Podcast: Reflecting on national cyber strategy with Tony Scott

April 26, 2023

Hosts Amy Lane and Mark Tierney talk to Tony Scott, former Federal CIO and current CEO of Intrusion, about national cyber policy and the vital role of MSSPs as SMBs face higher standards. Tony also offers ideas on easing the talent shortage, as well as his thoughts on Zero Trust and ChatGPT.

Amy Lane (00:02):

Welcome back to Into the Sphere. My name is Amy Lane.

Mark Tierney (00:06):

And I'm Mark Tierney.

Amy Lane (00:07):

And we'll be your hosts as we explore various topics in the cybersecurity and IT world. Our goal is to provide you with tips, tricks, and tactics on topics circulating the cyber world. I'll even bring in some of my friends and trusted leaders to help dissect these topics.

Mark Tierney (00:20):

Today we are honored to welcome a very special guest and a CIO, first ballot Hall of Famer, Tony Scott. Tony is currently the CEO of Intrusion, a cybersecurity company based in Plano, Texas. Tony comes to us with a very impressive background, having worked in the cybersecurity space for over 20 years for companies such as General Motors, the Walt Disney Company, and Microsoft. Prior to joining Intrusion, Tony was the founder and CEO of the Tony Scott Group, a DC and Silicon Valley based consulting and venture capital firm focused on early stage cybersecurity and privacy technologies. And if you're not impressed enough already, prior to founding the Tony Scott Group in 2015, Tony was appointed by President Obama to serve in his administration as the Federal Chief Information Officer for the US government. Quite a resume, Amy.

Amy Lane (01:09):

Absolutely. Tony is the perfect person for us to chat with us about today's topics. We're hoping to leverage his experiences you heard, to learn about differences in cybersecurity across industries, from threat actors to talent. We'll also ask him to think about the evolution of cyber and what themes and maybe some takeaways that we need to consider for the future. We hope you like this episode. Thanks for listening. This is Into the Sphere. Hi, Tony. Thank you so much for being with us today.

Tony Scott (01:36):

It's absolutely a pleasure to be here. Great to be talking with you.

Amy Lane (01:39):

I was so impressed with your experience in this space, and as we mentioned, you are the perfect person to talk to about all of the things that have been happening over the, the last 20 years or so in the evolution of cybersecurity. So looking at the different cyber incidents that happen every day and looking at how more organizations are looking at these incidents and how they're impacting them, how do you think the cyber threats have evolved over the years? And then how do you think they'll continue to shift in the coming years?

Tony Scott (02:06):

Well, great question, and I think all of us that are in this business have observed a marked change over, you know, the period of time you talked about. First and foremost, it used to require very specialized skills to mount any sort of attack. And today, the tools to, to attack are readily available on the internet. I'm not going to specifically say where, but anybody who wants to can find these and can become an attacker. And, and that's a problem, number one. Number two, the attack surface has greatly expanded, with, you know, the internet and the internet of things, mobile devices, you name it. There's just more points to attack or entry points where the bad guys can get in. And then third, you have this, what we call advanced persistent threat, which are very sophisticated, well-funded in some cases, nation state attackers, who can afford to mount attacks that a smaller group or cyber criminals couldn't do on their own.

(03:18):

And so the combination of these things has made it a, a perilous world really for many, many institutions. We've done a lot of things through technology to try to strengthen our defenses, but it's an asymmetric sort of problem. The cost to defend is way higher than the cost to attack at this particular point, and that's probably something that we're going to have to deal with in the future. The analogy I would use is it's kind of like everybody having to stand on their roof with a shotgun to defend against incoming ballistic missiles. And it's just not a fair fight in many respects today.

Mark Tierney (04:04):

Tony, you have a unique perspective, given your background even what we're, what's happening at the national level, and we've certainly seen a more active response to cybersecurity concerns, including the recent rollout of the National Cybersecurity Strategy. What new things are you seeing in that policy and how do you see that policy impacting cybersecurity programs in, in private enterprises?

Tony Scott (04:28):

Well, I think one of the most remarkable things about the new national cyber strategy is it is the beginning of a shift in terms of making that more balance in the equation that we talked about before. So there are large technology companies like my alma mater, Microsoft, and social network companies and telecom companies that are increasingly the place where, you know, this traffic occurs, where, and, and up until this point, those large institutions haven't played as a bigger role as needs to be, as they need to in terms of defending ordinary citizens and small medium business from some of these cyber attacks. And so this policy that was announced recently begins the shift to say, Hey, these big institutions that have the resources, they're in the right position in the game to affect a different outcome, have to bear some more responsibility for defending all of us against some of these, some of these attacks. That's a national imperative, we have to begin to do things to make sure we have the human resources available with the right skills and talents and abilities, to defend ourselves better as a nation from some of these. And so, again, this strategy doubles down on our need to build up the set of resources.

