Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Aaron P. (00:05):
Welcome back to Simply Solving Cyber. I'm Aaron Pritz.
Cody (00:08):
And I'm Cody Rivers.
Aaron P. (00:09):
And today we're here with Chris Reed, who's the VP of Product Security at Medtronic, and before we introduce Chris, I've known Chris for a long time. I think we were at the same pharmaceutical company back in the early 2000s. So, I'm interested to hear a little bit about you, your journey. And like a lot of our guests, let's start out by telling your
(00:29):
story, how you got into cyber and maybe a little bit on your journey over the years. Yeah,
Chris Reed (00:33):
Sure. Thanks, Aaron. Thanks, Cody. It's great to be here.
Cody (00:36):
Good to have you.
Chris Reed (00:37):
Yeah, it's been an interesting journey. I'm a computer science grad many years ago. Really quickly ended up in our security team at a pharma company, and I was there 23 years before I left to go to Medtronic. So quite a few experiences, starting at being in charge of how to manage intrusion detection on our network, running architecture, running operations, and eventually
(00:59):
building a product security program for medical devices for that company, for insulin injectors and insulin pumps. It was quite a wide variety of experiences there.
Cody (01:07):
What was the defining moment? The first thing you saw, you're like, yeah, I think I want to keep doing this. Or what was the first thing that kind of got you into the, got that cyber bug going?
Chris Reed (01:15):
Oh, you know, I just have always been one of those people that was curious how things worked and
Aaron P. (01:22):
Like to break things.
Chris Reed (01:23):
I did break a lot of things when I was a kid. There were a lot of radios that got taken apart looking at the boards. I wouldn't say I had the right influences around me. It took later in life to really get into the hardware hacking side, but I was always curious how things worked. And even really quickly as I was in college, I had a Gateway machine. Oh, it was a cow box. Cow box, yeah.
(01:43):
Yeah, that was my first one as well. And Linux got put on. And just really loved compiling software, getting in and looking at the code. Just understanding how all that worked. That continued just into my professional career. So, early on, was fortunate enough to get trained through SANS. Pulling apart network traffic and, you know, for that moment
(02:04):
that really got me into security. I mean, I think probably I was always interested, but the part that probably really got me into it was early in the 2000s. You know, that's when all the worms were happening and taking down companies, and watching how to figure all that out on our network and break through the network traffic and start to understand like where it was at. Hmm.
(02:24):
Yeah. Oh yeah. All sorts of interesting things on our network.
Aaron P. (02:27):
So worms got you into it. The bigger question is, can you do the worm?
Chris Reed (02:31):
Of course. That's like one of my favorite moves. Nice. Absolutely.
Aaron P. (02:36):
A lot of kids think they can do it, but they're really just kind of flopping around. That's what my son does at least. Yeah. Yeah.
Chris Reed (02:41):
My son does that too. Now I could really do it.
Aaron P. (02:42):
Do you want to see a video for YouTube? That's a separate show. It should be.
Cody (02:48):
Look for the link.
Aaron P. (02:49):
Yep. Awesome. So, um, I guess who are some of your influences? Cody asked about the kind of defining moments like, leaders internally, outside thought leaders. Who influenced your, who did you kind of early on? Like, I want to be like this person from a cyber standpoint or just from a general business leadership standpoint.
Chris Reed (03:09):
Yeah, that's a great question.
Aaron P. (03:11):
And I didn't prep you on this, so I just thought of it in the car.
Chris Reed (03:13):
No, it's good. Yeah, great question. I think I was really fortunate. Again, you heard how I just jumped into Linux and things like that. Back when I was in school, the whole idea of open source really inspired me where you had, I mean, this was the very beginning of that. Now it's like there's GitHub repos everywhere and everyone's, you know, but that was, this was earlier.
