Security Unfiltered

The Future Hides In Plain Sight: Will We See It In Time?

Joe South Episode 210


We explore how to prepare for a post‑quantum world while dealing with today’s outages and social engineering risks. From zero trust on satellites to multi‑region cloud design, we share practical ways to trade brittle efficiency for real resilience.

• mapping careers toward emerging security domains
• zero trust for satellites and patch constraints
• harvest now decrypt later and crypto agility
• early adopters of quantum‑resistant algorithms
• futurist methods for security decision‑making
• shifting from passwords to stronger credentials
• efficiency versus resilience trade‑offs in cloud
• lessons from government redundancy models
• attack surface, attacker and defender effectiveness
• deepfakes, social engineering, and process tripwires
• practical controls like rotating passcodes and dual control
• resources and where to find Heather’s work

Pick up Heather’s books and reach out if you want


SPEAKER_03:

How's it going, Heather? It's great to finally get you on the podcast. It's been an interesting couple of months for me, for sure. Things are just getting ramped up in my life, and there are lots of changes with two little kids, but I really appreciate you taking the time to come on and talk with me today.

SPEAKER_00:

Yeah, Joe, thank you so much for having me here. I am excited to share all things cybersecurity future related.

SPEAKER_03:

Yeah, you know, it's interesting that you bring that up, because I always try to coach people to look to the future, and then that's what you should be focusing on now. Right? And I think of my own career: when I was getting into IT, security was kind of in its infancy of blowing up, where organizations started to realize, okay, we need to look at this thing, we need to pay attention to it and give it more money and whatnot. And so I knew IT overall wasn't for me, but I knew security was. And so I started to work towards getting into security. And then once I got in, I immediately started looking at cloud security. And cloud security was like, AWS had, I think, 10 or 12 services at the time, you know, nothing compared to the 200 plus that it has now. And so I started to look towards getting specialized in cloud security, and now I'm actually getting a PhD in something that is probably gonna be more relevant in five years. So I bring all that up because it's extremely important to look towards the future and then start mapping your own career for that.

SPEAKER_00:

I think what you're talking about, like how you decided to focus on cloud security. I mean, when I started in tech, cloud security didn't exist. We had to go to data centers and do all the coding. And I had a friend who was a consultant, and he's like, yep, setting up some servers in the rack space. Those, I don't know. I used to look on Flickr and find all of those funny images of how people would do their cabling. Sometimes that cabling was crazy, and sometimes it was really beautiful. I mean, behind all of the clouds, there is still a rack somewhere, a server somewhere, just who knows where it is. So yeah. Can I ask what you're focusing on for your PhD? I'm curious.

SPEAKER_03:

Yeah, so I'm focusing on deploying the zero trust framework on communication satellites to prepare for post-quantum encryption. Because right now, there's no real good way to maintain security on satellites once they're launched. It's kind of like you get what you get when they're on the ground, and that's it. Because you only have a 10 to 15 minute window to actually patch them as they orbit around the earth, and you can, you know, switch ground stations, but switching ground stations mid-upload of a security patch is pretty difficult to do right without something breaking. So it's just easier to not patch it at that point.

SPEAKER_00:

You know, it's really smart to start thinking about the post-quantum world and how we're gonna secure those things. Because one of the things that I've been seeing is this fear that a lot of the threat actors are trying to have these data grabs right now. Maybe they can't crack into them and get that, or even with blockchain or something like that, but they're just having it and keeping it on some server somewhere, because space is so cheap, and then just waiting until the current encryption is cracked through quantum computing. And yeah, it's gonna be really interesting. So I'll put on my futurist hat here for a minute. What I would look for is: what organizations are already thinking about implementing the zero trust framework like you're talking about? Which ones are already looking at quantum-resistant algorithms, or, blanking on the word, whatever, like the NIST guidelines that they have? Apple and Signal are two companies. And the companies that are using this post-quantum, quantum-resistant security, they're the ones that are going to be less targeted in the future. And from a user perspective or a vendor perspective, you're gonna want to trust those organizations more versus organizations that are just focusing on other things. And it doesn't matter who's gonna crack quantum first, whether it's gonna be China, or the United States, or the United States in combination with the EU, you know, it's just coming down. It's a very real concern that unfortunately, like most of the focus is on all the big fires and all the current drama, the fire that we have to deal with.
Dealing with quantum and understanding it, from both security perspectives and other perspectives, is a must-focus that is not urgent yet. And so it's actually a really great example of why you want to think about the future. Do you want to wait until quantum is a huge fire for you, or do you want to have a little bit of a plan so that you're not taken by surprise when there is a pretty radical quantum breakthrough? You know, there will be news stories saying that quantum computing's been reached. And then, of course, all the hackers and threat actors, and even the nation-state threat actors, are going to start using it for all kinds of stuff. It'll be a whole new paradigm shift.

