Thoughts on Trends in Cybersecurity, Tech, and Innovation -- Recent Interviews of Chuck Brooks

Sharing a few of my recent interviews on topics of cybersecurity, homeland security, emerging technologies, and innovation. Thanks for reading and sharing.

For more content, kindly follow me on LinkedIn. linkedin.com/in/chuckbrooks

Thanks!


CISOs under pressure: Protecting sensitive information in the age of high employee turnover

CISOs under pressure: Protecting sensitive information in the age of high employee turnover - Help Net Security

In this Help Net Security interview, Charles Brooks, Adjunct Professor at Georgetown University’s Applied Intelligence Program and graduate Cybersecurity Programs, talks about how zero trust principles, identity access management, and managed security services are crucial for effective cybersecurity, and how implementation of new technologies like AI, machine learning, and tracking tools can enhance supply chain security.

CISOs believe they have adequate data protection measures, yet many have dealt with the loss of sensitive data over the past year. How do you reconcile this apparent contradiction?

The loss of data despite protection measures is not that surprising. We are all playing catchup in cybersecurity. The internet was invented in a government laboratory and later commercialized in the private sector. The hardware, software, and networks were originally designed for open communication. Cybersecurity initially was not a major consideration. That mindset has surely changed due to the explosion of connectivity and commerce on the internet and CISOs are playing a big game of catch up too.

There are a multitude of causes that can account for the exfiltration of sensitive data. The first being that hacker adversaries have become more sophisticated and capable of breaching. The basic tools and tactics hackers use for exploitation include malware, social engineering, phishing (the easiest, most common, especially spear-phishing aimed at corporate executives), ransomware, insider threats, and DDoS attacks. Also, they often use advanced and automated hacking tools shared on the dark web, including AI and ML tools that are used to attack and explore victims’ networks. That evolving chest of hacker weaponry is not so easy for CISOs to defend against.

Another big factor is the reality that exponential digital connectivity propelled by the COVID-19 pandemic has changed the security paradigm. Many employees now work from hybrid and remote offices. There is more attack surface area to protect with less visibility and controls in place for the CISO. Therefore, it is logical to conclude that more sensitive data has and will be exposed to hackers.

The notion of adequate protection is a misnomer as threats are constantly morphing. All it takes is one crafty phish, a misconfiguration, or a failure to do a timely patch for a gap to provide an opportunity for a breach. Finally, many CISOs have had to operate with limited budgets and qualified cyber personnel. Perhaps they have lower expectations of the level of security they can achieve under the circumstances.

As the economic downturn pressures security budgets, how can CISOs optimize their resources to manage cybersecurity risks effectively?

CISOs must enact a prudent risk management strategy according to their industry and size that they can follow to allow them to best optimize resources. A good risk management strategy will devise a vulnerability framework that identifies digital assets and data to be protected. A risk assessment can quickly identify and prioritize cyber vulnerabilities so that you can immediately deploy solutions to protect critical assets from malicious cyber actors while immediately improving overall operational cybersecurity. This includes protecting and backing up business enterprise systems such as: financial systems, email exchange servers, HR, and procurement systems with new security tools (encryption, threat intel & detection, firewalls, etc.) and policies.

There are measures in a vulnerability framework that are not cost prohibitive. Those measures can include mandating strong passwords for employees and requiring multi-factor authentication. Firewalls can be set up and CISOs can make plans to segment their most sensitive data. Encryption software can also be affordable. The use of the cloud and hybrid clouds enables implementation of dynamic policies, faster encryption, drives down costs, and provides more transparency for access control (reducing insider threats). A good cloud provider can provide some of those security controls for a reasonable cost. Clouds are not inherently risky, but CISOs and companies will need to recognize that they must thoroughly evaluate provider policies and capabilities to protect their vital data.

And if a CISO is responsible for protecting a small or medium business without a deep IT and cybersecurity team below them, and is wary of cloud costs and management, they can also consider outside managed security services.

How can organizations better safeguard their sensitive information during high employee turnover?

This goes to the essence of the strategy of zero trust. Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Organizations need to know everything that is connected to the network, devices & people.

Identity access management, or IAM, is very important. IAM is the label used for the set of technologies and policies that control who accesses what resources inside a system. A CISO must determine and know who has access to what data and why. If an employee leaves, they need to immediately revoke privileges and ensure that nothing sensitive was removed from the organization. There are many good IAM tools available from vendors on the market.

Certainly, with employee turnover, there are ethical and trust elements involved. Employee insider threats are difficult to detect and manage. Some of that can be addressed upfront in employment contracts; with an employee understanding of the legal parameters involved, it is less likely that they will run off with sensitive data.

We’ve seen increased CISO burnout and concerns about personal liability.

Yes, the burnout is a direct result of CISOs having too many responsibilities, too little budget, and too few workers to run operations and help mitigate growing cyber-threats. Now the personal liability factors, exemplified by the class action suit against SolarWinds’ CISO and the suit against Uber’s CISO for obscuring ransomware payments, have heightened the risk. In an industry that is already lacking in required numbers of cybersecurity leaders and technicians, CISOs need to be given not only the tools, but the protections necessary for them to excel in their roles. If not, the burnout and liability issues will put more companies and organizations at greater risk.

How are these challenges impacting the overall efficacy of CISOs in their roles, and what measures can be taken to address them?

Despite the trends of greater frequency, sophistication, lethality, and liabilities associated with incursions, industry management has been mostly unprepared and slow to act at becoming more cyber secure. A Gartner survey found that 88% of Boards of Directors (BoDs) view cybersecurity as a business risk, as opposed to a technology risk, according to a new survey, and that only 12% of BoDs have a dedicated board-level cybersecurity committee.

“It’s time for executives outside of IT to take responsibility for securing the enterprise,” said Paul Proctor, Chief of Research for Risk and Security. “The influx of ransomware and supply chain attacks seen throughout 2021, many of which targeted operation- and mission-critical environments, should be a wake-up call that security is a business issue, and not just another problem for IT to solve.”

CISOs not only need a seat at the table in the C-Suite, but they also need insurance protections comparable to other executive management that limit their personal liability. There is no panacea for perfect cybersecurity. Breaches can happen to any company or person in our precarious digital landscape. It is not fair or good business to have a CISO go at it alone. In a similar context, cybersecurity should no longer be viewed as a cost item for businesses or organizations. It has become an ROI that can ensure continuity of operations and protect reputation. Investment in both the company and the CISO’s compensation and portfolio of required duties need to be a priority going forward.

As supply chain risk continues to be a recurring priority, how can CISOs better manage this aspect of their cybersecurity strategies, especially under constrained budgets?

Ensuring that the supply chain is not breached including the design, manufacturing, production, distribution, installation, operation, and maintenance elements is a challenge to all companies. Cyber-attackers will always look for the weakest point of entry and mitigating third-party risk is critical for cybersecurity. Supply chain cyber-attacks can be perpetrated from nation-state adversaries, espionage operators, criminals, or hacktivists.

CISOs require visibility of all vendors in the supply chain along with set policies and monitoring. NIST, a non-regulatory agency of the US Department of Commerce, has a suggested framework for supply chain security that provides sound guidelines from both government and industry.

NIST recommends:

  • Identify, establish, and assess cyber supply chain risk management processes and gain stakeholder agreement
  • Identify, prioritize, and assess suppliers and third-party supplier partners
  • Develop contracts with suppliers and third-party partners to address your organization’s supply chain risk management goals
  • Routinely assess suppliers and third-party partners using audits, test results, and other forms of evaluation
  • Complete testing to ensure suppliers and third-party providers are able to respond to and recover from service disruption

Other mitigation efforts can be done with the acquisition of new technologies that monitor, alert, and analyze activities in the supply chain. Artificial intelligence and machine learning tools can provide visibility and predictive analytics, and stenographic and watermark technologies can provide tracking of products and software.

