Building Trust Through Cybersecurity
Ann Johnson: You're listening to the CyberWire Network. Welcome to "Afternoon Cyber Tea with Ann Johnson," where we speak with some of the biggest security influencers in the industry about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision-makers. I'm Ann Johnson, and today I'm joined by global cybersecurity expert Sean Joyce.
Ann Johnson: In April 2010 Sean became the executive assistant director of the Federal Bureau of Investigation's National Security Branch, which composed of the counterterrorism division, the counterintelligence division, the Directorate of Intelligence and the Weapons of Mass Destruction Directorate. Then, in September 2011, Sean was appointed as the 14th Deputy Director. With more than 26 years of service with the FBI, Sean brought a wide range of operational and leadership experience spearheading several strategic initiatives, including Next-Generation Cyber, which was a cross-organizational initiative to maintain the FBI's world leadership in law enforcement and domestic intelligence.
Ann Johnson: Sean also established a framework to operate and evaluate the FBI's 56 domestic field offices. Meeting regularly with congressional leaders, senior White House national security team members, he has become a well-respected member of the cyber intelligence community, having received the director of National Intelligence Distinguished Service Medal, the CIA Directors Award, the DIA Directors Award, the FBI Meritorious Service Award and the Presidential Rank Award. Today, Sean is a principal for PricewaterhouseCoopers advisory practice, working with clients in different sectors, providing strategic guidance, leading transformational initiatives and advising on incident breach response and cybersecurity.
Ann Johnson: Welcome to "Afternoon Cyber Tea," Sean.
Sean Joyce: Hi, Ann, and thanks for having me. And as everyone is probably hearing that lengthy introduction, it shows how old I am. So thanks for having me on today. And it's - a big hello to all the listeners out there.
Ann Johnson: Thank you so much. And your background is always so fascinating to me. Your tenure with the FBI didn't start out in cyber, I know, however. So it actually began with what sounds like kind of a Hollywood movie involving drug cartels and fugitives and bank robberies, kidnappings, extortions. So can you share a little with our listeners how this experience led you to focus on cybersecurity?
Sean Joyce: Yeah. It's a great question, Ann, and sometimes I wonder myself. But at the time, I think the FBI was more focused on criminal investigations. They were not, at that time, an intelligence-led organization. And as I move from what I would consider, you know, the core of the FBI, which is those investigative and intelligence collection activities, into more of a management role, it became apparent both in my national security role and then later as deputy director that cyber was going to be a critical component of each of those areas.
Sean Joyce: So, you know, in talking with Director Mueller, we also saw the need to actually, as we talk about now, disrupt ourselves and really look at how we could leverage this not only within the intelligence community but throughout our field offices both in the United States and overseas. So, you know, cyber is a critical component of everything the FBI does now as it is for us in the private sector. And I think, you know, folks realized how important it would be. And as you know, it's just so different as far as the paradigm with having really no geographical boundaries, and it's just, you know, a very difficult environment to operate in.
Ann Johnson: Yeah. And it's critical - right? - that the FBI and all of our government entities, both in the U.S. and internationally, have a focus on cyber. And I know that's something that's truly evolved over the past few years. And just in the past year alone, we've seen this unprecedented rise in cyberattacks, both the velocity of attacks, the sophistication of the attacks. When you look at how these attacks have evolved, what concerns you the most? And how do you think governments globally are better-equipped to respond than they were in the past?
Sean Joyce: Yeah. I do think, as you mentioned - and, you know, you and I have talked when there's been various breaches that have affected many companies. The complexity of the environment just keeps increasing not only due to technological advancements and, you know, the sharing of some of these malware toolkits. But it is really a space where there are no policies, no legislation, no regulation and no norms. And I say no where there are some. So that - it would be unfair to say there aren't any. But I would say a comprehensive law - like for instance, as all the listeners are aware, there's 50 different breach notification laws. As many of our listeners are aware, the privacy laws in California are different than the privacy laws in Massachusetts.
