October 18, 2023 | 30 minutes
Ep. 67 | Reimagining Cyber | Sustainable Cyber: Protecting Sustainability Projects from Cybersecurity Threats | Ed Amoroso
[00:00:00] Rob Aragao: Welcome to the Reimagining Cyber Podcast. Rob here with Stan. You may notice a little difference in the audio quality today. That's because we're actually talking from our hotel rooms from Vegas at Open Text World.
[00:00:14] Stan Wisseman: Though they are nice hotel rooms, I have to admit. By the way, being in Vegas is amazing, Rob, in the sense that just so many people.
[00:00:21] I, you know, again, I haven't been in a, in a, in a place that has had such large crowds, that everybody's back and so many conferences going on at the same time. So it's, it's pretty exciting to be here. As well as it's hot, going from the east coast where fall has happened and now it's like 90 degrees in Vegas.
[00:00:38] It's like, whoa.
[00:00:39] Rob Aragao: That's for sure. We're feeling it for sure. Right.
So Stan, who's our guest today?
Stan Wisseman: Rob, our guest today is Ed Amoroso. He is the founder and CEO of TAG Infosphere. Ed has a wealth of experience having spent an impressive 31 years with AT&T where he held the notable position of being the world's second CISO starting back in 2004.[00:01:00]
[00:01:00] Ed is a prolific writer and educator. He's influenced and mentored hundreds of graduate students in the field of information security over three decades. We're delighted to have you with us on the podcast, Ed. Is there anything else you'd like to share with our audience about your background before we get started?
[00:01:15] Ed Amoroso: No, thanks for including me. Looking forward to our discussion.
[00:01:19] Stan Wisseman: All right, great. Well, hey, you know, TAG concentrates on three primary domains. From what I understand, there's the global cybersecurity emphasis, which makes sense, artificial intelligence, which is in everything now, and then sustainability.
[00:01:32] And, and while it's evident to me why, given your background, the first two pillars are, are associated with TAG and what you're doing, I'm a little confused as to why you picked sustainability. I mean, I certainly believe in sustainability. I, I believe it's necessary, but why is that an area of focus for TAG?
[00:01:50] Ed Amoroso: Well, I did start my career as a physicist. That's where my, my origins are, in that area. What I do is pick topics that we think are consequential to the world. Things that have [00:02:00] existential consequence if we get it wrong. So obviously cyber, my whole life worrying about the implications of attacks on critical infrastructure and so on.
[00:02:10] We've all seen, you know, the beginnings of that. I don't think we've ever really seen it fully realized, but it can probably come. AI right now is certainly existential. I hope in a good way, like I hope that it, you know, we, we find ways to make use of AI to improve our world. There's certainly every reason to believe that we can, but there's also a dark side to any new innovation, any, any new type of technology that's out there. And then on the sustainability front, just sort of the clarity that's emerged in the last five years around how important it is to rethink manufacturing, rethink the way we do transportation and, more than anything, rethink energy. So all of those things sort of come together in topics that are prone to misinformation, topics that businesses are seeing [00:03:00] as really important.
[00:03:00] Usually have an executive lined up in each area. There's a CISO who does cyber, there's CTOs and CIOs and chief data officers, chief scientists who do AI. And there's chief sustainability officers who worry about sustainability and climate science and, you know, projects in that area. So we feel like that C-suite, we're, we're like a next generation research and advisory company because the C-suite has changed.
[00:03:26] I think years ago, you would have said that the key components in any C-suite would be the finance officer, the HR, you know, that those kinds of things. It's not that those topics are solved, but I don't see HR as an existential problem. In fact, if I was being a little snarky, I'd say HR is looking more like an app than a department lately.
[00:03:51] So we try and focus in areas where the legacy analyst teams, you know, are, are not looking because it's hard. [00:04:00] Like wrapping arms around how neural networks operate requires some skill. So we hire analysts who are usually academics. Like I'm a hybrid academic, we do well with that model where someone is college professor, wants to be an analyst, wants to do something in addition to teaching.
[00:04:20] And a lot of us lead that sort of bifurcated life between working with students and then working with clients on problems. It's been a good model for us. So we do that in climate with environmental studies type professors, we do it in AI with people who, you know, have that bent, that algorithmic background.