##

Chuck Brooks: Crafting Cybersecurity's Future, from Policy to Quantum Frontiers

Meet the cybersecurity titan navigating the complex intersection of technology, policy, and the future of our digital world

Chuck Brooks: Crafting Cybersecurity's Future, from Policy to Quantum Frontiers - Machinelab Ventures - MLVP

As the digital fabric of our lives continues to expand, we find ourselves increasingly reliant on the labyrinth of interconnected systems and devices that underpin our modern existence.

But with every new piece of tech that we bring into our homes, every app we download onto our smartphones, and every piece of data we entrust to the cloud, we expose ourselves to an ever-growing array of cyber threats.

It's a complex, often daunting world, where the very technologies that empower us can also leave us vulnerable. In this rapidly evolving landscape, few guides are as experienced, as knowledgeable, or as engaged as Chuck Brooks.

Originally from Chicago, Chuck made his way to D.C. after an impressive academic journey, which included a stint at The Hague Academy of International Law. Today, this die-hard Cubs, Bears, and Bulls fan sports a different hat, as the proud founder of Brooks Consulting International, where he consults on cybersecurity, artificial intelligence, and other emerging technologies.

“Through my consulting firm, I engage in marketing, government relations, and influencer thought leadership, specifically focusing on cybersecurity, AI, and emerging technologies," Chuck explains, with a calm confidence that betrays years of navigating the complex dynamics of the cybersecurity industry.

The path Chuck has charted is far from ordinary. His career started in the public sector, where he received two senior Presidential appointments and served as a key player in the Department of Homeland Security's early days. From government, Chuck extended his reach into academia, industry, and media, becoming a prolific speaker and writer on cybersecurity, homeland security, and technology.

In the world of academia, Chuck is an adjunct faculty member at Georgetown University's Applied Intelligence Program and graduate Cybersecurity Risk Management Programs. He also lent his expertise to Johns Hopkins University as an adjunct faculty member, where he taught a graduate course on homeland security for two years.

His journey through the private sector is just as compelling. His roles have included Senior Executive positions in Fortune 1000 and several corporations, at companies from General Dynamics to Xerox.

In the media sphere, Chuck’s contribution is sizable. He is a frequent speaker at conferences and has published more than 300 articles and blogs on pressing issues in the field. His TV show on SkyTop Media, covering intelligence and security topics, is on the horizon.

Recognition has not been shy in coming his way. Chuck boasts an impressive following on LinkedIn and has been recognized as a top influencer in his field. "I was named 'Cybersecurity Person of the Year for 2022' by The Cyber Express, and as one of the world’s '10 Best Cyber Security and Technology Experts' by Best Rated," he reveals. These accolades and many more are a testament to Chuck’s expertise and influence.

And yet, at his core, Chuck is a family man, passionate about his wife, two daughters, and their rescued Eskimo dog. He is also a food enthusiast, running a 'DC Foodies' group on LinkedIn, and is a self-confessed reality TV fan. In another life, he was a powerlifter and a martial artist. How he has found the time to do all this, I wish I knew!

However, it's cybersecurity that would become his career. Chuck’s journey in cybersecurity started when he was at the Department of Homeland Security’s Science & Technology Directorate. He explains: “It was evident that the world was moving from analog to digital, and that our world was going to change."

But this journey has not been without its challenges. Chuck likens his struggle to promote cybersecurity awareness and best practices to a stubborn horse who won't drink the water. The expanding digital attack surface, the shift to remote work, and the rise of cyber threats have not made the task any easier.

Nevertheless, he remains steadfast in his mission. He sees Public Private Partnerships (PPP) based on risk management frameworks as the cornerstone of promoting cybersecurity awareness. He underscores, "Mitigating evolving cyber threats and being resilient to breaches are paramount for critical infrastructure protection."

Chuck is a staunch believer in the power of collaboration and partnerships in effectively tackling cybersecurity challenges. "It really starts from the top down," he explains. When it comes to successful cybersecurity, leadership is key. CISOs (Chief Information Security Officers), CTOs, CIOs, and executive management must communicate effectively, align strategies, and regularly assess their information security programs. Information collaboration, Chuck suggests, is the lifeblood of a successful cybersecurity initiative.

"It is smart to utilize the collective talent and research and development arms of allied countries, and Public to Private sector cooperation should be an integral part of alliances," he advises. The global threat actors targeting critical infrastructure come in various forms: terrorists, criminals, hackers, organized crime, and, in some cases, adversarial nation states. Meeting these threats head-on requires robust security strategies built on vigilant public-private partnerships.

Within this broad coalition, organizations and associations also have a crucial role to play. Chuck points out, "They are a gathering place to share best practices and develop new approaches to help mitigate cyber threats."

And he has resource recommendations in spades: AFCEA, CompTIA, the Homeland Defense and Security Information Analysis Center (HDIAC), the Cyber Security Forum Initiative (CSFI), National Academy of Sciences, SANS, IEEE, and ISC2 are among his suggestions.

It is only fitting that a man with so much experience and knowledge would choose to share this wealth with the next generation. In his role as an adjunct faculty member at Georgetown University, Chuck prioritizes critical thinking. He aspires to prepare his students to innovate and offer solutions. He aims to provide them with the skills to understand, evaluate, and address key questions that arise for businesses and organizations.

But it's not just traditional methods that Chuck encourages his students to explore. He passionately discusses how disruptive technologies are reshaping the cybersecurity landscape. "We are proceeding in an era of 'Malthusian' advances in science and technology, enabled by faster computing and ever-expanding data analytics," he explains. This new technological era, which Chuck describes as the fusion of our physical and digital systems, is set to impact security, economy, and our way of life profoundly.

“There are a variety of emerging technologies in our industry, including artificial intelligence and machine learning, predictive analytics, the Internet of Things, 5G, as well as other significant areas of development such as 3D printing, blockchain and quantum computing.” Here, Chuck draws on the words of famous futurist Michio Kaku, who he says “characterizes the technological shift we are experiencing as moving from the ‘age of discovery’ to the ‘age of mastery.’ [Kaku] characterizes it as a period in our history where we will be able to harness our technologies and control our destinies.”

The implications for cybersecurity are vast. According to Chuck, “Cybersecurity is the glue that permeates the digital ecosystem of disruptive tech and holds it together for secure operations.” He sees automation, combined with artificial and machine intelligence, as the future cybersecurity pathway: “AI is really going to be a big catalyst for cybersecurity. It will enable real-time threat detection and real-time analysis. Companies will be able to monitor what is in their system, and who may be doing things that are anomalies.” He sees the future of cybersecurity leveraging automation, AI, and machine learning.

While Chuck acknowledges the transformative benefits of emerging technologies, he also stresses the risks if businesses and shareholders are unprepared to assimilate them—especially when hackers and bad actors are more than willing to assimilate new technologies. The solution, he explains, is industry frameworks that emphasize planning, ethical policy protocols, and systematic technology integration. Read his article on the topic here.

The convergence of blockchain technology and cybersecurity is another area of interest for Chuck. He views blockchain as a good tool for integration into cybersecurity practices due to its decentralization, use of cryptographic principles, and difficulty to breach data.

On the research front, Chuck is consulting on several projects ranging from quantum to artificial intelligence. He is also part of a government agency leading a technology working group focused on helping cybersecure space assets, and has written about space assets for Forbes here. Despite the proprietary nature of some of these projects, Chuck promises they will likely come into the public spotlight soon.

For Chuck, developing a successful cybersecurity strategy within organizations requires a 'yin-and-yang formula' of technical expertise and executive buy-in. He stresses the need for a clear and well-defined plan, which includes protecting data and establishing governance. Unfortunately, a common misconception he encounters is that some organizations believe they will not be targeted—a dangerous assumption in today's digital landscape.

"The fact is everyone is a target," Chuck states unequivocally. Today, cyber threats are more sophisticated than ever before, and the basics—strong passwords and multi-factor authentication—are not always prioritized.

"The biggest pitfall is that most organizations are reactive rather than proactive," he notes. For Chuck, being proactive in cybersecurity is more than just acquiring technology or hiring experts. It requires adopting a robust cybersecurity framework involving tactical measures, encryption, authentication, biometrics, analytics, continuous testing, diagnostics, and mitigation.