(03:34):
And I would say that whole mindset really intrigued me, the idea of having, you know, community source software. And so, gosh, there were a lot of big names back then. But I mean, obviously, Linus Torvalds from Linux. The idea that Microsoft trying to charge hundreds of dollars for Windows and here I have an operating system that I think worked better that I could literally just download and run.
(03:55):
I thought that kind of thing was amazing. And so. I think the good part about that is I think it always showed me the value of, I guess, finding good solutions. You can go out and spend lots of money on software. That's like not accomplishing anything.
Aaron P. (04:09):
You don't believe in reinventing the wheel. It sounds like, no, you want to start with something that somebody else
Chris Reed (04:13):
In fact, I was a little bit of a troublemaker earlier in my career because I, uh, I was using all sorts of open source and that's before we had a lot of rules around that, you know, so I was downloading stuff from all over the internet and in the code running all of our networks.
Aaron P. (04:25):
So how early of an adopter have you been with ChatGPT and figuring out how that changes how you or your team does work?
Chris Reed (04:33):
You know, I'll be honest with you. As far as ChatGPT goes, I'm not. I mean, I've played with it, but I haven't had quite the time to mess with it, to be honest. So when I left my previous company for my role at Medtronic back in 2021, part of that was around. I actually moved from a security role.
(04:54):
I'm running product security. Into a role that was actually in regulatory, and it was regulatory advocacy and strategy. And part of the role was security, like how do we influence what laws and guidance and standards are being created. But the other part of my job actually was digital health and AI. So, I spent a lot of time actually early, but it was at a
(05:15):
more policy level. So in ChatGPT, it was interesting watching that explode, because we've been talking about bias. Um, all the problems we have with AI, we've been talking about it. We had a policy we set up, um, at Medtronic that basically guided our work with AI before all that hit. So it was super interesting to play with, but I had already
(05:36):
been, it wasn't quite, I wasn't quite as enamored by it.
Aaron P. (05:39):
Yeah, that makes sense. And it's like. It was consumerized, right? It became approachable for people that didn't have a computer science background and all that. So new for a lot, but actually Tim Sewell here that we work with, same thing. He had been doing that, yeah, a decade or two ago.
Chris Reed (05:55):
Part of my degree, I have computer science. The other part of my degree is actually cognitive science. So I wrote AI back in college, but back then we didn't have the power. The GPUs to do what we do today, but, yeah, even back in college, I had written like neural nets to recognize letters and images and things like that. So yeah, it's amazing to see how far it's come and a lot of it's compute power and there's tooling as well, but.
Cody (06:16):
Yeah, we said something earlier that when I thought back on and you said the word influencing, I think it's a thing that, you know, a lot of cyber professionals need these days. We need a PhD in, because you're fighting for a little budget or you're trying to look for a seat at the table. So share with some of our listeners, maybe a key thing, and it can be at a previous company, current company, but maybe a good victory you got from a challenge you faced and how you
(06:38):
were able to influence others to kind of align on your vision.
Chris Reed (06:41):
Yeah, you know, this is a key skill, especially as you climb in an organization. When you're at lower levels, you definitely have a clear scope of what you're trying to get done and, generally, um, you know, that scope's clear. But as you move up, influence becomes more important. And there's so many examples I have of this. It's actually a skill I think I do fairly well.
(07:02):
One of the things I'm able to do is build really great relationships outside of my core function. So, as a cybersecurity professional, my legal team really loved me and knew who I was because... I have one lawyer that I work with there. That's always like, it didn't matter how complicated it was, but I went and asked Chris the question. I walked away understanding it, and so I think the key thing
(07:22):
about influence is you really got to put yourself in the shoes of the other party and understand a little bit of what their current challenges are and then put your problem in that context appropriately. That's the thing I'm able to do pretty effectively and as a result, huge accomplishments. You know, there was one case where I was working with legal on a case and they were describing what they were trying
(07:44):
to do, why they were frustrated. And I came back with a log that proved something that allowed them to take it into an interview to get someone to admit something they had done. But all that was me hearing what they were trying to do. They didn't ask me for this specific log. They were explaining to me why they were frustrated and what they wish they understood. And I was like, wait a minute, I think I can prove that.
