Episode 40 General Full Transcript

Fighting Cybersecurity Threats Together | How Government & Private Industry Collaborate

Jennifer Gold  ·  October 8, 2024

Speakers: Joe Patti (Host), Adam Roth (Host), Jennifer Gold (Guest)

Joe Patti00:05

Welcome to the Security Cocktail Hour. I'm Joe Patti.

Adam Roth00:09

I'm Adam Roth.

Joe Patti00:10

Adam, how's Staten Island treating you today?

Adam Roth00:13

Oh, God. We got three inches of snow today.

Joe Patti00:16

Oh, please. It's July. Always a wise guy. So today, we have a guest, as usual. We have Jennifer Gold. Jen, welcome.

Jennifer Gold00:27

Thank you so much. Very happy to be here.

Joe Patti00:30

We're glad you could make it. And you know, as I was putting this together, I was trying to think of an intro for you or something or a little capsule. And I'm like, oh my God, you've done so much stuff. I'm like, how do I even summarize that? I don't want to say what do you call yourself these days, but you do quite a bit all around. Gosh, it's amazing.

Jennifer Gold00:55

Thank you so much. I appreciate that. I'm very, very passionate about this field. I love cyber security. I love the work I do. I really am focused on the mission of helping other people and protecting and keeping them safe, you know, on the cyber front. And the whole community is phenomenal. So it's just, it's a very rewarding career and I get involved in a lot of different things. I'm, I guess, mostly known as president and board chair of New York Metro InfraGard, the public-private partnership. So I've been doing that for a couple of years now and probably engage with people a lot on that front. And then by day, I head up a threat intelligence team.

Joe Patti01:40

Okay, great. We've talked about threat intelligence before. So please listen in if you need to know that, everyone. Okay, a little business first. We are going to remember early on to tell everyone if you're watching on YouTube, please like and subscribe. It really helps us. We're trying to grow the audience and follow us on Spotify or on other platforms. If you're on Spotify, that'll help us out. And today, it happens to be a Friday evening, and on a Friday evening everyone usually needs a drink. And today we've got ranch water that you suggested, Jen. So this was a summer favorite of yours, I think you said?

Jennifer Gold02:15

No, so I have been going back and forth now from New York to Austin in my current role. And on one of my trips to Texas, I was introduced to ranch water, which sounds completely disgusting. And that's what I thought at the time. But people explained to me that it gets really hot down here. Trust us. Try the ranch water. It will cool you down. So I gave it a try. It's a very simple cocktail. And I thought you might enjoy it on a summer day. I brought it back to New York with me. It's a little Texas in New York. And they now make it at various places around New York City because I've shared with friends and family the recipe. So what do you think so far? You just made it.

Joe Patti03:07

I think it's good, and it is good for a hot day, and I can tell you it's usually hot in my extensive studio here. So yeah, it's not quite like Texas, but you know.

Adam Roth03:17

Yeah, go ahead. I think it's hot in your studio because you don't have air conditioning, Joe.

Joe Patti03:21

Yeah, I don't need better air conditioning. What can you do? Well, I'm not running servers in here, so it's okay.

Adam Roth03:25

So, I'm embarrassed to say that Jen is the president of an organization that I belong to and I've never gone to a meeting. I've followed online and I've communicated and emailed and read the emails in the portal, but I really got to get to that organization, well, I can say it, Metro InfraGard, but I need to get there, right? So you and I, Joe, maybe we'll attend a meeting together, and I think non-members can attend, right? As long as they sign up.

Jennifer Gold04:02

In advance or no? Oh, absolutely. It just depends on the event. Some events are members only. Some are open to the community. And one of the things I've been really focused on is raising community awareness. How can I support people across greater New York area in their cybersecurity literacy? And how can I help people, you know, small businesses across the city and beyond engage with subject matter experts and people who can volunteer and help them and provide guidance to them and support. So we're really entrenched in the community and helping others. We do a lot of fun programs. We have an event coming up in a week or so and yeah, it's a great organization. It's been a really, really rewarding experience.

Joe Patti04:52

But InfraGard isn't your standard bunch of security people getting together. It's a little bit special because it's the government partnership. Maybe for everyone you could just describe a little bit about just what it's about.

Jennifer Gold05:05

Absolutely. So it's the public-private partnership with the FBI, and we're focused on information sharing and protecting critical infrastructure. And it's really, it's such a phenomenal organization. It's a national organization, and we have all kinds of groups that connect across the whole country, and we're really working holistically to solve some of our huge security challenges around critical infrastructure. It's also helpful too, we can bring in FBI speakers and we can connect the community to the Bureau and they have tremendous skills and resources to help people on the cybersecurity front. And so it's, you know, and they share information to us on best practices, trends, patterns, things that they're seeing. And we can take that information and we can educate the community with it. We can ensure the organizations that we work at are kept safe. And it's just this really great partnership. So it's been a rewarding experience. I've been involved in it since about 2018. And yeah, I'm involved in a few different organizations.