Chuck highlights the importance of comprehensive risk assessment—a critical first step in cybersecurity best practices. Such an assessment can quickly identify and prioritize cyber vulnerabilities, allowing for the immediate deployment of solutions to protect critical assets.

Cyber-hygiene practices are also vital to one’s cybersecurity plan. This includes everything from education and training to code testing to regular network audits. Chuck has written about the Three Pillars of Cybersecurity—Security by Design, Defense in Depth, and Zero Trust—here.

Educating and raising awareness about cybersecurity among non-technical individuals or organizations is another significant challenge. Chuck recognizes that the task is daunting, particularly since "very few in management understand the importance of technology or cybersecurity issues."

To overcome this, he advocates for a strong board of directors and advisors. "Board directors should have a working understanding of risk management and have context on the different array of threats and threat actors," he recommends.

But the reality is that many companies are slow to seek outside help. To bridge the gap, Chuck takes on the role of an evangelist, distilling complex technical jargon into easily understandable concepts. This is done through outreach, speaking at conferences, and through his writings.

"LinkedIn is a real force for digital influence," he asserts, pointing to the platform as an effective tool for promoting discussion on risk management issues. For Chuck, platforms like LinkedIn have become a crucial part of how he communicates, operates, and conducts business—effectively making cybersecurity part of the broader conversation.

As a respected voice in the cybersecurity community, Chuck observes the unfolding landscape with a sobering reality in mind: "We are all playing catchup in cybersecurity."

He notes that the internet, born in a government laboratory and then commercialized in the private sector, was originally designed for “open communication”—cybersecurity was not a priority. This perspective, though, has shifted now that connectivity and commerce on the Internet have skyrocketed.

For Chuck, the challenges are daunting and multi-faceted. “State actors and cyber criminals are automating cyber-attacks, malware is becoming more sophisticated and lethal, the speed of attacks is also growing, and organizations’ exposed and attackable assets are exponentially expanding with hybrid clouds and with billions of Internet of Things devices attaching to the networks.”

In this digital era, the defense perimeter has practically dissolved.

Among the pressing issues, six stand out: critical infrastructure protection, adapting to Cloud and Edge Trends, ransomware, IoT threat mitigation, protecting the digital supply chain, and bringing cyber expertise to the board level.

Despite the magnitude of these challenges, Chuck retains an impressive sense of purpose. When asked what keeps him going, he responds with enthusiasm, "I am always eager to learn more as life is an adventure and exciting possibilities can be ahead on the journey!"

As our conversation concludes, Chuck leaves us with one final, poignant note that echoes throughout his life and work: "Be a contributor for the better by fostering altruism, knowledge, and collaboration." Sharing his wealth of knowledge with us at Machinelab seems part and parcel of that mission.

Chuck’s story is one of ceaseless pursuit of knowledge and collaborative innovation, from his roots in Chicago, through his ventures in academia, industry, and media, to his current position at the helm of Brooks Consulting International. Whether he's shaping policy at the highest echelons of government, consulting on state-of-the-art technologies, educating the next generation of cybersecurity experts, or inspiring thousands of followers on LinkedIn, Chuck remains driven by a steadfast commitment to broaden understanding, foster collaboration, and navigate the challenging terrain of cybersecurity.

As the digital landscape evolves, one thing is certain: Chuck Brooks will continue to be at the forefront, ever eager to explore what lies ahead on the journey, and more than ready to share the knowledge and insights gained along the way.

###

Chuck Brooks – Cybersecurity Expert, Influencer, Georgetown U Faculty, and President at Brooks Consulting International

Chuck Brooks - Cybersecurity Expert, Influencer, Georgetown U Faculty, and President at Brooks Consulting International - TheCconnects

TheCconnects: Can you tell our readers a little about your professional journey & how did you come to your current role/position?

Chuck Brooks: Over my career in government, the corporate world, media, and academia, I have worn many hats. There have been some strong common threads [of] science, technology, national security, and legislative and executive policy in all my various roles. Like most people in their current roles, my roles evolved from my interests and opportunities that arose.

When I first arrived in Washington, DC, I had just completed graduate school at the University of Chicago and attended the Hague Academy of International Law, and like most others, I was uncertain what my career future would hold. I began going to events in my areas of interest, national security, and foreign affairs to build relationships that might guide me. Fortunately, at one gathering, I was introduced to a soon-to-be mentor, the late General Daniel O. Graham. General Graham was a decorated war veteran and was a former Deputy Director of the Central Intelligence Agency (CIA), and former Director of the Defense Intelligence Agency (DIA). He was really connected and a brilliant man. I engulfed myself in learning all I could about his special High Frontier project of creating a Strategic Defense Initiative. As soon as I was able, I volunteered to write several articles for him that were published. He appreciatively took me under his wing and introduced me to the next step in my career and my first job in government, working at The Voice of America.

With a strong recommendation from General Graham, I was able to obtain a position as Special Assistant to The Director of the Voice of America (VOA), Hon. Richard Carlson. VOA was the arm of the US Government responsible for sharing American values and virtues with the rest of the world in the war of ideas. As editor of the internal VOA newsletter, and as a speechwriter, I learned and wrote about information dissemination issues and about the cultural aspects of the many listeners of VOA across the world. This was the time of the Iron Curtain and there was no internet nor cell phones. Most of the communications were done via short wave radio broadcasts that were often the subject of jamming. It quickly became useful for serving as a subject matter expert (SME) on these issues and the knowledge I shared opened new doors with other parts of government, including Congress.

Future Tech and Cybersecurity: A Conversation with Chuck Brooks (horangi.com)

Chuck Brooks is a world-renowned cybersecurity expert and an Adjunct Professor at Georgetown University where he teaches courses on risk management, homeland security, and cybersecurity.

Chuck is also a two-time Presidential appointee and Forbes contributor. LinkedIn named him one of “The Top 5 Tech People to Follow on LinkedIn”. He was named by Thomson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer” in 2018. He has served as Senior Legislative Staff (Defense, Security) to Senator Arlen Specter, U.S. Senate, and was also the former Technology Partner Advisor at the Bill and Melinda Gates Foundation. In addition, Chuck runs 15 other businesses and is co-leader of the top two Homeland Security groups on LinkedIn.

Tune in to this episode of Ask A CISO to hear:

  • What he teaches at Georgetown University
  • His take on why the U.S. government is slow to adopt and implement new technologies
  • What the public and private sectors can do to help push federal adoption of new technologies
  • What he recommends as the first thing to have when undergoing rapid technology transformation
  • Why it's important to educate people from a young age about cybersecurity awareness
  • If biometrics are indeed a silver bullet for vulnerabilities in authentication
  • Chuck's opinions and insights into cyber warfare in the Russia-Ukraine conflict
  • What he thinks is the best deterrent to cybercrime

About The Host: Paul Hadjy

Paul Hadjy is co-founder and CEO of Horangi Cyber Security.

Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.

Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific.

He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams.

He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking.

Transcript

Jeremy

Hello, and thank you for joining us for today's episode of the Ask A CISO podcast. My name is Jeremy Snyder. I'm hosting today in for Paul Hadjy. We're delighted to be joined today by Chuck Brooks.

Chuck has so many titles under his belt that it would take the entire podcast episode just to go through his accomplishments. But in summary, a few things we can say is that Chuck is a world-renowned cybersecurity expert, and an adjunct professor at Georgetown University in Washington, DC, in the USA where he teaches courses on risk management, homeland security, and cybersecurity.

Chuck is a two-time presidential appointee and a Forbes contributor. LinkedIn named him as one of the top five tech people to follow on LinkedIn and he was named by Thomson Reuters as a top 50 global influencer in risk and compliance, and by the IFCC as the number two global cybersecurity influencer in 2018.

Wow. That is quite a lot of accomplishments, Chuck, and I know you've had a long and storied career. Is there anything else you'd want to add to that introduction that you think is important for our audience to know about you?

Chuck

Yeah. I mean, that's a terrific introduction. Thank you.