Sean Joyce: So, you know, really, I would just say we're not looking at it from a comprehensive public-private approach. To really get an idea of what this, I would say, threat picture looks like and really being able to partner together - because neither the government nor the private sector can do it alone - but be able to look at that threat picture. So not only is the environment getting more complex with, you know, the use of artificial intelligence - right? - and leveraging the cloud. But then we're still struggling to really get a comprehensive picture of what's going on to be able to address, I think, some of these issues in a cohesive and comprehensive manner.
Ann Johnson: Do you feel like, as an industry, we've made strides in the past few years on the public-private partnership part of threat intelligence sharing?
Sean Joyce: I do. I think we've made, you know, great strides. So regardless of your political affiliation, you know, I think the Biden administration has incredible people there when you look at Chris Inglis as the national cyber director, when you look at Jen Easterly as the director of CISA and really the outreach that they've done - Anne Neuberger in the White House, the same thing with her outreach. And I think, you know, companies like Microsoft and others have done a great job working with companies. When I think of some of the work being done, when you look at the - you know, the JCDC, the joint cyber defense collaborative that CISA has organized and if you look at what they've done recently with their Shields Up – I think that's a great way to really - how we're collectively working together. Here's my point, though. We are doing Shields Up. Shields defend us. I say shields up, swords out. So - right? - as the private sector actually defends the country - right? - giving them the tools - right? - the government the tools to be able to strike back and make sure there are costs and consequences. So, listen; I think we've come a long way. We have some great civil servants in place that are working hard every day. But I think we have to do more. The last thing I'll add, though, Ann, is I also think the government has to partner with the private sector when there are ongoing major cyberattacks to actually, actively stop them. So, you know, I would just say, hey, are we doing much better? We certainly are. But we've got to continue to push forward and actually do better.
Ann Johnson: Yeah. And I think it's a continual - right? - as threat intelligence sharing is so incredibly important. But the speed of doing it, you know, the real-time need to do it and being super transparent, I do think we've made tremendous progress. And I agree with you that the folks that we have, you know, currently leading these efforts gives me a lot of confidence. I mean, Jen Easterly is just simply amazing with just how transparent she's been. But also, I find her guidance - and this will take me to my next question. I find the guidance that she puts out there something that's easy for people to consume. It's written and it's presented in a really consumable manner. And she talks about things like the trends. So that leads me to asking you, what are some of the trends you think we should all be paying attention to right now?
Sean Joyce: I think there are a couple of things. So I'll do the - the obvious is ransomware continues to proliferate around the globe. You know, I think the FBI has identified over a hundred variants. So that first and foremost, it continues to be of utmost concern, I think especially related to some geopolitical risks that are constantly - you know, we're experiencing now and will continue to experience in the future, I think in the - for the next several years. And then when you talk about, I think, the complexities of a multi-cloud environment - so the risk is becoming more centralized, but it's also the complexities of organizations trying to operate effectively, and that multi-cloud environment comes, you know, with its challenges.
Sean Joyce: And I don't know if folks are aware that are listening of, you know, recently - matter has come out, which is really this consortium that has allowed the interoperability of a lot of our home products. So your Nest thermostat can, you know, actually work with your Amazon Alexa and your - you know, name another home product - but, really, that orchestration level. I think we - you know, I think in the multi-cloud environment, you know, I think people are obviously, rapidly, you know - Kubernetes will continue to be and I think will become the orchestration of choice. But I think we've got to look at how do we help organizations that are adopting this multi-cloud environment, you know, that interoperability, with the security that they're going to need.
Sean Joyce: And then the last big area that - you know, it is nothing new but, really, that supply chain third-party risk that we constantly see. So, you know, there is no defined end to your network, and it's really about your ecosystem. And so how are we making sure that that is secured appropriately? So I don't know if there's anything new there, but I would say that one area where I see something new is the adversaries actually leveraging, like most of us are trying to do, AI, right? And so actually leveraging that and leveraging the cloud to launch these attacks that are going to be, I think, a little bit more disruptive as we come to see as - you know, we've seen ransomware move to ransomware as a service, going to, you know, double extortion, triple extortion. So I think we just continue to see that technological advancement of the adversary in the areas that I just talked about.
Ann Johnson: Yeah. And I think that we have to also keep pace with the technological advancements, right? We can't become complacent because they're investing heavily.
