Afternoon Cyber Tea with Ann Johnson 4.2.24
Ep 94 | 4.2.24

Nurturing Trust in Cybersecurity

Transcript

Ann Johnson: Welcome to "Afternoon Cyber Tea", where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. [ Music ] Today I am joined by Jason Healey, who is a senior research scholar at Columbia University's School for International and Public Affairs, specializing in cyber conflict, competition and cooperation. Prior to this, Jason was the founding director of the Cyber Statecraft Initiative of the Atlantic Council, where he remains a senior fellow. Jason was the editor of the first history of conflict in cyberspace, called "A Fierce Domain: Cyber Conflict, 1986 to 2012". He also co-authored the book "Cyber Security Policy Guidebook", by Wiley. Welcome to Afternoon Cyber Tea, Jason.

Jason Healey: Wonderful, thank you so much for having me.

Ann Johnson: I'm really fascinated by your background. I've been really excited to have this conversation because you've done so many different things. Before we dig into the heart of the conversation and talk about cyber risks and talk about geopolitics and policy, I would love if you could tell our listeners a bit more about your journey. Let's go all the way back. Tell me how and why did you first get interested in cyber, and what brought you to your role at Columbia?

Jason Healey: Well, thank you very much. I'm going to borrow a phrase from one of my colleagues, Bill Woodcock, who's -- it's a wonderful phrase. He said he was lucky enough to get started early in cybersecurity, and never looked away. And it's just a really great phrase. So I started in the mid-1990s. I had been in the Air Force and turned down a pilot training slot so I could compete for a job in Air Force Intelligence. And just happened to land in Signals Intelligence. And especially for a lot of the old timers, came in that way, through Intelligence and especially Signals Intelligence. As we still see today, I guess, with, you know, with how many National Security Agency and ex-NSA people that we have around. And it was because, and it drew me because I really enjoyed national security and learning about national security, and those problems really fascinated me. And I loved technology, but at that point especially, I wasn't a technologist. And so I found that cybersecurity was a great way to do that. And especially I was on the early edge of cyber threat intelligence, which really was a great fit. In the late 1990s, if we were worried about if a cyberattack was likely over the next two weeks, it was still largely a technical process of staring down the wire to see if there were any evil 1s and 0s coming at the Department of Defense. And so I was able to bring in that intelligence mindset of saying, Well, if we're worried, then let's see if Russia or China or Iran are more likely to be attacking us over the next week, because they are getting angrier at us. Some of the first, our work with some of the first to look at, hey, there's, for example, a Taiwanese election coming up. So, we should be worried about different kinds of attacks. And so I helped set up the very first Joint Cyber Command back in 1998, and that really got me on the path.

Ann Johnson: That's a great background, and I love the reference, being early enough in cyber. I started in the industry in the year 2000, so I understand those early days when it was very nascent, very immature, and we've come -- we have a long way to go, but we've actually come a long way also. So, you literally wrote the book on cyber conflict, and you've examined regulatory policy on cyber. You've looked back over the past 25 years or more. Can you give the audience a brief history lesson? I'd love it also, and comment on what stands out to you. Are there trends that came to the surface way back in the late '90s that you believe still exist today?