SPEAKER_03:

Yeah, as part of my research, I'm talking with a lot of experts in the field, of course, and all of them pretty much agree on the same thing: companies are kind of downplaying it right now and they're waiting until the last minute, when their urgency should actually be right now, because of the amount of work that is actually going to be required to prepare their organizations for the newer algorithms and whatnot, right? And so a lot of places are gonna be in a situation where, in seven years, when it's actually real present day, they didn't prepare at all, and now they're in a mad dash to get it all done, right? Which is interesting, because the other side of it is, oh, we've been told for the last 20 years that quantum is five years away, or whatever it might be, right? But it's a little bit different when you start throwing quantum on the satellites, and then you're using those satellites to connect to ground stations as it orbits, via quantum, like China did. Or at least what they claim that they did. It's a little bit different when that becomes a reality, because it's like, oh, this is being used. This is real, this is no longer theory, you know. And one expert was actually telling me, a lot of people are looking at the wrong thing to determine if quantum is mainstream yet or ready to be used. And, you know, I don't want to give away everything from my research, right? But he pointed out one key thing, and he's like, everything else just doesn't matter. If we get this one factor working, everything else just corrects itself. And he's like, and that's what I'm focused on, right? And he literally told me, he's like, yeah, it could happen tomorrow. I say five years because I think it'll actually be three, but I give myself more time to actually make it happen.
But it's interesting, because it's a completely new field or new domain within security. Even when I'm reading these research papers on how quantum cryptography works, I have to read it like 10 times and then go talk to the person that wrote it, and the person that wrote it still isn't quite able to explain it to me as, like, a high schooler, right? Or a grade schooler. And so it's like, okay, well, this thing is so complex that it's going into truly uncharted territory.

SPEAKER_00:

You know, I think what we've ended up landing on... people are always like, what does a futurist do? How do you know what the future is? Everyone wants a prediction of what the future is. We've just been talking about a future right now, one that is gonna be really, really important. And unlike, you know, AI or the metaverse or pick whatever most recently hyped technology, this is really serious and is gonna have a really serious impact. And it's interesting that it's not being taken as seriously as, say, the metaverse or AI. But in futurist terms, I would call what we are talking about right now a pocket of the future in the present. And you're deep in research, talking to folks for whom this is their day-to-day present, and you're thinking about this, and I study this as well. But that's because we're attracted to this and we're interested and we're living in the future in this little moment. And that's why, like William Gibson has a quote: the future's already here, it's just unevenly distributed. So we're in one of these little unevenly distributed pockets of the future, and we're like, why aren't more people paying attention to this? Because they're living in some other pocket of the future, or maybe not even the future in the present, whatever, you know. And also, Joe, this isn't the only big future thing that might be happening. It feels like that to us, and probably to you because you're deep in that research. But other people are looking at other things, and you gotta realize that they're focused on other things, which is another point. It's like, no one's in control of the future. No one can say, this is gonna happen, and I have all the resources and I can make it happen. Because you're specifically researching quantum, you're looking, and there's a whole lot of stuff happening.
There's governments, there's private companies, there's nation states, there's organizations, there's your impact with satellites, there's impact with other things. Even within this topic area, there's a lot going on. And so none of the people and the players in that space have control over the trajectory of how quantum's gonna unfold into the present moment. And that, I think, is a really important understanding. The future is this kind of fluid, movable thing, but we can influence it. You and everyone you're talking to in quantum right now have a tiny bit of leverage points. You can kind of leverage it. You were doing your research, highlighting your points. You're gonna be able to say, these are the things you might want to have. Recommendations; you definitely will probably have security recommendations for your security friends. And you might be able to positively influence the adoption of quantum-resistant technology within your circle. And that's you being able to take this knowledge and influence the future. And that's what I'm trying to do: helping people understand how they can be empowered by knowing this stuff. And I didn't expect to come in and have such a clear case of: you might not think that you are working on and influencing the future, but you really are, in this specific area that you're passionate about. So that's awesome.

SPEAKER_03:

Yeah. Yeah, no, it's definitely interesting. And I have a bad habit of, when I get bored, I start trying to challenge myself and learn new things and whatnot. And so I think that this is kind of what came of it. But you know, Heather, we kind of just dove right in, right? Without telling your background. What's your story? What made you want to get into the IT field overall? And it sounds like you're a bit specialized with security, but with some other things as well, being a futurist and whatnot. And I want to hear all about what that is and what that means.

