Episode Transcript
[00:00:00] No visibility equals no security. I can't secure things that I don't know.
[00:00:05] You're listening to Protect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity.
[00:00:17] Get ready for essential strategies and insights.
[00:00:21] Here's your host, Aaron Crow.
[00:00:25] Hey, welcome to the Protect It All podcast. This is, this is a, an interesting episode. Obviously, it's a solo episode. There's so much going on in the news with, with the change of administration. And just to be clear, this is not a political conversation. This is about cybersecurity. This is about challenges that we, we face. And, and, and things are not always as easy in black and white as they may appear. So all that to say, we're going to dive into a major cybersecurity dilemma that everybody's talking about. How do we hold governments accountable without compromising security? What happens when global policies force tech companies to break encryption? How do we, how does this trickle down from national security to your personal devices, from trillions of unaccounted dollars to backdoors in your phone? This conversation is not, again, is not about politics. It's about cybersecurity risks that we all face, whether you're a business leader, a cybersecurity professional, or just someone who values privacy. And we all expect a level of privacy on our home devices, on our personal devices, and in, in life in general. So with that, let's, let's dive in. Stick with me here. Right?
[00:01:44] So the U.S. Department of Defense hasn't passed an audit in years. Trillions of dollars unaccounted for.
[00:01:51] No oversight, no transparency. And yet we trust them with the most sensitive information in the world. How do we hold these massive organizations accountable when we can't even audit where the money is going? And how do we do that while keeping data secure? Now, obviously, there's, there's national security risks and things like that. There's a reason why sometimes, you know, we've all heard the, the, the stories where we're paying, you know, $1,000 for a hammer or, you know, 500 bucks for a bolt or a screw or whatever. Like, we, the obvious reason behind that is because we can't exactly say where all of that money is going, because if we did, then our, then our adversaries and, and anybody that we're going against or using that money towards would know about that. And, and that could, you know, put at risk people, whether that's our, our, you know, our operatives, our partner forces, and, and, you know, even our plans. And those things can be an issue. All that to say, though, that doesn't mean that we can just open a checkbook and, and, you know, run it into the ground. Like, there has to be some level of oversight on those things, even if it's with, you know, the right people and organizations that are actually doing those, those insights.
[00:03:08] But again, reminding: this is not supposed to be a political conversation. It's around cybersecurity, transparency and protecting critical systems.
[00:03:18] You know, the DoD, like I said, the DoD hasn't passed an audit in nine years. Where's that money going? Why do massive organizations operate without proper security foresight? You know, and how can cybersecurity help enforce accountability without exposing data? Here recently we've had this, this new organization with a new administration, DOGE, coming in, and they have these people, some of them fairly young, coming in and, you know, diving in.
[00:03:45] Again, I'm not saying this is right or the policy is right or anything, but how do we do this in a way that we haven't done in decades? Like, we've, we've not dove into this level of, of information in these organizations. But, but take it, step back again, get away from, from DOGE, get away from, from any of that stuff. But how do we do this in a business? How do we do this? And what are the implications of these things? Right? It's not just all about diving into, you know, waste and money and all the things, but also, like, what are we doing, like, as an organization with that money and the resources and, and the, the u.
[00:04:24] These organizations exist. The challenge to me is that no visibility equals no security. We have the same problem in OT, right? We, we, we. Every time I go and I do an assessment or I walk into a power plant or I walk into, you know, a critical manufacturing environment, and I'm like, okay, what do you know about these environments? Most of the time, this, the senior leadership does not know the assets. They know there's stuff behind the OT, right? They know there's stuff called OT. They know that it's there. They know somebody, they hope that somebody has the answers, but unfortunately, they have no visibility into those spaces. And the lack of visibility, just like in these conversations I'm talking about with, with the government, no visibility equals no security. I can't secure things that I don't know. Like when I walk into these environments, you know, if I, if I'm going to build a new OT program, if I'm going to, you know, completely come in and do a large scale, lots of money, all the things, the first thing I have to look at is what does good look like? I have to know what good looks like before I could ever start saying these are the things that we need to start blocking and attacking, because if I don't know what good looks like, then I may actually end up blocking something that's good, thinking that it's bad. If money and operations can't be tracked, how do we ensure proper cybersecurity spending? It's the same thing. And again, going back to critical infrastructure, you know, a lot of times critical infrastructure, the, their budgets, their, their technology budgets are rolled into a control system upgrade. So the control vendor is, they have those cyber tools built in. Whether it's Foxboro or GE or Schneider or, or Emerson or Yokogawa or whatever, the control vendor, Rockwell, whatever it may be, they inherently bring in the cyber tools and processes that they have in their environment.
