In this new technological age, it may seem like we have already made so much progress in science, machines, software, and technology as a whole, but we may not actually be as far along as we think we are. In this episode, Matthew Stephenson sits down with Arun Vishwanath to discuss cybersecurity: how much it has accomplished so far, how many problems it still hasn't solved, and its great and equally horrible potential depending on the intent and approach with which it is used. Arun Vishwanath is a technologist, researcher, educator, and author. Tune in and learn what keeps our world secure and how much further we have to go!
Arun Vishwanath: The Right Intent And The Wrong Approach
We are bringing you the top experts in the industry for a chat about all that is interesting and keeping our secure world. Speaking of keeping our world secure, we tend to get excited. It is what we do around here. I have been practicing this, and I know it is terrible for me to say it like this, but we are happy to welcome Arun Vishwanath to the show.
I’m happy to be here. I’m excited.
Let me give you the big WWE-style introduction because I love doing this. You are the Founder and Chief Technologist of Avant Research Group, a distinguished expert for the NSA’s Science of Security and Privacy Directorate, and the author of the book, The Weakest Link: How to Diagnose, Detect, and Defend Users from Phishing. It is available from distinguished booksellers everywhere. He is a professor at the University of Buffalo and a faculty member at Indiana University. He has presented to the United States Senate and Congress, as well as multiple times at Black Hat. Welcome to the show. What did I get wrong?
You got it all right. It sounds better when you say it than I think about it. You are on the right track.
Your list is long and distinguished, but it was one of those that was like, “What do we want to pull out of this?” This is why people are going to want to see it. You are nearly omnipresent in the cybersecurity world. You have a new book. You are a frequent blogger. You appear on podcasts, and you have done television. I’m looking forward to the animated series that’s coming soon from Apple TV. For you, given all of the interesting things that you are involved with, when you look at the media, how do you even make a choice? What do I want to do? We are happy you are with us, but what do I want to do?
Let me give you a short history of this. I was a professor at a university. I did that for several years, doing actual cutting-edge peer-reviewed research on user cognition, user behavior, and stuff. As a professor, you write a lot of journal articles and peer-reviewed journals. I did a lot of that. I have written 50 different articles and hundreds of other conference papers. The problem is that you are writing to your own audience and a few other professors, and occasionally a student who doesn’t want to read it but they are forced to in a class.
That is not going to solve a lot of problems. That is going to keep you in an echo chamber of its own. I wanted to break out of that. I realized that we were not making any difference. We are adding to the pool of knowledge, science, and all that good stuff, which is important, and some of us need to know how to do that.
If you want to make a change, you have to be where the audience, the policymakers, the users, and the people who are suffering from some of these issues are. What are we talking about? We are talking about cybersecurity. I started writing for CNN when some breaches started happening. I realized that nobody knew what was going on.
I remember the Sony Pictures hack. I saw the hack happening, and I had been studying it for years. I was like, “This is something people have no clue what they are talking about. You can’t expect a journalist to be a domain expert. They are reporting on what is happening as they happen. They are not going to tell you what is about to happen, what could happen, or why something did happen.”
Like a physician for a postmortem, you need an academic who understands it for the analysis listing down the problem. I started writing for CNN. I thought I would write an article, and that would be the end of it. Lo and behold, I kept seeing those breaches happen. I realized that even that medium of news doesn’t suffice. We have to be in more places if we want people to pay attention to what is happening in order to do something about it. All of these are different opportunities to present those ideas.
If you look at where I started in 2014, people were not that concerned about social engineering and phishing. I’m talking about December of 2014. If you can think back and see some of those articles I was writing, nobody talked about these things. When Sony happened, people were busy talking about what was in those emails that were leaked, not how this whole thing happened and what was about to come. I wrote about ransomware back in 2015, where I said, “This is going to be the year of ransomware.” This was when a Hollywood hospital got hacked, and they locked the entire system down. I wrote about it on CNN in 2015.
