
Ja-Nae Duane Show
Welcome to the Ja-Nae Duane Show. My name is, well, Ja-Nae Duane.
In this show, we will explore the systems that shape human behavior in society through the eyes of technologists, scientists, executives, and leaders, from the algorithms that govern our digital lives to the future of work. We'll be taking a closer look at how these systems function and their implications on our lives.
But really, what sets this show apart is how these future systems will impact humanity. We will ponder what transportation will look like over the next century.
How will artificial intelligence impact our economy? How can we reimagine smart cities to revolutionize urban living? The possibilities are truly endless. Now, you may be wondering, who am I? I'm a behavioral scientist who conducts research at Brown and MIT. My passions lie at the intersection of human behavior and technology so that we can understand that beautiful relationship a little bit better and understand not only how we influence technology but also how technology influences us.
Ja-Nae Duane Show EP 2 - Pablo Breuer
For over 20 years, behavioral scientist Dr. Ja-Naé Duane dedicated herself to one mission: Make life better for one billion people. This award-winning innovator and expert on global systems focuses on helping corporations, governments, and universities understand and develop systems of the future using emerging technology such as VR/AR, AI, and blockchain. Ja-Nae guides companies forward, helping them get out of their own way to create exponential innovation and future forecasting. She has had the pleasure of working with companies such as PWC, Saudi Aramco, Yum Brands, Samsonite, Natixis, AIG, and Deloitte. A top-rated speaker within the Singularity University community and the author of the bestseller, “The Startup Equation,” Ja-Nae at helping both startups and multinational firms identify new business models and pathways for global scale. Her next book SuperShifts is due out in April 2025.
Hello and welcome to the Ja-Nae Duane Show, where she explores the systems that shape human behavior in society through the eyes of technologists, scientists, executives, and leaders, from the algorithms that govern our digital lives to what the future of work will look like. We'll be taking a closer look at how these systems function and the implications they have on our lives.
Welcome to this episode of the Ja-Nae Duane Show, where we dive into the murky waters of misinformation and cyber security. Our guest is someone, honestly, who has seen it all. So he's battled disinformation campaigns, hacked his way to glory, and still has found time to teach the next generation how to do it right. Dr. Pablo Breuer is a man who could probably outsmart your computer in his sleep. And his resume, in many ways, reads like a superhero's origin story. So 22 years in the Navy, stints in the NSA, U.S. Cyber Command, and oh yes, he has won the DEF CON black badge more than once. Pablo has done more to protect our digital world than anyone else I can even imagine. And so with that, please join me in bypassing the firewall and sitting down and talking to Dr. Pablo Breuer.
Well, Pablo, how are you doing?
I'm well, Ja-Nae. How are you? Thanks so much for having me.
Oh, well, thanks for being on. Um, as I had mentioned to you earlier, you are my first guest on this, uh, on this, this podcast of, of what I consider, I don't know, most people that I, I admire and want to chat with. So it's just an excuse to chat with more. So I hope you don't mind that.
That, that's, that's very flattering. I'm just glad that we can hang out and drink coffee and talk.
Yeah, that's, that's, that's the way I prefer all life to be. But, you know, I was thinking about this and preparing for the show today. You know, you and I have run in similar circles now for the past few years and I know very little about your journey into cyber security and into where you are today.
So I was wondering if you'd be willing to sort of share a bit of, um, of that. I don't know if it's a meandering path, but share a little bit about that journey.
No, I'd be happy to. You know, when I talk to students, I always get asked this question, and the first part is where the students cheer and the teachers cringe, but I will be very honest about this. So, uh, I am a bit of a weirdo. I've been doing what we now call cyber for a very long time, uh, much longer than I'd like to admit, and the way I got started was, you know, early in my youth, I really liked computers and video games. And I'm, I'm going to date myself and say I, when I was a kid, used to be able to rent computer video games on floppy disks and, um, the problem with that was that, you know, you could rent them a week at a time and then you had to, you know, return them, uh, library.
Where would you rent them from?
Again, I'm going to date myself. So yeah, they were, they were like rental places, like used to be able to rent movies, except these places were for, for video games. Right. Uh, and, and so, um, I would, you know, go and rent the games cause I couldn't afford to buy them. Uh, and then I, you know, I didn't. They couldn't finish the video game in a week, um, and you couldn't really copy them because they had some sort of, you know, copy protection on them. And it was something like, you know, they'd come with these 400 page manuals and go, hey, go to page, you know, 53 and look at the 13th paragraph and give me the 37th word. Uh, and if you do that, then it would, you know, let you, let you play. And well, I wanted to keep playing. Uh, so I got into programming and cyber security by figuring out how to break the copy protection so I could keep playing the video games and part of the video games. Sorry, sorry. Um, and then, uh, you know, that progressed later on, you know, there were the, the bulletin board systems with, with dial up and.
