X-Force

Operational Technology Attacks: The Curse of Cassandra or the Hype of Chicken Little?

Play the latest episode
|
Feb 16, 2022
34 minutes

Subscribe

Listen to the Security Intelligence Podcast wherever you get your podcasts.

Operational Technology Attacks: The Curse of Cassandra or the Hype of Chicken Little?
February 16, 2022
| |
22 min read

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content.

Attacks on operational technology (OT) — the systems that control industrial equipment, processes and events — were once the domain of Hollywood, which roll out special-effect-ridden disaster movies about nuclear power meltdowns, collapsed power grids and poisoned water systems. Now life may be imitating art and we could be heading into a period where disasters that once lived only on the screen may have a very real chance of occurring.

Case in point: In 2020, there were at least two attempts to compromise Israel’s water system, and in 2021 a similar plot targeting a town in Florida was foiled.

OT attacks aren’t new, but what really thrust them onto the front page was the 2021 Colonial Pipeline ransomware attack, attributed to DarkSide, a Russian-affiliated cybercrime organization. While this attack was limited to only the IT infrastructure, it magnified concerns about this kind of attack making its way into the OT environment and the potential disaster that might cause.

But how much of the rhetoric on OT security is media hype and political jockeying — and how much of it is a legitimate concern?

In this episode of Into the Breach, we examine just how real — or imaginary — the threat to OT might be. Chris Kubecka, Chair of the Cyber Program at the Middle East Institute (MEI) joins me to unpack fact from hype.

Her work with MEI has given her keen insight not only into the security of the technology, but also into the impact a serious breach could have on economies around the world, and on human lives.

Join me, and together we’ll venture Into the Breach.

Listen to the episode: Operational Technology Attacks: The Curse of Cassandra or the Hype of Chicken Little?

Transcript:

Mitch: Attacks on operational technology or OT, the systems that control industrial equipment. These were once the domain of Hollywood who rolled out special effects disaster movies about nuclear power, meltdowns, collapsed power grids and poisoned water systems. Well, now life may be imitating art. And we could be heading into a period where disasters that once only lived on the screen may have a very real chance of occurring. In this episode, we’ll examine just how real or imaginary the threat to OT might be.

Joining us is Chris Qhubeka. She is the chair of the cyber programme at the Middle East Institute. And she’ll help us unpack fact from hype. Her work with MSI has given her a unique expertise on OT safety, given the heavy deployment of OT technology in the region. As such, she’s got a keen eye not only into the security, the technology, but also the impact a serious breach could have on economies around the world and the cost on human lives. I am Mitch main, and you’re listening to into the breach.

So Chris, thanks for being on into the breach today. We appreciate you joining us.

Chris: Well, thank you so much for having me.

Mitch: Chris, I want to start with the basics. Since we’re talking to you as you work with the Middle East Institute right now, and I kind of want to give the listeners a primer on who MTI is Middle East Institute. And I know that you guys started with an emphasis in the Middle East. But with cybersecurity over the past, you know, 24 months or so your scope is significantly more grand than Middle East.

Chris: Yeah, absolutely. So the Middle East Institute started 75 years ago, we started with this focus of trying to enlighten the US and North American public about the things that are going on in the Middle East, whether it be culture, education, or news. And recently, we expanded to include cyber and technology to discuss some of the emerging tech that’s going on, and also the effects of technology on civil society. So things like disinformation or censorship for political purposes, one of the very interesting things I find about the region is the fact that not a lot of people in the Western world know really what goes on in the Middle East, much less the tech world. I mean, we might hear negative news about the Middle East, but never some of the positive portions of information. We’re trying to bring that to the US public as well as right policy for the US and the Middle East, which actually works.

One of my pet peeves is the fact that sometimes when tech and policy merge, many times it isn’t actually implementable or the greatest of tech policy, because most of the time tech policy is not written by technologists. But lots of lawyers, my goals are to be very impactful. For instance, about a year ago, we were asked by the UAE Government to write the cyber addendum to the Abraham peace accord. So we wrote the world’s first cyber peace accords last year, because quite frankly, our entire modern world is technology. And it can be used for good or not so good.