Adam Roth06:16

Yeah, I was gonna say there's a lot of associations. There's a High Crime Technology Industry Association, the United States Secret Service, there's Metro InfraGard, there's the Marine Auxiliary Cyber Unit, then there's the Coast Guard Auxiliary that has an auxiliary team doing cyber. So there's a lot of places to join and donate your time and expertise.

Jennifer Gold06:45

Yep. And I belong to all of those that you just named. So I'm also.

Adam Roth06:50

Oh, wow. OK. And Jen, ironically, I belong to all of them, too.

Jennifer Gold06:57

Yes, I believe this. No. And I think you touched on the Marine Corps Cyber Auxiliary. So if we could just talk about that for a quick moment and how special that is. So I love that. Across all branches, there really, there wasn't a cybersecurity auxiliary unit, which was really surprising to me because of all of the people in this industry who want to contribute and can contribute to support our armed forces.

Joe Patti07:27

And- Okay, Jen, I'm sorry, but I'm not a military guy. You've got to back up even more on what an auxiliary is. I don't even know that, and I'm sure a lot of other people don't. Adam does, because he's into all this stuff.

Jennifer Gold07:41

And an auxiliary just means you're a volunteer. Auxiliary force, volunteer. So while I'm not, I have not gone through any form of boot camp, I would never call myself a Marine, I am a cyber security specialist for the Marine Corps Auxiliary, the volunteer force. And it was started late 2019 and took off in early 2020 with a focus on pulling together people who were subject matter experts in the field of cybersecurity and this grassroots effort to create a partnership where we could provide training and mentorship to Marines as they're learning cybersecurity, which, you'll be happy to know, is taught across DOD. So everyone is really becoming up-skilled in cybersecurity in very, very meaningful ways. So it's been this very rewarding experience for me. I come from a family that has a military background, and my godfather passed away in 2019. He was a very proud Marine and served in the Marine Corps. So getting involved in this for me was a way to honor his legacy, use my skills, and then just help, help support some of the national security efforts.

Adam Roth09:04

So I wanted to clarify something and correct me if I'm wrong. For those out there that are listening to this, we do not get access to military networks. We are just providing training and materials to learn from and our experiences, but we're not going out there attacking other countries or on the military network protecting the network. We're helping to train the Marines to protect the network. Is that accurate?

Jennifer Gold09:35

That's accurate. And it's really focused on training and mentorship and support. And there will be various projects that they put out to help. There's also participation in cyber war games. So that's another really fun thing to do. I especially appreciate it. So during the pandemic, I was connecting up to the national range and we were, you know, I'm a, well, I'm a red teamer for cyber war games. So I was participating on that front from my breakfast bar in my kitchen with my teenage sons. I mean, it was just, the dynamic was kind of funny, but it was, it was a great, it's just such a great experience. So.

Joe Patti10:19

Well, I was going to ask you, when you mentioned you started the one organization in 2020, which in early 2020, everyone knows what happens then. Was that very disruptive and difficult, or was it a case of people had a lot of time on their hands and were able to contribute a lot? You can kind of go either way.

Jennifer Gold10:40

I know. I think it was really good. I look at some of the things that I worked on during the pandemic, and I feel like it was actually really good. So I got involved in a lot of different initiatives besides that. I also got together with a group of people from Silicon Valley and DoD and the intelligence community. And we were talking about the challenges around AI and cybersecurity at the time, and the lack of policies, the lack of frameworks, and just lack of security tools, and our mutual concern around how quickly things were evolving. And we put together, we formed an ISAO, Information Sharing Analysis Organization. So it's called the NAIC, National AI and Cybersecurity ISAO. And now we see, four years later, how compelling and meaningful that is. And we've been able to advocate for policy. And we've all participated in writing frameworks and controls and educating people. So it's another outlet, really, to connect with community on these topics.

Joe Patti11:55

Yeah, if that's been around for four years, that was really forward looking when that came out. Boy, that's pretty impressive.

Adam Roth12:03

I want to wait for the NSA to come out with their own luxury remote operation center or tailored access. I'll join that when that comes out.

Jennifer Gold12:16

I'm joking.

Adam Roth12:17

I don't think that's coming out, but it was funny.

Jennifer Gold12:20

Yeah, it is. So some organizations have public-private partnerships, certainly in the FBI. We know NYPD does, right, SHIELDS, which is a great program. And there are different programs, but I am not familiar with anything like that from the NSA at this time, but maybe a future state.

Adam Roth12:40

Yeah, I made it up.