(08:05):
And I came back and proved it. And that's the kind of, and then that wins you points. And then all of a sudden now you're a trusted partner and they start listening to what you're saying.
Cody (08:14):
Oh, that's excellent. That's excellent.
Aaron P. (08:15):
Awesome. So it sounds like listening, putting yourself in their shoes before trying to force them into your shoes or to force your agenda on them. I had a similar thing. Actually, we may have crossed paths on this, but with privacy regulations and trying to do things like, you know, DLP. There's a lot of roadblocks that can come up, especially in
(08:36):
certain countries. And I remember some of the conversations where the individual kind of already made up their mind before going into the meeting. So if you don't walk them back and understand what are you trying to do and articulate, hey, we are not Big Brother. We're not looking to look at what you're doing on the Internet during your personal time. It's kind of like, how do you bring down the defensive,
(08:57):
because a lot of times people come in with an assumption that's already, hey, I know what this is. I don't like it. And here's my agenda.
Chris Reed (09:03):
Yep. Another really good example of this would be, later in my career at the pharma company, I'd taken on product security, which is part of how I got to Medtronic. And one of the things I really wanted them to do was to be able to update the firmware on the device in the field. So in-the-field updates, which required some pretty advanced cryptography, and it's not cheap to design that.
(09:27):
Yeah. A working model of it. Right.
Aaron P. (09:29):
Did you call in Diffie-Hellman?
Chris Reed (09:31):
I did. No, actually I won't go into all those details, but yeah, it was fascinating because of the battery power and in the low processor, like it's actually quite a challenging problem that we had to work on because it wasn't just slap inserts places and using standard libraries. It was actually quite a complicated problem. But what I was able to do when I listened to the business was
(09:52):
share how they could go to market with more of an MVP product and that this capability would allow them to evolve it as they learn from the market. Yeah. Yeah. And it went from something I was trying to convince them to, to their number one feature for MVP was the ability to update the device because again, they heard now that this was a
(10:13):
business enabler, not just a security solution. And so it's finding those types of situations and expressing complex problems like that, that really help influence and bring things along. And again, you get brought to the PA table as a partner, not just that annoying security guy that keeps nagging you.
Aaron P. (10:29):
What was it? One question to throw in there is, has there been any cases of ransomware in medical devices?
Chris Reed (10:36):
Oh, thanks for asking that question.
Aaron P. (10:37):
Is that a vector?
Chris Reed (10:38):
Yeah. You know, I really appreciate the ask, that question, and that was not preceded for everyone.
Aaron P. (10:43):
So off the cuff.
Chris Reed (10:44):
Right off the cuff, which is great. This is actually a really important issue. If you read a lot of articles out there, obviously we have a problem with ransomware in hospitals right now. Specifically, they're just very complex environments that are built to be open because they need access to records to treat patients.
Aaron P. (10:59):
And it's desperation and it's don't have it.
Chris Reed (11:01):
Yeah. And it's desperation because they all of a sudden have to shut down. It's a really complicated situation and a lot of times when we read the articles out there, they say, look, we're having all these ransomware attacks. And then the very next statement is, and medical devices have lots of vulnerabilities, and it implies that medical devices are causing the ransomware. And I want to be really specific about this. They get ransomware just about how everyone else does.
(11:23):
It's someone clicking on a phishing email. And then, of course, it goes through their workstations. It is true that medical devices have gotten ransomware on them, although it's a pretty exceptional situation, but it's definitely not the root cause of it. That being said, there's been a few cases lately, and I won't name company names, but you can go out and look. There's been a couple examples where, you know, as devices get
(11:46):
more connected, they rely on the cloud services behind them to operate. So there's been one situation where radiology equipment to do cancer treatment, um, it needed settings from a cloud service to be able to operate. And because ransomware hit the cloud, it shut down cancer centers all across the country because they couldn't operate
(12:07):
the equipment.