SPEAKER_00:

Okay, so I'm gonna try to keep it short, but I can kind of be a talker sometimes. When you asked me what got me into this: well, I landed in San Francisco in 1996, and my first job was at a startup. And so I kind of just got started into that. And then one of my favorite films that came out shortly afterwards was the original Ghost in the Shell. And that is set in Japan, it's a little bit of espionage, really questioning the human identity, the technology identity. And I've always been really curious about how technology augments and extends and helps us create our personal identities. And so I've always been on the internet. When I was in college, my first website was in 1992, 93, and I had to learn how to code HTML and upload it on a VAX system and stuff like that. Then doing HTML and Movable Type and blogging, all that kind of stuff in the back, so understanding how all that goes around. I worked in tech, and I always found myself attracted to companies that were doing cool new things that were ahead of their time. They were ahead of their time in that they were not financially successful when I was involved. Oftentimes later they would be really successful. I was a DHTML evangelist in 1999 and 2000, which ended up being Ajax. It was a whole new way of how do you build the web and how do you build interactive web technologies that had a different type of relationship between the client and the server, rather than back in the old days, when you hit a new web page, you hit the server, it recreated the web page from scratch, and so you'd have long load times. Anyway, this technology really changed it. So it wasn't just about the new technology and what it could do, it was getting people to adopt it and realize that, oh, okay, hey, we're gonna adopt it and it's better and it's gonna be more improving.
Let's fast forward. I got tired of working for startups that were ahead of their time and not making any money. So I tried to figure out what I could do where I could stay naturally attracted to the future. And I met someone at a conference, told them what I did, and they said, you're a futurist. I said, that's crazy. What's that? And then a couple of years later, I went back and I got my master's of science in strategic foresight. Strategic foresight, or being a futurist, is both an art and a science. It is both studying research and then putting patterns together, understanding patterns, looking at trends, extrapolating them out into the future, creating little stories about the future, understanding that the future hasn't happened yet, and that if you understand certain trend lines, you might be able to influence them. Why would you want to do all of that? I say because you might want to make better decisions in the present moment. I like to use the nerdy analogy: being a futurist, or teaching someone to think like a futurist, allows you to see the Klingon ship decloak just a little bit sooner than everyone else, so you can react to it. It's almost, in some ways, like how you do tabletop games in order to be familiar with different scenarios, so when you do have an incident come up, you don't freak out, you're a little bit more relaxed. Well, you did the scenario planning; you think about these scenarios in order to understand what the future could be. So as you start to identify, it could be like that, or it could be like that, and then say, oh, is that what we want? If you're working for a company, or in security, a specific security thing, you could say, okay, well, if this thing shifts, that might mean we're gonna get more attacks here, or more impact here, or more attention or scrutiny here. So we can watch that trend and see how that might happen.
Unfortunately, not a lot of people have the kind of bandwidth to be able to think that way, because we're just so busy dealing with fires. I officially got my re-entrance into cybersecurity as we know it today in about 2014 or '15. I was doing a project for the US Army; it was about teaching with a future teaching module. And the topic that we used in that teaching module was cybersecurity, because, you know, cyber warfare is the biggest warfare that's happening right now. And in the process of going through that, of course, I was watching all these DEF CON videos, and I came across Chris Rock's... what was it? How he hacked into a country? And I thought, who's this crazy guy? This crazy, audacious guy. Like, what the hell? Is it for real? This just sounds too crazy. So, of course, I had to learn more. A few years later, fast forward, I partnered up with a friend of mine, Bob Blakely, and we wrote a paper for the New Security Paradigms Workshop, which basically took all my strategic foresight methodology and applied it to cybersecurity. And I just pulled it up over here. It's called Shifting Paradigms: Using Strategic Foresight to Plan for Security Evolution. Because I had this theory. I was like, okay, if we can anticipate what the future could be, maybe I could help security folks secure things better. And so we came up with all these scenarios, and I came up with 12 new paradigms based on old paradigms. I'm just gonna pull up a few of them, because they might be interesting. My proudest moment with this is that we did this research in 2017 and '18, when we were looking at security in 2038. And at that time, one of the paradigms that was just taken for granted was this idea of usernames and passwords. And this is also a huge attack vector, because everyone wants to steal credentials to go do bad things with them. And so at that time, I had the concept of having no more passwords. And interesting.
We were talking about using zero-knowledge proofs and biometrics as a way to potentially reduce the use of passwords and have something that's more secure and more difficult to, you know, have credential stealing. Back in 2018, it was crazy. Why would you... no one was talking about no passwords. That was just the way the world worked then. And now, you know, we have a lot of different options that aren't passwords. Magic links, zero knowledge, security at the edge, new concepts. And that was interesting. Some of the other old paradigms and new paradigms that might be interesting: the user is the weakest link in security, and in tech, we always like to blame the user. Blame it. They screwed up, they forgot their password, they put their password on a post-it note. But what if we built security that actually augmented what humans are really good at, instead of fighting with our human experience? Anyway, I could talk more about that, but that's kind of how I got into it. And yeah, I've written some books. I also like exploring spies and espionage, which kind of was on the edge. Also really curious about studying disinformation and misinformation and psychological manipulation and social engineering and everything, though. What I look at is, I'm motivated to have people be empowered to make more conscious decisions and have more conscious awareness. And hopefully give all the people, like you and people who are listening to you, extra tools and powers so that you can be heroes in your own areas, because we can all influence the future in very different ways.