Joe Patti12:41

I thought it would be cool. Well, you know, it's interesting that you bring it up because, I mean, I have not been involved in these public private partnerships or anything with law enforcement for many years, except way back when I was way earlier in my financial services career. And I know that there was at one time a tremendous reluctance to work with law enforcement and to work with the, you know, like DOD and the intelligence agencies, partially because of fear, but also partially because, and I'm talking, this is like 10, 15 years ago, it wasn't felt like it was very reciprocal, like they want a lot of info and we didn't get much back. I've got to think and hope that that's changed quite a bit over the years.

Jennifer Gold13:28

Absolutely. On the FBI side, they're sharing info with us. They're giving us information to help us support our organizations, advising us on the threats, on the things they're seeing. And then if we're seeing patterns or issues, we have that direct connect to them. Or if we know of someone who is experiencing a ransomware attack or something that they need, that type of intervention and that's where they are, it's great to have that direct connect into resources. Or if I have a question, I'm seeing something that doesn't seem quite right and I want next level guidance on it, I have those relationships and I can make a phone call and the amount of cyber enabled fraud that we see, the amount of things that we see and how resourceful and helpful the FBI has been is tremendous. I mean, I'm truly grateful for them and I think they have a very challenging, a challenging role to play, but they're really, really supportive. And I think it's this, you know, a lot of people have this idea that the FBI comes in and they're looking for other things if they're responding to a cyber incident, but that's not the case. So it really is the government there to help.

Joe Patti14:45

Yeah, I've heard, it's interesting you mentioned the relationships. I'm from the government and I'm here to help. It scares people, but no, it is interesting what you talk about with the relationships, because I've heard people say it. I mean, I've even promoted myself. When you put up your incident response plan, they say that when ransomware hits or when fraud or something very bad happens, it is much better if you have those relationships with the people in law enforcement and in the government, rather than calling a number in the phone book and saying, can I talk to an agent?

Adam Roth15:18

Yeah, I think it's better to have the relationships in advance and utilize them as needed. You don't have to, you know, you don't have to use them. It's like having a fire extinguisher in your house. You know, you hope that you never have to use it, but if you need to use it, you know where it is and you can use it, right?

Jennifer Gold15:37

Absolutely. And that is actually a great piece of advice, Joe. So that's one thing I tell people all the time. Just understand who can you contact at your local field office. Have a relationship in advance. Connect so that you have them as a resource if you ever need them, and hopefully you don't. But the world we live in is what it is. And so it's definitely helpful. And I always try to connect people into different resources. And I'm a huge believer in really knocking down those silos that we have between government and the private sector and the military. We all need to work holistically to tackle the security problems that we face.

Joe Patti16:21

I do remember one of the things when we talked earlier to prep the show, as you said, you were very much about building connections and bringing people together, which is not only nice from a general standpoint, but especially in security, it's important because I don't know if people understand it, but security people work for different companies that are often competitors, and they don't always share. There is a lot of sharing that goes on, but security people are security people. They worry about giving up too much or talking too much. So having those forums where you can build those relationships and build trust where you can share and do that kind of stuff is very important. It's great to see that you're doing that, including with the government too, which people in private industry don't, I mean, many don't know if they don't work with them regularly.

Jennifer Gold17:17

Right, of course. And there are areas where you're not sharing information or doing things, right? But having a trusted forum that you can engage with and building those relationships with people across the board, I'm constantly learning from people in other sectors and bouncing ideas off people of things I'm seeing and challenges that we're facing. And we all become better when we start using these models and working together across sectors. And then you get the perspectives from the defense side, from the law enforcement side, and from the private sector side. And we all have different lenses that we're seeing threats come through and the impact. But we need to look at it from a larger perspective and really work together to counter the threats and come up with better strategies, quite honestly. Which brings me to the intelligence piece. So definitely a big advocate of early warning threat intel and looking at ways that we can leverage traditional models of intelligence, meaning human, human intelligence, monitoring forums and all of the different dark places, right? And collecting all of that information so that we can get ahead of threats and attacks while they're in the early planning stages. And I've been working with this model and it's really, really effective. And so I think it's a very important strategy. We really need to shift our mindset and thinking and how we approach some of these problems, work collectively together, and then also leverage tools like intelligence in a more meaningful way. That's my credit.

Joe Patti19:05

Okay, so let me ask you something then. Well, since you mentioned threat intelligence, I'm a big fan of threat intelligence. I mean, I think that's one of the big advancements that we had. You know, years ago, we had no idea what the bad guys were doing. Now we have much more available. We have more feeds from the government. We have commercial things like yourself and the sharing groups and all. But what always troubled me, what I always ask a vendor for is I say, okay, you can tell me about, and there is dark web monitoring stuff, but things like, okay, you can tell me about what the landscape looks like, what the bad guys generally are, what the armies of barbarians are in the field out there, so to speak. But I really want to know who's the guy who's just over the hill from me, who's setting up, who's gunning for me. And what's he going to do? And those, not even targeted threats, necessarily. Targeted threat is when we talk about, you know, bad guys coming after you specifically. But even if they've decided, you know, opportunistically, we're hitting these guys or this group, you know, that to me, to a certain extent, has been sort of the holy grail. And I don't know if you've gotten closer with that lately for specific organizations.

