Podcasts
Caveat
Ep 245
Caveat 1.9.25
Ep 245 | 1.9.25

Cybersecurity’s role in safeguarding leadership.

Show Notes
Transcript

Dave Bittner: Hello, everyone. And welcome to Caveat, N2K CyberWire's Privacy, Surveillance, Law, and Policy Podcast. I'm Dave Bittner. And joining me is my cohost, Ben Yellen from the University of Maryland Center for Health and Homeland Security. Hey there, Ben.

Ben Yellen: Hello, Dave.

Dave Bittner: On today's show we are joined once again by our friend Caleb Barlow, CEO at Cyberbit, to discuss executive protection and its intersection with cybersecurity. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right. Well, let's jump in with our topic of discussion here. Let me start by welcoming Caleb to the show. Caleb, great to have you back.

Caleb Barlow: Hey, gentlemen. How are you today?

Dave Bittner: Not bad, not bad. So today we're focusing on executive protection. And, Caleb, you brought this to our atten -- obviously, we were all aware of the situation in New York with the CEO of United Healthcare, the shooting there. Can we start with that. I mean, describe to us, Caleb, your response as you saw that story play out.

Caleb Barlow: Well, first of all, you know, I think let's acknowledge this was obviously a very tragic situation in that, you know, someone died in a pretty dramatic way. But I think, now that some time has passed, you know, like every incident that we often talk about on this show, let's go back in and unpack this. And, you know, executive protection has existed, certainly in the United States, for a long time. It's obviously very different when we're talking about executive protection in the United States for a corporate, you know, Fortune 500 executive versus, let's say, then an oil executive working in maybe, you know, Columbia or something like that. Those are two very different things. But, when we talk about this as someone in the US effectively walking across the street from their hotel to an investor conference and then, you know, I think we'll -- we kind of use the word here allegedly assassinated in the street, this is something that is in many ways unprecedented, right? Like, normally we think about the biggest issues that might happen to an executive is they get embarrassed. They might have -- we've seen executives have things thrown at them, which has been everything from, you know, whoopie pies and cakes to, you know, sometimes things a little more disgusting. But a murder in the street is a whole other level. And I think this really rattled the cage of what is executive protection. But, of course, what is also interesting and I think where it comes in play to a lot of listeners of this show is there's a huge cyber component to executive protection. And, interestingly enough, there's a huge tax component for these executives to executive protection as well. So, you know, I think it would be helpful to kind of unpack this a little bit and talk a little bit about how we might want to think differently about this.

Dave Bittner: Yeah. I think it's a great idea. Before we dive in here to some of the details, Ben, let me check in with you. Your thoughts reacting to this story.

Ben Yellen: Yeah. I mean, I want to give the same acknowledgement that Caleb gave. It is a tragic incident. I'm kind of disturbed to see the folk hero status that this alleged assassin has received online. And that's a topic for a different podcast. It's something that has kind of surprised me in a lot of ways. Granted, it's probably something that's very isolated to the social media sites that I peruse, but that's an angle that's important here. But, otherwise, yeah. It was a tragic incident, and I think it does force us to look at some of these security protocols. And I think -- one thing I'm sure Caleb is going to talk about is it's not just, like, you think about your old mob movies. And there were just, like, a couple of big dudes standing in the doorway protecting you. I'm like --

Caleb Barlow: We call that the muscle.

Ben Yellen: The muscle.

Caleb Barlow: The muscle, Ben.

Ben Yellen: I'm picturing in The Godfather when Michael goes to Sicily, and he's just followed around by two guys with long arm rifles. And I just think it's, like, important for us to move past that frame of reference, that there are 21st century ways of protecting executives. So I'm glad you brought the story to our attention.

