October 26, 2022 23 mins

We live in a world of increasing interconnectedness through the internet and the rapid development of new technologies, even as growing threats continue to put it all at risk. Learn all about the national perspective of cybersecurity, counterintelligence and how businesses can ensure their systems and data remain safe from malicious actors with SNC’s Vice President of Security Robert Daugherty.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Ariel Stenger (00:00):
Hello and welcome to this episode of You Got
Hacked, a podcast produced by Sierra Nevada Corporation's
cybersecurity team. On You Got Hacked, we focus on
cybersecurity issues, current events and technology solutions
specific to protecting Operational Technology at the
endpoint to make you, your family and your community
smarter, safer and more secure from the ever evolving cyber

(00:22):
threat landscape. I'm your host, Ariel Stenger. So, as of June
2022, the Russian invasion of Ukraine is still ongoing, and
news is constantly changing. Because the event is still
happening, the information in this episode may be or may
become slightly outdated. But trust us, it's intended to show
a snapshot of time as we watched the invasion happen back when we

(00:45):
recorded in February. A day after Russia invaded Ukraine,
and reports of Ukrainian government and banking sites are
under cyber attack, I'm sitting here with Robert Daugherty, a
key leader here at SNC for security and safety and we're
going to chat about cybersecurity on a global front.
As you all may know, I do have a master's in international
security from the Korbel School in Denver, and have been

(01:07):
passionate about history and global politics as long as I can
remember. So today, it's a real treat for me to be here with
Robert because we'll be chatting about company-wide cybersecurity
amid an increasingly competitive threat landscape for foreign
adversaries, malicious actors, hobbyist hackers and more. But
before we get started, Robert, thank you for being here and for

(01:27):
taking the time.

Robert Daugherty (01:28):
My pleasure.

Ariel Stenger (01:28):
And could you give us just a quick idea of who
you are, how you got to where you are right now, and why
cybersecurity?

Robert Daugherty (01:36):
Oh, goodness. Well, kind of going back all the
way to the beginning of the internet, I consider myself
extremely fortunate for being at the right place at the right
time, in my career. Really got into IT, you know, kind of at
the dawn of the internet, if you will, so I'm kind of dating

(01:58):
myself quite a bit. And was very fortunate to make some good
decisions very early that were on track with where things are
going from a technology standpoint. I work for a
startup, small startup company in Austin, kind of right out of
the military. And that company was acquired by Polycom. So, we

(02:18):
had to do a lot of stuff very quickly, you know, in a startup
environment, learning everything about different protocols and
ports, and how to secure things voice communications, video,
telecommunications, you know, circuits, all of that stuff.
This is back in the early '90s. So things were a lot harder back
then. And there weren't a lot of resources, you could go to, to,

(02:39):
you know, find out how you're supposed to do something. So we
had to do a lot of, you know, on the job training daily, which I
really enjoy. But we had to learn a lot quickly in order to
be able to stand stuff up. So part of that was figuring out
how to secure things, because even then, at that point, that
was all still something that was fairly new. You had to handle a

(03:01):
lot of things like firewalls at the time. So that's kind of how
I get started, security has always been kind of a component
or part of what I've been doing. And then right after 9/11, I
made a decision to go to try to do something to contribute to,
you know, to that effort, and ended up working at NSA and then
the CIA for almost 15 years after that. So really, super

(03:26):
hard focus on security in general. Everything from
physical operational security, you know, how to hide things and
then just protecting programs. So really, again, concentrated
very short amount of time to learn a whole lot of stuff about
security. And that again, I consider myself very fortunate

(03:46):
to have been exposed to that. Decided, I decided to make a
change in 2015. Honestly, I kind of woke up one day and realized
that I'd been doing what I'd been doing for so long and had,
that was not kind of the plan. Like a lot of people that were
brought in right after 9/11, we thought well, this is going to
be over fairly quick. I didn't think 15 years later, I'd be

(04:09):
doing kind of the same stuff. So career wise.

Ariel Stenger (04:12):
No one did.