Way back in the before times, um, the long distance was a little weird. So you could call maybe, you know, 10 miles in one direction, it was local, but calling two blocks the other direction was long distance, and you didn't really know. Uh, and so I racked up some phone bills, um, and got my butt whooped by my parents a couple of times. And so I had to figure out a way around that. Um, and then, you know, I just progressed. I kept teaching myself. Um, I was very lucky in high school. They were running a research project on the effects of high tech equipment on education, um, and at the time, uh, let me set the stage, high tech equipment included the very first Sony Mavica, which actually took digital pictures and put them on three and a half inch floppy disks, and we had, you know, uh, two Super VHS recorders with a mixing board, and we had computers with, uh, Windows 1.0, radical stuff, um, and then ended up working for a software development firm that, um, developed, uh, what we called at the time AI, haha. It was expert systems for Fortune 500 companies. Um, and so I, I really got to play with a lot of technology, got to, uh, really tinker with it and figure out how it works. And then I, then I joined the Navy and, and got my computer science degrees. Um, got to, got to work at the NSA on the red team, got to help stand up U.S. Cyber Command, got to be the very first, uh, chief information security officer for U.S. forces in Afghanistan in 2004. Uh, and, uh, Navy was kind enough to send me to get a master's degree and then, uh, send me back to my alma mater to teach, uh, computer science and cyber security. Uh, so I taught, uh, assembly programming and exploit development and malware reverse engineering and threat hunting and all the things, uh, and just got to keep doing it from there. So I've been, I've been very lucky.
That's amazing. Of those, of those experiences.
Which ones stick out to you as at least one of the most seminal ones that has put you where you are today? Cause I mean, I mean, when, when I read your bio and even hearing you talk a little bit about your, your experience, like to, to even be on the red team. I mean, these are phenomenal experiences, but what's really helped cultivate, you know, cultivate your path to, to where you are right now?
Uh, you know, I, I'm going to have to say the red team, but probably not for the reason that you, you think. Um, so, um, you know, I was fairly, fairly young at the time. Um, the fact that the NSA had a red team was still a very closely guarded secret.
And actually, could you explain to folks who might not know, like you and I know the red team, but could you explain to folks who might not know the red team?
It was the best job ever. I got to lie, cheat, and steal, and be completely authorized to do it, right? I got to do things that would otherwise be illegal, and I had permission. No, so, so, uh, the red team, what they do is, they penetration test, they attempt to hack into Department of Defense and U.S. government systems, um, usually no notice. They're given the authority to do this by, by the Secretary of Defense, and then we go back afterwards and say, hey, listen, we did bad things to you. Here's how we did them. Here's how you fix them, and help them secure their, their networks. And so, like, like a lot of, you know, people that get into cyber security and into hacking, I thought it was awesome. I, again, I got to, you know, lie, cheat, and steal for a living, uh, and do really sneaky, dirty, underhanded things to, to good people. Um, and, um, at first that was its own reward. Uh, and then, and then as I got, you know, a little bit further in the tour, I started getting worried going, I, nobody should be able to hack into these systems. These things are all horribly, horribly, horribly fragile and broken and that really got me going on that.
I really need to help fix these things. Um, and I think that really, you know, as I got a little bit older and realized, you know, how much work needed to be done in building better, more secure systems, I think that was, uh, really seminal. Um, going to Afghanistan was a seminal thing because, um, you know, that's, that's a no fail mission, right? You had active combat operations, and you had men's and women's lives that, that relied on those systems operating correctly and, and not being compromised. Um, so, you know, that was a really important one. Um, I really enjoyed my time getting to go back to teach NPFs. The students were amazing, and it was really great to see things that were considered, you know, black magic when I knew them at that age, right? There were now textbooks on how to do these things. So the students were much smarter at their age than I was at that age. And then, uh, SOFWERX was wonderful because I got to work really weird, bizarre, you know, crazy problems that, you know, special forces would show up and go, hey, listen, we don't know how to do this thing, right? We need to hit this capability and there's nothing on the shelf, build something. Um, so it really, I've been very lucky. I've had a bunch of unique experiences. Uh, and they all kind of, uh, got me on this path or helped direct me in this path.