Jennifer Gold20:25

Yes. So that's exactly what we do. And so I spent two decades to age myself here in the financial sector, working at investment banks, hedge funds, private equity, across infrastructure and various technical roles, and became several years back, very focused on the security space. And what I wanted to do was, my last role was as a CTO. And as I made the move into the role I'm in now, I really wanted to do something that was impactful to solve the problems that we have. And I keep thinking that cybersecurity and our approach to it is fundamentally broken. We're very reactive, and we're holding up a bucket to try to contain this ocean that we just can't, right? So we need to come up with a way to prevent, be proactive and start preventing these things before they become an issue. And for me, just thinking about it logically, and thinking about how do we counter terrorism? How do we counter physical threats? What do we do? We utilize intelligence and we figure out if somebody is targeting the Empire State Building. We deploy the appropriate resources around it. We monitor the channels. We understand the chatter, what it means, and we have our resources aligned to protect it appropriately. And quite simply, the model that we're using is essentially the same. So we're able to determine if there are specific threats targeting organizations and the ones that we work with. The other piece to it is that people are so inundated with the amount of alerts and they have alert fatigue. And we're consuming so much data. We're taking in tremendous data. And of course, IOCs are tremendously helpful because they provide us with the information we need to appropriately block adversarial activity. But when we receive all that information first, an IOC is an indicator of compromise, meaning somebody was compromised first. That's not the space I'm trying to be in. I'm trying to get to the left of that before that occurs. And look at how specific organizations are targeted and who's targeting them, what makes them appealing and attractive to cyber criminals, and how to make them less attractive, and ensure that they're different.

Joe Patti23:03

Well, that's it. That's so important because, you know, like you say, when you're, you know, a lot of things have to do with volume. When you're a defender, you say you regularly get all these IOCs, which is basically what the bad guys are doing to break in the techniques that they're using, essentially. And, you know, unless you can be told that, well, you know, you're most likely to get hit with this, the guys interested in you are doing this. You essentially have to defend against all of them, which of course stretches your resources.

Adam Roth23:33

So from a use case standpoint, and I don't want to get into the politics of it, I just want to talk about factual, right? If you look at the possible assassination attempt, look at the intelligence that's out there. Do we effectively use the intelligence that we have to communicate and channel correctly, right? So if you look at what happened with the assassination attempt, people had intelligence, but because it wasn't communicated effectively, there's a possibility that might've been an issue. And that's very similar to cybersecurity, right? We get different sources of intelligence. We get open source intelligence. We get dark web intelligence. We get intelligence from law enforcement agencies. We get intelligence from actual threat actors. We get intelligence in all these different ways. Quantified intelligence and then qualifying it seems to be the issue in general in any type of intelligence gathering situation. What is important and what is not important? What is actionable? What is not actionable? And these are the things that are always gonna be that cat and mouse. And the last thing I'll add is, okay, now we have the intelligence. Is there a manual intervention? Is there, are we gonna use automation? If we use automation, then we start getting more, and back then, automation wasn't AI. Automation was more about, if you see this, this, and this, do this. Now, automation is, I think they're doing this, so let's do that, you know? So, you know, it's crazy days, crazy times.

Jennifer Gold25:20

It is, and I find that organizations, in addition to alert fatigue, right, they also struggle with having the operational resources or ability to stop for a moment and process what they need to do with this information. So it just becomes another burden in a lot of ways. And so one of the things I wanted to do is build a model where instead of just hurling intel over a wall at someone, in large amounts, figure out very specific threats to the organization, to their sector, and monitor all of that, and then provide someone who is a subject matter expert who can take that intelligence, contextualize it, work directly with the business to prioritize the remediation, but to provide that expertise in remediation guidance. So finished intelligence products, this is what you do step by step. And really developing those trusted partnerships directly with the organizations so that you can effectively help them. And we've been working with government agencies, we've been working with Fortune 500s, and it's a really effective model. So I know it requires a lot more than automation, but it works.

Joe Patti26:46

Well, it requires more, but I mean, if you're doing that, the payoff is gigantic. I mean, that's what you want, because you have to invest in, I mean, to explain to everyone, you have to invest in all of that, but it means that the things that you do are very targeted. You know, you know what are the most likely things to hit you, so you defend against those, so you focus on those instead of on the whole world, because you're right, there are so many alerts, there are so many so much intelligence, so much stuff. I tell people all the time when they go, oh, I saw this hack and they said that they, you know, that they got an alert for this and they knew it. But what people often don't realize is, yeah, that was one of 10,000 in this period or something. That's exactly the point. How did you know it was that one?