Sean Joyce: Absolutely. And, you know, I think that's what Microsoft has done and many others, right? There has been definitely a movement towards addressing this where, you know, I feel like probably five years ago it wasn't as front and center as it maybe should have been for a lot of companies. And I think everyone's paying attention how also this is becoming a brand differentiator, right? And so I think many companies are realizing that and making sure that this is part of what they do.
Ann Johnson: Yeah, makes perfect sense. So you've consulted, I know, on some of the most prolific cyber breaches, and you've provided guidance and expertise to top executives and their boards on how to mitigate, how to manage threats, how to respond, how to be resilient. So I kind of have a two-part question. What do you believe organizations should be implementing as far as best practices? And what should they be investing in terms of defense? And how do you use cybersecurity to actually build operational resilience?
Sean Joyce: So I have actually worked with a lot of companies on different breaches, and I can tell you, it's always the same at the beginning - it is mayhem. And regardless of how many times you've practiced, there is just still a lot of moving parts and really being able to contain those quickly. But the companies that are practicing, that are doing those tabletop exercises, that are doing those full exercises, those are the ones that have really, you know, built what I call resilience into their business model. But when I look at best practices, I think, you know, we all know sort of the whole zero-trust architecture. And in looking at that and making sure, you know, hey, is our - you know, our user access privileges and - you know, is it based on identity and not just user but device identity? Is our network segmented with different policies and access rules? Are we using software-defined parameters? I believe, you know, Microsoft actually defines it through, you know, verifying user identity, through multifactor authentication, you know, validating the health of the device, which I kind of like 'cause you're getting into sort of the telemetry and user behavior analysis and then applying the principle of least privilege. So, like, when people talk about zero-trust, I think you've got to put guts in it a little bit and really explain what that is. But that is, you know, I think, 100% of best practice. We've all seen that OMB put out the zero-trust memo. But I think it's really a concept that many companies are adopting as a best practice.
Sean Joyce: The other thing is, you know, defense in depth. I am a fan of that where you have a multilayered approach to, you know, however you're defending your ecosystem and, you know, making sure you have the appropriate network security controls - you know, your antivirus, anti-malware software, looking at your data integrity - and then some, you know, user device behavior analysis. So these are all things - I think some of those are part of the - you know, the zero-trust principles but, you know something that I think we're all looking in.
Sean Joyce: The last thing, though, I think people do not sometimes consider is how are we making this part of our integrated risk management. So when I look at what we would call in enterprise risk management lines of defense, I describe that first line as the ones that own and manage the risk - so when you think of all your SOC analysts out there, the people that are doing and managing that risk every day.
Sean Joyce: And then that second line of defense is where you really oversee and monitor the risk. So think your - you know, your chief risk officer, your chief compliance officer, sometimes your general counsel - but really setting that broad policy and really aggregating that risk and making sure they're monitoring what's happening below.
Sean Joyce: And then that third line is typically internal audit, where they're really looking and working with those other two lines and testing the efficacy of the controls that are in place in the key risk areas. So that integrated risk management I don't see a lot of companies doing as well as they possibly could. But definitely those are some, I think, best practices I see in that area.
Ann Johnson: Yeah. I feel like there's this really large cliff. There's companies that you know that have incredibly sophisticated and mature security programs that are doing all the best practices. They have good cyber hygiene, and they have integrated risk management and integrated cyber resilience. And then you have just this really large drop-off. And I wonder, Sean, if it's people at capacity that - they're just struggling to keep up with even the basics. And going beyond that is just beyond both the capability, but they don't have the humans to do it, either. Do you have thoughts on that?
Sean Joyce: Yeah. I do think we're going to go to somewhere where there is an expectation. So when you look at the GAAP - I think it's the generally accepted accounting principles - right? - that all companies are expected to adhere to. I think we need the same thing in cyber, right? We need to make sure that all companies have a baseline so there isn't that drop-off, Ann, that you're talking about and that there is a common foundation that is expected of any, you know, publicly traded company or whatever it might be.