Robert Daugherty (04:12):
Yeah. You know, it's just, it's
astonishing because you, it's not that you weren't you know, I
got comfortable. It's just that the work was not going to end
that...right. It was not going to stop, decided to go on pursue
an executive MBA to try to make certain make myself a little bit
more marketable, pick up some things that I had not really
been able to focus on for the last 15 years within the

(04:34):
intelligence community. And then started looking for kind of a
chief information security role or Chief Security Officer role.
Not really private sector because we're a defense
community and have IC customers or intelligence community
customers. So I went to go work for another company before I
Yeah, you're far too humble. Your journey has been is very
came here and in early 2018. And it's been a, it's been a
fantastic four years. We've achieved a I mean, more than

(04:57):
most organizations could even even, you know, conceptualize
we've been able to do in the last four years here. So, really
proud of the work we've done.
impressive. And it's, I think something that as newer and
earlier in my career I admire a lot. So thank you. Thank you for
sharing. I couldn't ask though, when you were a kid, were you

(05:21):
thinking, Chief Information Officer?
No, I mean, it wasn't. You know, I grew up in an era where kids
drink out of the hose and grow in the back of pickup trucks,
and you had to be home when the street lights came on, you know,
that. No, that...I, when I grew up, I actually wanted to be an
astronaut. So it's, you know, I can remember just like it was

(05:41):
yesterday, my dad coming in to wake me up to watch the, you
know, the Apollo 11 landing on the moon, you know, our glorious
black and white TV back then. He was a huge, huge space nerd. And
we built scratch models of like the LEM, the Lunar Excursion
Module, and the Apollo, like, from paper towel tubes, and
toothpicks, and things like that. And he really, really

(06:04):
inspired you know, that part of me kind of more the science side
more the space side. And when SNC reached out in 2017 to start
the conversation that, you know, led me to the role, really
wasn't as familiar with SNC as some of the larger tiers, but
definitely familiar with some of the programs and the platforms,
because we were using them in the IC. So like, oh, that's who

(06:26):
that company is. But I didn't know at that time, you know,
there was a whole space component. So that's been a very
exciting piece for me is just being able to be able to support
that and that we've been supporting Sierra Space as they
get ready to spin off and all their cybersecurity concerns,
you know, for several months now. So no, answer, direct
answer's no, I'd you know, I wanted to be an astronaut. So,

(06:46):
but being able to work in an industry that at least supports
that is about close enough, I think.

Ariel Stenger (06:52):
Absolutely. I can, I can imagine a little
Robert building your Apollo with paper towels and everything and
be like where does cybersecurity fit on this device. But in all
seriousness at SNC, I mean, we are, we are a large and quickly
growing company. How do you approach kind of the bird's eye
view of cybersecurity? It's kind of, what's your philosophy?

(07:13):
And...

Robert Daugherty (07:14):
Wow, well, we are told this is not just coming
from us that is coming from...we just met with one of the you
know, a very large vendor here at Rocky Mountain Campus
yesterday, conversations with Amazon, Microsoft, other very,
very large internet scale companies. They're telling us
that we're doing something different. They're telling us

(07:36):
that the larger primes are not doing what we're doing, which to
me is which, you know, it's kind of hard to understand or believe
because everything we're doing is just common sense to us.
Apparently, it's hard to do. So we operate from what I would
call a counterintelligence mindset. We assume that we are

(07:56):
breached, we assume that we have an active insider threat at all
times. So starting about four years ago, we established the
ability to start threat hunting, and then have in you know, a
really robust incident response capability. If a determined
nation state threat actor, Chinese or Russians as an
example, use them because they're our two biggest ones

(08:17):
that kind of pound away at our perimeter every 24 hours. If
they put kind of the A Team against us, we're going to be in
trouble. Just recently, last week, CISA, NSA, FBI came out
with a warning about increased Russian activity.