Adam Roth27:30

So I worked for a billion, almost a billion dollar organization. And that billion dollar organization had pretty much one threat intel person for an organization that dealt with proprietary data. People don't realize that a lot of organizations, even that bring in revenue over almost a billion dollars, don't really have the staff to really know the intel. And then what we used to use is intel providers where we do RFIs, right? Okay. This week, this week, this organization is negotiating with this person, with this entity. What is, please let us know, do a targeted search to see whether or not people are gonna go after our organization to do something. Sometimes it's political, sometimes it's motivated by money, but even those intel organizations that you pay for, those big ones, it's really, really hard to decipher. So, you know, like people talk about, things that happened. Oh my God, did you see what happened with this EDR company? You really don't know what's happening. You really don't understand where it's going or what, look what happened with this law firm. They got targeted or this financial. Everyone wants to be an armchair quarterback, but you know, like put that person in that situation and see if they would fare as good, better or worse. It's very easy to say what you would have done, but if you're not in the situation, you really don't know. Even if you've been in similar situations.

Jennifer Gold29:20

No, it's absolutely true. I mean, these are very, very real problems. And to your point about all of the different vectors and things that impact cyber security threats, we have, it's hitting us on so many fronts, and the impact can occur in the physical world. You have cyber enabled fraud, cyber into kinetic threats, how we see cyber becoming a physical threat. A great example I just heard recently was talking about a ransomware attack and how extortion tactics have evolved. So if you think about our footprint, our digital footprint in the world, and all of the data that cyber criminals can collect on a person, how that's rapidly expanding with social media and AI and getting all of that data, you can get so much information on a person. And we see situations where cyber criminals will conduct a ransomware attack, and as a method of extortion, they're now calling people up and threatening them, and they're sharing pieces of data around their family, children, what their house looks like, all things that you can really collect.

Adam Roth30:37

That just happened during the Olympics. This just happened.

Jennifer Gold30:40

Yes, yes, exactly. And this is happening here. No, no. So in the past, CISOs and CSOs have essentially worked in separate domains and everywhere I've worked, I've always made friends with both and wanted to work closely with both because ultimately, at the end of the day, we have to look at security holistically. We have to look at risk holistically. What is the business impact of the risk? Are we keeping people safe? And looking at the geopolitical pieces, which are enormous, right? But being able to track all of that information and data, and then how things can become a physical threat. So you have to really kind of weave it together. And I think the best method to do it from what I'm seeing so far is really be able to look at organizations from a 360 degree perspective. So the type of work we're doing is certainly it's focused on external threats coming toward an organization. So being able to assess those using intelligence.

Adam Roth31:49

And then also being able to conduct more meaningful threat assessments, looking at all aspects of an organization.

Jennifer Gold31:56

Is there insider threat? What's happening within the organization? What are the vulnerabilities, looking at their tech stack, and across the board, and doing these things holistically, give us a picture of how we can advise organizations to become more secure in a more efficient way. So I think that's really a great approach.

Joe Patti32:23

I was going to say, and just to let people know that, you know, it sounds like, oh, we'll just look at everything together. That's actually a really big challenge to let people know because, you know, a lot of IT and a lot of security too is fractured. It's become so specialized that you have people and systems that specialize in different things, but looking at the whole picture and putting it together is, and especially in the case of, you know, there's a threat, like someone's trying to attack us or something, just figuring out what the impact might be. You might have to talk to a whole bunch of people or test a whole bunch of systems. So that approach, just to let people know, is important and difficult.

Adam Roth33:05

So I'm one of the people with the pom-poms that talk about, and watch Joe cringe, I talk about physical security information management, or PSIM, and I talk about how to integrate all of this and how to work together to make sure both are done. I've always been both on the physical security side along with cameras and network video recorders and artificial intelligence and cyber. I love that. And then the other thing, what a lot of people don't know, and this is a really big thing going on that people don't talk about, violence as a service. Violence as a service is people on the internet that will target you and then even go to, like, oh, you want to get information on Joe Smith? Okay, great. If you want, not only can I get information on him, but I can beat the crap out of him if you pay me a certain amount of money in Bitcoin.

Joe Patti34:04

Adam, I think that's called a hitman, violence as a service. I don't know.

Adam Roth34:07

But it's called violence as a service. And now these hitmen have incorporated cyber into their tactics. So violence as a service is a big thing. Google it, everybody. Take a look at it.

Jennifer Gold34:20

No, I mean, I can tell you in the dark spaces and places that I'm monitoring, you know, you certainly see all kinds of forms of swatting, for example, that's a great one to mention in this category. So there has been an ongoing sale for swatting. It's, you know, everybody's offering a sale on that right now. And it's for very little money, people will conduct these operations and do these things. And it's pretty horrifying. But I'd rather have the data and know about it and be able to help people have an understanding and awareness of it.

Adam Roth35:00

Those who don't know what swatting is, a lot of people probably know, but some people don't know. Swatting is calling up the police and telling them that there's a situation going on. Oh, my God, there's a hostage situation at 123 or 1234 Main Street. The guy has a gun to her head. They go in with guns blazing or they break the doors down. I mean, most of the time.