Mark Tierney (06:10):

So how do you see some of that trickling down even to the small and medium sized business? How do you see the, the governmental organizations partnering with, obviously you had mentioned how they're partnering with the large organizations. How is that shared or commoditized across the large organizations? So what can the small to medium sized business look for and what, what can they do?

Tony Scott (06:32):

Well, I think, first of all, it should manifest itself in better products. So all of the common tools that we all use every day ought to be more cyber resilient going forward. The networks that we use to, or the companies we use to access the internet and so on, should begin to offer more protection just as a part of the service that they provide. It's kind of like the electric company. You expect the reliable, you know, safe service from the electric company, and you shouldn't get shocked every time you touch an appliance in your home. This is sort of the digital equivalent of that, saying, let's make all of these things safer and easier to use and more protective. And so I think you can count on that. But I also see some other positive trends, which is more information sharing in industry segments.

(07:30):

So financial services organizations sharing more, in and among themselves, and also with the federal government who's charged with certain responsibilities in the protection game, and then voluntary efforts to increase the human resources. One of the organizations I always want to give a shout out to is the Girl Scouts who do a great job today of getting merit badges. I'm not sure that's what they call them, but, making sure that Girl Scouts are educated around technology and, and good cybersecurity practices. And to me, that's just a sign that this is an important thing for us to focus on as a nation, as part of our education curriculum as part of on the job training, as a part of really making sure that we have the right skills broadly across our communities to, to fight this, what I think is an existentialist threat today.

Mark Tierney (08:35):

You mentioned earlier, a lot of the comments you mentioned, I think point to the talent being, the scarcity of talent in cybersecurity or a dearth of talent and even recruiting, the way we recruit younger people to bring them into the programs and teach them the seriousness of it. Do you find, how do you find that struggle will impact small to medium size companies and what role do you think MSSPs can play in that world?

Tony Scott (09:08):

We could probably spend a day on breaking that question down, but let me hit a couple of the high points. One is, I think we have an image problem in our industry, like you have to be the super geek, you know, nerdy sort of person to be successful in cybersecurity. And the reality couldn't be further from the truth. What we need are people who have skills in a variety of different disciplines, the arts, the humanities, science, technology, you name it. But everything we do in society today is digitized in some form. And we need people who have excellent subject matter expertise and some cyber security skills in order to properly mount the kind of defenses and, and have the right conversations in our businesses and industries. And so you don't have to be a geek. You don't have to be, you know, super nerdy or any of the rest of the common perceptions.

(10:12):

But the best combination is going to be some skills in some other discipline along with cybersecurity. The second thing is you don't have to have a college degree for all the roles. And we've been a little, I'll call it, you know, nose stuck up in the air about this in some industries. And it turns out there's tons of jobs that you can get the skills and the training that you need, and you don't necessarily need to have a four year college degree or even an advanced degree to do those roles. So I think that's a sea change from where we've been, and we can do a better job in terms of tapping into members who are leaving our military as good resources to fuel our teams in cybersecurity as well. Often these folks have great training, and have exactly the kind of background that we need. And I think as an industry, we haven't done as good a job as we could in recruiting those kinds of folks into the, into the roles that, that we need to fill. So variety of different approaches here. And I do start to see that we're making good progress in some of those directions.

Amy Lane (11:29):

Even with those changes that we could potentially make in the recruiting process, as Mark mentioned, with those small to medium sized businesses that may not have the capital resources to then invest in those, that talent. How could you see working with some, someone like an MSSP or SEI Sphere, how would you encourage those small to medium businesses to look outside their own four walls, to have those resources be available to help them in the cybersecurity space?

Tony Scott (11:55):

Well, and I think the business that SEI is in is a great remedy for, for that very problem. I think organizations of all sizes are going to have to look to MSPs and MSSPs to, to solve some of these problems. You know, when I was in the federal government as the federal CIO, I saw this problem firsthand. We had big agencies, Department of Defense, the Department of Education, you know, the Department of State and so on, who are very large organizations, health and human services. Any of these would be a Fortune 50 company if they were standalone. And, you know, tens of thousands of employees, big budgets, and they could afford to build an internal cybersecurity team. And we had standards that we were expecting every agency in the government to meet in terms of, you know, their capabilities and so on.