SPEAKER_03:

Yeah, that's interesting. You know, when I think back in my career, when I was trying to do some work that would prepare my team for the future with a solution and whatnot, I remember very clearly, right, I wanted to put all of our work on hold and really optimize the rules that we were putting into this one particular tool. Because we were seeing a lot of performance issues, and our rules were very inefficient. And my argument was we should probably have, I don't know, maybe 25% or 20% of what we actually have. That would reduce it to 50 rules, compared to the insane amount that we had. And part of it was actually me having the vendor's top architect come into the environment, review every single rule that we created, tell us what the most efficient ones are, tell us which ones we can get rid of and how to do it, and everything. And when he did, he came back and he said, yeah, you guys only need like 25 rules to do everything, and you guys have over 800 at the time. And the issue was that my manager didn't really see it that way. He saw it as, well, we need to keep pushing forward and we'll correct it as we go. But at the level of work and effort that we were putting in for current ongoing initiatives, there was no way that we were ever going to go back and actually clean it up or anything. And I eventually left that company, and I still kept in touch with people that were there on the team and whatnot. And the one guy that was left on the team told me, he goes, hey, we're finally doing the cleanup. He's like, well, I'm actually doing the cleanup. And I said, oh, okay, let me know how it goes. And like 18 months later, he says, I finally got done. Now we're running really efficiently.
And I mean, we had so many issues with the solution, just because it was running so inefficiently. You would make a change, and it would take two to four hours for that change to actually take place, unless you went into the SQL database and manually triggered it.

SPEAKER_01:

Wow.

SPEAKER_03:

It's like, guys, you understand that this is a really bad way to interact with a SQL database.

SPEAKER_00:

So, okay, well, clearly you are of a futurist mind. I can tell with your quantum, and this. It is very hard to make the case for a lot of executives in traditional organizations. And that is unfortunately because they are just really dealing at the fire drill level. I mean, I know thinking a little bit about the future opens a little bit more capacity. I guess if I were to have to pitch this, I think maybe the most successful way to pitch this would be about increasing internal resiliency. Increase the resiliency of your systems, right? Because in the example you brought up, the tool product wasn't running efficiently. And I don't know, if something had broken or gone wrong, maybe it would have been really bad, right? Whereas if you had just done a little bit of cleanup, just allocated a little bit of time to do some of these proactive resilience-building things, then you're gonna be able to absorb and recover faster from stuff that might come in to try to knock it off. And I think so much of for-profit organizations are just maximizing the efficiency so much, for profit. And when you're maximizing for efficiency, you are taking away from resiliency. And efficiency is great because, boom, it does that one thing really efficiently, but efficient things are also fragile and not always flexible, and so if something in the world or the system or whatever breaks the thing that this was made efficient for, you've lost all of it. And so I think it's really interesting that maybe we're seeing a little bit of a comeback to some resilience, a desire for resiliency.
And I think government and the military maybe get a bad rap for not being very efficient, but they are very resilient, highly resilient, and they have to be. Military and government, they do think about the future, because the future of the country, the future of democracy, the future of free market capitalism, that's all stuff that, you know, the United States protects. Not just the borders; it protects our beliefs, free thinking, that kind of stuff. And that enables capitalism. And so I do think, like, I've worked both in the private sector, for big companies, transglobal companies, for startups. I've worked on government projects, I've done European government work. I think there is a lot that the United States private sector could learn about resiliency from government, versus taking private sector fragile efficiency and forcing that on government. I do think some government stuff can be streamlined. And I think we are starting to see some of that with the adoption of new identity technologies. It takes forever, but that's what you get with resiliency. And bureaucracy also generally has a level of transparency in the leadership levels, and even the military has transparency: you know the route you're gonna take to get promoted, or you know what you need to do to be promoted. It's not secret. Well, you don't always know that in the private sector. You might be like, why'd that person get promoted versus someone else? So it's interesting to see how these different agencies and organizations work, like the private sector corporation versus a government agency. And what's more focused on security? You know, security is a cost area for the private sector. For government, no, that's just part of it, and for the military, that is what it is, it's security in a way.
So I think understanding all of that, yeah, and learning. It's not like one is better or worse, it's not like capitalism is bad, and it's not like AI or quantum or humans or technology is bad. It's about knowing what's the best tool for the job. And sometimes the human's the best tool for the job, and sometimes technology is the best tool for the job, and sometimes having a free market is a great way to get great new products. And sometimes you need, you know, a very resilient base to have security for everyone.