[00:04:38] And in cyber, we tend to hire CISOs who also are at a point in their life where they want to work for purpose, work for topics that have meaning. That's, that's TAG.
[00:04:52] Rob Aragao: So TAG is all about, you know, a lot of futuristic, in some cases, points of view that people need to start considering, I guess.
[00:04:59] Ed Amoroso: [00:05:00] If you've been hacked last week, then cyber doesn't seem futuristic, but I know that's true.
[00:05:04] Rob Aragao: Very true. But let's double click on this a little bit from the cyber perspective, right? As you, as you think about the sustainability transformation type of projects that are happening now. Yeah. How, how many, I guess, conversations have you and the team at TAG had where there's actually the thought process of cyber security being kind of baked into it? And, then take that one step further, what do you see as some of the examples of consequences of neglecting security?
[00:05:34] We always talk about in cyber security, baking it into anything that we do, applications. And so this is a whole new world that we're thinking about, that you're, you're going to talk about here.
[00:05:42] Ed Amoroso: It's pretty frustrating, Rob, because after 30, 40 years of cyber security you'd think we would have learned a lesson, but instead we're creating next generation infrastructure, like nuclear. Perfect example. There's really two strategies for nuclear. One is to use [00:06:00] safer infrastructure. Maybe almost next generation fission, the way we do now, but in a safer manner. Bill Gates has talked a lot about that. He funds companies and talks about different ways that you can avoid the fear of meltdown and stuff like that using conventional fission.
[00:06:16] And then there are all the fusion companies that are still doing their research, trying to figure out whether we can do something, but back to fission, the way those things will likely work would be these small modular reactors. They call them SMRs. Really interesting concept. And when we talk to the companies doing it, we say, how will this look?
[00:06:39] Like, how are you going to deploy? What would the grid look like? How are you controlling these? How are you managing them? And the words that come out of their mouths strike me as being somewhat devoid of any cybersecurity thought or consideration. Like, how are you going to protect this? Well, you know, and if you really push them, then you get to [00:07:00] that classic IT/OT gateway concept, which to me sounds like a perimeter, and everything I've ever learned in the last, say, 10 years about cybersecurity is that perimeters don't work.
[00:07:12] So why would a perimeter work? It works in a SCADA context because most of the time SCADA is old proprietary stuff, right? And it's more the diversity of technology than that gateway that protects you. But next generation, say manufacturing, say carbon free manufacturing and things like that, you think they're using proprietary technology?
[00:07:35] Heck no, it's open source. Managed in cloud, accessible from your iPhone. It's all modern stuff. So no more diversity, no more SCADA. These are just extensions of your IT infrastructure with end points that look to me like next generation OT. So we would say, are you doing zero trust? And they say, am I doing zero what?
What? And you go, exactly. I guess they're not reading any of my dopey [00:08:00] books. But so that's the question. We're building out climate infrastructure, sustainability, where there's just not proper attention to cybersecurity. There's some papers that I've read. There's DHS, DOE, all these companies that they'll fund things.
[00:08:19] It looks really conventional to me, it looks like if you just sort of ordered something up out of Wikipedia, like how are we going to, how are we going to protect like EVs? Well, you know, with DevSecOps and we're going to scan for vulnerabilities and we're going to, you know, all the basic stuff, but I would say the more dangerous problems would be, how do we build a grid of trusted communication with authority over the top?
[00:08:52] For example, you're barrelling down the road in an autonomous vehicle controlled by something in the cloud, [00:09:00] software in the cloud, and the stuff that's, it's a rolling computer, right? That's what it will be. And then one of the road signs, because that'll all be computing as well, signals that there is a, I don't know, a 60 ft.
[00:09:13] ditch in the road. You got to go pull over, run into the grass, do something because there's a sinkhole. And if you go, keep going, you're going to drop 80 feet. Everybody dies in the car. So you're better off driving onto the grass, over the curb, take your chances with the trees and brush because there's a sinkhole.
[00:09:34] So here's the question. How do I know that that's not impersonated? I don't know. It's not some kid sitting up there.
[00:09:40] Stan Wisseman: Some kind of threat actor could put that message there.