Mitch: Well, you bring up a good point, because the Middle East is still a mystery to most of the western world. I’m speaking specifically of the US, and what they do technologically over there is extremely interesting. As I become, you know, professional friends with you. It’s like I’ve started learning more and more about the technologies that they’re developing how they’re applying them. And it is a little bit different than what’s happening in the Western world. And it certainly has ramifications in the Western world. So I appreciate you bringing that to bear and keep being vocal about that. Because these are things that we need to learn. And this is also very likely made you an expert on OT security, because there is a heavy emphasis on operational technology in the Middle East, because they are such a manufacturing of certainly about pipelines and petroleum.

Chris: Absolutely, as well as trying to diversify into things like aviation, tourism, and high tech. And that calls for a lot of automation.

Mitch: Yes. And so in many ways there may be doing different things, and maybe actually even ahead of us to some degree. Let’s talk about OT versus it. I know that’s a bit of a confusing area for folks and give me your two-minute primer on how those two things are different information technology and operational technology.

Chris: Well, you can think of it information technology as a way that data moves, whether you’re getting information or sending things back and forth. Now with operational technology. It involves a lot more automation and actually using technology to move things. So if you want to manufacture a widget typically the data will move and it will tell certain machinery to do certain things to make that widget and because you don’t want to be doing it basically by hand, you incorporate automation into that.

Mitch: So is it safe to say then that using images, sixth-grade level understanding the information technology has to do with data and operational technology has to do with goods and services? So physical things? Yes, very much. So. Alright. So I know that operational technology is fraught with a lot of challenges. I’ve done some research and you know, this stuff, it’s some of the manufacturers of OT technology are decades old, some of them are not in business any longer. So securing that infrastructure is fraught with a lot of problems, what factors combined to make OT so insecure?

Chris: Well, there’s been a lot of push to put more IT infrastructure into ot environments. So if you want to increase data collection on how many widgets are being made, and being made successfully, and you want to get that up to salespeople, marketing and management, you might add in an IT switch or to segment a network between business and operational technology, you will add in an IT firewall. And the problem lies here where ot technology is built to last for a long time. I mean, we still have ot satellites orbiting the Earth that are over 50 years old, and they’re typically much more expensive.

So imagine buying a whole kit of machinery that’s supposed to last at least 10 years, if not, could last for 30 years. And then you put in IT equipment, and it programmes that are typically expected to be replaced every three to five years. And you merge that you also incorporate it vulnerabilities into the OT environment, because OT has to be extremely interoperable. Think of it as a metal puzzle that once put together is absolutely smooth, and you can’t see the lines versus it which even many it protocols have all this error correction. There’s no such thing in the OT environment, everything has to work very, very specifically.

Mitch: So once upon a time, most ot technology was not connected to information technology or it but that is changing, which is introducing a lot of these security issues, correct? Absolutely. So let’s talk specifically about some of the events that have happened over the last couple of months ot technology has I call it simmering on the back burner for some time, then Colonial Pipeline hit in United States late in 2021. And it kind of pushed all of this front and centre to the headlines. But that attack was limited the it domain, because their security teams took action to contain it. At the same time. We’ve also seen a bunch of very blatant attacks on critical infrastructure.

I’m thinking of the Oldsmar, Florida Water System attack, similar attack in Israel, and then we had the October attack on the Iranian gas supply. And these are just a handful that I know about. And I’m sure that there are a lot more none of these have resulted in human harm. But the pipeline and fuel supply attacks certainly disrupted life and markets. Do you have any insight into how many close calls we’re actually seeing today? Because this is just a handful and I’m sure that there’s stuff happening that’s not rising to the level of media attention?