Sean Joyce: So, you know, I think we've got to start looking at ways where, you know, this risk that we've been talking about for the last several minutes is something that companies are expected to manage effectively. And there is, you know, some type of independence verification that's being monitored because I think it's almost impossible. When you think of some of these large companies and the number of companies in their ecosystem, I think it's a little bit of a bridge too far to expect them to hold those companies accountable and to be able to verify that.
Ann Johnson: Yeah, I agree. And I think that, as an industry, we just need to help. We need to make tools simpler. We need to make the guidance we give for tooling simpler. We need to make sure that we minimize the tooling to a set that's really required. And we need to have humans that help, right?
Sean Joyce: Absolutely. I mean, everyone - right? - it's a team sport. We all have to chip in.
Ann Johnson: So I want to switch topic, and I want to talk a little bit about disinformation. The spread of disinformation, the proliferation of doctored narratives that are spread by humans and bots online is increasing. It challenges publishers. It challenges platforms. Content moderation is super-hard. There's this use of manipulated or miscontextualized or misappropriated information, deepfakes. And things in the cybersecurity industry that would consider as cognitive hacking is a term I've heard recently, an increasing part of the cyberattack delivery method as well. How concerned do you think cybersecurity professionals should be about the intersection of this disinformation and cybersecurity?
Sean Joyce: I think we all should be very concerned. And when I - you know, I mentioned before about, you know, that intelligence-driven organization. This is an especially an area where I think companies have to make sure they're paying attention. So when you look at what I would say is some type of digital risk to companies where - you see it especially in financial services, where there are websites popping up that actually, you know, try to impersonate the website of an ongoing financial institution. How do you actually look at some of the disinformation or misinformation that's spread about a company that causes a massive drop in stock price, right?
Sean Joyce: So I think it's going to be incumbent upon companies to become that intelligence-driven and to use it not only as sort of managing risk and more mitigating risk but also looking at opportunities. How do you look at how your products are being adopted, you know, not only geographically, maybe through demographics and some other areas? So I think it's going to be really important especially. I think this is probably one of the biggest areas that can, you know, not only affect this country but affect the world if we don't get this under wraps. When you look at the GPT-3 - right? - the Generative Pre-Trained Transformer, which is that auto regressive language model that uses deep learning to produce human-like text, it is incredibly and nearly impossible to distinguish that from the actual human being.
Sean Joyce: So, you know, I think we're just looking at all of these challenges. And I think it is one of the greatest threats facing us where, you know, every individual - it is hard to determine what information out there is actually accurate and what is inaccurate. And we still haven't decided who's responsible for that, Ann, but I'd love your thoughts on that if you have any.
Ann Johnson: Yeah. (Laughter) I think that platforms do have a responsibility - right? - to the extent that they can recognize bots, to the extent that they can recognize fakes, to the extent that they can recognize disinformation. The challenge is it is absolutely both prolific and it's also very good at being obfuscated. So I do - you know, I spend some time on social media, as you know, because I think it's good engagement for folks. But I do worry that the platforms are both overwhelmed and some of the things they put in place have unintended consequences and can also take down opportunities for people, you know, to share in a real way. So I think it's a super hard problem. I think platforms have responsibility. I think there are going to have to be some sort of, you know, regulatory framework around it. And I think it's going to become a law enforcement responsibility, too, to your point. If something takes down, you know, stock price by some percentage, certainly the SEC and the enforcement entities are going to have to become involved.
Sean Joyce: Yeah, I agree. Like, this is not a simple issue. And I think for too long we're maybe not recognizing some of the platforms for the actual service they're providing customers, or at least how, from a customer perspective, that they use that platform. So, you know, one could argue that some of these platforms are actually media companies. And, Ann, as you and I know - right? - there's rules around what you can actually print as a, you know, newspaper or even, say, in the news. But I think it's something we'll continue to grapple with. I think regulation is going to be part of the answer. But then I think we're going to have to be able to leverage technology and then human beings.
Ann Johnson: Yeah, exactly. So as we think about trust, which is a great part of disinformation, I know that you actually joined Airbnb as their first trust officer. So what is your philosophy about building this trust in the era of disinformation, and how can cybersecurity help?