You know, so pulling on that, that red, uh, that red team string a little bit, I'm curious within, um, you know, as you head into practice and looking at various industries, what are you seeing internally within some of these companies? Are there, are there red teams that are set up within, uh, within some of these organizations? Are there specific trends as to what really, from a best practice perspective, really should be set up? But, you know, they're not even remotely prepared for what might be coming.
Where, sort of, give us a baseline, if you will, of, of, practicing and sort of that lay that land for us.
Sure. So many, many large corporations have their own internal red teams or, these days, purple teams. So we talk about red teams do the penetration test and go back and say, here's how we did bad things. The blue teams kind of come in and inspect and say, here's how you build things better, without looking for just one way, and they just look at it in whole. And now kind of the latest trend is purple teams, which is you combine the red and blue and you get purple teams, um, and those are great, um, the best companies, uh, because people fall into patterns. We all do it. The best companies will also seek external red teams because, yeah, you know, when you're internal to the company, you kind of know the way things work, you know the people, you have some insight, you've got your own biases and you've done things a certain way. When you're coming in from the outside and you don't know anything, uh, you're gonna make different assumptions. And so you're going to get different results. So, so the best companies are going to do both. Um, what am I seeing that, that needs to be done or shouldn't be done? Here's what I'll say. Um, uh, one of my, one of my favorite movies growing up, um, was, uh, gosh, and I just lost the name of the movie. It was a basketball movie with Gene Hackman, Hoosiers. That's what it was. Hoosiers, right? And, and, and Gene Hackman shows up and he says, for the next six weeks, we're not going to shoot, we're not going to pass, we're just going to dribble. Right? He says, basically, we're going to work on the basics. There's no point doing anything else to your basics. And I think most companies, that's where we need to be with cybersecurity. OWASP, the top 10 OWASP, really hasn't changed that much since inception. I think 7 of the 10 or 8 of the 10 are still there and that's because we're not doing the basics.
Um, I was, uh, last year I was at a CISO conference in Latin America and, and I was speaking on a panel, uh, with, with Liz Wharton and with, uh, Bryson Bort and some other, uh, you know, luminaries that are currently in the field. Uh, and we get asked the question of, hey, how do I stop all zero days? And so we all just kind of chuckled and said, okay, let's play a game. Everybody stand up. So all these CISOs stood up and I said, if you know that you have a bulletproof inventory for what's in your network, sit down, and nobody sat down. And so if you, if you don't have a good inventory, if you're not doing those basics, you're really not going to progress. It's really going to be the simple thing. And if you listen to, um, to talks from, uh, you know, other luminaries, I believe it was James Joyce that gave a talk, um, you know, uh, maybe 15, 20 years ago, talked about how, you know, the NSA gets into systems for, for penetration testing purposes. They said, we get into your networks because we know them better than you do. Uh, and, and that's true. If I can guess things about your network and you go, well, gee, I don't know. And you go back and you figure it out. And it's true. That's, that's not a good sign. So really doing the basics correctly works, you know, onboarding employees, offboarding employees, having a very good inventory of your network, you know, everybody's got legacy systems, knowing where those legacy systems are, knowing what traffic should be coming to and from those systems, right? And then the last one is, uh, we, we keep coming up with these, these marketing terms, right? So we talk about the, the software development life cycle, and we talk about, uh, you know, pushing left, and we talk about all these things, and you go to the corporations and you go, well, do you have a software development life cycle? Yes. Do you have a security architecture? Yes. Do you have a security, uh, design? Yes. Great.
Do you have all these processes documented? And in many cases, they do. But they're documented in these stovepipes, so the left hand doesn't know what the right hand is doing, right? So it's, you know, it's not best practice. So really doing the basics correctly, making sure that everybody's on the same page, everybody knows where they're going, helps. Um, probably the biggest thing after really having a sound inventory and doing the basics of cyber security itself is having a good security culture. That is absolutely critical. If, if your users feel comfortable, or better yet, feel like it's their job to call up and go, hey, listen, I clicked on a link and I think it was spear phishing, or I picked up a thumb drive and I lost my mind and I put it in the machine, and they feel comfortable doing that because they feel it's their job, their duty, and they know that they can do that without being chastised or punished, that probably is gonna get you more wins than anything else.
