for someone. And you you get theGUI, the graphical unit user
interface, plug in the numbers,you know, everything you need,
send it off, and then it does itall for you, and you pay for the

(33:40):
service.

Sounds like that would be illegal, wouldn't it?
Like those sites would be, well,they're on the dark web, yeah,
okay, just to be clear, it's notjust something you Google. No,
no, but that's obviouslyconcerning. But what about,
maybe our chemicalinfrastructure, some other
infrastructures? Yeah.

Unknown (33:55):
I mean, I think over the last 20 years, the numbers
of reported, reported criticalinfrastructure incidents. So
attacks on our criticalinfrastructure has increased by
tenfold consecutively over thelast like each within each
decade. So for example, in 2005time period, there was only

(34:16):
about like 10 reportedincidents. Then you jump into
2015 2010 2015 time period. Nowyou're in the hundreds, and
today we're in the 1000s, likethere's been. So far this year,
it's been 2300 reportedincidents on of attacks on the
critical infrastructures. Andthat number, obviously, is

(34:41):
expected to increase. We're notsure if it's still on that same
trajectory of 10x by the nextdecade, or 100x because now
we're in the realm of AI beingused to increase the frequency
of these attacks and so butthat's. That's a good and bad
thing. So if the offense isusing AI, you would also assume

(35:05):
that the defense would also andcould use AI to speed up the
patchwork and scanning for allthese vulnerabilities. So it is
getting more difficult, I think,in terms of securing the
critical infrastructures, justbecause they're getting
bombarded with these attacks ata much higher frequency than

(35:28):
previously seen.

So if you, if you're an employee, and you
click on a link, what actuallyhappens if I open the email?
Nothing? I haven't introducedmalware, but it's just clicking
on the link, is that's thecritical step.

Unknown (35:40):
Maybe in the future, it'll be sort of like what
happened with a spinal tapdrummer. Just spontaneously,
poof.

Well, it can do a couple things. So it
can most common things. It'llsend you to a website, so it's,
you know, it's still the socialengineering part. So I'll say,
click on this link for your, youknow, free access to Netflix or
whatever. And so by doing that,then you go to the website, and
then once you go there, willdownload the payload onto your
machine, right? So it's whetherit's surveillance or a

(36:08):
ransomware or something likethat, or sometimes it'll be a an
attachment like, say, here's anExcel file. Go click on this. So
to give you an example, and thisalways, always think about this.
I when I moved here to Floridafrom a previous university. One
of my I get an email from acolleague that says, here's the
data, and there was a Excelfile, and it came from their

(36:29):
email address, you know. So Ithought, Okay, well, everything
looks fine. I was about to clickon it, I thought, but that's not
the way they usuallycommunicate. Usually there's a
long list of things they want meto do. I'm like, well, that's
weird. So I just reached out andcalled and said, you know, did
you send me something? And shesaid, No, I haven't sent you
something in a couple of weeks.
I said, Well, I think somebody'sgotten into your email and
they're using it to email me, soyou need to call it immediately,

(36:50):
and then I just deleted theemail. I probably should have
sent it on to our it to look andsee what it was, but, I mean,
that was such a targeted spearphishing attack that they went
into their probably what I don'tknow for sure, but probably what
happened is they went into thisperson's email. They got inside,
could read the emails and knowthat we communicated with data.
Knows that she sent me excelfiles all the time. So it's all

(37:11):
that insider information again,even if I have awareness, I'm
the chances of me clicking getsgreater and greater.

Yeah, if it's late, it's five o'clock in the
afternoon, you're just trying toget through the day. You're just
like, looks pretty good. Wow. Imean, but you caught that one,
so, right?

So that's, that's pretty good.
That's the one I caught it.
There's probably ones I didn'tcatch, but that's

what I got. But would you know? So if I'm
working at a chemical plannuclear plant, would I know if I
accidentally click on somethingthat it's something's been
installed, or is it pretty muchall in the background?