Jason Healey: There certainly are. You know, I'll start on cyberthreat intelligence, one of the first lessons that we had to learn in the 1990s. In the military, that was at the unit I was at, the Joint Task Force Computer Network Defense, with people like Bob Gourley and myself at Defense Intelligence Agency, with people like Mike Tanji. In the private sector, companies like iDefense, which started the private sector cyberthreat intelligence, with people like Matt Devost. And one of the early rules was physical conflict begets cyber conflict. So we would say, All right, you know, hey, we're seeing a Taiwanese election, we're seeing that there is going to be a World Economic Forum meeting, we see. And as we were seeing these physical events, we got trained very quickly to be looking for the cyber echoes of that, of that spillover that would reflect that physical conflict, and maybe sometimes you even predict it might be a precursor to. But the trends go back substantially further than that. To me, I start with the first report, first published report that we can find that really dove in on cybersecurity. And it was called the Ware Report after the lead author, Willis Ware. And it was the first report, it's really the founding document of computer security. It's the founding document of our field, and many people don't know about it. And it had what to me was a really stunning finding, which was if you've got a computer in an open environment, that is, it's not behind the vault door, that we don't have the technology to secure it. Like, it's unsecurable based on today's technology. And that came out in 1970. I mean, to me, it's a very stunning finding that from the very earliest days, the defense has had the deck stacked against us. From 1970, just two years after that, there was another report done for the US Air Force called the Anderson Report. It had two findings that I just find really incredible.
One is one of the findings, and is that we can't, the report said, continue to think we can add security on after the fact, but that must be included as part of the core design. Like, wow, like, secure by design, right there, we've been talking about secure by design since 1972. And only recently are we now seeing real investment in it to try and get ourselves past. That 1972 report, that's amazing. It gets even better, right? And so I really like this. Well, let me give you the second one, because it also said that the red team basically always gets through. In 1972, they called red teams tiger teams, but it said basically tiger teams are able to accomplish whatever tasks that they need. Which, if you think further, it means that the attacker can do what they want to in general terms, and that the attacker has the advantage over the defenders at the structural level. Of course not always, but that, not just for a particular computer, but that in general, that this is the case. And so think about that, Ann, right? So for 50 years, the attackers had the advantage over the defender. All of the billions of dollars that we've spent, all of the innovations, right, all of the patents that we've come up with. The missed kids' birthdays and worked weekends that we've collectively had to do for the last 50 years hasn't advanced us to where Defense has the advantage over the attacker. If anything, in many ways it feels like the attacker is still running further away from us. So that's where I try and focus a lot of my work. What can we do to try and flip this around so that the defender has the advantage rather than the attacker?

Ann Johnson: Yeah, I was commenting on this same type of concept earlier this week with someone, where we talked about how the people who are defending your environment, you have to be right 100% of the time. People who are attacking only have to be right once.

Jason Healey: Yeah.

Ann Johnson: And that's really how we changed the narrative and how we flipped the script on that. I'm still an optimist, and we'll talk about that later in the podcast, but I think that it's really interesting that 50 years later, because you as a cyber historian can call out that we're still in the same place.

Jason Healey: And there's one last that I wanted to mention, because it's a cyber pioneer that we need to know, right? Many of us, like, I'm sure everybody listening to this podcast will have heard of Grace Hopper, but I doubt anyone, maybe a few, have heard of Hilda Mathieu. So in that 1970 report, one of the, like, eight authors was this NSA engineer, Hilda Mathieu. And just think about how tough that must have been in the '70s to be the lone woman in the room. And according to the NSA Hall of Fame, where she has been inducted, Hilda was the first person at NSA in the '60s to start seeing the opportunities and challenges of these new computer networks. Of saying, Boy, these are going to be an amazing intelligence target if we do this right, but it's going to open up this incredible vulnerability. And according to the NSA Hall of Fame, she was the first person in the 1980s to start hiring people in for that offensive cyber mission. Like, what an amazing person who we just haven't heard of. And it even gets better. You can't make this up, Ann. So the person, the NSA executive or engineer, who first realized that cyber was both good for our US intelligence agencies to hack and go after but also would -- was important, America would be strategically vulnerable to these attacks. Before she was married, her name was Hilda Faust. It is the original Faustian bargain of cybersecurity in the United States, that the same thing that we need to go after our adversaries leaves us vulnerable ourselves.

Ann Johnson: Thank you for sharing that. I think that it's a great call out. I agree with you, 50 years ago it must have been close to impossible to be that woman in that room. And the fact that she's set such a standard, but also real issues that we're grappling with, again, 50 years later, and how cyber has become this national security threat, it's amazing. So, last year, you wrote on this concept that I found interesting, because I'd never thought about it before. And it was fascinating to me, and I'm always -- I pride myself on trying to be a lifelong learner, but you talked about soft cyber power. Can you explain what soft power is and how you've seen it play out, particularly in context to the cyber industry?