Joe Patti35:19

And it's someone sitting on their couch watching TV.

Adam Roth35:22

There's nothing going on. That's the thing. 99% of the time, you know, the law enforcement agencies are able to go in there carefully and quietly. But there's always that rare time where something doesn't look right or something. They go to go in and they see something and they're not sure. And sometimes people but very, very, very rarely do they get hurt. So the point I'm making is swatting is a very dangerous thing, not only for the civilians, but for the law enforcement people too. They have the risk of getting hurt. And this goes the same for highway police officers that are driving the highway to speed. People always talk about what can happen to the individuals. They never talk about what can happen to the law enforcement agents, but the point, I think you made that point abundantly clear. That's a good use case, Jen. You know, swatting is a very, very dangerous thing.

Jennifer Gold36:16

And the weaponization of information, whether it's someone falsely calling in something for swatting, or it's a disinformation campaign like we're currently seeing in Paris at the Olympics. There's a tremendous danger in putting resources in places when they're needed in other places, right? So redirecting resources and if law enforcement is called away for something else, and then something bad happens, right? And they're not available. So just the resource piece is really concerning. And I'm especially interested in the types of technologies that are out there and things that we can utilize to counter disinformation, to validate information. And I think that's really a great forward place to start looking at.

Adam Roth37:12

Wow. You just touched on such a crazy subject because these days, with the incredible AI, whether it's videos or audio or whatever else, like there's one, I saw this on LinkedIn, you may have seen this, Jen and Joe, where somebody takes, and it's being done in China, there's like, let's say, an 80-year-old grandfather or grandmother that passed away, and then there's a granddaughter who's like 14 years old, and they put them in the same video and it looks like literally a real video of them interacting. Meanwhile, one's been dead for X amount of years. And there's no way, there's no way to validate that from a visual view, it's hard. Like I was, so Joe, one other thing, I was talking to this guy, he had mitts on and he had a robot that was boxing and it looks so real, but it was fake. And then Sal from my gym says, look at the feet. And when I looked at the feet, I can see the green screen for like an eighth of an inch or sixteenth of an inch, but it was so good. So we've spoken about this in January. I'm sure you're going to tell the stories where, you know, somebody's being claimed a helpful hostage, same heightened voice, same characteristics that a person might do the stuttering, the screaming only, We don't to that mother or that father that looks so real. It sounded so real.

Jennifer Gold38:46

Sorry, right. And so here's an interesting piece of information. So one thing that we're seeing a big trend on and pattern is we're seeing call centers get hit. And the information that's getting exfiltrated is not traditional data, it's voice data. So the harvesting of voice data.

Joe Patti39:12

Wait, do you mean are they getting the call center's people voices or they're stealing the recordings of the customers?

Adam Roth39:18

These calls are recorded for informational and quality assurance purposes.

Joe Patti39:23

That stuff is what they're stealing?

Jennifer Gold39:25

Oh, that's bad. Yes. Oh, it's very bad. And here, so it's very bad. And so there are a lot of financial institutions, especially around retirement plans and some different organizations, and now this is being changed. So this is good, because there's more of an awareness of it, but where you can conduct a transaction and have voice authorization to conduct a certain transaction. And so if you have someone's voice, it's very easy to conduct another form of fraud and do these things. So, I mean, there's so many ways that this can be weaponized and used.

Joe Patti40:08

Oh, yeah. Well, we've talked before, in the context of, you know, AI and identity is, you know, how do we prove people's identity? One of the old security tricks is to say, well, call them or see, even if it's someone you know, you know their voice or whatever, but what you're talking about is, you know, voice cloning is obviously that you can imitate someone's voice and with more information if you know more info about them you can get them to answer questions and seem real and you know that's scary enough but when things get really scary and security is when not only that those things are possible, but when the bad guys start doing it on an industrial scale. And that's why I'm freaking out about this thing with hearing call centers having all the customers' calls stolen. That's thousands, tens of thousands of people's voices that they can copy. Like, oh, that's bad.

Adam Roth41:04

Wow. So Jen, I've done this more than once. People will call me and I'm like, are you sure you're you? Adam, yes, I'm gonna challenge you. Last March, where did we go to or what did we do? What restaurant did we go to? Are you serious? Yeah, I'm serious. Well, we went to this restaurant and you, what did I eat? I don't know. Of course you know. I'll challenge people sometimes, every once in a while when I'm not sure. I love it when people call me, I'm from your health plan. I'm like, okay. I go, are you gonna ask me a PHI? Uh, yeah, we have to. I go, so you're gonna call me and ask me PHI? I've never heard your voice.