Caleb Barlow: Well, let's talk a little bit about what those components typically are, kind of pre this incident and maybe how those have changed, right? So, before this incident occurred, executive protection could be -- involve a bunch of different things. So, first of all, you have the muscle component of it, all kidding aside, right, in that, you know, depending on the type of executive -- and obviously the executive protection program for a big social media and prominent executive, like, let's say an Elon Musk where there's lots of reasons that people may be, you know, unhappy with him and the things they might do is very, very different than, let's say, the CEO of maybe a paper and packaged goods company, right? Not that they both don't need them. The latter might have, like, union issues and other reasons or environmental issues why people might be upset with that CEO. But, at the end of the day, the CEO is the face of a company. So they're going to draw this ire from any number of parties, right? But executive protection historically has had a couple components, right? There's the muscle, but then there's a lot of work on social media. What is the threat? What are people saying? What might they be upset about? Are they getting organized? Are they threatening to do something? So social media monitoring is a big part of this. Dark web monitoring is also a very big historical part of this, of what are people saying about the company, maybe saying about that executive of the dark web, again, a good opportunity to see if people are getting organized, if there's a campaign or something like that. And then we get into kind of, you know, geospatial monitoring. It may not even be about the executive. Is there something happening in this area? Maybe around this plant? Maybe it's a chemical plant that had an issue where, you know, the chemical spilled and leaked into the environment and killed all kinds of, you know, endangered creatures and things like that, right? So it's this concept of spatial awareness, social media awareness, physical awareness that really comes into the realm of executive protection. Now, there's lots of different types of executive protection teams out there. And they're looking at, you know, the home of the executive; what happens when they travel and kind of travel planning; physical security. But of course, you know, then there's also, in some cases, armed security, depending on the level of that executive. And armed security in the United States can be really difficult because we have different gun laws in every state, and the executive's moving in between them; and you've got to figure out all these crazy logistics based on where that executive is going.

Dave Bittner: You know, you remind me of a conversation I had a couple years ago when I was doing the Recorded Future podcast. I was talking to -- I believe it was the Chief Security Officer at Purdue, which is a chicken farming organization.

Caleb Barlow: What's for dinner, Dave.

Dave Bittner: Yeah. 33 In my house so.

Ben Yellen: Maryland based company, as well, I believe.

Dave Bittner: Yeah. In my home state of Maryland, if you go out to the Eastern Shore, probably half the farms out there are Purdue chicken farms. And so in my conversation with this gentleman -- and I think this slots in exactly to what we're talking about here. Our conversation was focused on cybersecurity. But he made the point that a big part of the threat intelligence feed that he was getting was about the physical security of those plants because there are people out there who are not happy with the idea that people are eating meat. And so, if you're a chicken farmer, you have to be aware of those things and have those things on your radar. And, before that conversation, it wasn't really something that I'd thought about that component, that sort of political component of the safe -- the physical safety of your plant, of your headquarters, you know, the people who work for you. So that was a bit of an eye opener for me.

Caleb Barlow: Well, I mean, let's think about that, too, right? Like, there's lots of things that can happen to a physical location. So, again, another thing an executive protection team will often look at is, you know, you might literally look at the gates at the, you know, physical infrastructure. Like, now imagine that's not just a chicken farm. Imagine that's like an oil refinery, right? Now it's taken up and even a notch of some sort of, you know, action on that plant could have real repercussions. I mean, in some cases, people are even getting private satellite flyovers of locations to understand what might be happening in that location. And, believe it or not, these things are not that expensive nowadays, right? But I think the other thing we have to look at with executive protection -- and here's where this gets interesting -- many, I don't know if I know enough to say most but an awful lot of corporate Fortune 500 executive protection plans are actually less about protecting the executive and more about a tax loophole for the corporate jet. So the issue is --

Ben Yellen: Go on.

Caleb Barlow: So the issue --

Ben Yellen: -- weren't expecting that twist.

Dave Bittner: No.