It's great to be here. I think what makes, I think, my background a little bit different and I've served in sort of the very core pillars of different worlds here. One being government. I was twice in government, actually three times in government. But I helped set up the Department of Homeland Security. I was one of the first hundred people hired, called a plankholder by then governor Ridge, who became Secretary Ridge, worked on the Hill for many years.

And then I've also worked in, you know, as media, as visiting editors of Homeland Security Today and Forbes, and then in corporate world, where I've done a lot of executive roles for places like Xerox, General Dynamics, Mission Systems, et cetera.

And then the final one is academia, which I think is probably the most enjoyable one where I'm currently an adjunct faculty, as you mentioned, at Georgetown University.

Jeremy

Awesome.

In your role at Georgetown University, what types of courses are you teaching or what types of information are you sharing with the students as they come through your classroom?

Chuck

Well, it's a really well-rounded practical curriculum and there are some really good faculty there. The courses that I've taught is one's called Homeland Security technologies, which focused on the emerging technologies in Homeland.

Another one on risk management and my favorite, which is actually what I developed and wrote myself, which is called disruptive technologies and organizational management. It's been a very popular class for students since it's usually filled. And it really explores all the sort of breaking technologies and how they impact our future. From also including of course, cybersecurity as part of the weave through it. But all, everything from nanotechnology to biological, to quantum, et cetera.

So it's good for me cause I have to keep reading all this stuff and learning.

Jeremy

Yeah. I mean, there's no shortage.

Exactly. There's no shortage of quote unquote "disruptive technologies" coming out everyday.

You know, my own background has been largely in the cloud for the last, let's say 12 years at this point, going back to some early work that I did at Amazon Web Services. So I've seen kind of the very, the more narrow IT side of that, particularly IT in the enterprise construct with organizations going through that transformation, but I think the perspective that you bring is really interesting because as you said, you've got things like nanotechnologies, biotechnologies. These are things well outside the scope that I look at on a daily basis.

What's interesting for me is to try to understand: so when you're thinking about those things, how do you think about those things kind of joining up with core IT systems or core systems where we're aggregating data and we're thinking about data as being a crucial part of our business going forward. Where did those kind of off-the-beaten path, for me at least, technologies fit into that equation?

Chuck

Well, they all seem to have a sort of a linkage to two couple of things.

One of course is artificial intelligence, which leads into the whole data analytics and the synthesis of all the information, which is really important, whether you're looking at doing neuromorphic computing between, or human brain interface with computers. I mean, there's all kinds of interesting linkages.

So, artificial intelligence, and machine learning, seem to be one of the connectors, but they all have relationships because, you know, if you're talking about computing in general, the nanotechnology aspect of microcircuits, everything is getting smaller and having greater memory capability. If you remember just, you know, years back, we had these big lanky phones that were just all over the place.

Jeremy

Yeah.

Chuck

Can't really do anything. Now you have as much computing power as the whole NASA program had that sent a man to the moon in the 1980s in just one smartphone.

So things are really getting smaller and more sophisticated, more capable. And what you mentioned, I think is really also too, it was really key. That cloud has really become the framework for all of this for transmitting and storing a lot of this information and it's moving farther and farther away from the, you know, I think the network to the edge where it's really now becoming the computing capabilities on the, on the same phones or devices you're using are becoming pretty amazing in themselves.

Jeremy

Yeah. I mean, to your point, I can take my phone right here anywhere on the planet and connect to my backend IT systems without really jumping through any hoops.

You know, I've got an app, I've got authentication. Maybe, you know, if my organization is security aware, I've got multifactor authentication to think about, but yeah, I can really access not only the entire knowledge of humanity, collective knowledge of humanity, but all of my key assets as well.

So from that perspective, as you've seen organizations, whether it's kind of your work in the government or in academia move towards these cloud models, what are some of the common, let's say, experiences that these organizations have with new disruptive technologies, like cloud coming in. How do they manage that transition?

Chuck

Well some of them are having difficulty because they don't quite understand the role of the cloud and also you know, it's still their data and I think they give it and someone else is managing it. In some cases, you can get people in a managed service providers, but it's still your data and it's still at risk, you still have to protect it.

So most companies, you know, just assume that if you give it to someone else, it's being taken care of and it may be correlate with other companies too. So their planning has been pretty interesting. I mean, the amount of money being invested into transfer from on-prem to cloud has gone way up. Most of the big companies have done it already.

Government's been trying to do it. Unfortunately, they're wedded to a lot of legacy systems and processes that make it difficult. Also the procurement process itself, which sort of empowers those already that have those programs not to change them. So, it's been slower than I thought, but I think it's definitely, in terms of where it's revolutionizing technologies and emerging, it's really becoming, to really do this in a grand scale that we couldn't do before, particularly with transmitting information anywhere.

And, you know, if you'd be willing to take it further, you're seeing it now with the satellite transmissions now down to us, to all the data, every sensing point on the earth is now being able to draw into it. So you have a lot of issues, but the biggest issue is still cybersecurity, and it's really more of that, what you said, cybersecurity awareness cause people just take it for granted.

They don't understand that, you know, now that they're exposing all their data, that it's you know, even before they go to the cloud, it's already exposed. We need to do more.

Jeremy

Yeah. And I mean, this is one of the key things that I've worked on for the last six years, but I want to dig into something that you there which is that, you know, the government has not been as forward as we might've hoped in terms of embracing cloud, or maybe in terms of, let's say securing their data assets on the cloud.

What do you think is kind of holding them back more? Is it more the lack of technical understanding or is it kind of that process that they're wedded to that you alluded to? Because I've seen in the corporate world, both can really impact things and I've not done any work with public sector whatsoever so I have no visibility into how government organizations work, but I'm curious what your observations have been and maybe kind of what advice you would give to people if they think about trying to solve those problems?

Chuck

Yeah, no I think it's endemic to the size and nature of government.

You have people that are there for, you know, entrenched for many years. You also have difficulty attracting the right kind of people in particular in technology and cybersecurity areas outside of the military and outside NSA and other agencies like that. So attracting those kinds of people is tough and keeping them staying is the other thing, you know, if they're younger.

So you don't have the innovation capabilities you have in the private sector. And, you know, there's always lapses and there's also a fear of taking risks that, you know, if you're sticking with a big company and they're doing it, you know, it's easy for me, you know, they're doing it. If the contract's out, do I need to change it? So it's sort of a combination of what you said.

It's sort of the process itself and the procurement process, but also it's a combination of that. And people with an aversion to new technologies. Now there's been a lot done the last couple of years, particularly with expanding DARPA's role with the defense innovation units throughout the government. And of course, DHS has really expanded their outreach to the private sector. And that's really, the solution is really, it's a cooperative effort between the public and private sector that will make cybersecurity work, and ingenuity and agility of what you say in the commercial side is really what government needs to take it to its advantages, you know, and they're starting to do more of that.

And particularly with verticals, you know, with critical infrastructure and stuff where we already have the lessons learned, you have people capable that could give you information, experience with the technology they've tried. But, if you really want to go, go to the financial industry, which is really the most capable of all commercial industries to get lessons learned, but you know, there is still a lot of skill, and a lot of money, and a lot of classified programs that could bring the information the other way too.

So I think it could be a two way street. It's not just the private sector. We have the government, and the private sector.

Jeremy

Sure.

Yeah. Yeah. I think that's a great point. And I'm comforted to hear as a taxpayer one of the things that you said, which is that, you know, some of those, let's say more sensitive organizations are the ones you highlighted as being the most capable on that side. So that feels good to hear. I'm curious, when you think about, let's say, the overall ecosystem, so we've talked about a lot of different things in a very short period of time, but let's say we take the example of kind of the digital satellite communications that we were mentioning.

And we've got a gazillion sensors all around the world now that have the ability to send data up through satellite links, through 5G links, cellular links, what have you, for processing and then out to the cloud to be turned into some type of enriched information that we might use as an organization.

What do you think is kind of the first thing, if I'm brand new in an organization that's going through a rapid transformation and ingesting this data, what would be the first thing that you would recommend I start to look at?