Chris: Well, yes, there was an attack that was divulged during a panel I was moderating in Dubai back in May by Saudi Aramco that they had halted a direct attack against their critical infrastructure, which had the goal of actually killing 1000s of people. This is one of the dangers or risks of operational technology is when it’s disrupted. When it is directly attacked, it has a much bigger impact than saying it attack where your email might be down, or Twitter might be down whatever, or a delay of messages. And ot technology, you have to realise it involves safety of people safety of life and limb. And when we also discuss even things that were close calls when the Colonial Pipeline occurred, the disruption and also Panic actually led to some people dying from people unfortunately, filling up plastic bags with gasoline and then whoops, you know, someone was smoking nearby to disruptions and some logistics and emergency services. And unfortunately, that’s what happens is much bigger domino effect then not being able to access Facebook.

Mitch: Well, let’s talk a little bit more about that. So I’m thinking of the water treatment plant attacks and because that attempted to change the levels of this is going to be a little chemically. I’m going to put on my doctor science out here of sodium hydroxide that was being added to the process drinking water and low levels. It removes heavy metals, but at high levels, it’s fatal or it causes severe burns when it comes in contact with humans. So Florida, we managed to help skipped that one and no poison water reached the public. Same thing with Israel thinking of colonial, you mentioned a couple of things, what was the Hollywood outcome that we may have escaped if that had actually gone into the operational technology environment?

Chris: Ooh, if it did actually carry through, if we take a look at the water systems in the United States, it’s kind of unique for the fact that it’s one of two countries, the UK is another one that still has lead pipe infrastructure. And if you change the chemical balance of what’s going into the water system, like you said, it can remove heavy metals, but it can also start stripping those metals, putting them directly into the water system, which also can mean lead, also turn water into acid, which isn’t, I’m sure a pleasant experience. So imagine out of the tap, filling a baby bottle, and mixing up formula and heating that up what that could do much less to anyone who just wants to drink water, it can also just production. So to produce certain types of materials, you have to have pretty clean water, because you’re dealing with different types of metals. So again, changing the chemical composition, can also shut down production, especially in the automobile industry.

Mitch: Well, so I want to ask you a little bit about what you suspect is motivation behind these because these are sounding a lot less like extortion, and a lot more like terrorism. And maybe the two are blended. I know that in the case of the colonial attack, we have rebel demanding millions of dollars in Bitcoin in order to release the data. But what is the motivation behind these kinds of attacks? Is it just kind of a mixed bag of both extortion and terrorism?

Chris: Well, it can be a mixed bag of extortion and terrorism, especially if the group that is trying to extort money is going to give it or use it in some sort of terrorist activity, or if it’s a sanction government, or if it’s some sort of rogue group that is doing all sorts of Batty batty things, and will use it for weapons. So this is the reality of the situation. But I do agree with you that in some cases, also, it just seems to be pure cyber terrorism.

Mitch: That does seem to be the case, thinking about the Florida attack. And specifically I we don’t know a whole lot of information about that many of the details have been kept private, but there have been links to Iran and other nation-states for similar types of attacks, who have not actually demanded a ransom for the attacks. But they’ve been discovered before any sort of information could come out from the terrorist group, are we thinking that this is going to be a blended model of attacks that we are going to be seeing more of?

Chris: Well, I think so. I mean, it used to be in the past, in order to spread terror, you had to send people to the area, handle the logistics for arms for bombs and explosive materials. And now you can just do it with the press of a button from anywhere in the world. And it’s much harder to detect the build up to these types of attacks. But at the same time, instead of affecting a few city blocks, you are now affecting a region and scaring the bejesus out of them. Because if they can’t drink water, that also has a psychological effect.

Mitch: It does have a psychological effect. I agree with that. How should we be thinking about IoT security that we’re not considering today? Just from a US standpoint, what do you think is the most vulnerable critical infrastructure sector?