Aaron P. (12:08):
But it wasn't the equipment.
Chris Reed (12:09):
It wasn't the equipment. It was back on the cloud side, but it was affecting the medical device indirectly and, most importantly, the service. So, it's a huge problem. You know, we're leaning in on the medical devices as well because we never want to become the source or the primary part.
Aaron P. (12:23):
If you think about it, if you get a pacemaker, if you're going, even if you found a way to proverbially click the phish on your pacemaker, where's the alert screen going to go? Like, if you shut down the heart, you're done. You're not going to pay. So it's a little, it's not the target market, right?
Chris Reed (12:40):
It's not right now. And we never want it to be. So we're working very hard. Yeah. And honestly, there's a lot of reasons that prevent you from that situation from happening, but the reality is threats change fast and one thing that's tough in medical devices is our development life cycles, kind of like pharmaceuticals,
(13:00):
they last years. So unlike tech companies that can build a product and put it out in three months, we have to run clinical trials to prove they're effective. There's all sorts of work that goes into it. We're highly regulated with manufacturing. Every time we make a change to our process, you know, we have to communicate to FDA what we've done.
Aaron P. (13:16):
Minimum viable product is not a term that correlates.
Chris Reed (13:19):
Yes, agree.
Cody (13:21):
Well, yeah. And like you said, just like the length and oftentimes in healthcare and strategies, like the technical debt is large because you can't just go out and buy 15 new ultrasound machines, absolutely two years and so it's like,
Chris Reed (13:31):
That's a problem we call legacy. It's a huge problem in healthcare. And not only that, we could go all around on this. I know we're bouncing all around, right? But one of the things I've learned in my role is you have bigger healthcare systems that buy the MRIs brand new. And as soon as they've used them for their useful lifespan, they turn around and actually sell it to the aftermarket.
(13:52):
And so a rural hospital will buy that and continue to operate that MRI. So we have this ecosystem in the U.S. that, equipment, aged equipment out. So now our life cycle is long. The equipment gets used way past when it was meant to be used, which is a huge issue that we're working on solving in general.
Aaron P. (14:11):
Right.
Cody (14:11):
So then let's pivot a little bit here. I've said I had a great career and still do amazing things, but what would you give advice for some of the listeners who are maybe new in the field or are there other emerging, but hey, the things that I, what I've learned over my career, if I can go back to my first three to five years in the field. What would you tell yourself then that you've learned now?
Chris Reed (14:30):
Yeah. So definitely early in your career. First of all, I think picking a space and really going deep in it is super important.
Aaron P. (14:39):
I thought you were going to say pick Amazon stock, but
Chris Reed (14:42):
If you pick the right stock, it could always work well. Of course, then you don't really have to work. No, absolutely. Going deep to really understand, I worry today even about professionals coming in. As I shared earlier, like I came in at a time where I was compiling the software. I understood how the operating system worked. There's a lot of people that don't understand some of those fundamentals today.
(15:02):
Yeah. And I think it's really important. You need to know you're never going to learn everything.
Cody (15:06):
Yeah.
Chris Reed (15:07):
But you need to be able to go deep and understand it. And then the other thing would be, in doing so, look for those experts in that space. And you asked about influencers earlier, but, you know, participate, not just going deep, but then watch the conversations that are happening around that technology and possibly from participating. But I think part of why I was able to develop pretty fast is,
(15:30):
I found people I really respected that knew their stuff. And those are the ones that I listen. I listened to their voices, not just the loudest voice, but hey, that guy there knows what he's talking about. Ed Skoudis from SANS is one example, right? Like that guy is amazing. And I think I took his class again in the mid 2000s, right? Um, but he used to do this thing called command shell Kung Fu,
(15:51):
where they would come up with complex problems to solve and then write a one command line that would solve the problem, right? Like, that's the kind of stuff that when you see those influence, like those types of people, like paying attention to them and learning is just huge.