SPEAKER_03:

Yeah, it's fascinating that you bring up resiliency, right? Because, I mean, obviously, I don't plan anything, right? So we didn't plan to talk about resiliency or anything like that. But yesterday, you know, AWS had probably their biggest outage ever, that impacted something like 80% of the internet. So for most users, it was 100% of the internet that was affected. And it is so absurd to me how many people just fully rely on AWS us-east-1 and put all their stuff into it, when AWS makes it actually pretty easy for you to make your things redundant across regions. It's not terribly difficult, and I talk about it all the time, right? Because a couple of years ago I actually got the AWS security specialist certification. There's a whole section in there that just drills into high availability, redundancy, disaster recovery. And I mean, you have to know those topics inside and out with AWS. You have to be able to be presented with a failure somewhere and say, yeah, it's a failure there, but we have to look at this problem all the way over here that no one else would look at, right? And the government actually does an extremely good job of this. And I've told this example before, because early on in my career, I managed all of our government clients for the company that I was working for. And so that included me going on site to some really cool places that the public doesn't even realize are there.

SPEAKER_00:

You know, and so you have your fingerprint scanned to get in.

SPEAKER_03:

That's like the lowest tier facility that I was at, right? So I mean, at this one facility, I was in the middle of the mountains, and I think it was in West Virginia. And this facility is just tucked away in between mountains. It's a giant facility. And I'm walking through and I'm asking my handler, why are there so many people here? Because the building is literally as long as you can see, right? You can stand at one end and not see the other end. And there's these huge modules of people. I mean, rows of like 50 to 100 people in each row. And I said, is everyone really working on something different here? And he goes, yes and no. All of us in the same row have the same skill set. We can do each other's job with no issue. It's not really a big deal. But we are all working on different things, and we don't know what the other one's working on. But if they came over to one of us and was like, hey, the guy across the aisle from you is no longer with us, you have to do his job and the stuff that you are doing, this is what it is. All of them can do it. And within each module, they're only working with one tech stack. And the tech stack overall is servicing the underlying infrastructure of whatever servers and data they're protecting and whatnot. Well, each module has its own completely separate tech stack. So for instance, one module will have an Avaya phone system. The entire thing will be Avaya, and it will be scaled to the point where everyone in the building could run off of this phone system, but only one module is actually running off of it. And then the next one over is all of the competitors of that tech stack. All of them. Cisco, everyone is in that next one. And then it just keeps on going down. Because to them, they're like, we're gonna have high availability, high resiliency across absolutely everything.
We're gonna get the top five products in every single category that we need for a tech stack. We're gonna buy them all and we're gonna deploy them all, we're gonna hire the experts in, they're gonna be in-house. That's the sort of stuff, right, that organizations should be thinking of. When I go into that building and they're asking me how high availability works for my product, and then they're asking me what the limitation of it is, their response to me was, okay, well, let's do five-tier high availability for each module, right? So we're gonna put 25 of your servers in here. They're all gonna be servicing different modules. We'll have five tiers of high availability. And they did not care what the cost was. It was just straight up, didn't care. Send it over. And at the end of the year, they would always ask me, is there anything else I could buy from you? And I'm just sitting here, like, guys, you buy literally every single SKU we have. There isn't another thing you can buy. And they're like, well, can we buy more of it? Okay.

SPEAKER_00:

They probably had an extra, extra budget. I think that's probably one of the things that was like really so surprising to me because I kind of started the early part of my career working for startups. And all the folks that started the startups, you know, the founders, they all came from the same tech private sector area. And then I did some projects for the government, and it feels like it's not efficient. And in fact, for a while, I was like involved with developing and designing decentralized identity, which was a new type of technology designed for privacy, private data sharing, and securing and stuff like that. But there was a whole division inside of DHS that was looking to fund startups developing this technology, and their attitude wasn't we're gonna just pick one. Their attitude was like, we want to support the development of this industry, so we're going to give money, we're gonna fund, you know, five projects of X amount, and in order to create a robust marketplace, so that marketplace will compete with each other, and they will end up, and us consumers will end up with a better product because they're helping all of these startups in order to create similar solutions using uh this technology, but might want to build different products. Like that's kind of like the best way of using capitalism to have an idea, to develop it, etc. You know, and it's very, you know, you win if you make profit, right? The money is the win way. But we like end users win from this, and we don't use any, we don't invest anything into it. And the government wins because it ends up having like the best, most innovative things come up versus like, oh, say you only like invest in like say Microsoft products or like everyone's on Amazon Web Services, you know, like that. Like the diversity is critical to the success because the competition, in order to compete, you become better. 
So it was just kind of like really interesting to see this relationship between how the government enables this competitive marketplace that we then all win from. But then like the private sector has no doesn't even see this. They are only really focused on winning in their stack or whatever their product area. And so I feel like again, like private sector could like have a little bit of more awareness of where they fit in the overall scheme of things. You know, it's not I'm not saying that they shouldn't make money. I mean, money, you have to make money to survive. That's that's the currency of the realm. But there's more to these technologies than just profit. And I think there's some other business models that kind of explore that. So it's just really interesting to see what comes. And also, you know, the internet and the government, like some of these projects that you might think, what's the how are you gonna apply this? I mean, you know, I was on some, I was, I was on the internet really early days, had no user interface. It was you had to like dial up, dial into like a BBS, you know. But it turned out to be like now I'm in my office, you're in your office, and we're recording a podcast, you know, through that same technology. So it's it's kind of cool 30 years later, something like that happens. So the way the technology evolves is not a direct path. And that point from today, that trend extrapolated into the future is not a direct path either. So you can kind of have an idea of what the future could look like in some ways, but it's really just more of like a feeling, like, oh, it could feel like that. Because then when you start, if you're familiar with some of what those futures might be, and I'm thinking about some of the futures that we put in our cybersecurity futures paper, that then you can better respond to it. Oh, I just remembered something. 
One of the things that resulted from this paper that I'm working on, I'm working on I'm writing a new book, Cybersecurity Futures Playbook, kind of more of a playbook model of if you are in cybersecurity, you want to apply some of these ideas, this would be like a playbook for you. So we have like variables, like general variables when talking about the future. But working with Bob on this paper, we ended up coming up with cybersecurity variables, cybersecurity specific variables. And of course, we totally like got very detailed, like a lot, they're like 20 or 30, or like I just added like 10 more. But at a high level, they're basically like attack surface variables. Are attack surfaces increasing or decreasing? And you can talk about specific attack surfaces like quantum or IoT. Attacker effectiveness: are attackers more effective and successful at getting through? Or are they not as successful? Is their effectiveness going down, aka we're better repelling them or securing? And then defender effectiveness. So is defender, are defenders better able to increase their effectiveness, or is there like a new technology that's causing the defenders to not be as effective? I think AI is really interesting in this case with deepfakes that enables threat actors, but AI is starting to be explored to see how it can be used to kind of help identify pattern recognition to make things more secure, make make it better for defenders. It's not just, you know, the magic, magic key for attackers. So those kind those kinds of variables. And I really want to get some feedback on how these variables, the concepts of these variables, like attack surface, attacker effectiveness, defender effectiveness, how they could be used like for you or for other people that you're listening to. And that's one of the reasons why I'm I'm realizing like I need to write this book and then get it out there. 
And I'm interviewing folks so that you know to see if some of these theories can practically improve your guys' ability to secure things.

SPEAKER_03:

Yeah, it's it's interesting, you know, because I've um I talked to a lot of experts and it's pretty well just like kind of recognized that most companies you know secure their environment pretty well, right? Like most, the vast majority of them will, you know, put the funds in, get the right tools, deploy it, configure it properly, and everything else like that. And so attackers realize that. And attackers, you know, realize, okay, if I'm gonna actually attack this company, it's gonna be a huge amount of resources if I do anything, you know, kind of like technical. And so they're resorting to other, you know, social engineering methods, right? Like you look at the the Caesars Entertainment breach or the MGM breach, whichever one it was, I think it was Caesars, where they just called up the help desk and said, Hey, I'm locked out, I need to reset my MFA token. You know, can I reset my password? I just don't remember what it was.

SPEAKER_00:

But like the t the Twitter hack, the Twitter one that happened like you know, probably three or four years ago. I was super impressed by that one that people got in and like changed people's names and yeah, no, it yeah, but yeah.

SPEAKER_03:

Yeah, it's really relevant too, right? Because I I was working for a company and it was it was a regular occurrence that the CEO would call up the CFO and say, hey, send X amount of money to this account, like we need to fund, you know, this thing or whatever. It was a it was a pretty regular thing. So the security team enacted. Yeah, so so the in the security team enacted a a passcode that rotates every month or every week, whatever it was. And you know, they they just told the C the CFO, like, look, if you if we figure out that you don't request this passcode or if you do it without the passcode, it doesn't matter if the CEO remembers it or not. Like you have to get this passcode, and if you don't, you're fired the next day. Like the next day, you are fired. It's done. It was written into his contract. And so, you know, one time, actually, an attacker, you know, called up, deepfaked the CEO's voice, which is very easy. They just get some earnings calls, you know, recordings of his voice, mimic it. Sounded exactly like the CEO, looked like it came from his number, right? And the CFO was was good with everything. He's like, okay, send this account. It was like 15 million to this account. He said, Okay, what's the passcode? And they couldn't figure it out. They it was completely threw him off. And he said, like the CFO was like, okay, I'll give you one more try with the passcode. And if you can't do it, we're ending this call. And so they couldn't do it. So he ended the call, and then he like forwarded the thing on, right? Like how he should. And sure enough, I mean, it was an attacker, and that was the only thing that was keeping them from it. Because, you know, my paranoid mindset is like, okay, well, what if everything else fails? Like, deepfakes are brand new. Surely an attacker wouldn't be using a deepfake. Like, well, no, let's assume that they are, right? Like, let's assume that they are, let's assume that they're competent. 
Let's assume everything else fails in the environment. What's the last thing that we have? You can request something, you know? And it just rotates regularly. So like the CFO even has to like go look up what it is, you know, at times within a secured document, within a secured server and whatnot, right? Wow. But like being able to think ahead and you know, kind of outsmart or outwit these attackers, because like these guys, I mean, I guess I am one of these guys to some extent, right? Where it's just like you see a problem and you see it as a challenge, and it's just like, okay, I'm gonna spend an in like abnormal amount of time thinking about this, testing it. Like, you know, I can't tell you the amount of times or amount of hours that I've spent, you know, testing out different things just to see if it would work, and the thousands of failures that I had. Like, for me, that's just another day, and people think that they'll just eventually stop. It's like, no, these guys, when they're set on something, like there's no stopping them. When you pay Chris Rock to go hack into a country's water system, he's getting in, and he doesn't really care how he does it. Literally, the mindset of an attacker, and I think I think it might have been MGM, it might have been MGM or Caesars Palace where a couple years ago, right before DEF CON, he said our our network is too secure, they're never gonna attack us, you're totally secure on our network. And it's like, dude, you've obviously never spoken to a hacker before. Because if you use those words with us, like we have an unlimited amount of drinks. Vendors at DEF CON, like if I just go say, hey, I work for this company, buy me drinks, they will buy me an unlimited amount of drinks. And if I want a bottle of something, they will go buy me the bottle, right? With that, and you just challenged the top 40,000 hackers in the world. Like, we're going to get in. 
And then sure enough, they got breached and they were down hard for like a week and a half, all because this guy challenged us, right? And then we came back and we did the next year and the year after that, and the the CISO got fired after the first breach, you know, like it was insane.

SPEAKER_00:

I think that's like a lot of people. I did some, I did like a research survey once on hacker motivation because I was with this group of people and they were always like, okay, so they're doing it for the money. And they're needing to do it for fun. I'm like, and I'm like, I know some of these people, I don't think they're only money motivated. I think some are. And yeah, it turned out that there is some people who are money motivated, but there's fame motivation. There is doing it for the lols, you know, because you're challenged, like what you're talking about. It's like, I think this is part of like understanding like the human nature of like the type of people that are drawn to security, you know. Like you're talking about, like, I mean, I've had that itch where it's like you're trying to figure something out, and then it's like you're I'm like about ready to give up, and then I'm like, no, I will stay awake for the next seven hours and figure out how to do this one thing, you know. There's like something that snaps in my brain that like goes from being like a normal person to not a normal person. It's like, I want to figure this out. And so I try to stay on the the line of the normal person line. But I think that it's great to have that type of perspective and that kind of neurodiversity of the different way of seeing things. Like, I mean, those are spies, those are people who are trying to do social engineering, people are trying to secure things. You gotta think that way in order to outthink the bad guys, who are, I think, just some of the most creative people out there. Like, I see what they do as in a way, well, this is very positive framing, you know, as a way of they're actually helping us make our systems more secure.

SPEAKER_03:

So yeah, no, it's it's interesting. I mean, some of the people that I've had, like I jokingly say it, but they even agree with me, is that it's it's literally a national security threat if these people get bored. Like, you know, there there needs to be an organization that just keeps them busy all day long so that they can't figure out how to like you know hack airplanes while they're mid-air on the plane and start to turn it and whatnot, and I'm gonna spoof all of the digital controls in the cockpit, you know, so the pilots don't know, right? Like I've talked to I've talked to someone that did did that allegedly. I'm sure he'll be pissed off if I don't say allegedly there. But it's just like it's just you know, you get bored and your mind starts going, oh well, how does this entertainment system hook up to the internet? What else is hooked up to that internet? You know, like is there another way to pivot through and whatnot, right? Like it starts going through that section. You know, like like you said, right, with the with the spy aspect of it, I feel like the agency really cultivates that sort of mentality as well. And I've talked to some former spies on the podcast, and you know, they they tell me the same thing that sometimes when they have a big target, they start arranging things and start, you know, kind of preparing their target in you know non-recognizable ways for when they interact with them, you know, like they make sure their target, even though they've never talked to them before or anything, gets invited to this party, right? Or gets invited to this thing, and he knows that he has, you know, some sort of you know, addiction or f or affiliation with something that he can entice them with to gain his attention, right? And shift the conversation in a way that makes it feel like they're not betraying their country. Like Jim Lawler explained it to me. 
He said, you know, the vast majority of people are actually good people, you know, like if you look at like the Iran nuclear scientists, I mean he and he literally said this, you know, if you look at like the Iran nuclear scientists, they don't think that they're on the bad side, they think that they're just building, you know, a solution for their country that they love, and they they don't believe that Iran would use it on anyone, right? They're just building it to secure their own country's future. And you know, he he said that he would always approach the conversation from just level setting with them. It's like, hey, yeah, I don't want the world to blow up. I'm sure you don't want the world to blow up. You're the one designing the bomb, and I'm sure you don't even think that that would ever happen. Well, let's you know, kind of make sure that that won't happen. You know, can you just tell me a little bit about this facility or anything? You know, like and that's how they they tie them all in, right? And it makes a lot of sense because you kind of disarm them before they're even able to know that they need to put up defenses, right? Like you you're disarming them when they're in Iran and not in Switzerland, for instance, or Zurich, right? You're disarming them there, where they're like, Oh, you're invited to this party, you're this really smart guy, we need you to talk at this thing. It's like, no, the agency is putting it on, they're hosting it. They invited you, they invited you from someone that you already know that you expect things from, right? It's just it's a fascinating way of doing it. It's the same thing with social engineering for hackers. You know, I'm approaching the help desk as this person. Maybe I sound like that person even. Like you mapped his voice, great, because I have his voice already locked in. It's already in my deepfake, it's already making the call, you know, all those sorts of things. But it's a it's a fascinating world for sure.

SPEAKER_00:

I feel like we can keep talking for hours because I even told you this work I just finished on research security, which like forgot that I've like doing. And also in my free time right now, I'm actively writing a spy espionage, a Cold War spy espionage screenplay. So I just feel like we could keep talking about this for forever, but but we've been going for a while already.

SPEAKER_03:

Yeah. Yeah, we're we're unfortunate, unfortunately, at the top of the time. And I apologize for going over. I'm normally a lot better about staying on time.

SPEAKER_00:

I think we're having so much fun. Like this happens to me with all my pretty much every conversation. We just get going into something about the there's just so much fun stuff to talk about.

SPEAKER_03:

Yeah. Well, you know, that that just means that I'll have to have you have you back on sometime, you know.

SPEAKER_00:

Yeah, well, anytime. Anytime, Joe, just let me know. It's pretty, pretty easy talking.

SPEAKER_03:

Yeah, absolutely. Well, you know, before I let you go, how about you tell my audience where they could find you if they wanted to connect with you and maybe where they could find some of your research papers or your books that you know you may have put out there.

SPEAKER_00:

Yeah, great. So you can find me on LinkedIn. That's kind of my more curated professional identity. So it's, you know, how we all are on LinkedIn. But I post about a lot of different stuff up there. I also have a Substack, it's cybersecurity futures on substack.com. And I kind of try to keep that on cybersecurity futures related, although I'm writing this espionage spy espionage screenplay, so I might kind of talk about that or movies or things I'm watching with that. I've got some books on Amazon, the cyber tech survival manual, which probably will be extremely boring to everyone in your audience. You probably all know everything in it already. It's more for like giving it to your mom or like to someone who is not like us that doesn't know about it. It does have some really fun stories in there. This audience also might really like this book. I co-wrote a little bit, is The Secret of Spies. And it's kind of a tabletop book, great photos. You can open any page. There's some stories, it's all about spies and espionage. And I did I did a lot of the writing in the book, but I also did the final chapter, which was the future of espionage. I put on my futurist hat. So when they brought me on to do that project, I was like, There's no futures in here. What's that? So my uh shifting paradigms paper, which might be interesting to folks, is called Shifting Paradigms: Using Strategic Foresight to Plan for Security Evolution. It came out in 2018. There's a copy on ResearchGate. If you connect with me on LinkedIn, uh you want to know my work, I'm happy to share it. I'm also very searchable. Although my blog of 21 years just got taken down because of miscommunication. So I am trying to come up with a new website with all these materials and stuff. So there. So much information can overwhelm. And yeah, if you are curious or your audience is curious about any of the things we've talked about or like the future, please just reach out. 
You can get me on LinkedIn, say you heard me on your podcast. I'm always down for having conversations.

SPEAKER_03:

Cool. Well, awesome. Yeah, it was a great conversation. And everyone listening or watching, I hope you enjoyed this conversation. And if you want, you know, feel free to pick up Heather's books and reach out if you want. Thanks, everyone. Thank you.