Ariel Stenger (08:34):
CISA stands for the Cybersecurity and

Robert Daugherty (08:34):
But in that warning, they indicated that at
Infrastructure Security Agency. It's part of the Department of
Homeland Security. And you may not have heard of that before,
because it's one of the newest organizations and agencies in
the federal government. It was founded just in 2018. And their
real mission and their charter is to lead the national effort

(08:54):
to understand, manage and reduce risk to our cyber and physical
infrastructure. You can learn more by checking them out online
CISA.gov.
least two of the larger primes, you can kind of take your pick,
experienced significant breaches in the past year. One of them,
it took them six months to detect that they had been

(09:15):
breached. So the damage is pretty significant. So with that
counterintelligence mindset, constantly hunting, assuming
that we're breached, we can find things much quicker and be able
to respond to limit damage. So if the idea is find it, contain
it and get it out, right, so we've been very successful last
couple of years of doing that. Most people in the company have

(09:36):
no idea what we're doing on a, you know, a daily basis to
protect the organization and them as individuals or

Ariel Stenger (09:43):
Yeah, yeah. I mean, it's, it's a catastrophic
individual employees.
sort of impact if you're in that six month window of being
breached. And just the far reaching and the unknown
unknowns about what's happening on your network is, it's hard to
think could be a reality, but it sounds like with a
counterintelligence mindset, we, we kind of proactively we're one

(10:03):
step ahead and constantly, constantly trying to prevent and
mitigate any of those risks. What about from a national
perspective? So, I mean, the US, and in other countries in NATO
especially, have been applying sanctions to to Russia. What do
you think? How effective do you think sanctions are? Would you

(10:26):
say that there are any other tools in our, in our, in our
tool set from a nation perspective?

Robert Daugherty (10:32):
Well, I think even the news that's broke, you
know, broke in the last 24 hours. Russia was prepared, in
my opinion, you know, based on open intelligence and resources
that are available, they knew this was coming, they've been
preparing for it. I think the impact is going to be, you know,
not insignificant, but pretty minimal to them, you know, for

(10:52):
their activities going into Ukraine. An established pattern
of behavior, we kind of know what they're what they're doing.
This goes back to old school and what I trained up in the
military is you you see things like this far in advance,
something like a, I guess we call it kind of a black swan
effect of a terrorist attack is much harder to detect.

Ariel Stenger (11:11):
A black swan effect is an event that is so
rare, but has such a severe impact, and will probably be
talked about in history books, even though they're rare people
and companies try to prepare for them as best they can. And
because the consequences are just so high, and that they
impact the day to day society as well. It's an example of Black

(11:31):
Swan effect, was something that you probably felt as well, the
2008 financial crisis, where everyone, everyone felt the
impact of that.

Robert Daugherty (11:40):
Moving large scale forces armies and
preparing to do something, you know, you can see the stuff
that's on TV from a satellite reconnaissance standpoint, we
kind of know everything that's going on, or on Twitter or Tik
Tok, and all these other media sources, and Russia is allowing
that stuff to get out to and it's on purpose, you know, so
they're there. It's a well known playbook. And they've been doing

(12:00):
it for quite some time. The interesting thing about all this
to me, though, is that the media is not reminding folks what
happened in 2017. So people who have just forgotten that
WannaCry and NotPetya originated out of that area during the time
of conflict, and cost the world billions and billions of dollars
in damages.
It's just you know, 2017 was not that long ago. But really none

Ariel Stenger (12:19):
So in June 2017, Ukraine was the unfortunate main
recipient of a series of NotPetya malware attacks. These
powerful cyber attacks took down Ukrainian websites for banking,
ministries, newspapers and electricity firms costing over
$10 billion in damages. This was similar to the WannaCry
ransomware attacks you might have heard of, they haven't just

(12:41):
a month earlier in May 2017.
of the talking heads and the experts on TV are even referring
to that as a potential outcome of what's happening right now.
So we're very concerned, on alert, you know, I'd say not
high alert, but a heightened sense of, you know, awareness
that we need to be on the lookout for something like that.

(13:03):
Yeah, I think that counterintelligence mindset
coming back to the surface here and, and taking the lesson from
history is really powerful. You mentioned CISA and FBI and the
alert that they posted publicly last week. And all the private
investment that we have here on the on the DoD side, what do you

(13:25):
what do you see as a missing element or missing link? I mean
the US cybersecurity posture from a, from a national
perspective, is, still feels a little bit vulnerable from where
I'm sitting. What kind of components could we ingest?