Cody (16:03):
Yeah. One thing, I'm a former CTO in a former life, but one thing to your point I think was beneficial was listening to the other side and the perspective. And it's like, not so much how I speak, but how do I talk, how my other side listens and to your point, bringing the business, whether it's the business, it's different function, but talking in their perspective, I think point
Aaron P. (16:20):
You have to tailor the message to the audience for sure.
Chris Reed (16:23):
Yeah. And I think that would be the other thing I would share, to that point, I know we're kind of circling around this, but to emphasize that. A lot of security professionals think there's like this black and white, right and wrong, like this is the policy and if everyone did this, it would fix everything. And the reality is it's not like that. It's, but it's helping it again when you listen and you try to
(16:43):
put it in context, like this is the benefit you're going to get if this is happening, and also understanding when that black and white answer wasn't the right answer. Because there's so many times, and I know Aaron and I have a personal experience in this. So many times you set up controls and water flows to the easiest route, and you create all these bad behaviors that you
(17:03):
didn't mean to because you have controls that aren't effective and they're just causing productivity.
Aaron P. (17:08):
My new passion topic is user experience for cybersecurity, because I feel like the, unfortunately, the end user or the employee is the least focus of the budget. There's very little OCM in a lot of cyber programs, and we are giving them technology that's 10 years old to do things
(17:29):
like encryption and things. So what we're advocating and Cody, you've done a lot of work in the space on awareness, focus programs and process development and OCM around even cyber tool rollouts, you can't spend enough money and time there because to your point, the water's going to move around to the easiest path forward.
(17:50):
So you should be focusing on making the path easier to do the right thing, not black or white. Here's the 10 things you can't do versus how do you do my job? Like here's three ways to do your job. Focus your effort on that, not the David Spade. No list.
Chris Reed (18:05):
Yeah. People are always a little surprised. I've had, definitely in my pharma career, it was always funny, because we would have vulnerabilities come up in products and everyone was freaking out because, oh, we have this vulnerability and it's CVSS, you know, eight and we gotta get this fixed. And I'd sit down with 'em and we look at it and we'd realize it
(18:25):
probably wasn't that big of a deal. And my next question was, when's your next maintenance release? And they were like, well, it's in three months. And I'm like, that's good enough. Hit your maintenance release. And they were like, wait, what? And, and I just saved them hours of paperwork and trying to do an off-cycle release. Like, think about the cost of that. And when I became the voice of reason in those situations, and
(18:49):
by the way, we were still keeping that product safe and secure, right?
Aaron P. (18:53):
People listen to you. They're like, yeah, he's got my back. He's not here to derail me from my agenda.
Chris Reed (18:57):
So all of a sudden now they come and ask advice and they start flowing, 'cause they're realizing, hey, they're going to help me get this decision that's going to help manage my time, or if it really was a big deal, I became a help and an advocate to get them the resources they needed.
Cody (19:10):
Yeah, the cost of jumping around. And we have to say a lot of times, like one of the biggest, like obstacles in cybersecurity is the lack of focus. To your point, it's like there's always something you can do, right? There's no short thing that you can, but it's like, how do I focus, take time, push together initiatives, and then make a list and go after and then report that back out.
Aaron P. (19:26):
So we normally ask our guests for a fun fact. I'm going to switch mine a little bit because I think I know what you'll probably say here, but I'm gonna, I'm gonna go out on a limb here. What, you know, both of us traveled a lot internationally when we were in the pharmaceutical world. What is your most interesting international experience?
Chris Reed (19:46):
Yeah, Aaron knows this probably a little bit, right? I mean the witness maybe I have been a little, I've been fairly fortunate to travel a fair amount, not quite to every continent yet, but pretty close. But I got an amazing experience at the pharma company I worked at. And, to make a long story short, I was put on a short-term assignment where I got to move my entire family over to Shanghai and my four year old and five year old got to go with
(20:10):
us and with my wife and we decided to live smack dab in the middle of the city on the 16th floor of a high rise apartment,
Cody (20:18):
Just immerse yourself.