Jason Healey: Yes, soft power comes from the international relations community. And it was written about by one of the real leaders in the field of thinking about political science and international relations, Joe Nye of Harvard University. And around the time of the end of the Soviet Union, 1990, Joe looked at power and said, Boy, too much of our thinking about power, you know, power generally meaning trying to get someone, trying to influence others so that the outcomes are in line with what you want, with your preferences. And he said, Too much of the writing and thinking about power in international affairs was about force, right? It was about militaries and diplomacy and it was about, you know, twisting the other guy's arm to influence him so that he would do what the United States wanted or whatever country that they were with. And he said that's obviously not quite right, or it's not the whole story. So of course you have that hard power, sanctions or diplomatic bullying or military force at the very highest ends, nuclear threats. But a lot of it is soft power, right? This convincing the other person to act in line with your preferences, and maybe even in a way they don't even know that they're acting in line with your preferences. And a lot of the early work was looking at, boy, just the way that the United States over the Cold War was able to influence people with our culture. And, you know, with jazz and Coca-Cola and blue jeans, and the ideas of all of these things, these trappings of liberty and capitalism that were a beacon to the rest of the world. And it helped lead to the end, the fall of the Berlin Wall, and the ultimate end of the Soviet Union because people were enticed by the idea of the West and the United States. And so what you can do by convincing, and again in many ways that people don't even know they're acting in line with your preferences. And this really struck me, especially when I was writing that history book, "A Fierce Domain".
Because the attack on Estonia by Russian hacktivists in 2007, it always struck me that we never got that story quite right. Because the way that we would tell the story was that, well, Estonians got wiped off the network, and, you know, they really got defeated and, you know, so we should learn lessons from that. And neither one of those is really true. They unplugged themselves from their internet exchange point from external traffic. So they didn't get wiped off the network. They took themselves off the network so that way they could continue to have internal communications, even if they couldn't communicate externally to the country. And also Estonia won, right? The Russian hacktivists were doing this to try and coerce Estonia into not moving a statue of a Red Army soldier, and they still moved it. So the Russian hacktivists didn't meet their ends, and in the end, Estonia was able to get substantial help to mitigate the event. And a NATO cyber center was ultimately hosted in Estonia, and it made me to look and say, Hey, wait a minute. Estonia succeeded because they had friends and allies. Bill Woodcock from the Packet Clearinghouse, who I mentioned before, and a Finnish colleague traveled to Estonia so that they could help mitigate the event. RIPE, the operating group, the network operating group, was meeting in Estonia at the time and said, We have to roll up our sleeves and help out. Heck, the President of Estonia is actually an alumni from Columbia University, where I teach, spoke English, right? They were in the EU. They were joining -- they were part of NATO. So they were able to rely on friends and allies to mitigate the impact of the attack. And we're seeing the same thing today with Ukraine. 
And this is what I've written in Peace and Law Fair, looking at this role of soft power, that Ukraine, like, if Ukraine would have been a noxious regime that nobody liked or tolerated, you know, they trampled on the press, they were, you know, they were just tyrants, they would not have gotten the support. The extraordinary support they got from Microsoft, the extraordinary support they got from Google and Cloudflare, the companies of the Cyber Defense Assistance Coalition run by my Columbia colleague, Greg Rattray, who co-lead. All of this support, much of it is quite extraordinary, was because people were able to see Ukraine as the victim. They were able to effectively use this soft power to get themselves out of the situation. Now, when we compile soft power, you know, cyber power statistics, you know, we look at, like, all right, do they have a cyber command, do they have a cyber strategy, do they have adequate number of defenders and attackers? We don't look at, Do they have friends, do they have allies whom they can lean on when the going gets tough?

Ann Johnson: I think that's an incredible way to look at it. A couple things struck me by what you said. The first one, which is really going to sound like something unrelated to cyber, but it goes to that soft power and making friends and influences. I recently watched this wonderful documentary about The Leo Burnett Agency, which was one of the premier ad agencies in Chicago during the heyday of advertising. And they were the folks that brought out, like, Tony the Tiger, if you remember, kind of older advertising. But they also had a lot of the jingles and a lot of the characters you'll remember, the Pillsbury Doughboy, all of those were Burnett creations. And they talked a lot about influence and culture and power. So, and they understood it. They understood how to wield it right for the clients. You take that further, you talk about someone like Zelensky, right, and his ability to, it's too strong of a word to say ingratiate, because that's not the right word. But his ability to bridge the gap and to bring together allies and to have people respond in a way that they really saw it as a virtuous cause. That type of soft power and the ability, and then you talk about Estonia, we're very familiar with the Estonia Institute, but no one even, you know, you could have asked, you know, 100 Americans and they don't even know where or what Estonia is, right? But their ability to drive that type of response goes a lot to that soft power. I love the fact that you talk about that concept, and I think it's a concept we actually need to talk about more.