It's all in the background? Yeah, unless,
unless it's a ransomware thatimmediately pops up. Yeah, it's,
it's, it probably a lot of timesit's just surveillance, like,
you know, the keystroke, they'relogging your keystroke so they
can see what your password is,you know, all kinds of
information. Then they get inyour email. Then they can, they
can go further. And a lot oftimes it doesn't have to be a
key person that they go after.
It could be somebody who's onthe it could be a vendor that
you do business with. They getinto their account because they

(38:01):
have low cybersecurity. Look atthe email that you're talking to
the, you know, the buyer in yourcorporation, then send an email
from that, then you click on it.
Now they're in your you know,and so on, right? So, again,
that's why it's evolvedmotivation. They they're trying
all these things, and some ofthem work. Some of them don't
work.

Unknown (38:17):
Unfortunately, a great example of exactly what you just
described George occurredseveral years ago where a small
excavating business innorthwestern United States was
targeted by Russia. Would not bethe sort of business that would
be expecting to receive aforeign nation state cyber

(38:38):
attack, and that was preciselywhy it was targeted, because it
had no particular reason to haveenhanced cybersecurity defenses,
and it just so happened toprovide services to to a
utility. It then became thebackdoor, the vector into the
utility, which then allowedRussia the capability to

(39:01):
essentially shut down the gridif it had wanted to do so, and
this was all publicly reported anumber of years ago. But one of
the big challenges, again,really, for the private sector,
as much as for the government,is how to, in an age of scarcity
and tight budgets, how tonevertheless allocate sufficient
budgetary authority to havesufficient cybersecurity

(39:22):
defenses, knowing that thereality is, there's no such
thing as a final state of beingcyber secure.

You can't build a cyber wall, right? Is that? Is
that true? So you can build afirewall, I guess, in
cyberspace, but it's still notimpenetrable, because there's
that human element we've beentalking about. So you might have
a amazing defensive you know, inthe cyberspace, you have all
these different protections, butif someone clicks on a link now
they're inside your wall, if youwill, right? It's just that

(39:54):
simple. So that's why thetraining, the awareness of
employees, and then again. Justnormal citizens as well as we've
talked about. So you might beworking at an adjacent industry
to critical infrastructure, andyou have responsibility there,
and that's one of the topics wewanted to discuss a little bit
more too, is what role does thegovernment have with a
partnership with the privatesector to protect not only the

(40:15):
critical infrastructureindustry, but also those
adjacent industries that aredealing with it? So we're not
just talking about the military,but again, that military, but
again, that vendor that'sworking with, you know, the oil
pipeline, whatever it may be,

Unknown (40:29):
solar winds, right?
Yeah. I mean, solar winds is thebreach that involved lots and
lots of private sector companiesand lots and lots of federal
government entities, majorsoftware or a major vendor in
the software sort of supplychain. It's a whole of nation
effort that requires close andcontinuing cooperation and

(40:52):
resources and serious thoughtand serious people and serious
dedication to sort of solvingthe problem continuously over
and over again. One of thethings that I really like about
what the team in Florida isdoing and has done, and you you
mentioned it, one of the greatways for the government and the
private sector to cooperativelythink through the problem and

(41:14):
come up with solution set isthrough tabletop exercises,
whatever you want to call it,but the sort of activity that
brings people together andreally goes through simulated
experience of a cyber attack,what happens, what the effects
are, what the consequences are,how to respond, but in a very
realistic way, and the lessonslearned from those, those

(41:38):
opportunities to come togetherin those sorts of settings are
ones that can really drive thesorts of changes that must be
made, whether you're in thegovernment or in the private
sector, right? And that's

one thing that cyber Florida, here at the
University of South Florida, isdoing, you know, they're doing a
lot of hands on educationapproach, with legislators, with
other groups setting up thosetabletop exercises as well as
educating, you know, students inmiddle schools and high schools
as well. So getting them primedfor their entire life will be,
you know, cyber based. So theyabsolutely need to have that
cyber literacy. But also here atUSF is the Bellini college with