You know, I'm really glad that you brought up, uh, two things, both legacy systems and also creating that, that, uh, cyber culture, um, or that security culture as, as you, as you called it. What I, what I have found within organizations is that many do not know where their legacy systems are, or there's just a handful of people, and there might be one guy that's left throughout the years who knows where the bodies are buried, um, and I see that more often than not, so it's, it's one of these things where, you know, there's a lack of knowledge transference that occurs and, and just a lack of, I'll say, transparent documentation within the organization. So it was, it's interesting to hear you say that.
So next to, you know, how do I get into cyber and how do I, how do I, you know, protect myself from all zero days? Uh, my other favorite question I get usually from students is, hey, how do I get one of those, you know, big paying jobs like right out of college.
Uh, and my answer is always the same. It's go back and learn how to program COBOL on mainframes.
Oh my gosh.
You will be golden. I will be, I guarantee you, if you know how to program COBOL on, on mainframes, I can find you a job making six figures day one and you are never being let go, because so much of the critical things that happen at very large corporations happen on these mainframes with software that was written 40 years ago that hasn't been touched because nobody knows. And so, you know, the, the, the, the lady or the gentleman that's getting to, you know, age 65, 70 and retiring is there. That's it. They're the last bastion of, of the COBOL knowledge. Uh, so there you go.
Yeah. So if you want, if you want the competitive edge now, you know.
It's true though. It's, uh, unfortunately, uh, that's the case, but it's, it's true.
So thinking about now, now heading over to thinking about creating a culture of security. And this was a question I wanted to ask you. What are some of the ways in which organizations can encourage that as well as encourage, um, security literacy, right? Because I find that most folks, you know, they go through a training, but they don't know. And it's not in me. It's not ingrained in their heuristics. That's if you actually have that culture. So how, how does an organization really start to create a robust culture like that?
Can I start with how not to do it?
Yeah, sure. Whatever you want, Pablo.
For 15 or 16 years, I went through the same awful computer based training for information assurance awareness in DoD without a single slide changing.
Really?
Really. It was, like, the first time it was like, okay, it's good. Really, by, like, the ninth year, it's like, I, I know the answers. I, I know what Jamie's gonna do. Right? Like, I, update your training. Make it entertaining. Make it engaging. Right? Make it fun. We all have to do mandatory training. I get it. We, we do. Not all of it can be fun, but for goodness sakes.
Make an attempt to make it fun, right? If, if your organization doesn't care enough to sink some time and money into creating worthwhile training, then what are your employees supposed to think when they take that training? How important is it to your organization? Uh, so that's the first one, right? Show that you care by providing worthwhile training. Then there's, you know, there are ways to gamify it. I think most large corporations right now use phishing simulators. That's great. Um, I had a friend that passed on a great idea to me. Uh, he worked at one of those places where you had to wear, uh, uh, an employee badge to access things. And so he would routinely take off his badge and walk around, or he would try to tailgate behind somebody. Uh, and if he got stopped and challenged, he would hand them a gift certificate to a restaurant.
That's amazing.
And that became so popular that he could no longer do it. He had to go pick out, you know, a secret shopper and hand them, you know, a get out of jail free card, basically, that did that. Uh, and so he would have people randomly, you know, walk around either without a badge or without a, um, you know, or trying to tailgate and people would stop. Hey, where's your badge? And maybe you were the person that had the gift certificate, maybe you just legitimately forgot your badge. Either way, the security objective is met and people saw it as a game now instead of a punishment, right, as a challenge. Um, I've seen similar things with people leaving, uh, you know, either, uh, USB sticks or again, back in the before days, um, leaving, uh, CD-ROMs out, and it's like, do the people turn it in, or do they put it into the computer? Which one is it? Um, if you're really, really sadistic, um, you know, what you put on that USB drive is a script that immediately auto plays, uh, you know, the Rickroll video at maximum volume, and that way everybody knows that you did it.
Have you seen someone do that?
Because that would be amazing.
I have no recollection of ever having done that. So you gotta make the things fun, right? And then when you have real incidents, right, you gotta let people know that, hey, listen, I appreciate you coming. I appreciate that, you know, you kind of swallowed your pride. You admitted you made a mistake. It's okay that you made an honest mistake. Let's figure out how to do it better and move on. Uh, what you can't do is, you know, put people on report because they clicked, you know, the first time that they click an email and in six months, it's a spear phishing thing. It's like that, that doesn't work. Um, so you have to make them feel vested. It's okay to give rewards, right? It's okay to publicly thank people when they, hey, listen, we received a report of, you know, X, Y, and Z, and we looked into it, and it was a real world incident, so thanks, Johnny, for letting us know. It doesn't matter that Johnny was the one that clicked on the pirated email, right, or on the spear phishing email. It just matters that Johnny was professional enough to pick up the phone and go, this isn't right, and I need to report it.