Jason Healey: Yeah, and I love that phrase you used there, virtuous cause. It's such a wonderfully chosen phrase. And so if we think about this in practical terms for the United States and other countries, right? What's hit us most in the United States and cyber on soft power? Well, it was Snowden's revelations about what NSA and others had been getting up to, right? It substantially hurt us with Europe and with others and really hit our soft power. Not normally considered when we're thinking about, for example, what are the proper intelligence targets? Things that have helped, well, boy, I mean, seeing how much the State Department is investing in their new cyber diplomats and making sure that the diplomats understand the cyber issues and can represent, led by Ambassador Nate Fick, but also the US Cyber Command's Hunt Forward missions. Of saying where they have US Cyber Command defensive operators working side saddle with defenders in countries in NATO, in the EU, in Asia to look for threats within the networks of that country's military. Boy, that's a really great trust building exercise, right? Are they helping, you know, how much is that investment helping the cyber security of those countries? I'm not sure. I hear it's pretty good, but certainly it sounds, it's one of the things that can help build trust in a way that is really important.

Ann Johnson: Well, it's also really important because, you may not have, but I would wager you might have read the book that Ronan Farrow wrote called "War on Peace", which talks a lot about how we as a country, and it's across multiple administrations, bipartisan, he interviewed every State Department leader for decades. We as a country had taken, the US has taken this stance of being less diplomacy-oriented and more militaristic-oriented. And that paradigm shift to having cyber ambassadors actually is so necessary because it'll again change how the world works together.

Jason Healey: Yeah, and just on that concept of war and peace, and how often we look to the military to solve the problem. A couple of years ago, I did a comparison of the President's budget on how much was going to various cyber causes. And the military budget for construction, that is, to pour concrete and, you know, assemble steel I-beams, was higher, or, actually, it was almost exactly the same, about $1.1 billion, as the entire DHS budget, Department of Homeland Security budget for cybersecurity. So that covered their own internal cybersecurity purposes as well as everything that CISA was going to do. And so I was thinking, Boy, this is not, it seems like these spending priorities are off when we're spending as much on cyber military headquarters as we are on things like secure by design, or working to buy down cyber risks, or working with, you know, the water sector or the finance sector, and the things that CISA is doing.

Ann Johnson: Look, Jen and CISA, they're driving a great program. I don't think we quite understand it yet because it's not tangible. Kinetic warfare is incredibly tangible to people. Cyber warfare isn't as tangible to people. Let's talk about things we're doing. The New York Cyber Task Force recently released a report, "Bridging the Trust Gap", which is a great read. Are there further recommendations in that report that you think the public and private sector leaders need to be thinking about?

Jason Healey: Yes, thank you. So my Columbia colleague, Erica Lonergan, had just helped see that report. And I'm glad you asked, because it fits in so nicely with that idea of soft power. Whereas the main concept of soft power was meant to be in international relations, right? A country's relation, you know, a US relation with Russia, for example. Dr. Lonergan's work looked at how can we improve trust between the government and the private sector? You know, so for example, how can we best learn the lessons of the CISA Shields Up campaign to reinforce the trust so that each side, the government and the private sector are able to work best together towards common ends. And it is very good. I really do recommend it to your listeners. It was the third in our series. The second was overseen by Dr. Greg Rattray, who did one that looked at operational collaboration. And I led the first, and it gets back to what we had talked about at the beginning of the session. Because it noted, it highlighted that, boy, it's been 50 years, and the attackers still have the advantage over defense. And it looked at, What can we do about that? Like, what are the reasons for that? And how can we get past it? So, for example, it looked at defensive innovations over the last 50 years, and whether they took place within an enterprise or across the entire internet as a whole, and whether they were technological innovations, operational innovations, or policy innovations. And one of the findings was that, boy, we spend the bulk of our money in cybersecurity on technological innovations inside the enterprise. You know, go back to the very beginning, like, passwords or firewalls, intrusion detection systems. You know, the bulk of you walk the floor at RSA or Black Hat, right? For the most part, you're going to be seeing vendors that are selling to CISOs and CIOs to protect their individual enterprise.
But when we asked experts, What's the number one thing that we as defenders collectively have ever done to get defense better than offense at the largest scale and the least cost? It wasn't any of that stuff. The number one that came up was Windows Update and other automated update, and end-to-end encryption, NAT firewalls, right? These things where those that are in the position to make the change, make a small change. Like, what's the smallest turn of the screwdriver that's going to give us the largest impact? And like, just look at Windows Update. It wasn't easy or cheap for Microsoft to do that. But once it did, then a billion users and devices were able to benefit from that. And so we're happy to say that that work influenced a guy named Rob Knake, who went on to work at the White House and drafted the new National Security Strategy. And he incorporated a lot of these ideas into that National Cyber Security Strategy, which came out in early 2023.