[00:09:44] Ed Amoroso: Yeah, where's the protocol? Where are the standards? Where is where's the certification authority that's going to sit for these rolling computers?
[00:09:53] And you would think, well, I'm sure somebody's doing it. And the answer is I'm kind of not sure that that's happening. I think [00:10:00] right now people have bigger fish to fry in that industry than worrying about cybersecurity. And where have we heard that before?
[00:10:09] Rob Aragao: No kidding. It's a rush to market, right? Rush to revenue.
[00:10:12] Ed Amoroso: Yeah. So, so at TAG, we spend a lot of time on the things that we think the industry should be worried about and should be doing. I'll give you another example. You know, in the area of, say, Direct Air Capture. This is an interesting one. So think about what Direct Air Capture is.
[00:10:34] It's basically vacuum cleaning CO2 from the sky. Have you ever seen one of these things? Right.
[00:10:39] Stan Wisseman: You're trying to get the carbon out of the air.
[00:10:40] Ed Amoroso: Right. Yeah. You know what they really are? It's printing money from thin air because you vacuum clean the CO2 and then a little carbon accounting receipt pops out that somebody's paying for.
[00:10:57] And it's basically, you're basically printing money. [00:11:00] I have no problem with vacuum clean away. It's okay. I mean, I don't like when it gives license to someone to continue to pollute. I'm not for that, but I think that the idea of vacuum cleaning CO2, I have no problem with that. But look, we're all cybersecurity folks.
[00:11:17] What does that scream? Fraud to the max! Right, right, right, right. So you look at the company setting the standards around doing the verification, like it's a company called, it's a non-profit called Vera, awesome group. And you look at their board of directors and these are wonderful people, exactly the kind of people that you'd like to have dinner with, with their climate backgrounds, environmental backgrounds, their universities and non-profits.
[00:11:44] They're wonderful people. But, but
[00:11:46] Stan Wisseman: But maybe a little naive
[00:11:49] Ed Amoroso: But I guess that's what's missing from that group. Any concept of cyber security or anti-fraud, nothing like that. So we would all go, where have we seen that before? [00:12:00] Right. Yeah. So it's like that. It's this innocence of wanting to roll out good things, wanting to do the right thing.
[00:12:08] But then, you know, we look at it, we go, hey, listen, we've been doing cyber for 30 years, we've learned that if you're doing something consequential or potentially vulnerable, you probably ought to have one or two board members who help with the culture and mood and priorities. That's what a board does.
[00:12:25] It governs, not manages, but governing sets a mood that we better make sure that we put security infrastructure in place to monitor the behavior, to do anomaly detection, to make sure there's no fraud in this vacuum cleaning of CO2. We, we could be, you know, dealing, basically funding massive fraud complexes.
[00:12:48] Do we want to be doing that? No. And the people on the board are so nice. I'd get the impression that they're just innocent to this. So it bothers me.
[00:12:57] Stan Wisseman: You made the observation that some of these controls [00:13:00] and practices that we put in place may not be adequate for some of these sustainability transformation projects and there may be some additional things we need to be thinking about.
[00:13:10] What, what are some examples of those?
[00:13:11] Ed Amoroso: I think the OT case for sure. It's considered best practice right now to police an IT/OT gateway. It is. There's companies that sell, that sell diodes, build the separation. You probably would see in most of the literature from groups that regulate conventional industrial control systems as dictating separation, segregation.
[00:13:35] That's a, these are words right out of the standards. When did that ever work? Micro segmentation, maybe. Like, I'm okay with the idea of minimizing functionality so that the interface is small enough that I can use a micro segmented approach. But when you put a big blob of complicated stuff behind a gateway, haven't we learned our lesson that that doesn't work?[00:14:00]
[00:14:00] And that's literally the canonical architecture that we have for OT security. So, I scratch my head and think... All right. We've gotten away with it because of SCADA, but it's not going to work anymore. So, who do you tell? When you go look up the papers that are funded, they take best practice and apply it to next gen.