Yeah, I mean, you're training the right behaviors instead of, you know, where if you're punishing someone, they're less likely to come forward. And so you're, you're, you're actually making it much worse than, than you should. I love, love the idea of gamifying this, because I think that that is a great way for folks to engage where it feels, it feels lower, um, than it is, and you're, and to your point, you're more likely to engage with it. Uh, speaking of gaming, so one of the things that I did not realize until reading your bio is the fact that at DEF CON, you actually have won a, um, a black badge.
I have, yeah.
But tell, tell, so to me, I, that was, by the way, I was very impressed when, when I read that. Tell folk what a black badge is for those who don't know.
Okay, let me clarify. I did not win a black badge.
Oh, the team.
It was part of a team that we won.
The team, yes.
So, um, DEF CON is the world's largest computer hacker convention. It happens in Las Vegas every year around August, uh, and they hold numerous contests of various types, and if you win one of the, one of the harder contests, you get a black badge, um, that says Uber on it. Uh, and among other things, what that really gets you is free entry for life, uh, to DEF CON and to a lot of very cool parties in Vegas. Uh, and so one of the contests is what they call the CTF, the capture the flag exercise. Uh, and that one is kind of seen as the world championship of hacking. Uh, and so the, the years that, that I was playing and involved, it was the top 11 hacking teams in the world, uh, and then the previous year's winner. And it's a, it's a really great contest. Uh, the way that it, that it works is, all of the software is custom written, and so on the day that you show up to the contest, you have no idea what you're gonna, what you're gonna get. You get handed basically a CD or virtual machine with a server, uh, with a bunch of custom written applications on it that don't get explained to you, they don't come with documentation, they don't come with source code, uh, and you know that every team has exactly the same thing running, so you have to figure out, okay, what's running on your machine, how do I protect it, you know, is there a vulnerability here? There's a vulnerability. How do I patch it without changing the functionality? And then how do I write an exploit to hack the same application on everybody else's server? And so you get a certain amount of points if you can. What happens is that there, there are flags, which are these pseudo random numbers that get replaced on the box every, usually, three minutes, I believe. And so you get a certain amount of points if you can steal another team's flag. You get more points if you can overwrite their flag with your flag.
And that's just because it's harder to get write access than read access. And so it is, you know, two and a half days of, uh, looking at a lot of assembly code and not sleeping and eating like a teenager.
But honestly, sounds like so much fun.
It is. It is an absolute blast. Um, it, it really is a great time. That's what I spent probably 10 years doing that, um, with the team, I was part of our, with various teams, and it is a good time, and every year you walk away going, I need to learn about this and I never want to do that again, and you just go back the following year, but it is a, you talk about motivation for, you know, you get to a point, it's like, what I want to learn next. It's, well, you want to learn about whatever, you know, puzzle kicked your butt last year. It's like, that's not going to happen again.
That's right. That's right. I love it. So I want to switch gears a little bit and talk about the role that mis- and disinformation play within cybersecurity. Um, I mean, this is the area in which we, we have, uh, where we met. Um, but I'm really interested in where you're seeing sort of the, the state of disinformation, particularly within industry. Um, you know, I know you and I both work for, have worked within agriculture. What are you seeing out there right now that has your, I don't want to say has your, your hairs on end, but at least has, has raised, has raised the flag?
Uh, wow. A lot of things. Uh, first of all, I'm going to say something radical and problematic, which is all cyber operations are influence operations. And the reason I say that is, at some point, even when you're hacking a network, you're trying to get somebody to open an email, open a document, answer a question on the phone, but more importantly, the end result of what you're trying to do is you're trying to change somebody's perception, usually the user at the other end.