Sean Joyce: So I think we're seeing trusts really become a brand play for a lot of companies. So as we, you know, look at Apple and we see the stem become a lock to represent customers' privacy, when we see, you know, Google putting out their ads regarding how secure your Gmail account is, when you look at some of these others that are doing it. So it's become a real brand play - you know, and Microsoft has certainly done a lot of work in that area, too. But, you know, trust is, again, one of those words that - what's behind that meeting? And to me, it's actually doing what you say you're going to do and being able to, like, actually back that up and deliver. So I think it's key that, you know, in cyber - that we have to continue to ensure, you know, that we are custodians, right? All of us as companies - we're custodians of data. It's not our data. We're custodians of that data, regardless of what agreement you may sign. But I would just say, we're trusted custodians of that data. So how do we actually, you know, ethically, responsibly use that data in the best interest of our customers? That's about building trust and becoming that.
Sean Joyce: Being transparent, right? So not only in, you know, our human interactions, but I think in our machine interactions. So making sure that we're, you know, showing each other - right? - that we are going to be truthful and transparent on what's going on. And I really think - you know, I'd like to call out - Mandiant went through their breach. Kevin Mandia did a fantastic job regarding transparency and the way he approached that and the honesty he had with his customers. And I think that is really critical to sort of driving trust. So I think you have to also look at all your stakeholders and make sure that you're, you know, taking their input, looking at sort of the diverse perspectives that they provide and making sure you're addressing, you know, their concerns. So I think, you know, when you take those and put a little bit of detail around it, if you do those things, that word that I think is sometimes overused actually becomes something that represents your company and helps define it and becomes, I think, a business differentiator.
Ann Johnson: Absolutely. So let's look ahead for a minute. Let's look towards - I'm always a cyber optimist, by the way, Sean.
Sean Joyce: All right.
Ann Johnson: I think we do a good job staying one step ahead for the most part. I tell folks, for every big thing you see in the news, there's thousands we have blocked - thousands of (unintelligible).
Sean Joyce: I would agree with that. I would agree with that. I would say, as a country, we do an awesome job. But I would just say - right? - we get - we have to stay ahead. So that's why, Ann, I'm a striver for excellence. So I'm with you though on the optimism. I think we do - right? - fantastic job. But we've got to keep staying ahead of it.
Ann Johnson: We do. And that's why I want to talk about 2022 and beyond.
Sean Joyce: Uh-oh.
Ann Johnson: You know, there's so many positive innovations, but what do you think we're going to see as the top threats, you know, this year, next year? And it's a unique time, I recognize, because the world, you know, once again, is in a state of - disorder's not a strong enough word. But the world, once again, is in a state of crisis.
Sean Joyce: It is. And I think we're going to see - listen, we didn't touch on, Ann - we didn't talk about resilience too much. But I want to bring, like, that word - there's another word that is used a lot. People are - although sometimes not sure what that means. But I think if you take that - what I'm seeing is a big trend - is what I'll call nation-state resilience. So I think countries throughout the world are looking at the future and actually saying to themselves, how can we be self-contained? And I say, in some ways, that's an unfortunate perspective, but that has some enormous repercussions for us that live in the cyber world. And when you look at some of the laws that have been passed in certain countries that limit the movement of data, that really bind it by geographical boundaries, that I'm concerned we're going to continue to see more of a Balkanization of the internet, and it is going to become an incredibly challenging space to operate in. And I think we're going to have some more complex issues. So I don't see - you know, when I even look - so you look at geopolitical tensions, which are going to be a business disruption. When you look at the number of climate events we're having, it's another business disruption. When you look at all the cyberattacks and the different adversaries from nation-states to organized crime to hacktivists that are getting involved in that space because there's such a low barrier to entry, it is becoming a very complicated world. And I think it's going to be important, as we look towards the future, that companies define what that is.
Sean Joyce: So as you said about, you know, ongoing crisis - like, we all know now we're constantly change managers. I say we're all going to be constantly crisis managers, and we need to be able to deal with these business disruptions almost as a normal course and be able to, you know, not only prevent them but respond, recover and then emerge stronger. So that's really, I think, a key going forward. I think we're going to see, you know, technology through AI, machine learning that's going to significantly help us kind of defend ourselves and what we can do in that space. So I think we're going to see some incredible progress there.