Is it on the visibility side, understanding what's what? Is it understanding business objectives? Is it getting a cyber mindset? Is it first principles? I mean, where would you say, it's like, okay, we focus on this?

Chuck

Yeah. I think you have to go with the cyber mindset, just because you know, security is broken and this whole zero trust movement throughout government and somewhat now in the private sector realizes that you know, we've already been corrupted and there's a lot to lose out there. You know, particularly small-medium business being taken out every day by ransomware and other attacks, you know, so you really have to look at the security mindset first and then see what your inventory is and design it.

But I think for any company now moving into this next decade, you know, the fourth industrial revolution. It's essential that they have an understanding of what the new technologies are, what the emerging technologies can do. You know, you don't have to be an engineer or a technical expert, but you have to have an understanding of the capabilities and the use situations. You're seeing so much happen just in the last couple of years, even with COVID, you know, with Space X launching satellites, with electric cars, with neuromorphic computing, all kinds of different things is breaking through.

And artificial intelligence, certainly, being used through for drug discovery and all kinds of things. So I think it's inherent that, you know, everyone needs to know this kind of thing. If you're growing up, if you're not getting it in school, you should be.

But again, you know, technology is not just designing from a technical perspective, it's really understanding the use cases and also how to market and sell it. You know, that's half the battle too. And then operate it.

So there's so many components that go into it. So that's why I encourage all my students to get up a varied background in technologies.

Jeremy

Yeah, it makes sense.

So when you think about the cyber mindset, and I particularly think about zero trust, let's say, aside from that term kind of being corrupted as a marketing term, or let's say not corrupted, but co-opted as a marketing term, I think the core principles of, you know, authentication and authorization, and don't assume that the system that you are connecting to, or the application you're connecting to, you know, assume it's bad until proven good, you know, kind of the don't trust, verify model, if you will, is kind of a simplification that I've heard around it.

Does that kind of match with how you think about that? And does that kind of also match with the cyber mindset that you think about, or what's missing from that cyber mindset?

Chuck

Yeah. Well, it is. It's part of it.

You know, I think zero trust is really a strategy and there's really no one set strategy for every company or every industry. So I think you have to adapt it and have really a mistrust management strategy in up first. And that would be a part of it. You have to also assume that you're going to get hacked. You have to have an incident response strategy as part of that. You also have to have management strategy - who has responsibility in the company for what, so all of that needs to go, it's part of it.

And then yes, the multi-factor authentication, the firewalls and inventory, what's in your system, assuming that you've been corrupted, which likely you have been. You know, all kinds of issues, you know, all will follow, but I think, you know, zero trust is part of the strategy.

So, you know, I mean, you still have defense-in-depth depending on what you need for your other industries to do that.

Jeremy

Right.

Chuck

And if you can, go with the new security by design, so all those elements fall in, but I think I like the idea of zero trust because after what we saw with SolarWinds, you know, they've been in the system for over a year and we didn't know it. And it corrupted, you know, thousands of companies and agencies, government agencies. So it's that easy.

Jeremy

Right.

Chuck

So if you don't really assume the worst, you're going to be in a bad situation.

Jeremy

Yeah. Yeah. One thing that I wonder, so you talked about kind of like the need for people to be more cyber aware. And I would agree with that a hundred percent.

You know, I recently started a company and one of the very first things that we did was we laid out cyber principles for the organization, just in a Google doc, but at least our high level principles for, you know, guiding things that we will do our best to do every day in the work that we do with our customers.

And one of the things that comes to mind though, is that outside of our work or let's say if you're not at an organization that's very cyber conscious.

How do we get people, just kind of the general population to be more cyber aware? Because I think about kind of kids coming through schools; I see my own daughters going through universities right now. There's almost no cyber awareness in what they're doing. You know, they log in with a single username and password to a Google workspace.

They've got Google classrooms, Blackboard, any number of other systems that they're using to complete their work. There's not a single security concern in there. And I wonder if they will then transition into the workforce and they'll just expect that everything works that way. And they don't have to think about cybersecurity because they never have up until that point.

How do we kind of break that mindset or kind of get those cyber learnings pushed down?

Chuck

It's gotta be a communication effort and it starts, you know, getting them on social media, even the things that they look at, like TikTok and others getting in early. But also it's not just the kids, it's adults out there, you know, so LinkedIn and Facebook and Instagram, all those places need to be, you know, it's a campaign, it's constant, you know, with cyber hygiene.

And you saw, what you mentioned the academic example, there was a college just taken out last week that has been around for over a hundred years. Colleges and universities and schools are easy targets because of the disparate systems that they use, and multiple users. So they're easy to get for ransomware.

So I think at some point everyone's going to have to realize, and I keep saying this last big hack, you know, whether it be Colonial Pipeline or something, everyone's got it. You know, everyone will wake up, but they don't 'cause their attention spans are short. So I think what we really need to do is start going with the curriculum in these younger schools.

Jeremy

Yeah.

Chuck

Even the elementary schools and junior high schools have cyber hygiene be a part of course, because they're operating all on digital already. And they're co-mingling their personal stuff with their work stuff I mean, their school stuff and they'll eventually it's going to be their work stuff. So I think you have to start early and there are some organizations trying to do that. I just think that there has to be more of them and more money directed that way.

Jeremy

Yeah. It makes a lot of sense.

I mean, if, especially if we consider that going forward, just imagine how much time we spend online today and how much, you know, we do on internet connected systems, basically 40 hours a week, if not more. Well, 40 hours a week of work time, if not more. And then our lives outside of that, which have another 10 hours a week.

And I think about kind of the example, I think to your point, Chuck, you know, we had the global financial crisis between 2008 and let's call it 2012, right? And we had all these kinds of mortgage meltdowns and subprimes and blah, blah, blah, blah, blah, right? I won't go into it.

But one of the positive outcomes that came out of that, I noticed in my daughter's high school was they ended up with a basic kind of financial literacy curriculum as a result of that. And, you know, how do we use credit as consumers? How does a mortgage work? How do I use a bank account, balance a checkbook, all of those kinds of basics.

And it sounds like one thing that might be an interesting idea or an interesting concept to float around is kind of a similar course for cyber and for basic IT hygiene, right? Let's train these children early and get them to understand at least what these things are. And they might join organizations with different levels of maturity, but still knowing the basics would be really fundamental.

Chuck

Yeah. I think there's an urgency to that. I know that this has a program there's going up, but again, it's small in scale compared to what it needs to be. And I think, you know, maybe the kind of thing you're talking about doing right now, and the more you talk about it, hopefully more people will listen and, and expand that perception of what we need to do because it really is going to get worse if we don't do something now.

Jeremy

Now speaking of kind of zero trust and authentication in particular as one of the core pillars of that, identity theft and identity breach are pretty common nowadays. Identity breach, I think about more on the business side because you know, a breached email, for instance, business email compromise as being one of the most prevalent kind of initial attack vectors to get into an organization.

I know biometrics have been floated as kind of being the silver bullet solution writ large to that. What do you think about that? I mean, do you think it can be as simple as let's move everything to biometric or do you think there's more nuance that we need to think about?

Chuck

Well, I think it's good that they're moving to more biometrics just because it is an extra layer. It's not infallible though. There are ways to get around it.

Apple has another face recognition, which is pretty good, but there needs to be more of that just because we don't tend to do things when they need to take steps and do this and that. It automates it, which is really important, you know, whether it be a thumbprint or something.

So I think that's good for particularly for the younger generation that expects everything to be automatic, and they're not going to take the extra time to do things. So, but, I think there's there, you know, the strong passwords are still important, changing your password, being aware of that, encryption still needs to be thought about by most businesses. Because, you know, what happens if your data is stolen?

Like you said, a lot of the breaches for companies, you know, still the main motivation of hackers, you know, worldwide is financial gain. You know, it's just transferred from brick and mortar to this, the digital, but it's so easy for them because it could be in a, you know, 3000 miles away and get cryptocurrency payments for ransomware or holding your hostage and hold your data hostage for companies and economic espionage is another big problem.