(12:56):

But you had really small agencies like the Marine Mammal Commission, you know, there was a couple of dozen people, that just was never, ever going to have the resources to mount the kind of defenses that they needed to. And yet were being held to the same standards as the Department of State or the Department of Commerce. And, and so the, the only answer in a case like that is to, you know, go hire a good MSP or good MSSP to provide the services that you need. And I think many of our businesses are in exactly the same situation. And I think it's one of the responsibilities if you're in management, you gotta ask yourself the question, look in the mirror really hard and say, you know, is this a capability that I should develop on my own? Or can I go find a competent partner, you know, to, to provide this service for me? And I think increasingly I know what the answer to that question's going to be. It's going to go hire somebody who knows what the heck they're doing, and that's their core skillset.

Amy Lane (14:06):

I was going to turn it back to the national cybersecurity strategy that you, we kind of talked about a little bit. We, we touched on it just briefly, but I know you mentioned that you had experience drafting some of that with the, with the government. And you correct me if I'm wrong, but from your take and the experiences that you've had in your past, how did that shape what this national cybersecurity strategy could be for what the federal government is, is coming down and encouraging businesses as, as well as the government to take stance on these current events as well as future events and how that will shape our, our United States and the future?

Tony Scott (14:41):

Well, I think the current strategy is the evolution of work that has been going on for the last 20 years, I'll say, in the federal government. So many of the issues that are being addressed in the current policy are issues that we did a lot of work on even during the Obama administration. The good news is it doesn't wear an R or a D or any other political label. It's just, you know, good practice in cybersecurity happens to be good practice no matter what party you're a part of. And so I'm grateful that, you know, the people who followed me also followed that same philosophy. My two biggest supporters were, in, when I was in the role, were a very conservative Republican and a very liberal Democrat. And, and they agreed that they couldn't agree on anything except for one topic, and that was good cybersecurity, and they were both strong proponents of advancing these causes.

(15:45):

So, you know, let's talk about this in terms of a shift over a period of time. Some of you may remember or be old enough to remember the manufacturing crisis that we had in the eighties and nineties where American manufacturing quality was not keeping pace with, you know, the quality that was coming out of Europe in Germany or in Japan and whatever. And it was an existential threat to the company. It was a threat to our economy. President Reagan said, we gotta do something about this. And they created the, you know, Baldrige Award for improving quality and in, in manufacturing specifically, and fortunately, the nation rallied. And over the next decade or so, US manufacturing quality became on par with anybody else in the world. And so that was a really good thing. We face that same sort of crisis today in the digital space.

(16:46):

Our trade secrets are being stolen, our IP is being stolen. We have ransomware, we have criminal act. There's all kinds of stuff going on in the digital space that is as big a threat as, you know, this manufacturing quality crisis was in, in, in, prior decades. And so this policy that has come out is trying to say, we need to address this in a very wholesome whole of government way and do all of the things that we can do from a talent perspective, from a technology perspective, from a shifting of responsibility and accountability perspective, in order to mount a credible and meaningful and effective defense for our country. And so I'm, I'm happy to contribute to that in any way that I can. And I think, you know, we're now taking some positive steps that I hope will, you know, result in positive outcomes.

(17:51):

And the Baldrige Foundation, which I happen to be on the board of, has now created a cybersecurity category for, for focusing our efforts on that. And, and I'm proud to say, I think, you know, we're now, you know, taking the right kind of steps in cybersecurity that we did in manufacturing, you know, decades ago, and which solve helps solve the problem. Today in manufacturing, good quality is just table stakes for being in business. And I hope to see the day where good cybersecurity practices are table stakes for being in business, no matter whether you're in financial services or manufacturing or retail or whatever. We're not there yet.

Mark Tierney (18:39):

So we'd love to see the Tony Scott Award come out now pretty soon. And maybe the, the award can be Girl Scout cookies will be, that'll be

Tony Scott (18:47):

Our, I'd be glad to do that, <laugh> for sure.

Mark Tierney (18:50):

I was going to take a peek quickly into the future, which is actually many people consider the current right now, but looking at, like any industry, there's a lot of hot buzzwords that go around, two of which I'll throw at you today and get your, get your response, but one is zero trust and the other, ChatGPT and, and your thoughts on how both of those things may affect the future of cybersecurity.