Jennifer Gold41:49

I have no clue who you are and you're challenging me. Get on, I'm like, don't call me again. Right, but the thing is that you know, you know, and that's the very thing, you have that knowledge. Now think about all of the people in our country and globally who are so vulnerable to this and think about the aging parents who don't have an understanding of this, or communities that aren't educated in this, and how people are blindsided. It's really something that, you know, educating people is one way of doing, just raising that awareness to prevent bad things from happening, but also how do we really get ahead of it with how we innovate in technology? And so looking at this from the Olympics and what's happening in Paris, there's a company actually based in New York that's in Paris right now. They came up with a product to defend against this from a disinformation standpoint. And they're doing incredible work. And I see things like that, and I feel really inspired by it because we're innovating and getting ahead of it. And so there are solutions out there and in progress to get ahead of this, but it's very important.

Adam Roth43:10

As I said, it's one industry that people are not paying attention to, and they need to start paying attention to, and those are the recruiting industry. We have a lot of people offshore, getting a lot of people in the U.S., getting their resumes, and in that resume, it's usually your address, your phone number, your email, and some other information you really don't want them to have, and then they'll call you, and they're like, hi, how you doing? I'm calling from, is this blah, blah, blah. Yeah, yeah, yeah. And then they'll like, and eventually some people what they end up doing is like, we need the last four digits of your social security number. And I'm like, I tell people don't ever, I don't care who they are. Don't give your social security number. Don't give your old boss's phone number. Don't give your old boss's email address. Wait till they make you an offer. Cause if they're not making you an offer and you're giving this information out, they might do something as if they're you to your old boss, your old companies and do stuff. People don't realize you get one piece of information that's hard. You get two, it's a little less hard. It's like getting three or four pieces of information. You could do a lot with that.

Joe Patti44:25

There's so much out there, though. And, you know, we've spoken before about surveillance on an earlier show. It's like, you almost want to give up. You're like, look, it's out there. You think certain things are private and you can keep them out of the hands of people. It's out there. I think you're right, Jen. We need to innovate and assume the reality of it's out there. So how do we protect ourselves?

Jennifer Gold44:47

Right. I'll just say this one piece. So I can't even articulate the amount of Copilot and ChatGPT data that I see all over Telegram. It's out in the open. We need to understand before we start utilizing these tools, we have to have a data security strategy. We have to classify our data. We have to protect our data before we start adopting AI and doing anything with it in our environments. And then to the point, for people personally, the deep fakes. So we hear stories of grandmothers getting calls from grandsons who are saying, I'm in trouble, I'm overseas, and I'm traveling, and it's their voice. And please send me money right away. And the person who's not educated in that might run to Western Union, or they might go and do something and send money. So what I've developed, at least with my family, and I recommend for other people, is for your immediate family, have a password. And know that you're authenticating your connection and have a word that you use to validate. Right. And sad to say, but things like that, but it's a simple step, but it can save you a lot of headache because some of the deep fakes are really good. I will direct everyone to check out the Tom Cruise movie for the Olympics. There's a deep fake movie that you, you may or may not have seen. So.

Joe Patti46:21

I haven't seen that. I'll have to look at it.

Jennifer Gold46:23

It's pretty good, but if you listen closely, like if you look at the feet, if you listen closely to the dialogue, you'll be able to detect it.

Adam Roth46:31

Now I'm going to have to go look for it. I'll probably get some malware looking for it, but I'll look for it.

Joe Patti46:39

Yeah, be careful. Don't go for the fake fake. That's got the malware attached to it. That's how devious the bad guys are.

Adam Roth46:47

In order to play this video, you need to download this player. I'll do it.

Joe Patti46:54

Yeah. Yeah, and to let people know too. I mean, you know, I kind of have to smile at it and we've all been in security for a long time. This is, you know, people may say, what are we going to do about it? How come you guys can't fix it? This is the cat and mouse game that's been going on for decades now. And it just continues. And seeing all this AI is just that much more. New tools come out, the bad guys figure out how to use it. We figure out how to stop them. And it just continues on.

Adam Roth47:22

You know what the irony is, everybody thinks because we are in this industry, that we're never gonna get faked, we're never gonna get corrupted, we're never gonna get viruses and malware. We can get it too, so. Yeah, we're not infallible. Maybe Joey's, but not me.

Joe Patti47:43

Don't send me on that ego trip, you know. It's gonna cost a lot of the therapist, but no.

Adam Roth47:49

This has been amazing. I know we're wrapping things up, but this has been amazing. You know, time goes so fast when we really start digging in and we probably should revisit this in another episode, like, you know, but there's so much to learn and so much to do. And by the way, anybody listening to this, if you want to know more, we're thinking about putting out maybe a newsletter shortly, direct message us or email us and we can work with Jen to put together some tips and tricks. We would love to build up a nice mailing list, get people that information. We want to disseminate this and get more people knowledgeable of what's going on because this helps all of us. It's almost like a pay it forward. So we're looking forward to connecting.