We saw with China the vast amounts of IP being stolen from companies and universities all over the country being transferred to them and being used in their military program. So there's a lot of reasons to have this biometric on there and it's not hard to do so I think, but eventually it's gotta be more secure.

And then again, you know, there's always a worry of privacy issues too. It's how much you give away with your face, with your thumb prints and stuff. And I understand that to most privacy considerations, but right now it appears that most of the people out there don't really care that much about privacy, unfortunately.

Jeremy

Yeah. Yeah.

It does seem that way. That's something I worry about a lot.

And something that you've mentioned just now, and I've seen a previous interview of yours where you talked about this, which was kind of the thing about ransomware it's been around for a long time, but right now the economic payout is just too good and too easy, right? The low hanging fruit, so to speak, hangs so low and it's so ripe for the picking that you know, there's just a lot of motivation for bad actors to go after that.

And it's probably even enticed some people into, let's say kind of ransomware gangs that might have otherwise been other types of organized crime offline, for instance, who knows?

But I wonder, what you were saying just now is let's say with the example of this university shutting down, do you think that just making it so much more expensive to breach an organization is enough to deter a lot of these bad actors and kind of get them out of the space?

Or do you think there needs to be more effort by law enforcement to put people behind bars? What do you think is a better deterrent?

Chuck

I think the better deterrent is the prosecution. It's difficult, you know, there's Interpol and others, but of course, some of the countries that are involved in Interpol are also some of the countries that are sponsoring these gangs, these criminal gangs or looking the other way.

So it's difficult to do law enforcement activities. But they have been more and more recently, there's been a lot more people that have been extradited and captured and it sets an example.

So I think that's important. Of course, making the cost higher too. There's also talks now that, you know, you're seeing it now in the Ukraine Russian conflict, they're going after some of these groups with offensive cybersecurity capabilities. So, you know, there could be retaliation by governments. If one of these groups goes after critical infrastructure, it does something that is considered more of an act of war, or violation of the norm. They could pay the price there too, but we're going to have to watch this cyber warfare aspect of this kind of thing again.

Jeremy

Yeah. I think that's something that a lot of people have expressed concern around and certainly myself I've been following the situation closely. I have a family history in Finland and we have our, let's say our shared history of conflict with Russia, to put it mildly.

But we've been, I think a lot of us in the cyber world have been observing the cyber warfare and kind of this hybrid warfare going on right now. And I think frankly, I myself have been surprised at how low stakes it's been and actually how low impact it's been. And I would say relatively contained.

Do you think that's because there is this kind of uncertainty around, let's say, a cyber attack outside of Ukraine being interpreted as an active hostility towards potentially like, say, a NATO member nation or something like that?

Chuck

You know, there's a lot of speculation on that. And my own personal view is that it's probably strategic, I guess, misconceptions that caused a lot of the lack of cyber. I thought that it probably the Russians thought that this would be over in a few days and we're going to take it out kinetically anyway, all their infrastructure. Well, they did launch a few attacks so that cyber of the ancillary and they wouldn't need it.

Now they found out that not only did they need it, but Ukrainians have more capabilities, plus it mobilized a lot of the world to start to go after some of the Russian cyber capabilities. So I think it was an unintended consequences that did that. And now we're at the point right now is I think they have their hands full and yes, I mean, we know who these gangs are and if they do something, there could be some serious retaliation.

The West does have capabilities. We demonstrated that and against our a few years ago, taking out their whole ports. So, even the Chinese, Russians, North Koreans are not the only ones that have this ability. So I think there is a perception there that they don't want to fool around and NATO have some great capabilities and certainly Finland, certainly, what you mentioned, has been one of the forefront of ingenuity and in terms of digital applications of technology.

So it's a pretty cool interesting scenario for some of the people in this world to look at the implications and why it's being used and not being used, but that's only my personal opinion.

Jeremy

Yeah. Yeah. It's fascinating to watch. And it's one of those things where going back to the Stuxnet example you cited there, the asymmetric impact can be massive.

You know, if I recollect from looking at that case study, I think the amount of human time, aside from the code development, but the amount of human time involved in kind of introducing the Stuxnet virus into the systems was really minimal on the order of a couple of man-days. No more than that. And it just had this massive effect that set back the nuclear program back decades was one of the calculations that I've seen.

So the asymmetric impact can be really dramatic. That's really interesting to think about. I guess, from my side, I know we're kind of wrapping up the conversation. We've touched on a lot of things, everything from kind of training kids in schools to new technologies, disruptive, embracing a cyber mindset, zero trust, a lot of things.

I know one thing that I've got here on my bio and on the list here, that I think is not discussed is that, I guess you used to compete in powerlifting in a past life. Is that right?

Chuck

Yeah. Yeah. You can probably see there's some trophies back there, but, yeah, I did. And I paid the price. It was great. I did it for many years but I do have bad shoulders now. I actually just tore my rotator cuff on the side working out.

But you know, it's still fun. I mean, I still work out a lot, but not those heavy weights anymore. Cause they take its toll, but it's, yeah, it was a lot of fun.

Jeremy

Absolutely.

What was the personal record?

Chuck

I was at 181, I was benching 375, drug tested, you know, which is pretty good if you take away the, if you, it gets blown out of proportion and out as you compete with a rock to compete with equipment or drugs, it changes the equation a little bit. It's a little bit cheating. I think. You know, rod and drug testing is a way to go.

Jeremy

Absolutely. Absolutely. Are there any lessons from your powerlifting days that you've brought to your career in cybersecurity?

Chuck

Yeah.

I think it's sort of a discipline, you know, when you get up and have to work out every day and follow an order, I think you do have to do that with work too, and you have to separate, you know, what your priorities are. And I'm sort of doing that too. I juggle a lot of things with my consulting and my teaching and, you know, you just need to be able to focus on when you need to be able to focus on it.

So you know, it's just like when you're going up there and there's, everyone's watching you and you have the weight on you. You're only focused on the weight. You're doing the same thing with what you are juggling, multitasking, but in a different way. I mean, if you have things planned and have a strategy, then you, then it's much easier.

Jeremy

Yeah, absolutely.

Well, planning, strategy, focus and discipline, I think are four core tenets that everybody can agree on. And they're certainly important in the cyber world, as well as in kind of work and in life in general.

Chuck, thank you so much for the conversation today. This has been a real pleasure connecting with you and I'm sure our audience is going to really appreciate this. We will call it there for this episode of Ask A CISO with great thanks to our guest for today.

Chuck Brooks, thank you so much for joining us.

Chuck

Thank you for having me. I really enjoy talking to you.

Jeremy

Likewise.

###

Chuck Brooks is The Cyber Express Cybersecurity Person of The Year 2022

Chuck Brooks, The Cybersecurity Person Of The Year 2022 (thecyberexpress.com)

Chuck Brooks is a man of all things cyber! This globally recognized thought leader and subject matter expert in cybersecurity and emerging technologies is currently the president of Brooks Consulting International.

A winner of several felicitations such as the Top 10 in Cybersecurity and Tech and the Top 2 Global Cybersecurity Expert and Influencer by Thinkers 360, he was also among the Top 50 Social Influencers in Risk and Compliance by Thomson Reuters and has been a two-time presidential appointee to the US Department of Homeland Security.

While serving as president of Brooks Consulting International, he lent his expertise as a consultant for Fortune 1000 clients and has been a speaker for AT&T, Intel, and IBM.

He has been an adjunct professor at Georgetown University for nearly five years and a contributing writer at Forbes for over four years. A Gov Con expert, Brooks was recognized as a thought leader and a subject matter expert in cybersecurity news and emerging technologies.

He has also been a part of the inner circle CISO advisory team at CyberTheory, contributing cyber panel expert at the Washington Post, an advisory board member at the WBAF Angel investment fund, and a strategic advisor at VIBE cybersecurity international LLC.

Brooks has many accolades to his name, including being a featured contributor at the High-Performance Counsel and a board member of several organizations, including the Franklin Foundation for Innovation.