Tony Scott (19:15):

Well, well, let me address the first one first. I think zero trust as a concept is exactly the right concept. The problem with it is been it's a little hard to implement in conventional technology, because just given the proliferation of devices that exist and the complexity of networks, it's, it's been traditionally hard to do. But the good news is there's some great software companies now who've come along and are providing the tools that allow you to take these concepts of zero trust and scale them to much larger surface areas using great visualization tools and automation and, and so on. So I do see a point in the not too distant future where this will be the standard for cybersecurity in every organization, and it makes sense. The problem, just to roll the clock back a little bit, was the internet and networking technology in general when it was invented and as it, it has evolved, was never really designed with cybersecurity in mind.

(20:28):

In fact, we've done just the opposite. We've said we want to make it as easy as possible for anything to connect anything else on the internet or on in networks in general. And today, you know, even a third grader can figure out how to make one thing connect to the next thing. It's probably going to be preschool next year, but it's just the easiest thing in the world to do. What we didn't build into the protocols was the next level of question, which is, even though I can connect, should I, is this thing I'm connecting to safe? Is this thing I'm connecting to patched to the right security levels? Is this thing I'm connecting to, been hanging around with unsavory characters and picked up something that maybe, you know, would be of concern to me? None of those questions are really well addressed in the current state of technology.

(21:24):

And as humans, we know that all of those things are important. You know, we build trust in other individuals over time based on our experience. You know, our mothers taught us don't take candy from strangers. On the internet, we shouldn't take packets from strangers unless, you know, they've been vetted. So this is an important area for technology to evolve, but in the meantime, zero trust is the way to really enforce that and make sure that we don't get infected in, in ways that we don't want to be. So I'm excited about it. It's now become the standard for the federal government, and I think you're going to see a lot more on that topic come, and I'm glad to see SEI embracing those concepts. On ChatGPT, I think there's, you know, we could spend a day probably on that, and we don't have that much time, but I think it holds great promise and also potentially great peril.

(22:26):

As with any tool, there's the positive side of it, and there's the negative side. We've already seen cyber attacks that were crafted by artificial intelligence. Translate that to mean, I talked about in the beginning of this podcast, the tools have become really easy for, you know, script kiddies and everybody else, or anybody else who wanted to be a cyber hacker. ChatGPT and other AI tools are going to make it even easier and, and also make the kinds of attacks that can be crafted easier and more accessible. And so I think that's a challenge that we're going to have to deal with. On the positive side, those same tools can be used to create better defenses and to give us better information about the attacks that are coming our way and be more predictive in nature. So I think it's a, you know, it's an escalation on both sides that you're going to see. The stakes are high, and I think we're going to have to get better and faster, and some of these tools, I think could provide better capability for us. So I'm cautiously optimistic, but what we do know from the past is the bad guys are often quicker at adopting technology than the good guys. And, and so I think the one mandate we have is we gotta get faster, we gotta get quicker in order to build better defenses.

Mark Tierney (24:00):

Yeah. Outstanding. Tony, thank you. I was going to turn the spotlight a little bit to you more personally now with a couple of questions. One is, clearly you've worked with some of the biggest corporations in the world, the federal government, but most recently as CEO of Intrusion and, and of a smaller company helping out in that same world. What led you to that decision? And can you tell us a little bit about Intrusion and what you're doing there?

Tony Scott (24:27):

Sure. So our commercial product is something we call Shield, and it looks at all of the traffic that goes to and from the internet, and it either blocks or allows the traffic to pass based on reputation. So we touched on this a little bit earlier, and I thought that was a very unique approach to some of the cyber issues that we have today. We have the world's richest database of history of the internet, IP addresses, domain names and traffic and so on. And so, unlike a traditional firewall that has limited capabilities, they have small blacklists and small whitelists. We have, you know, much bigger database. And, and I think, with fidelity can help make those decisions about what passes or doesn't. And it's part of an overall, I think, zero trust strategy that a, a company could put in place.

(25:25):

We also have a very thriving government business, where we service DOD and the intelligence community. And that helps us understand where the tip of the spear is, what, what some of the hardest problems in cybersecurity are. So for me, that's a great way of funding our R&D and building better commercial products. So I was proud to join the team at Intrusion. We're actually a 30 year old publicly traded company, but very small, but hoping to get much bigger as we go forward. So it's fun to be there.