Caleb Barlow: No. I've been saving this. But here's the thing, right? If you are using a corporate jet for business travel, okay, that's a understandable business expense if you're a, you know, Fortune 500 executive. If you're using it for personal travel, that is compensation. You know, interestingly enough, one of the fascinating things with many -- and I don't know if I know enough to say most but certainly an awful lot of executive protection programs is there's also a tax benefit for the executive when it comes to the usage of the corporate jet. Now, here's the issue. If you have a corporate jet and you're using it for business travel, well, that's an understandable corporate expense. On the other hand, if you're using the corporate jet to take yourself and your family out to Lake Tahoe for a vacation, that's considered compensation, unless you have an executive protection plan and there is a viable threat that indicates that you need to use a corporate jet in private travel for your own personal safety and the safety of your family. So what does this mean? It means that many executive protection programs historically have been -- and I'm going to make up a term here, what I would call vanity executive protection programs, meaning that, yes; there are times where maybe that executive needs a little muscle at the -- you know, at the quarterly meeting to maybe fend off some protesters or something like that. But, generally speaking, there's not a big threat to the executive other than their potential taxes.

Dave Bittner: Wow.

Ben Yellen: It's sort of like the fig leaf of security when you're actually just trying to game the system, which is -- it's tough because, like, there could be some isolated threat out there. You talk about quarterly meetings. Like, you could have angry investors. You never know if one of them is going to commit an act of violence. But even one angry investor for a noncontroversial company, and then you have a high profile incident of violence. So, like, you can't completely discount it.

Caleb Barlow: So I found a great article from CNBC that kind of outlined 20% of Fortune 500 companies list some type of security benefit for their chief executives, according to recent proxy statements. And, now, that was not the case, interestingly enough, they found in this article with United Healthcare's executives, right? So at least -- it doesn't mean they didn't have executive protection, but it wasn't listed in the corporate proxy statement. But some of these executive protection programs are massive. So vaccine maker -- again, this is from the CNBC article -- Moderna and Pfizer in 2023 revealed they each spent upwards of a million dollars on executive security. For a company that size, that doesn't sound too crazy. You know, CVS Health disclosed -- now, this was with the former CEO Karen Lynch, that she needed to use corporate aircraft pursuant to an executive security program for both business and personal travel, similar to the approach for aircraft. She used to use a corporate driver. And, by the way, the driver thing from a executive protection program is also a significant liability reduction because, if that CEO who's obviously high net worth gets in a car accident, let's say they're at fault; they're going to get sued. If it's a driver, is the driver getting sued? The driver's not worth as much, right? So, you know, some of this is risk reduction; some of this is managing some loopholes with tax benefit; and then some of this is actual, real threat. I think a big part of this United Healthcare issue was some of these vanity programs, I think people went back and said, Oh. Maybe we actually need to think about this as a real threat, and how do we up our game?

Dave Bittner: It certainly seems like an eye opener for a lot of folks. And there was a story in CNN about how many organizations were taking a second look at their security after this event, obviously. I mean, we heard the stories about companies removing the photos of all the executives off the websites. I had a conversation with Chris Pearson, who runs Blackcloak, which is a company that helps high-level executives sort of lock down their cybersecurity. He was saying that after this, you know, their phone was ringing off the hook. But he also mentioned in a side conversation about what you touched on, Caleb, which is that at a certain level, a lot of executives aren't allowed to drive themselves places anymore, which I hadn't really considered as well. Now I'm curious, Caleb, I mean, you have been the CEO of a public company. Did anything change for you when you had that responsibility? Were there -- were there any additional elements that came into your life, having -- having that position?