(42:17):
AI cyber, cyber they're alsogoing to be have be pushing out
a lot of cyber professionals inthe next few years with with
degrees, our criminologydepartment, our School of
Information. I mean, there's alot of cyber components
education here at USF workingto, again, inform the public,
but also inform future employeesthat hopefully they are not the
weak link. Well, that's

Unknown (42:36):
critical, and that's exactly how we begin our
conversation. It's a focus onthe people and the the work that
USF has been doing, is doing,and is going to continue to do,
is to develop the experts thatare needed in the government, in
the private sector. But at theend of the day, it's a, it's a
people problem thatpeople can solve. Yeah, that's,

(42:57):
I mean, that's exactly right.
You know, NIST NationalInstitute of Standards and
Technology, they came out with ainfographic and on it, it said
that the lack of talent andhuman failure will contribute to
over 50% of future cybersecurityincidents. Right now, I think

(43:19):
the US needs about 1.5 to 2million cybersecurity type
professionals, and we're shortof that between 200 to 500,000
so definitely need more folks inthat space.

One thing about the way USF is approaching
it is you could just get adegree in cyber security, and
they just have one department.
Let's say it's adding computerscience, and that's it. But the
but I think we've come torealize is cyber security is
such a vast discipline that youneed people in business to
understand the cyber insuranceaspect of it. You need people in

(43:55):
Information Sciences tounderstand the big data issues.
Computer Science, for obviousreasons, criminology, you know,
we're having, we were launchinga bachelor's in cybercrime to
teach the legal aspects of it,the social, behavioral aspects,
and then also digital forensics.
Because, you know, so we'retrying to change the sort of the

(44:16):
next generation of lawenforcement people to handle
those types of things. So, so I,you know, again, the if you go
to a university that's got a lotof those options, you should be
able to learn, you know, pickout a sort of a niche area that
allow you to be like, you know,really top performing, you know,
future cyber professional.

Unknown (44:35):
And I also want to put a plug in for Florida, since,
you know, we're pretty attune toprepare for natural disasters,
Hurricane prep, I startedthinking about this a bit more
when it came to how do weprepare for a cyber attack,
especially when it comes tocritical infrastructures, and
the outcome, whether it's anatural disaster or an attack on

(44:58):
the grid system, is. It wouldphysically be about the same,
like we're talking about foodshortage, field shortage, lack
of power. And so I was lookingat the hurricane prep list for
like, Floridians, and I'm like,oh, yeah, you know, you need all
these critical documents becauseyou can't access it through the

(45:18):
computer. You need to have cashon hand. You have to have a
certain amount of food supply.
The only difference between ahurricane prep list and a cyber
attack prep list is the season.
You know, in Florida, it's fromMay to November. And for cyber
attacking, it's going to be youryear round. One

of the things about hurricanes, when I thought
about this after after our panelso our bay, is at hurricanes,
you typically have a few daysheads up so you can, you know,
oh, you know, I should take somecash out if you have a zero day
event with cyber meaning zeroday, meaning you have zero days
to prepare. It's happening. Youknow, just clicks. It happens.
Now you have no power. How doyou go out in the marketplace
and again, procure food andsurvive for, you know, maybe

(45:58):
it's only five days, but fivedays a long time if you don't
have running water, or you don'thave electricity, or all of the
above. And we saw that withpeople who stayed in the Tampa
area after Milton, for example,many areas were out of power for
four or five days. So are youready to endure that? And then
while enduring it, ensuring thatthere's not civil unrest, which
is the secondary piece I thinkwe've already touched on. So you

(46:20):
know, we're talking aboutpreparing, you know, what can an
individual citizen can do? Butwhat about, you know, at the
level of our criticalinfrastructure and things like
SCADA, what could they dopossibly, you know, toss it over
to you.