Chris Reed (20:19):
Just immersed in, and, um, and really just had the most amazing experience there. My wife was amazing that every day when I was at work, she would go out and adventure and they had such amazing experiences. I guess my fun story for this, and I wasn't there, but I have pictures of it. They went to the zoo one day and things work differently in
(20:39):
China. So you know, how you can do a ride like through the exhibit and see the tigers off in the distance and things like that. Yeah. Well, in China they have bars on the windows and my kids put their hands on the bars to try to see out. And then immediately the guide was like, no, no, no, no, no. Like pulling their hands off. And then my kids were like, what's going on? What's going on? And about five minutes later they took a chicken and put it
(21:00):
out the window and the tigers came up and ate it on the side of the vehicle.
Aaron P. (21:04):
You don't want to be your hands mistaken for a chicken.
Chris Reed (21:06):
So they had trained the tigers that food comes out the window. So
Cody (21:11):
It's like they're coming to your zoo. You're just like parading through there and they're like a little exhibit.
Chris Reed (21:15):
It is. So in China has all sorts of fun things like that, but it was also an amazing environment. The people in China are just amazing and so friendly and welcoming. And there was just the amazing experience all around. Oh, that's cool.
Aaron P. (21:28):
Well, Chris, we bumped into each other at the biohacking village at Black Hat slash DEF CON, but it's really DEF CON. Yep. And, you know, I was wading through the massive, every year it gets worse, like the shoulder to shoulder, massive body odor, just uncomfortable. Like, I don't know, but anyway, once you get past all that drama
(21:48):
Yeah, Cody, you're going next year in my place, uh, once you get past all that, you get to the really cool exhibits in the biohacking villages, med devices and chance for people to try to hack them. Tell us about your experience there. Tell us what else goes on in that and what is accomplished by that?
Chris Reed (22:05):
Yeah, great. Great question. Yes, the biohacking village has been around for a number of years now and the scope of it isn't just medical devices. They do implants and they've talked about how to make pharmaceuticals like insulin. They do any type of biotechnology, if you will. But medical devices have specifically found a space
(22:27):
there. It's been the passion of some people in the industry. There's a group called I Am The Cavalry and they work in multiple areas, but a few of their leaders created the biohacking village and invited manufacturers to come in there to talk and interact with security researchers or hackers, whichever term you want to use. I was not Medtronic back in the day, but one of the things
(22:49):
that's happened at Black Hat and DEF CON is, when people have bad practices, hackers like to find it and expose it, make it public. Right. And so back in 2018 Medtronic was one of those companies that was, they looked at pacemakers and insulin pumps. And basically after that, it created quite an almost adversarial relationship for some period of time until
(23:11):
manufacturers became more aware of this coordinated disclosure and how do we work together? And if we find a flaw, report it, get it fixed,
Aaron P. (23:18):
Hackathon, like get it all out on the table, potentially even offer rewards, right?
Chris Reed (23:22):
Exactly. In medical devices, we haven't quite gotten to the bug bounty point yet. It's a discussion that's happened, but we actually show up at the biohacking village now and I think we had over 10 manufacturers there this year and we bring our devices. So this year we had our implantable heart rate monitor link, along with a telemetry reader, like what it communicated with, and an iPad that had the app running on it.
Aaron P. (23:44):
And I think you're missing the laser that cuts sharks, or maybe it was an apple or something.
Chris Reed (23:49):
Yeah. Yeah. Right. So we had a, we also had a powered surgical tool. It wasn't a laser, but power is quite an interesting tool in surgery. So they can use electricity to heat instruments or things like that. Yeah. So if you go get your tonsils out, they'll use a blade to do it, but they superheat it so that it actually cauterizes as it cuts.
Cody (24:08):
Yeah, that's what I had done.