The problem is that you don't necessarily, that doesn't always translate up the stack and it only necessarily many times actually focuses on their environment. So a prime example, if I'm at a power plant, maybe I have a balance of plant that is vendor A, and I've got a different turbine control vendor and I've got a different third party control vendor and I've got, I've got like five different disparate systems and there is no single truth of all of the assets, of all the, the risks, of all the, the classifications. I don't really have visibility into how all of those things tie together. Now as a person, there is a control engineer, there is, you know, a systems person, you know, the plant manager may know that. But from a technology and a cybersecurity and even just a business risk perspective, there isn't, you know, a dotted line that really, that helps me understand where those risks are. Right. And this is the same thing that I see from all that's in the news. And again, you know, with the DOGE stuff and with, you know, diving into these organizations, that's the way I look at this, right? It's not, and again, I'm not talking about the, the method that they're using or any of that kind of stuff, but taking, putting all that aside, I would love to see some transparency. And again, I'm not expecting that they are transparent with me, a US citizen that has no, you know, security clearance to understand that stuff. But somebody should have an understanding of what's going on in these organizations. Why do they exist? What is their, what is their purpose? I was just watching a movie this morning and, and you know, the, the main character was asking this rowing team, why are you here? Well, because we're on the rowing team. Okay. But why are you on the rowing team? Well, because I have a scholarship. Right. He was trying to get to the crux of why are you here? Why did you join the rowing team? What, what is the purpose of this rowing team?
And finally it came down to, hey, our goal is to win the national championship. Awesome. There you go. Right. And everything else is to that goal. And understanding that goal really helps us to, to narrow down. And when I'm looking at it, is this task, does this align to the ultimate purpose? Right.
[00:08:14] And if it doesn't, then I shouldn't do it. Right. And if it doesn't, you know, lift that goal up, then I shouldn't focus on it. So that leads me back to kind of the next topic that's, that's been in the news. The United States has the First Amendment. The First Amendment is, you know, freedom of speech. Not all countries, many, very few countries actually have, have that First Amendment right.
[00:08:36] We, we've seen a lot, especially here recently since COVID, it's, it's really gotten a lot more obvious. Other countries, um, the UK, Germany and others are, um, they don't have that First Amendment and they're actually going after citizens for things that they post on social media or Twitter or whatever and, and holding them criminally liable for things that they say, to take it a step further. And again, this is not political. I'm not really going to fight over any of that type of stuff, whether that's right or wrong. I don't live in the UK; it's not my place to really say much about it. Where it does impact me as a U.S. citizen is the.
[00:09:19] And others are suing companies like, for instance, Apple because they want to have a backdoor into secure communication so that they can make sure that none of their citizens are saying anything that would go against these hate speech laws and things like that that are in those countries. The problem with that is that that impacts me as a citizen, as somebody who potentially has an iPhone or an Android or whatever the thing is that I have. How does that impact me? Right. And if you look at a bigger picture, what does Aaron have to hide? Like, what are you doing, Aaron, that you don't want somebody to, you know, to be able to see, you know, what's going on on your phone? Nothing. Like, I'm obviously an upstanding citizen, I pay my taxes. You know, I'm not hatefully going out and talking about people or, or anything like that. But that's not really the point. The point is, is, is I was doing a tabletop, you know, a number of years ago when I was an asset owner and we had a third party organization coming in and leading it. We had the C-suite executives in there, and one of the questions that was raised, we were doing the OT version of it, right? And, and in the room one of the questions was asked like, who is the person who knows where all the bodies are? Who's the person that, if I was a bad actor and I wanted to get one person that could, could have the biggest impact, knew where, you know, how to get into all the systems, had access to all the systems, who would that person be? And I raised my hand and I said, it's probably me. And they said, why do you think that? And I'm like, well, I know all the control system passwords, I have accounts on all these systems. I know how the security is set up. I know where the, you know, the firewalls are set. I know the, into the firewalls. Like, I just know all of those things because that's my job to kind of set it up.
And the reason they were getting at that question is like, if, if I were going to kidnap someone and take their child or their wife or husband or, you know, mother or significant other, whatever those things are, and hold a gun to their head and say, you will go break into this or you will get me access to these environments. Who, who has that access? And that, that person, I would be one of those types of people. So what, what am I getting to? The point I'm getting to is, is that yes, I don't have anything that I'm trying to hide on my phone. Like, I don't have state secrets. I'm not trying to, you know, overthrow a government. I'm not, you know, secretly a, a bigot or, or talking about people in a negative way. Anything that I'm really trying to hide. But, but what I do know is that there are things on my phone that are personal. There are things, there's a lot of personal information about my family, about, you know, my, my banking. There's a lot of things on my.
[00:11:48] Do what is not good. I don't want anyone having access to those things. It's why I do, you know, I use password managers, and I've talked about that on these, some of the episodes before, is, you know, having security around your, your world, your home network, your, your, your, your personal devices. Don't connect to, you know, Wi-Fi, guest Wi-Fi or any of the Wi-Fi, you know, public Wi-Fi, like at Starbucks or at your, at your hotel. But it really comes back to, you know, those back doors are, they don't just help the government that's looking for those things. They, they create a huge attack vector for, for hackers. Because if the United, the UK can get in, then so can bad actors. Right? That door is open. It's open like it's Pandora's box. You cannot close those things. Oh, yes, okay, well, maybe we only give the UK, but again, if there is a back door, then it can be taken care of. Right. If the UK can demand Apple's encryption keys, what's stopping China, Russia or North Korea? That, that, that's again, not a political conversation. I am not comparing the UK to any of those other places. But what is stopping those other countries from suing Apple and Google and Facebook and Twitter and all of the places, whatever that may be, Reddit, you name it. Any place that you have personal information that people can get to you. What stops any of these countries from suing and forcing them to demand a back door and the encryption keys and access in? Like, you can't allow anyone in or you have to allow everyone in. Right. Again, I'm not an attorney. I'm not trying to get into politics or anything like that. I'm really just looking at the cyber risk of these conversations. What is the risk to those things? Now, obviously it's not black and white, right? Obviously there's, there's a reason why the UK is doing this and they feel that it's the right thing to do. And again, I'm not trying to argue that point.