Of the network, you're trying to change the perception in such a way that they either make a decision that, that's advantageous to you or don't make a decision that's advantageous to you. Right, so, you know, when you watch the bad hacking movies and the hacker goes in there and shuts off the lights. Why do they do that? Well, it's not because they want to make it dark, right? Most of us aren't afraid of the dark. What we are afraid of is that somebody is so deeply rooted in our system that they can change something as basic as our lighting, right? Like, if you can, if you can virtually go in there and flip my light switch, what else can you see? What else can you do? Um, so, um, I started, uh, really looking at, uh, countering disinformation in 2017. Uh, I was at the time, I was still in uniform. I was at, uh, SOFWERX in Tampa, Florida, which is, uh, U.S. Special Operations Command innovation space. And once a quarter, we would hold what we called a radical speaker series where we examined something that represented either an asymmetric threat or opportunity to the country. And so in 2017, we did disinformation and deep fakes. So we brought in people from all over the world. Uh, and there were a couple of takeaways from that. One was that this was very much a problem on the rise that was not going to go away. And the second one was nobody was doing any real research on it because nobody was funding research on it, right? Uh, and so I, I sat down with, uh, my dear friend, uh, Sara-Jayne, uh, Farmer, uh, also known as Sara-Jayne Terp, and we started working on a framework for how the disinformation attacks happen. What are the tactics, techniques and procedures, and then what things can be done to either counter those or dissuade those things from happening? Um, yeah. What I want to be clear about is the framework, which we call DISARM, and you can find it, disarm.foundation, doesn't tell you what is and what is not disinformation.
What it does is, once you find disinformation, or if you're worried about disinformation happening, what can you do about it proactively? And then if disinformation comes out, what can you do with it to respond.
And we'll link that in the show notes, by the way.
I appreciate that. Thanks. Um, and it is open source, right? I'm not, I'm not trying to sell anything here. So that, that's important. Um, so we are seeing many, many, many more types of disinformation attacks, right? Without getting too political. Um, we, when we're presidential election coming up, uh, we saw a fantastic number of what we call pink slime accounts stand out.
What are those?
Pink slime accounts are these disinformation factories, uh, and the name comes from this disinformation, uh, that came around, uh, for this filler that gets used in meat that people called pink slime because they wanted to dissuade people from accepting it. Um, and so what they are is they're, they're quote unquote news, uh, but it's illegitimate. They put out disinformation narratives and what we've seen is a number of disinformation pink slime accounts come up rivaling the number of legitimate news accounts, right? And somebody's going to go, what's a legitimate news account? However you define a legitimate news account, right, whether you're a, you know, a Fox News or CNN or, you know, things that people might consider, it's, you can look at it by orders of magnitude, you've got the same. I'm not going to get into trivialities of ones and zeros on that. So, I, I am concerned about that, uh, you know, there, there's election stuff, there's vaccine stuff, uh, there's been at least three cases that I'm aware of where somebody used deepfakes to embezzle large amounts of money, uh, via a cyber attack. So, the first case I'm aware of was in the UK, that was about 250k, there was another one in the Middle East, that was up to 250 million, uh,
Are these from individuals or from organizations?
Um, companies, companies.
So in the first one, they, uh, made a deep fake of a CEO of a company that they were partnered with. Uh, and so they made a deep fake call and were able to get them to transfer money to an illegitimate account. Uh, the second one was, was also very similar. And, um, there was recently, um, another one, who, who was it? Uh, there was recently another one where they tried to do a deepfake voice call and it didn't quite work out. But, uh, what that says to me is that it's becoming more common. Uh, LastPass, that's what it was. Somebody tried to clone the voice of the CEO and it, it's becoming that, yeah. Technology used to require like a Hollywood studio, it doesn't anymore, right? Microsoft has a tool that will clone somebody's voice with 3 seconds of audio, OpenAI has one that will do with 15 seconds of audio, and you look around and you go, where can I find a politician or a C-suite leader of a Fortune 100 company that doesn't have several minutes of video on YouTube, the company website, or what have you. And every year it gets easier. We're doing it with voice and, you know, three years, we're going to be doing it with video, you know, three to five seconds of video, and we're going to be doing on our smartphones just because that's the way things go. And unfortunately, what we've done is in order to get past some of the challenges we have with authentication on the cyber side as we go, well, you know, the backup is we'll call the person. Right. Well, what happens when you can no longer believe your ears and no longer believe your eyes. Right. And so you, you call them and you get a Zoom call and you get me, but it's not really me. So those things.
Well, no, it's really interesting where, I mean, I'm running studies right now using HeyGen and Eleven Studios, and it's very, it's very hard to distinguish between the real video that's being used and, um, and the deepfake.