[00:14:21] And we're saying, I guess that would work if we were doing great. Like, let's say we hadn't seen a cyber hack in the last 10 years. You know what I'd say? Keep doing what you're doing, but if you get, if we get one hack after another, each one worse than the last one, didn't you learn when you were in high school playing soccer that if you're losing 18 zip at the half, you do something different.
[00:14:46] Like you don't just keep doing the same. If you're just getting hit, what does best practice even mean when you're losing 60 to nothing? Like, do I call up a team? My, my beloved Giants are having a [00:15:00] little rough year this year. You call them up and say, hey, I want to do what you're doing. You guys are losing every game.
[00:15:05] What's your best practice? It's insanity. So in cyber we have to change the game. And I think part of it is AI. Like that's, again, one of the reasons we focus on artificial intelligence is because I think the prospects are spectacular for artificial intelligence as a base for having a really amazing defense, cyber defense that scales.
[00:15:28] That's maybe one of the brightest, I think, sort of prospects that we have in our industry, this idea that the offense and defense ultimately become very automated. And then it levels the playing field. Everybody has access to good automation for offense and defense, and it levels. And suddenly we'll see that this disparity between the offense and defense goes away.
[00:15:52] Rob Aragao: Maybe you can kind of interconnect these things a little bit and potentially it's a path, from an audience perspective, kind of [00:16:00] having insight as to a way to maybe take a step to make this work. And that's about collaboration. Right? So, your example, these board members are in some case innocent because they don't know these other things, right?
[00:16:13] Right. So it's not that they're trying to be negligent per se, right? It's just, they're not aware of that. What do you see as the opportunities around, you know, how we can actually take the cyber expertise in conjunction with sustainability practitioners, educate them to think about this so we can actually help that whole approach of baking security in as opposed to kind of continuously banging our head against the wall and saying we've been dealing with and everything else, right?
[00:16:38] And this is going to be yet another repetitive situation we're dealing with. So, so what are some things that you're seeing maybe work in that kind of collaborative environment?
[00:16:46] Ed Amoroso: Dude, you just wrote the manifesto for my company. That's the idea, that in the C-suite we're trying to break down silos between these groups.
[00:16:56] So that, so if you do sustainability, [00:17:00] you noticed a couple of years ago that, hmm, data centers certainly eat up a lot of electricity, don't they? Hmm, maybe I should be talking to the CIO. And they'll have little beginnings of discussions over there. And then, like, the, the CISO notices, hmm, my EDR really looks like a big hunk of machine learning up in the cloud.
[00:17:24] And now everybody wants to use ChatGPT. Well, maybe I should be talking to the CTO about that. And they have the discussions there and so on. So I think that again, that's why I started TAG, to build this interdisciplinary thing. I teach at NYU, which is an interdisciplinary school, like a course that I teach right now is a combination between the computer science department and the law school.
[00:17:48] And we get people like sitting members of Congress who come and take our class for a master's degree. And, and we're teaching them sort of the interdisciplinary components of both cyber, policy, [00:18:00] strategy, and so on. So that's always been our view that breaking down silos, having C suite members work together and having practitioners take more of an interdisciplinary view.
[00:18:12] That's how you do it. And that's how businesses work more effectively. Like, think about a company like Google. I think they're a cool company. When you interact with them, the people are creative enough that they'll go from here to there, from this topic to that topic to this other topic, without as much silo as you might see in a more traditional company
[00:18:33] that may not be as creative and frankly might be struggling. We almost see a direct correlation between the willingness of senior leadership teams to let people kind of paint outside the lines versus companies that demand that people stay very much inside the lines. Those are not your favorite places to work.
[00:18:55] Who wants to work in that? So that's to answer your question. [00:19:00] Fostering that at the senior leadership and board level on down, that people should love it. It's more interesting outside the lines. That's where life is way more fun than living in some sort of a box. I think we're dealing with a generation of young people that were raised to think very creatively.
[00:19:20] And I'm, I'm very bullish about that, but the one place I'm not bullish is that we in cyber, we just haven't learned these lessons and it's urgent.
[00:19:30] Stan Wisseman: So, so, Ed, just pull that thread, you know, because we, we talked about you know, why repeat things over and over again if, you know, it fails and sometimes the, there is a lag, let's face it with the regulators and those that create guidance, right?