Caleb Barlow: I've had two situations in my career where I've encountered kind of, you know, different levels of executive protection. So -- and I worked globally for IBM. There were certain countries that I was absolutely forbidden from driving in, having a car. Had to have a driver. There was one country I traveled to where I had to have an executive protection detail. And, you know, but that was pretty rare; and that was just because of where we were going. And, you know, honestly, it didn't mean much more than making sure certain people knew where we were going to be, what our route was. And most of that was a kidnap and recovery concern than anything else, right? And I think, you know, certainly, like, oil and petroleum companies get into these kinds of concerns a lot. That is a completely different set of issues than a CEO crossing the street in Manhattan into the -- into the Hilton, right? Like, totally different ballgame. They -- now, when I became the CEO of a public company, we were not a company that was -- you know, we were a very small public company doing cybersecurity work. We really didn't do anything that got people upset. I will say, however, what was very alarming was the loss of privacy. You know, not only is your salary published; you know, it's very easy to figure out your home address. But I actually had activist investors hiring private executives, you know, private eyes to go investigate me, not from a nefarious perspective. I mean, what they were doing was legal and above board but from a what decisions is this guy going to likely make? Where's he going to take the company? How might this drive my investment in some way, right? And, you know, that's -- that's part of the game, right, when you sign up for that. But I think the -- you know, the loss of privacy that these corporate CEOs have is -- is something they have to really get used to. And, you know, one of the things I learned is, boy; you better be doing everything above board. Every I had better be dotted; every T had better be crossed because, if it's not, you know, there's lots of ways that could go sideways.

Ben Yellen: I have kind of a broad question here. This is what an economist would call a sunk cost, right? So all the money you invest on security for a CEO, that's not getting back to the investors. It's not helping you turn a profit, at least directly. So what point do you reach that threshold? Like, when does a company realize we have to actually take this seriously? We have to invest our own resources in protecting our executive. Like, what are -- what are some of the telltale signs you look to for when companies should reach that threshold?

Caleb Barlow: Well, I think this is where the connection, interestingly enough, with cybersecurity becomes so important because it's not really a question of what business are you in or who's the executive. It's what's the threat, right? Like, you could be in a really edgy business but have an executive that everybody loves; and there's no threat, right? On the other hand, you could be a completely mundane business that happened to tick off an investor or a customer, and now you've got a real problem, right? So I think social media monitoring, which, you know, all the cyber folks that listen to this really know how to do, that's incredibly important, as is just general news monitoring. What's the sentiment of the company? What's the sentiment of the CEO? Event monitoring, you know, actual geolocation and kind of putting a tag around that and then ramping up or down that security protocol based off of the threat that you actually see and being willing to jog that. Now, you know, I think the toughest question is to say, When do you go from nothing to something because, you know, it's one thing to say, oh, we -- you know, we've got a viable threat. We need to increase our executive protection budget from, you know, a half a million dollars a year to $750,000 a year. It's another thing to say we need to go from zero to something, which is probably a pretty big jump in cost. And I -- I suspect that's something a lot of companies really struggle with.

Dave Bittner: We'll be right back. I've also seen where folks will partially justify a security shift by saying it allows the executive to make better use of their time. For example, you know, here in Howard County, where I live, a couple county executives ago decided that, rather than driving themselves from place to place, they would have a police officer, you know, in a Suburban do the driving. And this was put in front of the public for two reasons. One, there were allegedly credible threats. People are unhappy. But the second reason was now the executive can be doing things in the car, answering emails and taking phone calls and, you know, being more -- making more efficient use of their time. It kind of speaks to that dual use maybe with the private jet as well. And, you know, people roll their eyes at some of them and say, oh, you know, what is a little -- what does a county executive in a little place like Howard County need a security detail for? But I don't know. It's interesting to me how you can have multiple justifications for this sort of thing.

Ben Yellen: I mean, it seems to me that that's why you do a threat assessment, is you try and figure out, as Caleb said, like, what are the threat vectors out there? Where are they coming from? Is it worth it for us to make those investments? Basically, the fundamentals of risk management, just because we're talking about actual -- actual human being, the stakes are quite high. How familiar, Caleb, are you with that world? I mean, are -- is it kind of like a scoring system where CEOs in different industries or individual CEOs are given kind of a general threat score that informs how much a company is going to invest in physical or cybersecurity?