Chris: Well, I think one of the ways that we should be thinking about ot security is, and there’s probably some lawyers listening, take a lot of the lawyers out of the equation, this is much more important to human life and safety than worrying about all Will somebody find out, will we be liable. Turn that around and start thinking about if you don’t share this information with, for instance, the UK Government, and you don’t have a robust and tested plan, in case this happens, because it will happens breaches happen. That’s why there’s such a thing is cyber insurance, we have car insurance, we have house insurance, we have cyber insurance, because things happen. But all too often, even though there might be public and private data sharing agreements, the lawyers, unfortunately, not all but some get involved and are like, No, we can’t do that. We can’t tell them everything. And it delays containing the incident. And it can lead to real physical harm.

Mitch: I agree with that statement. And it’s not just our lawyer friends who tend to throw up roadblocks in that we also have folks who are just concerned about PR, which is another thing that I think should take a backseat to public safety and disruptive markets. But that’s just niches two cents. I want to talk a little bit about the Biden administration’s executive order. And I shouldn’t say talking about that in a minute because that is more more than a minute long conversation. That order is sure to impact operational technology. And in fact, that part has already begun with plans to impose cybersecurity mandates on railroad and rail transit. If you recall back a few months ago when those announcements about rail and rail transit were made, there was a response From the transit industry with one leader specifically saying I’m going to get this quote wrong, but to the effect of this industry does not need the heavy hand of government in order to follow cybersecurity safeguards. What’s your perspective on that response?

Chris: I would have to respectfully disagree. When we’re talking about logistics and railroads, the majority of cargo in the United States is run by rail. And there’s already been a long standing problem with how to handle hazardous material spills in the middle of nowhere, where there might only be a volunteer fire department that does not have the necessary tools to be able to deal with a derailment of these types of materials.

Many years ago, when I first got out of the military, I did disaster recovery for some of these municipalities involving hazardous materials and rail crashes and derailments. Now, if you can do the same type of thing, but again with a computer and switch tracks, leading to derailments, and you already have the existing problem of what to do, if there’s a spill, this is a problem. I encourage our listeners to look up videos of runaway trains because they already have a physical security issue where you can access some of the yards and turn on trains. These switches can be in far flung places where you can physically tap into them and change them. And because they’re in these far flung places, it’s difficult for the physical security to be implemented.

And lastly, one of the scenarios that we ran in the EU NATO cyber warfare exercises a few years ago was concerning the London Underground, which is a rail system and in the scenario, because I’ll just say signalling systems can be up to 40 years old, they’re hard to replace and keep them interoperable. What we did in the scenario was during the rush hour in central London made the trains smash into each other, killing 10s of 1000s of people. And that was a very realistic scenario that I set up because I used to lecture produce ch cues, centres for protection of national infrastructure. And one of our customers so to speak, was the London Underground and overground. So these are very realistic things. And if the UK, the EU and NATO have been starting to take this matter seriously years ago, it’s about time the US which is more vulnerable actually does something about it. We need to be leaders in this field, not followers.

Mitch: I actually had the same reaction to when I read the response from the rail industry, I was quite surprised to see the adamant resistance to any sort of oversight and impact to the rail system. I was surprised. Let’s focus a little bit more on the Biden administration’s executive order. What do you think we’re going to see coming out of that from operational technology? And is it actually going to help us be more secure?

Chris: Well, it has potential, and I say it has potential because in writing, it looks very good. In reality, they would also have to set up basically the back office port of cybersecurity to support the new policy. So hiring more cybersecurity professionals, beefing up seiza, beefing up US CERT, etc. and implementing that new department that they want to start to handle some of these things, while also bringing the FBI into the modern world, the FBI, so has kind of a small cyber team in comparison to financial crimes. And we’ve seen especially with the pandemic, that physical real world crimes have actually decreased but digital crimes have increased. So in order to successfully implemented all of that support function has to be there.

Mitch: What do you think is our ideal state then for operational technology security? And more importantly, do you think we’re ever really going to get there?