[00:19:43] And so, and you note that there's potentially a void, right? Who's, who's providing this oversight of these transformations and providing this guidance? We, we had a chance to speak to, last year in our podcast, we interviewed Virginia Wright, who is a director over at [00:20:00] Idaho National Labs. And she has a focus around energy and supporting transformation projects and guidance provided to those that are in that field and operators.
[00:20:10] It sounds like what INL has done with this whole cyber informed engineering guidance is what you're looking for as far as what you could apply for these other sustainability projects. You know, is there somebody similar to INL that could be doing something in these other sectors that are, you know, dealing with sustainability projects, or are you familiar with what they're doing at INL and whether or not that's something that could be mirrored?
[00:20:36] Ed Amoroso: Two dimensions to the problem. One is, yeah, I mean, I'm all for, you know, trying to bring process engineers and industrial control engineers and scientists and researchers who live outside of cyber up to speed on, say, state of the practice in how things work. And most of those programs tend to be very state of the practice.
[00:20:57] Here's how governance, risk and [00:21:00] compliance works. Here's a little bit about authentication methods. Here's some basics on cryptography. Here's how you build a next generation security infrastructure using firewalls and so on. So that brings them up to speed. But the problem is we don't want to be where the puck is now, you've got to be where the puck is going.
[00:21:19] And that's like training people and showing them, hey, let me show you how we protect, say, a pipeline industry. We do boom, boom, boom, boom, boom. Now let's take a case study: Colonial Pipeline. Let's see how they did.
[00:21:38] Oops, we better not do what they do. Let's take another example, and you go one after another, you pick an industry, say, do this. And then you go, oops, wait, there's been like 20 hacks in that area too. So you realize, hmm, I have a feeling maybe we should think about where the puck is going. And that's where there should be collaboration across DHS.
[00:21:57] That's the place where it should be happening in the U.S. [00:22:00] It should be more collaboration between science and technology, S&T, and CISA. Those two need to be working a little bit more aggressively on what the next five to 25 years look like. And I've personally had some involvement in those projects. They are wonderful people again, you know, to Rob's earlier point, you know, nobody wakes up in the morning and says, let's do this wrong.
[00:22:23] Everybody's trying really hard, everybody’s very sincere and trying to work things. And Lord knows. It's no picnic working in government. That's a hard place to work. You take a lot of grief. They don't make a bunch of money. They usually really do it with a lot of, they have all my respect in the world, you know, and, and, you know, when I'm critical
[00:22:43] I always think of my uncles. I have three uncles from World War, World War II. And they would sit in the back, you know, by the pool, those chairs, as they got older. And they'd be very critical of the military, but these were patriots who almost lost their lives in World War II. Being critical [00:23:00] is an act of respect, right?
[00:23:03] When you care about something, I want it to be better. If you're, maybe critical isn't even the right word. Like, are you tough on your kids? You should be. Do you, do you demand more from your kids? You should. Do you, when you see your kids doing something wrong, do you step forward and try and help and correct?
[00:23:23] You know, maybe my generation does a little too much of that, but you get the point. It's a show of respect. When we don't do that with government, it's a way of, of, of showing non respect when we, when we just say, oh, thank you for doing what you do, without taking a moment and saying, but let's make this better.
[00:23:44] Here's where we can improve it. I'll be honest with you, I don't know too many people that are as vocal as me. I, I get away with it because I'm old and I'm sometimes, I run a cartoon series called Charlie CISO where we poke at government all the time. And I get away with it [00:24:00] because I know most of these people, they know I'm not malicious, but boy I let them have it sometimes.
[00:24:05] And, and I don't think enough people do that. I think there's a fear. If government puts out something like a directive that I think is bad, then I publish, I say why I think this is terrible. And I read a lot of my peers going, oh, right on the money. Good. Way to go. Government. Good. And if it's some dumb thing, then I say it's dumb.
[00:24:26] And it's not because I just say that I'm saying, cause I want to make it better. You know? Right. Well,
[00:24:33] Rob Aragao: But, but I think that's, that's what it's all about. Going back to a couple of examples you mentioned, it's we are all people who want to actually color outside the lines. That's typically why you're in cyber security as well, because it's such a dynamic space.