Unknown (46:31):
Linda, so, with SCADA.
So SCADA stands for supervisorycontrol and data acquisition.
This is a software that isdeployed across sectors, whether
it's in the chemical facilities,critical manufacturing, energy,
feel, transportation, it's acommon software and it's, it's

(46:52):
the connector between the ITsystems and the OT, so the
operational tech and so whatthat really means when you hear
the word SCADA, you're reallythinking about physical systems
that have been connected to theit, and it allows like engineers
to gain remote access to thepower plants, for example,
because, you know, it's reallyinconvenient to go all the way

(47:14):
out into the power plant to, Youknow, monitor and control the
systems. It's much moreconvenient and efficient to do
it remotely, but that's also apoint of vulnerability and area
where attackers would like toenter. How would you secure
that? I'm not sure, but I knowfrom what Cyber Command did that

(47:38):
was novel is cyber command wason one floor of a building, and
they what general Nakasone haddone was move the NSA into the
same floor as cyber command toallow cross talk much more
efficiently. So like what Chrisis mentioning, you know, the

(47:59):
aspect of the human in planningfor the security, I think
similar thing can happen with ata organizational level for these
companies with these criticalinfrastructure, is moving their
IT team to with their ot team inone central area so that there's
constant communication and that,yeah, so if there is anything

(48:23):
that happens, it could be youhave a human there to try to
address the problem, or humansas soon

as possible, right? Because right now, when
you need it, you send an emailoff, and you wait, you know, a
week, and then they, you know,they show up at your office and
they help you out with with whatit is. But if you're actually
having an operational crisis,kind of like we talked about
with the Ukraine piece towardsthe beginning, you're gonna want
someone who has a has that cyberbackground that IT background
that can tell you this is somethis is a problem. We should
just shut everything down tostop the attack, or what they

(48:52):
might have that expertise. Well,you as the operator, have the
expertise of the actual physicalplant. Yes.

Unknown (48:58):
And actually going back to the sandworm student, if
there was more crosstalk? Yes,there's the IT team who knows
how to turn the controls backon, but the OT operator,
operator may say, hey, let's notturn on so rapidly, because we
don't want our transformers to

blow interesting.
So you need, you pretty muchneed, that human dynamic of both
the cyber expert and then theoperational expert. If not,
you're going to have problems,which we saw in Ukraine. Wow. So
with all that, plenty, plentymore that we could continue to
discuss, but I'll just go aroundroom. Rapid Fire, your big
comment for you know, as we lookat cyber Bay coming back up in

(49:34):
March of next year, what aresome of the focus areas you
think we need to continue thisconversation on? Obviously,
we've talked about the humandomain, social engineering, some
of the deterrence and defensefactors within cyber but where
should this conversation go now?

Unknown (49:52):
Education and action.
It's a virtuous circle. Everytime you learn, you are better
informed as an actor. Every timeyou act, you learn something
from that, and it informs howyou approach the next problem
set. And that's one of thethings that I think was
fantastic about cyber Bay. It'sone of the things I think is
fantastic about the work thatGNSI And the Bellini college are
doing at USF. And going forward,I think that's really where the

(50:13):
where the answer willcontinually lie, which is in
that education actioninterchange that's continuous
and ongoing.

I think we need to focus on readiness,
both in Tampa Bay, buteverywhere else in Florida and
beyond. Is, is what are small,medium and large businesses
doing to protect themselves?
What's their level ofpreparedness? Find out who the
innovators are, then, who theadopters? What's, what's
motivating, all that? Sosometimes you'll hear a lot of
people say that cybersecurity isthe Wild West. So anybody can,

(50:46):
you know, get a couplecertificates, hang them on the
wall and call themselves acybersecurity expert and start a
firm. But we need to reallyfigure out, you know, who is
really driving the bestpractices within that. And so I
think we can tame that a littlebit just by finding out what the
landscape is and doing somelandscape is and doing some
research on that.