Chris Reed (24:09):
So we have power generators and so yes, we had a demo where we had an orange and we were,
Aaron P. (24:14):
Orange, yes.
Chris Reed (24:15):
We call it ablating, which means kind of burning to close.
Aaron P. (24:18):
Yeah.
Chris Reed (24:18):
We were basically searing the orange and it was creating a nice, a nice stench for the room.
Aaron P. (24:23):
Yeah. It's not an orange peel that I would want to put in a cocktail after going through that.
Chris Reed (24:27):
It's been scarred up pretty good.
Cody (24:29):
For the old fashioned.
Chris Reed (24:31):
Yeah. And we also had a light bulb we would connect it to, to show how we could literally power the light bulb, the power flowing through the scissors from the surgical equipment and things like that. So we had our engineers there. Yeah. They answered questions. Yeah. The hackers could sit down and we had them actually, you know, we have Bluetooth operating on one device; on that device it had an RFID prox card interface that someone was
(24:55):
messing around with. They were connecting to all the ports and interacting and so they could do. So it's a great learning experience and I think it creates an appreciation from the attendees, because they're seeing how seriously we take this and some of the problems we're trying to solve. It's not your typical desktop computer. There's some pretty complicated stuff, we're in safety issues we're trying to manage.
(25:16):
But at the same time, we are engineers, when they watch them go after things they're like, I would have never thought someone would have done that. And so they learn too. It's a really great environment to me.
Aaron P. (25:24):
So how many challenges have been found? Or, do you know this? Yeah, how many things?
Chris Reed (25:28):
So one of the things we push in the village is coordinated vulnerability disclosure. And I didn't even realize this till this year, but they have a capture the flag running where there's a bunch of simulated things, but if you find a vulnerability in one of the products of the manufacturers, you score extra points.
Cody (25:41):
Ooh.
Chris Reed (25:42):
So, the winner this year, you can see when he turned in all of his vulnerabilities, because his score goes straight up, and he got a score way past what you could get solving all the challenges.
Aaron P. (25:52):
Oh, wow.
Chris Reed (25:52):
So I think we did not have anything found, and you can go on Medtronic.com/security. We have a blog post about our experience there. We would absolutely welcome it if we did. We didn't have any, but my understanding is at least 16 this year got found in the room and reported them to the manufacturer.
Cody (26:07):
Okay. Excellent, man. So what would you say, I know we're getting close to time here, but what would you think, looking at the next year to three years, what are the big challenges that you see coming? And I would say too specifically to, to medical devices and to like the IoT medical field and cyberspace.
Chris Reed (26:22):
Yeah, I think the biggest challenge that I'm passionate about right now is medical devices.
They have long development life cycles.
They've grown up in the hardware space where you work really hard on that initial release, and then you run it for, you know, 5, 10 years and don't make a lot of changes because every time you change it, it's risky.
So the biggest issue we're working on is how do we come up
(26:44):
with reasonably rational maintenance cycles on these devices?
We can't do like monthly patches, and that's not just for the manufacturers, like even our downstream healthcare, like the hospitals.
If you ask them to go touch devices every month in every hospital room, it would be an impossible task.
So.
We're working through jointly, what are those rational cycles
(27:07):
and what do they look like?
And that will change based on the type of platform.
So like a pacemaker, which has very little third party software, we're probably not going to have a very fast life cycle or a maintenance cycle.
It might be years.
We're not even, since we have so few third party software items, it might not, we have the ability to update it, but we might never update it.
Whereas if you have a workstation that's interacting
(27:29):
with an MRI that runs special software and it's running native Windows.
Cody (27:33):
Yeah.
Chris Reed (27:33):
Well, maybe that's
quarterly or every six months.
Aaron P. (27:36):
That's probably more targetable, right?
Versus a pacemaker that may be harder to get to.
Chris Reed (27:40):
Exactly.
Yeah.
Yeah.
And has more just because they're using more off the shelf software, that's more vulnerable.