[00:24:47] But I think, you know, your whole thing about your uncles and the story there, to me, that's, that's about passion. But it's also your example back to you know, when these directives come out and whatnot, we review them and we go, Okay, you know, what about these [00:25:00] other things? So skating to where the puck is going to be, but again, that's what's exciting.
[00:25:04] That's what's interesting. I think that's a lot of what, you know, you talk about a lot of what your organization shares out there, you know, maybe kind of in closing, if listeners want to go and learn more about what you guys are doing, best thing to do, I assume to go to your website. Is there anything particular research wise you want to point out?
[00:25:20] Ed Amoroso: We publish a quarterly and a bunch of special publications. The last one was on space. Like we were looking at cyber security issues in outer space. I loved it. It was so much fun. We have some interesting guests writing things. The one before that was our prediction that AI is going to be the end of cybersecurity.
[00:25:38] So it's that kind of a quarterly before that we wrote a publication about China. And cybersecurity issues in terms of supply chain and other things. We had some really provocative points on why, you know, avoiding a country is not a supply chain strategy. You know, there's much within that. [00:26:00] So if people want to read things that are different,
way different, you know, go download our quarterlies, and you'll notice when you download them, there's no contact wall. That always surprises me. They click on it and boom, it's there. They go, wait, it's there. I didn't give a name, an address, and, right, my firstborn. You know, when I started TAG, I said, one of the things we're gonna do here is violate every marketing principle in the book.
[00:26:28] and it's worked out. People, I think, respect that they see us as a bunch of practitioners who want to reinvent how the analyst community works, because I'm not a big fan of, you know, who, and you know, who the big analyst firms, I think that they are play and most of them never ran a program.
[00:26:46] And most of them just rehash a lot of, you know, I would use a curse word here that describes manure. It's, that's what you get there. And I think what people pay all this money for that. It's not even data science. Like when [00:27:00] 87 percent of people are using cloud, I go, well, show me the JSON or the data, where's the data?
[00:27:05] I'd like to see it and show you that. And also, yeah, 87 percent of people, he's like, I don't need it. That's what I'm telling you, tell me the obvious. So we just said, man, you know what? Let's go kick some butt here. Let's change this. And we got featured in Fast Company and Entrepreneur magazine. All these cool places.
[00:27:26] Yeah. Yeah. And also the biggest thing of all your podcast. Look, we're out. We're here.
[00:27:32] Stan Wisseman: There you go.
[00:27:33] Rob Aragao: We loved having you on it. I think, you know, again, the, at the title Reimagining Cyber, that's just what it's all about. So we love having guests come in and talk about different things.
[00:27:42] And I think, you know, from your perspective, I do look at it as very futurist. I'll go back to what I said in the opening about what you are doing with TAG. I love it. I think the audience is going to love this episode. We'll include links back in the show notes as well.
[00:27:57] And we truly, you know, appreciate you taking the time to be with [00:28:00] us today. We're looking forward to maybe a future conversation with you as well, 'cause I'm sure there's plenty of other topics that we can actually play back and discuss.
Ed Amoroso: Anytime at all.
[00:28:06] Stan Wisseman: Hey, thanks Ed.
[00:28:10] Producer Ben: Hello, I'm Ben, producer of Reimagining Cyber, and during the conversation you'll have heard Stan talking about an earlier episode featuring Ginger Wright.
[00:28:21] Ginger leads programs focused on cyber security and resilience of critical infrastructure for the Department of Energy. It's episode 60 in the series and here's a clip for you.
[00:28:33] Ginger Wright: I think a lot of engineers understand materials that they build with, they understand wood, they understand concrete, but they don't often get taught to think about digital systems in the same way they think about materials, that these systems have stress points and failure points, and they can be trusted to a certain level.
[00:28:54] But after that, we need to build protections into our system to protect us from the ways that they can [00:29:00] fail or be brought to failure by an adversary.
[00:29:01] Producer Ben: Ginger Wright there, and it's well worth going back to listen to the entire episode. And whilst you're there, why not follow or subscribe to Reimagining Cyber for your weekly dose of Rob and Stan.
[00:29:16] I know I do. Thanks for listening. Goodbye.