Caleb Barlow: Well, if they have an executive protection team, this is exactly what the executive protection team is doing, right? They're looking out ahead, saying, What is this executive's travel plans? What are the risks in these locations? Do we need to take any specific precautions in these locations or do something different. Like, you know, maybe the executive comes in, gives their speech, and then leaves. Or -- you know, or do they linger, right? And -- and sometimes those decisions are based on a threat. Sometimes those decisions are also based on, you know, how do you best utilize the time of the executive, right? So both aspects can come into play. And, you know, I think the other thing that is going to really kind of play into this is what are the decisions that the company is making and that are executives making; and how risky are those decisions, right? You know, so a lot of times where this stuff comes from is a company is maybe making a decision that might be particularly alarming to a certain community. Let's say we're going to put our new plant, you know, over some endangered animal; and that's going to upset a lot of people. And there's going to be environment --

Ben Yellen: You know what I'll give you? I'll give you the most current example.

Caleb Barlow: All right. Fire away.

Ben Yellen: It's not -- I'm a news junkie. This morning, Mark Zuckerberg -- obviously, he already has robust security, I'm sure -- but announced that Facebook is doing away with its fact checking enterprise. And they are no longer going to be working with third-party fact checkers in an effort to facilitate free speech. So there are going to be some people who are really upset about that.

Caleb Barlow: Right. So let's monitor that. Let's monitor that from the social media perspective. Let's monitor where he goes. And I'm guessing someone like Mark Zuckerberg probably has an extensive executive protection program, both at home as well as when he travels. But here's the -- here's the other interesting thing, back to Dave's question, right? Like, some of this is going to be about the convenience of the executive. I mean, someone like Mark Zuckerberg, you know, his time is probably worth many tens of thousands of dollars an hour, right? So does it make sense for him to be driving his own car or waiting in the lounge for the aircraft? Absolutely not, right? You need to maximize the time of that executive as much as possible to get the maximum return for your shareholders. So I don't think anybody's going to question someone like Mark Zuckerberg having a robust protection program; private aircraft; and, you know, drivers and all that good stuff. Now, let's wind back to the United Healthcare executive. Like, okay. On one hand, lots of people get upset with healthcare; and I think lots of people get upset with United Healthcare. Would any of us -- I mean, now, granted, we're not in the know what the specific threat was and what was posted on social or anything else. But, in general, would any of us think that there was an assassination threat of a US Healthcare executive? That's just not even in the realm of things I would have even thought of. I mean, I could see somebody yelling at him at the street or maybe disrupting a conference or, you know, throwing a rotten tomato at him or something. But this was well thought out, premeditated in a way that what would it cost to prevent that is the -- this is the other scenario with this, right? Like, okay. Let's say that it is a viable threat that the executive could be shot outside of a hotel crossing the street. What's the level of protection and the cost required to mitigate that? I mean, now you're talking diplomatic security level.

Ben Yellen: Secret Service.

Caleb Barlow: Yeah.

Dave Bittner: Reagan still got shot outside of a hotel.

Ben Yellen: Good point.

Dave Bittner: You know, so best protection in the world. Here's the thing that I think about with this. It makes me think of Columbine in that, before Columbine happened, before we had the school shooting at Columbine, school shootings were not a thing. They were not on our radar. We didn't think about them. We didn't consider them. Just wasn't a thing. And then, after that, it was a thing; and it continues to be a thing. It sparked the -- I'm going to put air quotes around imagination of people looking to do bad things. Here was a way to do a bad thing, to get your name in the newspaper, to get noticed. And I wonder if this isn't similar to that.

Caleb Barlow: Well, how is this different than, to your point, where -- are we entering the period of heightened violence, right? We had the attempted assassination of, you know, President-Elect Donald Trump. We had the attack on Nancy Pelosi's husband. You know, these are all switches to vi -- well, for that matter, we had January 6, right? These are all pivots to violence based on ideological belief. Now, regardless of where we sit politically, regardless of where we sit in our views of healthcare and United Healthcare and all this stuff, my worry, to your point, is are we entering a period where, for whatever reason, a violent reaction to something we don't like, politically or ideologically, is going to be viewed as okay. And probably the most disturbing thing out of the United Healthcare scenario was what Ben mentioned at the outset, which is the reaction on social media where there was a large population that was accepting of this as an acceptable response. That, in my mind, is the biggest takeaway I have on this show is that, if you're responsible for executive protection, maybe the world has changed; and we need to start really looking at social, really looking at dark web, really looking at geospatial and starting to monitor this in a robust way, even if we haven't decided to go full -- full in with a physical detail yet on an executive.