Jennifer Gold48:37

I just wanted to say I'm speaking at Black Hat in about a week or so on this topic, right? And with a group of people to talk about cybersecurity and AI. And if anyone wants to reach out to me on LinkedIn, anyone has questions, I am so happy to share any knowledge I do have. And that's so important. So I'd be happy to contribute to a newsletter as well.

Adam Roth48:58

Is your Black Hat video going to be available? And if so, do you know where? Is there a way people can see it?

Jennifer Gold49:04

I don't know. Good question. I'll find out.

Adam Roth49:06

So let us know when you do know, and then we'll post it on our website and our LinkedIn. And obviously I know you will too, but this way we would love people to get more access to what you're providing. So it's good for everybody.

Jennifer Gold49:19

We appreciate that. Thank you so much.

Joe Patti49:22

No, thank you for joining us. You know, I got to say I'm unusually inspired, you know, I'm insecure and I tend to be a little on the negative side, I've been told sometimes. And we have, you know, we've heard about some scary stuff that even I didn't know about. But it sounds like people like you and the people in your field and the partnerships that you have, that good people are really on top of it. Actually, much more so than I realized as not being my particular field. So there's hope. The good guys are working hard, basically. I don't know how else to say it.

Jennifer Gold50:02

Yeah, and I think it's really mission driven. And I love the security community in that way. I said that at the beginning. People are really focused on the mission of what we can accomplish together and how we come through this on the other side. To me, I love this work from a very nerdy technical perspective. It's just who I am. I love the work I do. But I love the mission, and I love helping people. And at the end of the day, that's really what compels me and gets me up out of bed every single day is, what can I do to stop something bad from happening to another person, an organization, our country, whatever that looks like? So I feel inspired being around people who are doing this work as well. And I really believe that in the future, we will evolve.

Joe Patti50:51

Yeah, and I think that's very important to say that, you know, also for a lot of people in the industry, this stuff isn't just a geeky pursuit or a puzzle to solve or anything. It is important. It does matter to society and people and everything, whether you realize it or not. So, you know, stay with it. Feel good about yourself.

Adam Roth51:14

Well, there's no puzzle to solve only because this puzzle keeps on evolving in a world for the rest of our life. If any of us five years ago thought I don't think any of us five years ago thought that the AI would get to where it is. And oh my God, it's nowhere near where it's gonna be in five more years from now. I mean, for all I know, you'll have holograms of people walking around. You're like, oh my God, I thought you were dead. You're still alive.

Jennifer Gold51:42

People are having their loved ones record things that can be matched with an AI image. So after they're gone, they can watch the videos and they can interact with the AI and ask them questions and still engage. See? I didn't even know that was a thing. It's a thing.

Joe Patti52:01

That's creepy. That's going a little too far.

Jennifer Gold52:03

Very creepy thing.

Adam Roth52:04

Tell me where I can get that, Jen.

Jennifer Gold52:06

There are apps. Check out the iOS app store.

Adam Roth52:11

Oh yeah, there are a whole bunch of apps. I'm going to get rid of Joe, and then use his app as a podcast person. I don't have to deal with him. But you know what's funny?

Joe Patti52:22

You know what? You may not have to deal with me, but I still get my end. OK? You start making money off this. I'll sit on the beach while you use the AI. OK?

Adam Roth52:31

40 years ago, I think, there was a movie. I can't remember the name of it. And they were knocking off TV stars or celebrities on TV and videos. And they did this, and they faked these people. 40 years ago, there was a movie. And I can't remember the name of the movie. I've got to find it. And now, this is really happening where people are being replaced. I might say knocked off, but being replaced. But I wouldn't be surprised, there'll come a day, like, oh, this person gets $10 million a movie. We can get them for $0.40, but you know, or Google or Apple app, but we're getting there.

Joe Patti53:13

It's exciting stuff.

Jennifer Gold53:15

It is exciting and fascinating and a lot to absorb. So thank you guys so much for having me on the show and just chatting away about these topics. And I really appreciate it. And I appreciate what you're doing with the community and supporting people and having these great conversations. So thank you.

Joe Patti53:33

Well, thank you for joining us. I always think it's been a good show when I learn a lot and hear about a lot of stuff I didn't know. So thank you so much. Thank you, Jen. Really appreciate you.

Jennifer Gold53:46

Awesome. Well, thank you and enjoy your ranch.

Joe Patti53:48

Adam. Oh, yes. I have been enjoying this. In fact, I suspect this is a little bit dangerous. I don't know how much tequila I put in here, but I'm not tasting it. So I'm going to be careful with these.

Jennifer Gold53:59

That's the piece I forgot to tell you about. The warning that, yes. Oh, thanks. It doesn't taste like much, but you drink it. Surprise, okay.

Joe Patti54:13

All right.

Jennifer Gold54:14

Enjoy your Friday.

Joe Patti54:15

Thank you. Oh, thanks. Thanks again, Adam. Thank you for talking to you. Thank you.