Robert Daugherty (13:41):
I, you know, it's a good thing, I think that,
you know, I'd say average, I hate to use the term average,
but average American citizen just doesn't know what's going
on. Otherwise, I think a lot of people would lose more sleep.
We're extremely vulnerable. We're an open society, you know,
the Internet was, you know, became came into existence here.

(14:02):
And it was never intended to be secured or kind of locked away,
like it is behind the Great Firewall of China or Russia
developing their own capability to, you know, cut off access,
during times of conflict or something. So it's just kind of
something that you have to accept, there's risk associated
with being connected to the internet. We've made huge
investments in what I've called the cybersecurity stack to

(14:24):
protect the company. But I look at that as kind of the price of
admission just to connect to the internet, that stuff is there to
prevent kind of the known stuff, then going back to that
counterintelligence mindset, the new things or what that that
stack is not going to detect. So our ability to analyze data and
look for anomalies is really what saved our bacon, if you so

(14:46):
to speak multiple times in the last couple of years, but as a
country, you know, we're seeing an emphasis. CISA has been an, I
think what they just celebrated their third anniversary, they're
becoming much more public. There's still some growing pains
there. There has not been a concerted effort to try to, you

(15:06):
know, coordinate and orchestrate things, you know, different
organizations are still doing, we have FBI cyber that we work
with quite a bit. We have intelligence community partners
that we work with quite a bit. We just don't, you know,
advertise all of that. So there's information assurance
going both ways. Most of those organizations, they're either to
warn you at the potential of something happened or help you
after the fact; we have no, there's, we're on our own. From

(15:29):
a defense standpoint, we defend ourselves, we don't we don't
have, you know, we're not hiding behind resources that the NSA
provides, you know, nationally, there is no such thing. So, most
of the capability at the federal level is, is post event or
reactive. But they are getting better with the alerts. And I
think you're seeing just like the one you mentioned, with the

(15:51):
frequency of joint alerts from multiple agencies in the
coordination, that should be an indicator that you really need
to pay attention to that, because there's a lot of
classified stuff behind it that the of course can't disclose,
you know, in a in a public posting like that.

Ariel Stenger (16:05):
Yeah, and having that one voice of advice is is
more powerful at this point, especially when there are so
many multiple fronts and open, vulnerable points from, from the
national perspective. This may be a somewhat tenuous
conversation, but cyber espionage, I mean, espionage in
a historical sense, has always been part of the art of war and

(16:27):
a nation state building. But within the cyber world, and
coming from an American perspective, where we are an
open society, what do you think the line is, in terms of cyber
espionage? And then offensive and or in a defensive sort of
perspective?

Robert Daugherty (16:42):
That is a great question. One of the I
think the problems that we have as westerners whether western
mindset is we, it's very difficult to put ourselves in
the shoes of a Chinese intelligence officer or Russian
intelligence officer. They don't play the game the same way we
do. And it was kind of this gentleman's gentlewoman's

(17:03):
agreement for a long time that there's certain lines that you
just don't cross. That all went away a couple of years ago. And
if you talk to, and we've been very fortunate to have some of
our IC partners come in and give us classified briefs on, you
know, what's going on in the world, that there are no hard
lines when it comes to that now. And the ability to reach out and

(17:23):
touch somebody virtually or through technology is much less
risky from a operation standpoint than trying to
develop an asset somewhere, developing meaning I'm trying to
recruit somebody in a company to get them to give me information
or pay them to give me information, things like that.

(17:44):
Historically, people with secrets or leaders were targeted
by, you know, foreign intelligence entities. Well,
it's a whole lot easier to go after your systems
administrators because they have keys to everything and
compromise their accounts or compromise their home accounts
or personal stuff so they can get insight into what they're
doing in the company, than it is to try to, you know, get assets

(18:06):
and country in the location to try to start collecting, you
know, intelligence on a on an organization like us. Does that
still happen? Yes. We get a lot of information from the FBI from
a domestic standpoint of what potential threats are, we
successfully prosecuted insider threat case last year, went to
court, the individual pled out, was facing, you know, 10 years