And just more complex software, right?
Aaron P. (27:48):
Threat modeling come
into this at all?
I'm trying to get to what should you prioritize based on the actual threat?
Chris Reed (27:55):
Yeah, luckily we've been really fortunate that FDA, instead of some regulatory agencies, authorities, they've really not tried it.
They do have some amazing expectations around the types of controls they expect and the guidance they actually just finalized last week, including signed and verified firmware on devices and things like that.
So they have some pretty advanced expectations, but even
(28:17):
that is not a checklist.
It's not you need to have this in your product.
It's here's the controls we expect you threat model, and then you give us the information of why the choices you made are rational, and we use threat modeling to do that and then present that case to FDA, and they kind of gut check to make sure we've made a good decision.
Just a really quick example of that.
Um, you know, we all think of authentication, even multi
(28:40):
factor authentication, as like a, that's a no brainer.
You put it on everything, right?
Well, if you have a device in the ER that needs to be accessible right away to, like, jump someone's heart.
Yeah.
Stopping the like badge on
Cody (28:53):
Hold on.
Let me pull out my authenticator and get my 62 code real quick.
Chris Reed (28:56):
Not a good idea.
Aaron P. (28:57):
I left my badge in the
cafeteria.
You're going to have to wait, Cody.
I'm sorry.
Chris Reed (29:01):
Right.
So we have to, threat modeling helps us work through those to come up with that benefit risk analysis and come up with the right rational controls.
And so a lot of devices like that have no authentication in the room, but of course if they're network accessible, they do.
Aaron P. (29:15):
So last thing, it's Cyber Awareness Month, Cody and I were on a recent podcast, trifecta podcast with the Cyber Ranch, Allan Allford and George Kamide at Bare Knuckles and Brass Tacks.
And it was a little bit of a rant on awareness month and that it can turn into the vendor sea of marketing messages.
(29:36):
And then on the employee side, ill-defined programs that are just pushing stuff out.
That's just creating a bunch of white noise.
So we banded together.
We challenged the community to think about cyber community month, of how you're giving back to your communities, whether that's within the workforce or within your actual community.
(29:57):
We're doing something here with a local nonprofit to kind of give back.
But my question for you is thinking about, maybe, community.
Groups, kids, you have kids.
We, all of us, have kids here or elder parents.
One, what's the group that you think needs the most help that's not maybe in your day job?
And two, what's your best tip that you would give them here in
(30:20):
October to really help them as a community in need?
Cody (30:24):
Good questions.
And for listeners, man, this was not teed up.
Aaron P. (30:26):
So this is off the
cuff.
Chris Reed (30:28):
Yeah.
I think, I always get really concerned about youth, and I know there's some good materials out there for them, but even just watching how my kids interact with technology, sometimes I'm terrified about decisions they make.
I definitely think, one of my biggest fears, I have a mom who actually has Alzheimer's even, and she uses an iPhone.
And the thing I'm most terrified about is all these scam messages
(30:50):
coming across on text and things like that in phone calls.
So I think on that side, just helping people with the right tools, but then on the use side, teaching them things like how to use the password manager on their phone.
I have simple things I teach my kids around.
Hey, these passwords you keep memorized, but all these game sites and stuff that you could care less if someone gets your
(31:11):
account, you need to be using a unique password, keep it in your keychain.
You should never have to worry about remembering that thing, right?
Just those types of strategies for kids.
I'll catch my kids just not even reusing the same password places.
So I think things like that for our youth, to help them understand what this world is like, and definitely how not to get themselves in trouble.
(31:31):
Cause, you know, it's an interesting time out there, right?
Cody (31:35):
A lot of access to a lot
of things.
Chris Reed (31:36):
Yes.
Aaron P. (31:37):
Awesome.
Well, this has been a great conversation, Chris, thanks for coming on.
Hope you have a good rest of the weekend and we'll see you next time.
Thanks Cody.
Thanks again.