So, and people are just, to your point, getting socially engineered, um, on a personal level as well as within organizations.
Yeah, and it's, you know, it, I don't even have to directly socially engineer somebody in your business, right? So, um, I gave an example of my, my 2019 Black Hat talk of, you know, imagine you're a company that sells networking equipment and I put out a deepfake video where, uh, your CEO is talking to, you know, oh, a man in black who, uh, you know, and it makes it sound like you are intentionally putting in backdoors into your networking products for country X. And you're selling to country Y. Are they going to buy your stuff, right? Or, you know, you make baby formula and you put out that your competitor has salmonella, right? I have to have no proof whatsoever. Yet, if I'm a mom and I know that company B, there may be salmonella, and company A, there are no accusations of salmonella, whether there's any truth to it or not, I'm going to buy company A because there's no cost to me, right, as a consumer. There's a lot of cost to company B who's losing all of this, um, and, and so we're starting to see that. You mentioned agriculture. We see a lot of that stuff, uh, where, uh, players are using it for unfair trade practices and technical barriers to trade. Um, and you can see it, you know, the, the well-known ones are when we talk about things like GMOs, or we talk about things, uh, like, um, organic. What they say is one thing, what it means is something else entirely. Uh, and, and it misleads consumers, but people go out of business.
Um, yeah, and it erodes trust. So it makes me wonder, you know, as we also, as we head in and wrap up, um, I'm really curious as to what your thoughts around the future of cyber security looks like. You know, how do we, you and I have, um, I know we have a shared passion around cognitive security. Um, because there's definitely a need to identify ways to increase that for the individual.
Um, but where do you see the future of, of cyber and cyber warfare going over the next, you know, I'll say over the next five to seven years?
Um, yeah, so I, I will tell you that I personally hate the term cyber warfare.
Oh, why? Tell me.
Because it makes it sound like you can conduct warfare in the networks absent of anything else. And it never, it never really happens that way. You can look at the current Ukraine Russian conflict, and there were all sorts of offensive actions in cyberspace. And yet there's still people arguing about whether, whether or not it's valuable in warfare. I mean, the first thing the Russians went after were the command and control systems of the Ukraine, Ukrainian government and military. I mean, there's absolutely no doubt, uh, Starlink became a valid military target because it was providing connectivity to Ukrainian forces. Um, and so, warfare is warfare, right? We don't, we don't typically talk about air warfare and assume that it's only air warfare without land warfare or sea warfare, uh, but somehow we do that with cyber warfare. Uh, warfare is warfare and you conduct it on all domains, including the information environment. So, uh, we've definitely seen an uptick. We've seen, um, not just during active combat operations, but, uh, during what we call gray conflict, which is action short of kinetic warfare, we're seeing, uh, offensive actions in, in cyberspace. We're seeing other countries attacking national critical infrastructure in the United States. Maybe they're not having negative actions yet, but they're definitely implanting capabilities there so that if things do go kinetic, they can, they can take actions and, and, uh, and have effects. Um, I, I think that's going to get, it's going to get worse before it gets better.
Um, you know, do you think we need a cyber force?
I absolutely think we need a cyber force. Um, I'm gonna make a lot of people upset here. I think, uh, I think DoD has done an absolutely horrendous job.
With cyber, and the reason, there's several reasons for that. But one of the reasons is that we, we have always given kind of like short shrift to cyber. And what I mean by that is, you know, I was a Navy officer for more than 20 years. If you're a ship captain, if you drive a ship, you spend your entire professional career driving that ship. And the end all be all of your career is to be commanding officer of a ship, and that usually happens at the, at the rank of Commander O5 or Captain O6, which gets you through retirement. If you're a pilot, right, the end all be all is to be a commanding officer of your own squadron, and again, that happens at the O5 and O6 level, but you get to fly a plane up until that point. If you work in cyber, the last time you get to touch the keyboard is four to five years into your career.
Really?
Yes. Uh, and so I think we're doing a horrible disservice. Um, and then on top of that, um, most of the services, some of the services do this better than others. Most of the services is like, well, you get to do cyber, but now you have to go out and do traditional communications or, hey, you get to do cyber, but now you get you. And by cyber, what I really mean is computer network warfare or computer network operations. Um, you get to computer network operations, but then you've got to go out and do traditional cryptography or traditional radio battalion stuff. And these skills are so perishable. And the state of play and technology changes so quickly that if you're out of it for two years, you're almost starting at ground zero when you come back. So we've got to, we've got to stop doing those things. We absolutely need a cyber force. It needs to be dedicated. Um, and there are lots of ways to do that. One would be to stand up a dedicated cyber force. It's a completely separate force like Army, Navy, Air Force, Marines. Um, that would be my preferred.