Chris: Alright, I’m gonna say a dirty word. Regulation don’t fight. Yeah, regulation comes into play a lot with safety issues. I was doing a podcast recently with national blast Kenan Skelly. And she stressed this point where we brought in regulation with automobiles, because people were dying too often. And so we have these things called seatbelts. But at the same time, I also like because I live in the Netherlands, the Dutch have purchased well, when there are regulations put in place by Dutch government, in order to enable them they also earmark funds to actually pay for things to be implemented due to those regulations, and they’re sent to the companies themselves. So it’s a no brainer to go, Hey, we don’t have to wait to do this or try to do it with the lowest bidder or whatever. Cuz that never works. We actually have the funds available to implement the regulations. So it’s not going to bite for not going to lay off people. We’re not going to do it in such a terribly ad hoc way to try to squeeze and scrimp and save money. We’re actually going to do it the right way. So the government supports the regulation by actually paying for the regulation.

Mitch: So it’s the magic marriage of regs plus funding.

Chris: Yes, yes.

Mitch: And to the question of will we ever get there, your guests may be as good as mine, given what we go through, it seems unendingly in the US political system around budgets, I want to ask you to tell me a little personal story, though, because I know last fall or just this fall, you had a really interesting experience. I believe it was coming out of Iran. Do you want to share what happened? Because I just think that’s just an interesting little vignette.

Chris: Well, about four years ago, I got an interesting message on LinkedIn. It’s amazing how that the platform’s use nowadays. And it looked like a very vanilla request asking about doing an in person hands on offensive security course. And at first I was like, Yeah, you know, I can give you a quote, whatever, whatever. But then the conversation started taking a turn turned out that it was from the big Iranian Telecom, which is owned by the Iranian government, obviously got suspicious, started writing down names, recording conversations, etc. And some of their requests were information about Saudi Aramco infrastructure. And finally, they flat out asked me, they wanted me to come in country, they would pay me 100,000 euro a month to do so put me on a VVIP tour for photo opportunities with various Iranian generals to teach them how to hack critical infrastructure with a focus on nuclear facilities. Oh, wow. Yeah, fun stuff, right. So I learned the FBI. And although they took a bit of time to come back to me, they’re like, yeah, yeah, this is bad. We now actually fear for your safety. And there’s been assassinations in the Netherlands, where you live by the Iranian government, don’t contact them again, tell us if they contact you again. And when I broke, contact some of my friends from various European certs, and the Dutch government alerted me that pictures of my house had been taken and put on religious extremist websites, labeling me as an enemy to Islam. So those were luckily taken down. And I thought everything was over so I could tell the story.

So an article breaks this year in January, and I will say I was a bit cheeky, I explained the story as well as to take revenge, I said, revenge is best served over IoT. I had taken advantage of this recent law that had come into place in Iran. We’re all mixed gender facilities like restaurants, entertainment places, had to have IoT cameras that went back to the religious portion of the police to make sure ladies didn’t take their hijab off or there weren’t bachelor sitting in the family section, because things are segregated like that, and much of the Middle East. And of course, when you’re dealing with over 10,000, IoT cameras going to a central location, how much security and how strong is that password, if there is one is an existence, and it turns out, there wasn’t I could remotely access these cameras. I could adjust the resolution, some of them had voice. And so I handed that over to some friends in the US government and the European government to do with it as they would and will. When the story came out. Shortly thereafter, the person who was trying to recruit me sent me some very angry messages, which I asked a few peers because I didn’t want to, you know, freak out and too much. So you ask people like do you think this is threatening? And it turns out, they thought it was a credible threats against me. So my neighbours and the Netherlands suddenly found out what I did for a living because the police were called out to address the situation they had to talk to all of my neighbours told them to call the equivalent of 911 not the non emergency number, if anything was unusual. They told me get out of town, the terrorism police in the Netherlands were involved. Then when I went to the UK, Scotland Yard got involved. My next trip was us. So Secret Service got involved. I ended up in a White House Intelligence Report. The funniest part about it, because you know, things happen. And I like revenge is one of my good friends. We’ll just say a person who works with the police use the phone number that the angry messages were sent from told me one of the domains which had been registered with that phone number using that domain, went back and saw there were over 100 domains, one of which was some fake Saudi Aramco domains, and also a bunch of fake news set up by the Iranian government propaganda news websites, which I don’t know what happened. I mean, I just briefly remember something something FBI took down a bunch of sites related to that basically, the person gave up an entire operation by being angry with me.