He also served as the vice president of government relations and marketing in Sutherland, as an advisor at the Bill and Melinda Gates Foundation, and was the director of legislative affairs at the Department of Homeland Security between 2003 and 2007.

More importantly, Chuck Brooks won the prestigious title of The Cyber Express Cybersecurity Person of the Year 2022.

In a brief interaction with The Cyber Express, Brooks talks about the response from the industry over his win, cybersecurity trends in the educational sector, governance and even the future of cybersecurity with AI and quantum engineering.

Watch the video here: https://youtu.be/Jt5rBngnv2g

###

Top Cyber News MAGAZINE is pleased to present to you the February 2022 edition.

This month you will discover a renowned Thought Leader, Global Cybersecurity Influencer - a globally recognized subject matter expert on Cybersecurity and Emerging Technologies, President and CEO of Brooks Consulting International, Mr. Chuck Brooks. Along with exclusive and innovative insights from international Cybersecurity Leaders.

###

Video Interview: GovCon Expert Chuck Brooks Talks Cybersecurity & Government Tech Market Trends

Link to Interview: Video Interview: GovCon Expert Chuck Brooks Talks Cybersecurity & Government Tech Market Trends - GovCon Wire

In today’s increasingly online world, government agencies are harnessing the power of digitization and cyber capabilities to push modernization. Now, more and more critical government systems, infrastructure and operations are online — but are these components protected?

Chuck Brooks, president of Brooks Consulting International and a member of Executive Mosaic’s GovCon Expert program, thinks that overall, the federal government is off to a good start in the area of cybersecurity — especially considering what has not been done in the last decade. However, cyber threats are increasing, and we’re not moving fast enough.

“This group, particularly at DHS and CISA, has brought in a lot of private sector talent, they’ve initiated the zero trust strategies, there’s a lot of proclamations coming out from DOD, from OMB, from all over. So they’ve been very aggressive, particularly against the backdrop of the threat from Russia,” Brooks said in a video interview with Executive Mosaic.

But unfortunately, Brooks said, “it’s just too little.”

“The attack surface is so huge, there are so many vulnerabilities we have with legacy systems in government — patching, correcting and redesigning them is going to take a long time,” he warned.

In the meantime, he said agencies should focus on basic cyber hygiene, implementing zero trust and moving to the cloud, among other cyber best practices.

Brooks also said the government tech market is “wildly hot” right now, especially surrounding things like AI/ML, quantum and 5G.

###


Executive Interview: Chuck Brooks, Cybersecurity Expert

Executive Interview: Chuck Brooks, Cybersecurity Expert – IAIDL

Chuck Brooks, president of Brooks Consulting, globally recognized as a subject-matter expert on Cybersecurity and Emerging Technologies, sees the coming proliferation of IoT devices as expanding the threat landscape. His experience helps to put it in perspective. In government, he has received two Presidential appointments, by George W. Bush to a legislative position at the Department of Homeland Security, and by Ronald Reagan as an assistant to the director of Voice of America. In industry, Chuck has served in executive roles for General Dynamics, Xerox, Rapiscan Systems, and SRA.

Today, Chuck is on the Adjunct Faculty at Georgetown University’s Graduate Applied Intelligence Program and the Graduate Cybersecurity Program, where he teaches courses on risk management, homeland security, and cybersecurity. He has an MA in International Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.

He recently spent a few minutes with IAIDL Editor John P. Desmond to discuss the state of cybersecurity today. Chuck is a speaker at the upcoming AI World Government event held both online and in Alexandria, Va.,

IAIDL: What do we have to worry about today in cybersecurity?

Chuck Brooks: We have a lot to worry about. First, everyone is a target now because of the increased attack surface from remote work and from the interconnections of IOT devices. Now, everyone has several IOT devices at home, and they’re all entry points now for hackers.

Second, not only are these hackers a threat, they’re a more sophisticated threat. They’re using artificial intelligence tools, machine learning tools, to automate their attacks. So they don’t necessarily have to be on a computer looking at your email one at a time, they can do thousands at a time. It only takes one or two to make it happen and then you’re hacked.

Third, and probably the most critical thing you have to worry about is that our infrastructure has been under attack. We’re looking at not just SolarWinds and Colonial Pipeline, but our energy grid, financial institutions and transportation systems—all of them are vulnerable for one reason or another. It may be because they’re legacy systems, built on legacy systems, with a lot of gaps. And hackers are now targeting that and they’re asking for ransomware payments, which are now more accessible [to hackers] because they can use cryptocurrencies. And they’re doing it many times with the help of state sponsors. So the criminal gangs are sharing their information and tools and sometimes even the money. It’s a real precarious world out there.

How about on the defensive side? What are the top current trends in AI in cybersecurity?

Well, AI does a lot of different things, and the first thing it does is it synthesizes information, and looks for patterns and correlations, much more quickly than previously possible. We’re really talking more about machine learning at this point, but artificial intelligence that encompasses machine learning and other things such as deep learning, allows defenders to look at the whole ecosystem at once. It can look for anomalies, pick them out and block them. It also allows defenders to process known threats and separate them from being on your computer or network. AI can also detect risky configurations, and it can be used for analytics, which is really important.

So AI has given us a huge opportunity to compensate for the lack of skilled cybersecurity workers and fill in gaps in security activities that in the past would have been done by adding people. Now we can do more with AI.

Can we ever go on the offense in cybersecurity? And, if so, how do we do that?

Well, we’ve already done it. A few years back, we had an incident in the Gulf where Iran took out one of our drones. And so we took out their network. That was an example of how capable we are in that area.

Offensive cybersecurity in some ways is easier because we’re on the attack, not the defensive, and it’s much more difficult for defenders to find those attacks. The reason it’s a precarious capability is that if you’re dealing with China, Russia, you’re dealing with equal capabilities or close to equal capabilities, which can inflict damage too. So it really is an asymmetrical type of offensive capability that we reserve for situations when it’s really needed.

But, yes, we have the ability to do it. We can put things in deep packets, we can get into networks, we can use insiders, we can do all kinds of back doors. There’s a lot of different ways. Everything a hacker can do, we have the tools to do and probably more.

Is there any forum where the US can sit down with Russia and China and talk through cybersecurity to see if we can reach some agreement, like we used to do with arms talks?

There has been talk of that, and it goes back to having the red phone when we had nuclear confrontations back in the ’60s. I think there’s a need for it because there are very strong capabilities, particularly on the Chinese and Russian side, so it has to be looked at. This current administration has already reached out and told the Russians not to do it, but that doesn’t mean anything. I think eventually there will have to be some formal treaty that says, for example, you do not use these offensive weapons or attack critical infrastructure. And it remains to be seen whether this will happen, but it’s a good idea to at least try to have a dialogue.

That’s encouraging. How about on the topic of ransomware? Is there any solution?

Well, there’s no one real clear-cut solution. But obviously the solution is, first, having a backup of your data. Because if you do get hacked, and they hold your data at ransom, you’re really in a tough spot. So you need to be able to have a backup somewhere on a different system and network to be able to operate.

The second thing is that we need to have laws that enable us to go after the perpetrators and charge them with crimes. So we need some enforcement capability, some international law enforcement cooperation, to be able to operate against these people. It’s a real issue right now. We have Interpol [International Criminal Police Organization], but there’s not much activity because some of these same governments who are part of Interpol are harboring these cyber criminals.

How do you think the current administration is doing with cybersecurity?

I think pretty well. It starts really with personnel, and they have brought in some very good cyber [security] people from industry, and others who really have experience, who know the players and what needs to be done. The administration had a strategy going in with DHS [Department of Homeland Security]. The DoD [Department of Defense] and NSA [National Security Agency] tend to operate by themselves, but I think we’re still a long way off.

We have realized that it’s a public-private cooperation issue, and where the administration is excelling right now is reaching out to industry. And so in that sense, I give them a B plus. I think they’re doing pretty well.

Are social media companies that permit the spread of misinformation security threats?