Dave Bittner: I'm reminded -- you know, to paraphrase, I think it was comedian Chris Rock who said, I don't condone it, but I understand it, the people's response to this killing. And I think the frustration that -- that people have built up inside of them where they feel as though nothing they can -- there is no avenue that they can get properly heard with some of these mega companies, right? My -- what I say about these companies is that they no longer operate at a human scale. They've gotten so big. There's so many consolidations. You know, I think about, you know, growing up, the cable companies, where they were local. So, if you had a problem with your cable company, chances are you or one of your neighbors knew somebody who worked at the cable company; and you could get it resolved. That's not the way things are anymore. You know, there's -- if you have a trouble with the cable company, with your healthcare company, there's a point where you're going to go up against a brick wall; and that's it. And I think when people start to feel powerless, when they feel like they have used up every avenue at their disposal and they're still not getting satisfied, that can lead people down this irrational path. And I worry about that.

Ben Yellen: I don't even -- I don't know. I don't even accept your premise on this one, Dave, just because I think this person didn't exhaust other available avenues. There are ways to publicize the misdeeds of health insurance companies. Even public heckling, yes; that's not going to get the same type of media attention. But it certainly gets some level of media attention. Or, you know, some of the horror stories we see online have actually broken through some of the abuses of healthcare companies. And to have that elevate to cold-blooded murder to me is like, I'm not even -- and maybe we differ on this. I'm not at the point of I don't condone it, but I understand it. That's just me.

Caleb Barlow: So, Ben, we've talked a little bit about, like, where the cyber side of plays into this. Where do you think the legal side, the courts, the lawyers, like, is there a motion that they need to play in this whole executive protection issue?

Ben Yellen: So there are a couple of angles I would think about. One of them you mentioned, which is the differing gun laws. I do think the impact of that has been blunted a little bit by the Supreme Court's decision in the Bruin case, which struck down a lot of state-specific gun statutes. It makes it easier for people to carry guns in blue or more gun restrictive states. But I do think that's an issue. If you're going to have armed security, you have to know whether they have proper permitting if your CEO is going to be traveling to New York or California. Then, there, from a legal perspective, you always think about laws relating to liability and corporate structure. And I'm not enough of an expert to know what would have to be changed. But something in forming an LLC, for example, something in the incorporation of a business would have to take account, I guess, in some way of the risk, not just to the company itself but to the CEO and that CEO's safety. And I can't really pinpoint exactly what that would look like. I took business associations in law school, and I stayed at a Holiday Inn Express last night. That's the extent of my knowledge on this -- on the subject. But I'd be curious to hear what you think about that liability angle and if we should think about this in terms of corporate governance structures.

Caleb Barlow: Well, actually, let me pivot one step further on that. Does this become something CEOs negotiate as part of their package? Like --

Ben Yellen: I think it has to be. It has to be.

Caleb Barlow: I think if -- if you're a CEO in the tens of millions of dollars in comp range, which a lot of them are, you're negotiating all kinds of crazy things like access to the corporate jet and drivers and all that other stuff in your contract. Like, is a real versus vanity executive protection program something you start to think about for you and your family? Like, you know, I -- again, I think where this stuff is very real today are CEOs that operate in areas of the world where they need to worry about what they call the K&R risk, the kidnap and recovery risk, right? And those are very real teams that have very real capabilities because there's a very real threat. Again, you don't see that in somebody that's just, you know, working in the US and Europe. And maybe -- maybe that starts to become part of the program, right? But, you know, I also -- you brought up the word of liability. Like, is there a expectation that comes in this in some way? What happens if a company and a board refuses to provide the expensive executive protection to a CEO? Like, let's say you're a, I don't know, $100 million ARR company, which, you know, on public standards is pretty small, right? Let's say your CEO has been threatened in a variety of ways. And let's say a board is not willing to provide the level of executive protection that the CEO needs. Like, do we start to get into some liability issues if something happens.