Mitch: That is a hair-raising tail. Chris, that is absolutely amazing. And you know, from your own personal perspective, of course, I want you to be careful because you are not only brilliant, but I just think you’re awesome. The other part of this though, too, is it really drives home the point that you know, this stuff is serious business to a lot of our nation-states actors. Getting into operational technology is a well run business. It is not some singular actor in a hoodie, but involves many, many organisations and is deep into a lot of our nation-state organisation administrations. So thank you for doing what you do. And by all means stay safe. You can come stay here if you want. Nobody knows where I live, I just moved again. So yay, we’re right on the water. That’s all to say, alright, so I’m going to ask you another spooky question. And I know the answer to this one, I think but I’m going to let you go there anyway, what keeps you awake at night? I mean, that story that you just told is probably going to be first and foremost. But in general, what does keep you awake at night when it comes to OT?

Chris: Well, I think it comes from my passion with space. But that’s one of the things that does keep me awake at night. It was only recently about two two and a half years ago, that the FCC mandated that us new space IoT actually had to use a basic form of encryption. That, to me was mind blowing. Because we rely so much on space. Think about the last time you pulled out a paper map and actually charted things. I remember when I was a kid, my grandparents would get these flipbook maps from AAA when we had to drive a long distance with the route highlighted. I remember those, right? We don’t have to do that anymore. We pull out our phone, BP BP done, right? Perfect route, it’ll even update us if there’s too much traffic and to change the route. The aviation industry relies on it, the maritime industry relies on it. We can also see all sorts of things going on. Like if you’re trying to see if there’s a big fire and where to send resources, that type of stuff can be picked up our communications to use credit cards. And this has happened before when we’ve had various not super dangerous solar storms, but payment systems have been knocked out because of interference. And yet we rely so much on this but there is so little security when it comes to it. I was asked to be quoted for an article in the register I think was back in September. With the title of in space cybersecurity professionals can’t hear you scream kind of a blunt article and also listed a PDF from the inspector general on unfortunately, how poor the cybersecurity was in NASA. The last three years they’ve suffered over 6000 notable attacks everything from insiders mining bitcoins on supercomputers, to not classifying critical operational technology that people’s lives depend on as actually critical because they didn’t want to do the paperwork.

Mitch: Oh my goodness, that will down keep me awake at night. The one thing that I did want to ask you about. So it’s like when people think about space, they think about the satellites. And of course the missile defence system comes into play. In order for us to actually patch that stuff. We’d actually like to fly up there. Is that correct?

Chris: Um, yeah, or just send new stuff up. And hopeful. This is another thing that worries me is, it was also only recently required that the stuff you put up in space, if it degrades or something goes wrong, it should be able to basically enter what’s called degradation orbit, and then land in the middle of the South Pacific. So it doesn’t hurt anyone. That’s all also only been a recent requirement instead of the other way, the bad things that can happen is they can actually just smash into other space apparatus take out critical things, cause even more space debris, or land in someone’s house.

Mitch: Yeah, that’s an equally distasteful outcome. I’m definitely going to be staying awake at night, then thinking about that space is something that I’m enthralled by as a Trekkie nerd. But I didn’t think about the space garbage and the danger of the space garbage. Yeah. So let’s talk about something a little more optimistic. We have a good horror story from you on what happened with Iran in recent past, we have a second one with all of the attempted hacks of water systems and pipelines, and a third one about space. So let’s talk about something a little optimistic. Given all of that, what brings you down off of the ledge?