That’s difficult because you’re getting into a free speech area. As a First Amendment person, unless it’s violent or threatening information, I would leave it alone. I think people can discern for themselves on social media. It is being used for cyber hacking, though. That’s a different issue. And people are using social media platforms to gain information about people, find out passwords, find out things about their home, where they live and then use it for identity theft. So that’s a real problem. And they’re also using it sometimes to find buying habits and other things if they get hold of information off the dark web.

So social media is a different type of cybersecurity problem. I think, personally, this is a personal viewpoint, I think it gets difficult when the government tries to be in a censorship role. But for protection and cyber reasons, I think there’s a lot to be worried about with social media.

What’s the best thing that college students can learn or study about cybersecurity if they are interested in pursuing it as a career?

Well, I happen to be teaching. I teach at Georgetown University’s Cyber Risk Management program. So it starts with that, risk management. Your whole life is about risk management. And I think part of what students need to learn nowadays is security orientation. Everything they do has some security risks, whether it’s driving, or even going on a trip because of the risk of catching a virus.

Students really have to consider cybersecurity because everything they do now is more digital. All their papers, all their activities, all their communications, are based on their iPhones or Androids or their computers. And if they don’t have an understanding of the risk involved in what they put out there that may be used against them, whether it be when they are going for a job interview or whether they’re being exploited for ransomware, because they were too careless. So cybersecurity and risk management, the security implications of the digital world, should be an essential part of every course of study in college.

So is cybersecurity a good career path and what type of student do you think is the best fit for it?

Oh, it’s an excellent career path, mainly because there’re so many unfilled jobs and also because the threats aren’t going away. And there’s always, I think, a misconception that you need to be a coder or an IT person to really thrive in cybersecurity, but that’s not the case. Some of the best cybersecurity people have come from music backgrounds, where they think in patterns, for example. Also, cybersecurity can involve public relations, marketing and the sale of products as well as engineering.

The main thing is, it’s a learning process. You can get the background and an understanding of it. Then you can take specialized courses and get a certificate for them if you really have an interest, depending on what you want to defend and work on.

So it depends on how you tailor your career; I don’t think there’s any one person that necessarily fits the mold. I do think it’s important to have coders and people that understand the technical side, but it’s also important to have people with liberal arts backgrounds too.

How important is AI to cybersecurity, do you think? And does it have more potential?

Yes. You can see the amount of money being invested by the Department of Defense and Department of Homeland Security into artificial intelligence technologies. And the reason for that is because they’re differentiators. And, again, it goes back to several factors: one, that there’s a lack of qualified people to fill roles; but it also, it really goes directly to capabilities. With advances in computing and artificial intelligence along the way, we’re building the ability to synthesize so much data at once. And when this data is synthesized and correlated, it can lead to immediate actions being taken.

Artificial intelligence is really a catalyst for cybersecurity. Everything you do is based on the threat horizon. You need to know what’s in your system, and who may be doing things that are anomalies. You need to know if your sensors are being tinkered with if you are in industrial automation, for example. AI is going to be the backbone for all that.

How well, in your opinion, is the industry doing in offering software tools and services to help people with cybersecurity?

Well, it’s a marketplace and, unfortunately, it’s not always the best tool that gets bought. We see a lot of issues with multiple things being bought by companies when they don’t know how to use them, maybe because people have left. It comes down to good orchestration to use the products effectively.

I think we have many interesting things coming down the pipeline, particularly around encryption. The bottom line with industry is, it depends on the consumer market. And of course, there is the corporate market and the government market. For the consumer market, you want to make it as easy as possible, the lowest common denominator, something that can just make one click, and you’re protected.

Many interesting encryption technologies are coming out. Polymorphic encryption [in which the encryption/decryption pair changes each time it is used] is one that I’m really following closely because I think it will change the game. This will also impact Internet Of Things devices, 98% of which are not encrypted. They might not have enough bandwidth, but encryption on the network connected to them could do the job. So I think that will be one of the areas where I think you’ll see a lot of interesting things.

Plus many interesting technologies around segmentation and Kubernetes [container management] in cloud technologies, particularly hybrid cloud, are making their way into the system. We are likely to see more adoption by managed service providers, because it takes some expertise to know what you need. Every company is different. The growth of those managed service providers with expertise who can come in and customize your networks and your devices, is going to be the next trend.

Is the impact of hacking tools used by the NSA that were released by Edward Snowden in 2016 still having an impact?

Absolutely. He did a lot of damage in what is referred to as an “insider threat.” And he took tools that were not only used by nation states, which he brought them to, but also by criminal hackers. And those tools are some of the better, more effective, tools that still have application today. It was a very dangerous situation, and I’m sure most people are not aware of the damage he inflicted, but they still apply to what is happening now.

Regarding IoT, what is the impact around IoT devices on cybersecurity?

We’re in a world where we will have 20 billion connected devices. Every one of those is an avenue for a hacker. It’s going to triple in the next 15 to 20 years. Everyone will have three or four devices, more devices than people on the planet. So it just, basically, gives hackers a field day. They choose their way to come in.

And so also the other aspect of IOT is that there’s really no one regulation or manufacturer standard for security. So you’re getting devices manufactured all over the world, put together and usually without much security. People don’t change the default passwords on their devices. So it’s a mess. And I think the only solution is to have a capability to monitor those IOT devices. I have seen some interesting companies and products doing that. In the future, we will have to know what’s in the network. It’s not going to be easy.

Do you have any advice for people as to how to protect themselves from all of these threats?

Yes. I would advise that the most prevalent form of hacking today is phishing. Don’t click on anything you don’t recognize from an email, and don’t fall for a fake bank or a promise that you won a lottery. That is some quick advice. Also, try to use multi-factor authentication if you can, such as a thumbprint or facial recognition on your device, in addition to your password. Strong passwords still work. The hackers usually go for the easiest, low-hanging fruit, and a lot of that is in small and medium businesses. They need the basics in place.

I would also advise that you segment your valuable data. If you have data that you don’t want anyone to read, don’t have it connected to your network. That’s another good part of advice. And then keep up with patching and antivirus stuff. A lot of the big companies, Microsoft and others, have products that are updated regularly. Use them and follow them.

Being prudent and vigilant does not mean you’re not going to get hacked, but it reduces your likelihood.

Thank you. Is there anything you’d like to add or emphasize?

Yes. We are now in a digital world where Industrial Revolution Four is here, the convergence of the physical and the digital. This brings new security implications between operating systems and IT systems—they are all meshed. So we have to be really cognizant that, from here on in, understanding what the threat is will be critical for our economic well-being and national security. All those aspects now need to be re-evaluated and looked at into the new threat landscapes that come with digital connectivity.


Kajol Patel

Partner Alliance Marketing Operations at Data Dynamics

10 months

Intriguing article about CISOs and the current cybersecurity landscape! This piece offers valuable insights on the challenges CISOs face today, especially with employee turnover and the evolving threat landscape. The emphasis on zero trust, identity access management, and leveraging technologies like AI and machine learning for better security resonates. I particularly found the section on supply chain risk management insightful. It highlights the importance of setting clear policies and collaborating with vendors to mitigate these risks. The importance of data analysis for threat detection and a comprehensive data security and compliance strategy cannot be overstated.

Chuck Brooks

Named "Top Tech Person To Follow" by LinkedIn, Voted "Cybersecurity Person of the Year" Cited Top 10 Global Tech & Cyber Expert & Influencer, Georgetown U Prof, 2X Presidential Appointee, FORBES Writer, 123k LI Followers

1 year

Over 13 million views of my posts and content in the past year

This is a really useful interview, I've got many ideas through it. Thank you for posting. Chuck Brooks

Aleksandra Filipczak

Experienced Analyst & Wealth Manager with a proven track record in business growth and client relations.

1 year

Chuck Brooks doesn’t shy away from the hard truths about data loss, the COVID-19 pandemic, and resource optimization. This interview is a must-read for cybersecurity enthusiasts.

Tregg Farmer

Marketing and Sales Consultant & Former CEO

1 year

Thanks for sharing. Very enlightening.