(18:29):
in federal penitentiary. Fortunately for him, he was able
to plead out and receive a much reduced sentence and probation,
but lost his ability to ever have a clearance again, or work
in the defense industry. I had been in organizations where
foreign intelligence assets actually have been recruited and
the damage is just catastrophic. So that's a really, it's a,

(18:51):
that's a tough one, because I look at it from an operational
standpoint, you know, they don't, they don't stick to the
same norms we do as a society, they're things that I would
think even as an adversary, I would never do to somebody
because it's just not, you know, culture. That's how I was
raised. That's not the case in those those organizations are

(19:13):
within that culture. So, you know, it's often described that
we're playing a game, you know, certain games, and they're
playing another game, just different, you know, from a
mindset perspective of how they approach that.

Ariel Stenger (19:25):
Yeah, that's, that's a massive challenge,
especially, I mean, as you mentioned, here at the end, the
cultural perspective, and just, it's so difficult to empathize
with someone who we don't share initial values with. But I'm
wondering with these blurred lines and with a human in the
loop constantly in the cyber world and, and how humans we

(19:45):
just we can't help ourselves, we are, we are vulnerable points in
a secure system.

Robert Daugherty (19:50):
Our greatest assets, but also one of the most
vulnerable that we have.

Ariel Stenger (19:54):
Yeah. So like with with, like, knowing that,
that that context What do you think about a sort of line, an
arbitrary line? And it's, it's always a fool's errand to try to
predict the future or to set out to set a rule before it's ever
happened. But what would you say is the, is the line that if
crossed, would be an act of war, or something similar?

Robert Daugherty (20:19):
I think we've, we've come close several times.
I think if you, if you're following the news, and I'm
trying to remember when it started, there's the whole
Havana syndrome situation with State Department, you know,
officers in embassies that have been targeted with some type of
electronic or energy type weapon that had been permanently

(20:41):
injured. That to me is, that's crossing that line. Maybe it was
not intended, you know, maybe it was a some kind of passive thing
that ended up being, you know, active against a human being
that, you know, they didn't attend to that happen, but it's
continued on. And contrary to some of the talking heads and
experts that you see on TV talking about, oh, it's crickets

(21:02):
or something like that? No, it's not, you know, and it's, it's an
ongoing problem. So that, to me, is a line. Attacking critical
infrastructure and purposely trying to harm people, that to
me would be an act of war, or flipping the switch within, you
know, water, water treatment plant and poisoning, you know, a

(21:22):
water source or causing a chemical spill might be local,
but still, you know, have that kind of have that impact. There
are a number of things like that, but going after physical
infrastructure to harm people, that to me is crossing a line,
we kind of played this cat game mouse on the on the virtual side
all the time, like, you know, systems hacked, alright,

(21:43):
whatever, you know, we kind of have this, that's something that
we accept. But, you know, maybe financial, that's another area
that while banking does a very good job of protecting those
networks and those systems, not being able to conduct business,
not being able to make financial transactions for an extended
period of time, that to me would be another indicator that

(22:04):
they've gone too far in what they're doing.

Ariel Stenger (22:07):
Yeah, thank you. Very interesting. It's been
super wonderful to chat with you and to learn a little bit about
the counterintelligence mindset and also just concerns that we
can, that we can actually act upon as, as citizens here and
ways that we can look at look at our cyber hygiene maybe a little
bit differently, and also consider what the impacts are of

(22:27):
geopolitics around the world.

Robert Daugherty (22:29):
Right. So it's been a pleasure and just always
reminder to everybody just stay vigilant. You know, if you, if
you think something's off, please let somebody know,
because there could be good reason why you're, you know,
you've noticed something. So thank you. Really appreciate the
time here today.

Ariel Stenger (22:44):
Wonderful. Thanks, Robert.

Robert Daugherty (22:45):
Thank you.

Ariel Stenger (22:46):
Thank you for listening to this episode of You
Got Hacked, brought to you by Sierra Nevada Corporation's
cyber team. For more information, you can visit us
online at sncorp.com. That's sncorp.com. Special thank you to
our guests, and of course, all of you our listeners. I'm Ariel
Stenger. See you next time.