Ann Johnson: There are so many, and I will say, little things we can do as an industry that are actually not little, they're big things, like using --

Jason Healey: Absolutely, yep.

Ann Johnson: Getting rid of passwords is one example, that are huge, huge, huge security improvements for the industry. Automatic updates are one of them, getting rid of passwords, so it's great that you referenced that.

Jason Healey: Memory-safe languages, yep.

Ann Johnson: Memory-safe languages, which is also in that 2023 supply chain, SBOMs, all of those things. I want to talk a little bit about some of the work you've done, researched and written, on financial stability and the intersection of financial stability and cyber risk. This is a topic that every business and every public sector leader and organization should understand more, and we don't talk about enough. Can you talk about the risk here, and what is the industry collectively doing about the financial stability risk?

Jason Healey: Yeah, thank you, and I'm glad that you wanted to ask about this, because it goes back to, because most of our attention, most of our investment, most of the VC attention goes into technologies for individual enterprises, we end up with a very narrow focus. And I'll make the comparison between microeconomics and macroeconomics, right? Microeconomics is looking at little change, you know, like, looking at, you know, an individual consumer's decisions or what's happening within an individual firm. Macroeconomics looks at the system as a whole, right? It cares less about any individual set of decisions, but is a top-down and looking at the dynamics of the system, which may not be apparent if you're only looking at the lower level. I'm sure I'm angering a lot of microeconomists with that, so my apologies for it. And that's what I like working for this project of cyber risk to financial stability. I've teamed up with my colleague at Columbia University, Trish Mosser, who's a real central banker, right? She is, her entire career has been focused not on individual banks. They don't care if an individual bank fails. They care about what is the impact on the overall system of financial stability to make sure that individual banks may fail, but the system thrives. And I love that concept for our field. What can we do to make sure, because we know we're going to fail, we know there are going to be intrusions, we know we're going to make mistakes, we know the adversaries are going to win. But how can we make sure that their wins don't turn into catastrophes for us? I mean, how can we make sure that a single Russian GRU hack on a Ukrainian firm stays local and doesn't become NotPetya? And so I really enjoy working with that community. And they've got amazing research, Ann. For example, so we teamed up with the New York, the Federal Reserve Bank of New York, and so we've been looking at research coming out of this community, it's astounding. 
For example, Fed researchers, economists, did research on NotPetya because they've got access to all of these nonpublic databases. And so they said, Okay, well, what happened to the supply chain of the companies affected by NotPetya? Because they can look at that, and they have that data. And they found, for example, that up to, like, months after the event, if a company was relying on a supplier that was hit by NotPetya, they not only switched away from that supplier, but they stayed away from that supplier for longer periods of time. They didn't rely on them enough. They found that even though it did cause financial crisis, companies were using their credit lines and they were borrowing heavily against their credit lines and able to get through NotPetya. If it had lasted longer, it might have had a much more substantial impact, because those credit lines would have zeroed out. Like, wow, who knew that? In cybersecurity, using our methods and our databases, that came from that. The last I'll say is working with them has really helped me to think about these areas of defensibility that we started the show with, about how to get defense better than offense. And so I've really been attuned to what meant and I hope to do more of this in 2024, a lot as well as our work building a cyber regulation lab, on what indicators do we have that defense is actually getting better than the attackers at scale? Most of our metrics are based on individual enterprises, but there's a few, there's a small few, that look at this actual balance between attacker and defender across the entire internet, and I really want to seize on those and nurture those and learn what we can from them.

Ann Johnson: I think that's right. I think your framing is very, very pragmatic also. And as I mentioned, I do think it's an area that people need to think about more as you have more supply chain attacks, and we're seeing more supply chain attacks, the actual efficacy and the productivity and the performance of the supply chain obviously is going to be impacted, which is going to impact the economy, which is going to impact a lot of different things. So we can't go any further, Jason, without talking about AI. We're in the year of AI. I want to talk about it in two dimensions. The first thing I want to talk about is you've published this really interesting point of view on the impact of AI using NIST, using the cyber kill chain framework to define the advantages for both defenders and attackers. Tell the listeners more about that, and as every business and organization navigates how they're going to use AI, particularly for cyber defense or specifically for cyber defense, what should they be thinking about?