Chris: Well, I think one of the things that brings me off the legends actually looking towards the Middle East, they pointed about two years ago now a minister of artificial intelligence. They have a minister of advanced technology, as well as a Minister of Information Technology. And they’re trying to lead the way in embracing high tech by saying this is our future. We need to streamline our healthcare. UAE was the first country to put up on GitHub, different types of machine learning that you could use to look at CAT scans to see if someone had COVID before we had COVID test and that was freely available. They know that digitising a lot of their paperwork and so forth will cut down on the bureaucracy and also benefit people of all walks of life because right now, I’ve heard the horror story I haven’t had to go for a long time, but the DMV giving up your entire day to do something that should be able to be done online. And you know, giving people back time improving health care, improving technology and embracing it, they have all sorts of programmes, of course, their university is nothing to get their population up and running with things like machine learning, things like embracing and looking at quantum communications and quantum computing. And also at the same time, they are incorporating high tech into their national policy. So it’s very promising. And again, I think that the US should actually be leading that as in being the leaders not trying to play catch up. So that’s one of the things that gives me a lot of optimism is looking to the Gulf region.

Mitch: And that’s an interesting perspective to have. It sounds like we could learn a few things from our friends over in the Middle East. And, Chris, I want to say thank you for joining us today, you’ve given us a lot to think about and raise the hair on the back of our necks in a good way. One last question that I didn’t get to is we have a section of the general public and even into the threat intelligence and the incident responder community who thinks that the OT security threat might be a little more hype than fact, what would you say to that perspective?

Chris: Well, I would say to that perspective, someone who has actually handled four or five new killer cyber incidents, it is actually less hyped in the media. And if it was actually told the way it was. The general public would be scared more of that, then my space story.

Mitch: Oh, also not optimistic. But. But thank you, Chris. That’s a good perspective to have. And it’s also this, you know, being in the industry myself, I also see a good deal of that. And it’s amazing to me how naive the perspective is that it’s just simply, you know, clickbait when a story like this is run, and it indeed may encourage clicks, but I would drop the word bait. Chris, thank you again, for your time today. I very, very much appreciate you taking the time out of your schedule to join me and to join our listeners. Any final comments? Before we wrap?

Chris: I do have one final comment. I think one of the ways that people like myself yourself can help is that 80% of critical infrastructure cybersecurity issues are actually reported by ethical hackers. Yet there are a lot of challenges to do that a lot of risks because the legal code in the United States doesn’t quite allow yet for ethical hackers. But I do think we need to start looking at ethical hackers more as hacker responders trying to hold things before they get big, they see your door open, they should be able to tell the police or the powers that be Hey, somebody left their door up and before a criminal gets in. And we need to recognise that with the skill shortage in general cybersecurity, across the board and around the world, that people who are trying to do good and tell you hey, your technology is not so great as insecurity. Please don’t put us in jail. And we like stickers, the Dutch government, if you find something in their government, they actually we’ll give you a t shirt that says I hacked the Dutch government and all I got was this lousy t shirt. Awesome. Right? And that’s all we need. So be kind to us hacker responders and also to close. It’s always a pleasure talking to you.

Mitch: Well, likewise, likewise. Thank you, Chris.

Chris: Thank you so much.

Mitch: A special thanks to our guest Chris Kubecka. For her time making today’s episode. If you want to hear more stories like this, make sure to subscribe into the breach on Apple podcasts, Google podcasts and Spotify you’ve been listening to into the breach and IBM production. This episode was produced by Zach Ortega and Clara Shannon. Our music was composed by Jordan Wallace with audio production by Kieron Banerji thanks for venturing into the breach.

Mitch Mayne
Editor in Chief, IBM Security X-Force Thought Leadership

Mitch is the Editor in Chief driving IBM Security X-Force thought leadership. He’s also the primary cyber-crisis communication consultant, working directly...
read more

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
Press play to continue listening
00:00 00:00