Mark Tierney (26:02):

And last question are our audiences, as you mentioned, you made a great point about not pulling just from technology fields, but also from humanities and, diverse group with a background. Our audience is pretty diverse in their interest. You have a very, very interesting hobby, and you're a pilot and I think our audience would like to know a little bit more about what inspired you to learn how to fly and if you have any interesting flying stories for us.

Tony Scott (26:28):

Sure. Well, when I was at Microsoft, I found myself, you know, kind of looking around and wanting to explore, you know, some different hobbies. I was a skier and motorcycles and did every, everything that you could do practically. But I had learned about this new airplane company called Cirrus. And if you haven't heard about a Cirrus, this is the, it's a single engine at that time, single engine, carbon fiber, you know, modern materials, airplane that had just come on the market. And the unique thing about this airplane is it has a parachute for the whole airplane. So if the pilot screws up, which is what happens in most airplane accidents, you can reach up and pull this red handle and a parachute pops out the top and you float to the ground. And, and this has saved tons of lives in the 15 or 20 years the company's been in existence.

(27:31):

So I was captivated by this technology. It has, the plane has modern flat screen electronics, not the old steam gauges that you find in the old planes. So I decided this would be an interesting thing to do. I went out and found a top-notch flight school in Seattle who were Cirrus factory trained pilots. I bought the airplane before I had my license, did all my training in that airplane. And I've been the proud owner of that plane ever since. Since then, Cirrus has also come out with a single engine jet airplane. So it has many of the same flight characteristics as the single engine propeller, but I haven't upgraded yet. <laugh>. The interesting story is I passed my, I took my plane, learned in it, as I told you earlier. And on the day I passed my check ride, we went up to a neighboring airport, did the test, passed the test, stopped for lunch, and now for the first time I could legally fly my plane back to my home airport.

(28:43):

Got in the plane, tried to start it, and discovered the battery had gone bad and there was no flying the plane that day. So humbly, my flight instructor had to go to one of the little shops in the, in the, on the airfield and hire a, an old rickety Cessna 172 that had baling wire and duct tape all over it to fly us back to the home airfield cuz we couldn't get my plane serviced that day. So here I am a, a newly minted pilot, and I'm riding in the back of this kind of rickety thing. And instead of the big celebration I was expecting, I ended up being in the back of a taxi basically. So it's probably my most memorable moment in the, in the whole experience.

Mark Tierney (29:34):

I'm just glad there wasn't, I was expecting a parachute, the parachute people, the way you started

Tony Scott (29:39):

So far, I have not had to use the parachute. And there's a, there's an old sailing or saying that pilots have, which is, a good flight is, you know, when you, you can land and everybody's safe. A great flight is when you can use the airplane again. Yeah. And I was happy to have a great flight back eventually where I could use the airplane again.

Mark Tierney (30:02):

So we, we have a similar saying around our head of sales, Dave Detweiler and the Tesla he drives around at airplane speeds. So <laugh>, let's cut that out there. I think he's got a parachute installed in his team. <laugh>. Thanks again, Tony, thank you so much for taking the time to talk to us today. This has been incredibly helpful and insightful, and you've given us a lot to think about and I'm sure our audience will love and enjoy the, the insight you provided today.

Tony Scott (30:30):

It's been fun talking with you and look forward to the next conversation.

Mark Tierney (30:34):

Thank you. Amy, what do you think?

Amy Lane (30:36):

I thought it was a great conversation as well. We provided some great information for our listeners as well as some key takeaways. And looking back at what Tony was saying and the conversation we had, we really wanna look at the importance of talent and broadening the ideas of how to secure that talent and making sure everyone is responsible for cybersecurity. Looking at federal policies, we know they will continue to evolve, but we still have a need for speed, so to say. We should work collectively to progress our cybersecurity strategies against the bad guys and looking at various trends and concepts. And as they hit the surface, we really need to understand how they may impact cybersecurity in both negative and positive ways.

Thank you to our audience. Again, you've been wonderful listeners today. And as always, we are your hosts of Into the Sphere.

And I'm Amy Lane. If you have any questions or recommendations for future podcast guests, send us an email at sphere@seic.com. That's S P H E R E at seic.com. Thanks again for listening to today's episode. Don't forget to subscribe or visit our website to learn more at www.seic.com/sphere. Talk soon.

"The good news is IT doesn’t wear an ‘R’ or a ‘D’ or any other political label; good practice in cybersecurity happens to be good practice no matter what party you’re a part of."

References:

"Preparing Governments for Future Shocks," IBM Center for Business Value, businessofgovernment.org.

Tony Scott

President and CEO

Intrusion Inc.