Sean Joyce: I think we're going to see a lot of activity in privacy, a lot of activity. So - and by that, I mean I don't think we're going to see five years from now those 30 pages of user agreements that everyone just clicks on their phone. I think we're going to see users actually owning the data in a very decentralized, in some ways, simplified model. And then the last thing is encryption. So I think, you know, quantum computing is coming. I don't think this is coming as fast - it's here, but I'm talking about widespread use. I don't think it's going to come maybe as quickly as some folks think, but I think we have to be ready to deal with that and prepare now for that going forward. So those are some of the trends I see.
Ann Johnson: Yeah, I agree with you. And I think that, you know, as you talked about the Balkanization of the internet - we have data nationalization, and obviously, encryption is top of mind, not just encryption from quantum but also encryption related to privacy and some of the - and we don't have time to get into it today but just things I'm thinking about - some of the regulatory concerns around, you know, things that governments are concerned about - balancing the need for police or investigations with the need for privacy and how that impacts, you know, encryption. It's a whole 'nother conversation we could have.
Sean Joyce: (Laughter) No, but it's good. And I think you said it much more eloquently than I did.
(LAUGHTER)
Ann Johnson: Thank you. Sean, I know you have a lot of irons in the fire, so what are you working on now? What's top of mind for your team?
Sean Joyce: I think - you know, I've been working on our broader strategy because recently, all the different parts of risk were brought underneath my platform - so really bringing together those elements that we talked a little bit about; been working a lot on automating and automation of, I would say, some of the orchestration layers there when we're talking about ASIM.
Sean Joyce: We've been really looking at the interoperability of a multicloud environment - so really looking at the - really the compliance, the controls and the security of a multicloud environment, as we talked earlier about the complexity. So I think, you know, those are, I would say, the areas - and then as we kind of go - so as you, you know, highlighted in my intro there, you know, I've been around. So I was a software engineer at Raytheon Data Systems when I first came out, and I was a comp sci major. And it's just amazing.
Sean Joyce: So I, you know, did programming on an IBM mainframe. But it is amazing how the evolution has gone for - it went from a mainframe to the minis deck and wing to laptop to, really, a smartphone, like, really back out to that mainframe - which is the cloud, right? But we've moved to the edge quicker, right? So when you look at all the IoT that we're, you know, connecting there and the number of devices that have been connected, I think you're going to see, as we all know, a lot of that compute power moved to the edge and then the cloud being used for that, you know, higher level analytics that is going to bring better performance and inform the user of many different things. So, you know, IoT, OT, that is another big area that we're investing in and focusing on.
Ann Johnson: That's fantastic. I really appreciate you joining me. I know you're incredibly busy. I love your insights. I always love talking to you because I learn, and I know our audience has learned a lot, and we try to send the audience away with two key takeaways about just, you know, pragmatic things that they can do today to overcome the cyber challenges or just things they could implement. Any thoughts about just two things you would tell people if you could only tell them two things?
Sean Joyce: Boy, that's a tough question - only two things. The first thing I would say is you must do the fundamentals. I know we all hear that all the time, but that basic blocking and tackling the foundational, you know, elements of security you have to do. And then the second one is we're all in this together, so making sure - right? - that we work together, we help each other, respect each other. And, you know, collectively, like you said earlier, Ann, like, if we do this together - right? - and not focus on all of the things that aren't going right but talk about the advances that we're making, the work that's being done, I really think that we are going to create a safe environment for our country and hopefully all of our allies to, you know, grow and prosper.
Ann Johnson: Completely agree. I appreciate you joining us today. Thank you so much for making the time.
Sean Joyce: Thanks, Ann. I had a great time and appreciate the offer to have me here.
Ann Johnson: And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea."
Ann Johnson: I invited Sean Joyce to be a guest on "Afternoon Cyber Tea" because of his background, his credibility, his knowledge. There's so much he brings to the table from being career law enforcement and growing through the FBI and going from things like, you know, working with drug cartels to cybersecurity. It just gives such a unique perspective for our listeners. And he just has a wealth of information. It was an amazing episode, and I know our listeners will find a lot of value in it.