Ben Yellen: Potentially. And the way tort law works is the liability would start to become more of a discussion if this gets widespread because the corporate boards would be judged on what a reasonable corporate board would have done under these circumstances.

Caleb Barlow: Oh. Interesting. So it's not even so much specific. It's what would be reasonable in that circumstance.

Ben Yellen: Exactly. I mean, that's how any lawsuit in torts works. You're judged against a reasonable person or entity similarly situated. So, if we start to see the compete -- the direct competition or similar industry players investing in this type of security, when some corporate board says this is not -- this is not an expenditure that we want to make, maybe some court is going to recognize that as a breach of a standard. I mean, that's kind of how medical malpractice cases have worked, for example. You get expert testimony from doctors saying, this is -- I do X, Y, Z procedures every time I perform this surgery. And the doctor in this case did not do that. So, if this becomes so customary in the industry, that's going to start to have an impact in courts of law.

Caleb Barlow: Let me throw one other question your way, Ben. You know, so it's very difficult now to be anonymous; and it's very difficult to anonymize where you live, right? Like, you know, if you want to truly anonymize where you live, you're going to have to put your house in a trust. You're going to have to get your mail some other location. Like, it's work, right?

Ben Yellen: Totally. And not worth it for --

Caleb Barlow: Most.

Ben Yellen: -- 99 percent of people. Yeah.

Caleb Barlow: Right. Like, is there some change that needs to occur? Because it's usually governments, at the end of the day, that are publishing, like, who bought this house and, you know; or, you know, it's real estate sites posting the pictures of the interior. Like, it's really difficult to hide where you live. Like, does something need to change there?

Ben Yellen: Maybe. The thing is, like -- and I've been trying to take this situation with the gravity that it deserves. But it's still, like, if you step back for a second, a niche issue that affects CEOs, which in and of themselves are.001% of the population. So there are societal uses to having public property records. You know, it's important for local governments and tax assessments. And, I mean, there are a whole bunch of reasons why we have those public records. And so to throw the baby out with the bathwater because of this, what right now I think is still an isolated risk, it wouldn't fundamentally cause me to rethink allowing Zillow to maintain photos of a house after it's been purchased. And I don't think this is something -- like, of all the priorities that Congress has, for example, would I go out of my way to take -- take those actions? Probably not. I'm curious to see what -- if you disagree or what you think.

Caleb Barlow: Well, we actually talked on a prior show about, you know, kind of upping the game on your -- this is on the CyberWire podcast, you know, upping your game on these things. Interestingly enough, you can remove your house from Zillow and other sites. You can obscure it on Google. There's things you need to do with your Wi-Fi to hide where you live, right? But it's really hard. And, at the end of the day, the part that's almost impossible to change is all the public property and tax records.

Dave Bittner: There was a -- recently I saw, you know, there have been several Twitter accounts that specialize in tracking the corporate jets of famous people because that's all publicly available information.

Caleb Barlow: Yeah. There was that whole issue around the guy tracking Elon Musk. And didn't he kick him off a Twitter or whatever?

Dave Bittner: Right, right.

Ben Yellen: He did. And Elon Musk referred to it as you're posting my assassination coordinates. I mean, that is another risk vector is, like, I was curious as to whether Taylor Swift was going to show up to last year's Super Bowl. So I searched it on Google, and people were tracking her private jet. She had a show in South Korea. You could see exactly where it was. There are security measures in place. I think all of those public flight records are -- I think they're on some sort of delay where what you're seeing is what existed 10 minutes ago or whatever. But still, I mean, it's kind of insane that that information is so readily available and easily accessible.