My biggest point, and again, really just focusing on the cyber implications of those things and how that has a bigger implication than just the UK citizens, because it's not just like a door that can open just for the UK citizens. If I go to the UK, then is my phone, do they have access to my phone even if I'm just there for a day? What, when I come back, do they turn it off?
[00:14:03] Do they have access to my phone and just ignore it until I'm in the UK? Like, how does that work?
[00:14:09] And ultimately what is the reasoning and justification behind those things?
[00:14:14] And, and the risks behind them are greater. And I don't believe that any one country has the ability to really override the risks to me and my personal data just because they think that they have access to it. Right. That's just my personal opinion. But again, it comes from a cyber perspective, not a politics or global politics or, you know, any, any of those other types of things. So again, so the key question there is, if your device has a backdoor for the government, how secure is your personal data from hackers? Right, so this trickle down effect of, we've heard of trickle down economics and again, not talking about that, but you know, how this affects individuals and critical infrastructure. So you know, from national security to personal devices, even if you don't have classified data on your phone, how much personal data can be leveraged? Social engineering. Again, we talked about the example of holding, you know, getting my kid or knowing where my kid goes to school or who my wife is and, you know, her daily, her daily routine, etc. Can somebody social engineer their way into my life and what could they use to manipulate me? Corporate, corporate espionage and insider threats. What happens when global regulations weaken encryption and security on personal devices? Critical infrastructure concerns, like if global policy mandates less encryption, how does that impact hospitals and power grids and financial systems? Right. And it's not just an encryption thing, but it's, it's a bigger conversation around the risk and, and the, the access to data and, and the access to endpoints, right? These devices and these systems and this, this data, you know, NERC CIP, I can't put data in the cloud, I can't put critical asset data in, in a cloud, or, or, you know, I have to have people that have access to that data go through training and all that kind of stuff.
But yet we're, we're going to access everybody's iPhone messages just because they're going to search for somebody saying racist or bigoted conversations. And again, I'm not saying that you should or shouldn't, just saying that's a risk and we have to be able to judge that and control that.
[00:16:18] So all this to say is just these are, these are really, really complex conversations and really complex things in the news and it's really easy to get on one side or the other of, of this conversation. Right? And I'm completely against this or I'm completely for this and you know, burn the boats or you know, put them, you know, put the people on, on stake and burn the stake. Right? It's, it's, it's not that simple. Transparency and security should go hand in hand.
[00:16:50] But too often governments prioritize control over protection and, and ultimately I believe that's just because that's the lever they have to pull. If we keep giving up encryption in the name of security and safety, we'll soon find that no one is safe.
[00:17:06] So my question to you, what do you think, should governments have encryption backdoors? I mean, is there, is it too big of a risk to security?
[00:17:16] What are your thoughts? Like, is, is, is it okay that, that the governments have access to your, your messages and there's nothing to hide and I'm just over, you know, making too big of a deal of it, or am I not making a big enough deal about it? Like, is this such a huge deal that we've got to draw a line in the sand and, and say no more? You know, everything from all of this that's going on, from Chinese espionage and, and, and Microsoft Exchange attacks, there's, there's so much in the news that's going on nowadays that we see from, you know, bad actors and state, state sponsored actors that are going after our data. There's, there's no, there's no doubt that our data is at risk and our cybersecurity is at risk. And there's also no doubt that a bad actor and an attacker, whether it's a, it's a nation state attacker or it's an individual looking, you know, to use money, financial purposes, they will come after you, right? If they, if they find an access point, they'll come after you to get to something else, right? Well, who am I, Aaron? I have nothing. Okay? I don't either, right? But what can they get through me and who can they hurt on the other side? How can they find money through me and how can they manipulate me to get something that they do want on the other side? So that's, that's the bigger question. So again, not political. Please don't.
[00:18:37] All these are Aaron's questions and, and just with all that's going on, it's such a hot topic, so many folks are talking about it. Really just want to get everybody's perspective. Let me know what you think. But definitely like and subscribe down here, definitely appreciate, you know, reach out. Love to have people that are, are more directly connected with this topic. Um, love to dive into this deeper and, and have maybe folks on both sides of, of, of the argument and, and have a deep dialogue around it. My, my, my ask and hope is that we as cyber professionals are able to look at this with, through, through lenses that just look at the, the facts and with, without putting the politics aside and, and with the goal of protecting our, our assets and our data. All right, thanks for your time. Thanks for joining us on Protect It All, where we explore the crossroads of IT and OT cybersecurity.
[00:19:36] Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next time.