Jason Healey: Yeah, thank you. It comes down to, I'm a framework person, right? Whenever someone, you know, I'm talking about an issue, my brain naturally starts to categorize and walk through how to think about these things. And especially in complex systems like the internet and computers. You can't ever do just one thing, right? There's going to be this interaction, this back and forth. It's tough to unpack cause and effect in such a complex system. So I love going to frameworks. And I was a bit frustrated with the conversation on AI because we tended to, you know, people that were bullish about it would say, Here's how AI is going to help defense and, you know, thank goodness it's here. And the worrier is saying, AI is going to help the attackers and here's why. And in that kind of conversation, it's difficult to compare the different arguments with each other. And it's hard to know if we've exhausted all of the arguments on either side. You need a framework. So for a piece for the Australian Strategic Policy Institute a couple of months back, I said, Well, let's tackle that, right? We've got an attack-minded framework in the cyber kill chain. Actually, I wanted to actually use MITRE ATT&CK framework, but it's got a few too many elements that I could do in a relatively short article. So I used the kill chain, which has fewer steps. And so if someone was saying, Cyber AI is going to assist the attackers more because it, for example, helps discover vulnerabilities faster than we can patch them. Or it will assist access brokers to understand what they have, or it will allow malware to change itself. I'm like, There's several of these arguments, and so I pop them, well, where do they fit into the cyber kill chain? Likewise, on defense. On defense, we've got the NIST Cybersecurity Framework, is the primary, or one of the primary frameworks that we defenders use. So I take all of the arguments about how AI might help defenders. 
We need fewer people because we can automate. We'll be able to spot vulnerabilities within the system faster, I mean, all of the arguments for the defense. And it helped you see these side by side and help us figure out which way this is going to go.

Ann Johnson: I think frameworks are incredibly important with anything new. I believe it was Newton's third law, you can correct me if it's not, that says that for every action there's an equal and opposite reaction, and that's the same with AI, right? For every action we take, the cyber attackers are going to take. I like to think about cyber in that context, by the way, because I think it helps people think about the problem. Well, I have been told we're running a little long, which is great, because we've had this great conversation, but we're going to need to wrap. So I want to thank you for being with us today. And I do have one more thing I want to cover. I said at the beginning earlier that I am a cyber optimist because I see a lot that happens in the ecosystem and the community. And I know that for every big event we see in the news or hear about, there's thousands of cyber defenders that actually managed to stop. They've detected and stopped it. I'd love to hear why you're optimistic about the future and your perspective about how we continue to come together and defend our digital world.

Jason Healey: Thanks for helping us finish on a high note. It's -- I'm very impressed. Like, some of these things that I talked about, it was 1972 that we first started to talk about secure by design. Like, we're making real progress on it. The things that CISA is doing with Bob Lord, Lauren Zabierek and others at CISA is just incredible. I'm very happy to see it. I should mention I do part-time work as a CISA employee. So a nod to my colleagues there. And also things like cloud, right? I was surprised when I worked in Washington, DC, the conversation was the cloud is great, but. And as soon as I got to New York, the CISOs that I was working with, Phil Venables and others, where the cloud is great, and we haven't even begun to see the security benefits from this yet, because the internet was built insecurely. The software was built insecurely. It's all band-aids to make it secure. Beau Woods said, you know, it's, we put band-aids on everything and it's band-aids all the way down. And the cloud allows us to bypass that, to start it from scratch securely. So I think there are real reasons to see 2024 as a very positive year for security.

Ann Johnson: I do, and I will say this, just a couple call-outs. Phil Venables, despite the fact that he works for, you know, a Microsoft competitor at the moment, is one of the smartest people I've ever met, particularly in cybersecurity. And Bob Lord is just a gentleman and so great to work with. So call-out to CISA and all of the great work they're doing and all of the great people there.

Jason Healey: Great reason for optimism, yep.

Ann Johnson: Yep, the people are a great reason for optimism. Thank you so much for taking the time to join me today.

Jason Healey: Thank you very much, Ann.

Ann Johnson: And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea". [ Music ] I invited Jason Healey, who's at Columbia, to join me on "Afternoon Cyber Tea" because he's a cyber historian. There aren't a lot of cyber historians in the industry because the industry is actually still kind of new. He also is an expert on cyber conflict, policy. He's done a lot of different roles within his career and we managed to fit in references to things like Leo Burnett Advertising and Newton's Law. So this was a fascinating episode. I am sure you will love it.