But, you know, politically, it might be more palpable to follow a special forces model where it's, you know, U.S. Cyber Command becomes a functional, what we call global component commander. And then all the services give their cyber people to U.S. Cyber Command, and U.S. Cyber Command mans, trains, equips them and gives back functional units to the services. That would also be acceptable, but what we're currently doing down most of the services just isn't going to cut it. And the proof is in what's going on in the real world right now that we, that we hear about.
Wow. A ton to, to really consider. I have one last question for you, Pablo. As we move into, um, an interplanetary, um, race, what are some of the cyber considerations that we should start to think about now? Um, I know that we have, uh, we have some friends who are, are dealing with space security, but yeah, what are some of your thoughts as we're, we're heading in that direction?
I will tell you that, um, cyber security and space are, are not good friends right now. Uh, I've had the opportunity to, uh, attack space systems as part of the red team, uh, and I've, I've never failed to do that. And it's not because I'm so darn good. It's because until very, very recently, the going-in assumption for designers was that you needed to have a space program in order to affect satellites. And that is just not the case. Um, so people forget, um, that there are two portions to a space vehicle. There's the space vehicle that is up in space orbiting the earth at whatever altitude, uh, and then there is the ground control station. And the reason that the ground control stations have these huge antenna is because you need to, when you transmit from ground to the space station or the satellite, you need to transmit a huge power to get through the atmosphere and to reach the space vehicle. And the reason you need on reception end is because these things are in space, they cost a lot of money to get things in space.
Their transmission power is lessened, so you need much bigger ears to hear the signal, uh, on the ground that gets transmitted. And so you can really do bad things to satellite by either, um, blinding the ground control station, right, which you can do with, you know, a high power amplifier and an antenna on a van pointed right at the ground control station, or, uh, blind the satellite if you know where it is in orbit, and you can do the same thing with orbit. And because these things are expensive, there are certain requirements for, um, for insurance, right? You don't want to, you don't want to completely lose a satellite if you're, if you lose communication because of your high security pencil beam using, you know, nation state encryption. Um, if you can't contact it, you don't want to just lose it. You want it to go to progressively less secure modes until you reattain it. Well, when you go to less secure modes, now all sorts of other possibilities open up. Uh, and so there's been great work done by many people on hacking satellites. Uh, Matt Blaze from, uh, UPenn has done some fantastic talks on hacking decommissioned U.S. Navy UHF satellites, um, that were being used in favelas in Brazil as party lines because a CB radio and, uh, uh, DirecTV antenna could be found in a junkyard and it was cheaper than a cell phone. The other thing is that, um, when you look at the protocols that get used for satellites and the networks that get used in satellites, the network within the satellite itself uses a bus architecture. That's something we stopped doing in IT networks 40 years ago because we realized it was insecure. Um, we still do it that way for, for space vehicles. The protocols that we use that the international standards are SpaceWire and Space Packet. Um, there are horrible, horrible vulnerabilities in those protocols that I won't get into. We probably need updated protocols. And then the last one, I'll throw in a bit for my, my dear friend, Dr.
Mike Lipstein, who works on the policy front of this. We don't have good policies. Uh, we have, uh, an agreement from 1967 that really hasn't been accepted, hasn't been updated since, that talks about having not weaponizing space, and we know full well that both China and Russia have done that, they've weaponized space. And so it's fair game. Our adversaries know that the US has an asymmetric advantage in space. And so our space capabilities are valid military targets as far as they're concerned. And I don't think many people realize how much we rely on the space systems, um, things like GPS timing are absolutely critical for things like modern, uh, encryption systems that need very precise timing to do things like, uh, you know, uh, frequency shifting. Right. Uh, and so if we lose GPS, we've got significant issues, not because of the positioning, but because of the timing.
Yeah, there's just tons. I didn't realize how much, um, how much room for improvement there was, but this is, as always, Pablo, this has been eye opening. I want to thank you very much for your time and thanks for coming on the show.
Thanks so much for having me today. It was fun.
Take care.
Thanks for listening to the podcast. You can find us on all the major podcast platforms, and at www.janae.io, as well as on YouTube under Ja-Nae Duane. See you next time.