Dave Bittner: But I did see something recently, and I don't remember the precise details but where I guess it's the FAA who has jurisdiction over this is taking some steps to try to make it a little harder to automatically track these jets. So they -- you could say they recognize the issue. You could also say that they're, you know, caving to the requests of billionaires. But -- and both those things can be true at the same time. But it's an interesting point. You know, how much public information do we keep public? Let me ask you guys this, and maybe we can bring it home with this. How do we make sure we don't overcorrect here? If this is truly a one-off, if this is a random, you know, one person alone wolf, which there's been no indications of it being otherwise so far, the CEOs, the boards are scrambling in response to this. Is this the kind of thing where five years from now half the folks who, you know, souped up their executive security have since let it go by the wayside because turns out the threat isn't real?

Ben Yellen: I think you have to look at this the way you look at any other risk. Like, if you were to ask me in 2018 should our country invest trillions of dollars in pandemic preparedness? I would have been -- I mean, I probably would have said yes, but most people would have been, like, no. Like, that doesn't -- that doesn't seem like that big of a threat vector. Like, we have other priorities. Let's invest it in housing or whatever or any other federal priority. When I do things like hazard identification and risk assessments, you evaluate extremely unlikely scenarios, things like nuclear detonation in a given metropolitan area. Do I think that counties and municipalities in Maryland should invest public resources in protecting against the fallout of a nuclear attack, given its relative lack of likeliness? No, I don't. So I think it just -- it depends on -- and I -- this sounds like an economist answer, which is, I guess, kind of what it is. But it depends on your evaluation of risk and your tolerance of these kind of isolated harms.

Caleb Barlow: I have a slightly different point of view in that I think there's two pieces to this, right? I think you invest in protections for things that are likely to occur, right, like, you know, risks that you could see occurring like, you know, hey, the corporate headquarters burns down in a fire, right? I mean, that's a reasonably likely risk that you should probably invest in smoke alarms and, you know, an exec -- and not, you know, exits in the building. And, by the way, those things are required by law, right? But I think -- I think the new learning out of this is that companies of any size do need to invest in the intelligence of monitoring for a black swan event. And, in doing that, you're not only building the muscle memory to look for someone that may be targeting your CEO or your corporate headquarters, you know; but you're also building the ability to constantly articulate what those black swan events are and be able to talk about them. So when one of them moves from being highly unlikely to likely, you've got to be able to deal with that. And I think probably the biggest example of this right now in the cybersecurity world are companies that, for example, are operating out of Israel, right, where, you know, there was a black swan event there a little over a year ago; and it has changed the way businesses need to operate. Now, you know, the good news is things are very resilient. Businesses keep on trucking. But that was, I think, by any measure, a black swan event. So we need to monitor those, and we at least need to have the plan in place of what if.

Ben Yellen: I think that's right. I think that's actually a good place to close because you don't have to do things like rewrite laws on public property records if you are diligent about assessing risk.

Caleb Barlow: And have a little imagination.

Ben Yellen: Exactly, exactly. As they said in the 9/11 commission report, so much of our government's failure was a failure of imagination to connect the dots and figure out that such an event was possible. So I think the same logic applies here.

Dave Bittner: All right. Well, gentlemen, we will leave it at that. Again, our thanks to Caleb Barlow, CEO of Cyberbit, for joining us here today. That is Caveat brought to you by N2K CyberWire. We would love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes, or send an email to caveat@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tré Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Bittner.

Ben Yellen: I'm Ben Yellen.

Dave Bittner: Thanks for listening.

Caveat
Podcast Info
HOST(S):
Dave Bittner
Ben Yelin
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Ben Yelin, JD, is the Program Director for Public Policy & External Affairs at the University of Maryland Center for Cyber Health and Hazard Strategies, where he consults public and private entities on homeland security, cybersecurity and emergency management policy. He is also an adjunct faculty member at the University of Maryland Francis King Carey School of Law, where he teaches courses on electronic surveillance and the Fourth Amendment.
Schedule: Wednesdays
Creator: N2K Networks, Inc.