Unknown (51:05):
I think cyber Bay, I had mentioned the private
sector, in addition to bringingthe private sector more into the
conversations, more so than theyalready are. And another area is
civilian education, what to doin the aftermath of the cyber
attack? I'd like to see more ofthat. Well,

that's great. And I think we've established pretty
firmly that, you know,cybersecurity is certainly a
foundation of national security.
You cannot have nationalsecurity in today's modern era
without protecting your cyberbase. And as we noted, that
cyber has a huge humancomponent, and it's certainly
going to be a cycle. It doesn'tjust end. We have a conference,
and now we've solved all thecyber issues in the world. So we
will look forward to the nextcyber Bay. We look forward to

(51:47):
our ongoing conversations hereat the Global national security
Institute. Thank you all forcoming.

Unknown (51:53):
Thank you. Thank you.

Jim Cardoso (51:59):
Special. Thanks to all our guests today, atfer
Linda known George Barris andChris Hunter for discussing the
highlights of their panel at therecent cyberbay conference and
also delving a little deeperinto some ideas that arose
afterward. It's become almostimpossible to discuss national
security without cybersecurityissues being part of the

(52:20):
conversation. We hope youenjoyed this one. As we wrap up
the podcast today, a couplequick notes, we're excited to
announce the next GNSI Tampasummit for March 2026, the theme
of the conference will benuclear weapons and Modern
Warfare. President Trump'srecent announcement on the
resumption of nuclear testingcreated media waves and

(52:42):
international responses andhighlighted the reality that
nuclear weapons on today'sbattlefield are not an abstract
concept, but a distinctpossibility requiring thoughtful
policy discussions genocide.
Tampa summit six is set forMarch 24 through 25th here at
USF, you can find more info onour website. We'll drop a link
in the show notes. The finalepisode of the Axis of

(53:04):
Resistance research initiativeled by GNSI Research Fellow Dr
Arman mahmudian, was justpublished on our YouTube
channel. In this concludingepisode, Armand took everything
he's learned over the firstseven episodes and spoke at
length with GNSI ExecutiveDirector, retired Marine Corps
General Frank McKenzie, as theformer commander of US Central

(53:25):
Command. McKenzie's insight andexperiences in the region offer
a unique point of view that youcan only find at GNSI. Check it
out on our YouTube channel.
Thanks for spending some timewith us today, on at the
boundary, next week on thepodcast, we're going to turn our
attention back to criticalminerals and resources,
specifically cobalt. It's almostthe stuff a legend, not to

(53:49):
mention movies, and it'll be thestar of an upcoming genocide
decision brief. Dr Linda noan,GNSI Research Fellow is writing
that decision brief and willgive us a preview next week on
at the boundary. You don't wantto miss that episode or any
other Be sure to rate subscribeand let your friends and
colleagues know. Follow alongwith GNSI our LinkedIn X
accounts at USF, underscore GNSIAnd check out our website as

(54:13):
well at usf.edu/gnsi. Whileyou're there, don't forget to
subscribe to our monthlynewsletter.
That's going to wrap up thisepisode of at the boundary. Each
new episode will feature globaland national security issues we

(54:33):
found to be insightful,intriguing, maybe controversial,
but overall, just worth talkingabout. I'm Jim Cardoso, and
we'll see you at the boundary.
You.

All Episodes

Episode Transcript

Popular Podcasts

Stuff You Should Know

Las Culturistas with Matt Rogers and Bowen Yang

Crime Junkie

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}How Vulnerable Are We? Inside America’s Cybersecurity Crisis

Episode Transcript

Popular Podcasts

.css-r6mb8g{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:1;overflow:hidden;}Stuff You Should Know

Las Culturistas with Matt Rogers and Bowen Yang

Crime Junkie

All Episodes

How Vulnerable Are We? Inside America’s Cybersecurity Crisis

Stuff You Should Know