Colonial happens in 2019 or 2020. I’m writing about the same thing. I was like, “I wrote about this. Look back. All this was happening. All this was going to happen, and we could have solved it back then. We are still exactly there.” We are talking and writing about it more. Now, there is a whole world of people out there like you. There are people doing podcasts, which is great. We are now able to amplify the message. We are making slow progress. Eventually, we will get to a point where we will do things that will make a bigger difference than it is already doing.
As we tend to do on this show, we do a prep call ahead of time. We lay out and elaborate, “These are the things we are going to talk about in bullet points.” The guest comes on and melts my brain by saying something that blows it up in the initial question. Let’s pick one, the Sony Entertainment hack. People tended to focus on the content of what was happening as opposed to what was happening.
Let me ask you this. Given your position as a security leader and your various CISO positions, when the content of an email comes through, your team has to look at what happens to spur people to act and react the way they do. Where do you spend more of your time? Is it the content of the email or process that they got in? Is it what happens after somebody clicks something? Do we care about what bomb you dropped, the fact that a bomb was dropped, or the fact that now the bomb has been dropped, and now we have to react or option four?
I got to be honest with you. No one has ever asked this and broken it down. Where do we begin? What is the focal element that we should be focusing on? I was working with different national security agencies. It is sitting in on these presentations from various big cybersecurity companies out there, some of the biggest names out there. They would give us this, during their presentations, a kill chain or a life cycle of a hack, where they address all of this. Let’s take Sony Pictures. It begins with some incursion. There is the release of data and holding data hostage in some cases with ransomware and payment or nonpayment.
This is something I have written about in my book, The Weakest Link. I talk about this in every forum. We focus on what it is that we like to talk about the most because that is what our skills rely on. What does a journalist do? A journalist takes this focus on, like, “What is the content? I can’t believe it.” I’m paraphrasing some of the things that were in those documents that were released from Sony. I can’t believe these people are bigoted in their emails.
That draws the energy of the audience because it is clickbait. What is the focus? That is something interesting to talk about. You talk about it for months, and the bad guys know that. If you are a security company in the technical realm, the focus is on, “What was the malware that was used?” That is something you can deal with because malware is your focus. I have written about this extensively.
Technology focus leads to even more technology being implemented. It is like an arms race. It is mutually assured destruction, but, at the end of the day, there is a lot of technology being built. Let’s go to any conference. All the vendors are technical solutions.
The most important part of that so-called attack life cycle, which everybody skirts quickly is, “How did this whole thing begin? Where did it begin?” Usually, it begins with a person clicking on an email. More often than that, it is social engineering. It is spear phishing. Somebody got deceived, and they quickly moved on. They were like, “We don’t want to focus on it. Let’s go on to email security. Let’s throw some training on the problem.” It is the reason why the problem is still a problem.
The core of the act is not the bomb that was dropped. The core of the act is the construction of the bomb. In the analogy of a bomb being dropped, you can focus on the quality of the missile, how complex it was, and how wire-guided or laser-guided it was. You can build another laser-guided different system. That is great. That is something we need to do. There is no question about it.
What started that whole thing? If you can extinguish it at its root, you don’t have to get to that point where you are now in a war situation, which is what we have done since World War II. Keeping with the war analogy, we have come up with institutional structures. Back in the day, the red phone that people could call each other and say, “We got a missile going this way. It is a stray missile. Don’t take it seriously.” That is more important than we realized. The human-to-human contact is more important in the same way as email security and cyber security.
Attending to the core of that problem, how do the bad guys get in? It is something we cannot just have a one-liner on in these presentations. Much of my book, 80,000 words of it, is about, “We know how these people got in, and we can, if we want to, deal with the issue right there and stop it.” We don’t have to get to malware, kill chain, or ransomware. That is one focus. Does that mean all attacks are technically taken care of? No, but the attacks that are primarily human-focused require an understanding of the human that is being focused on.
It is not entirely unique because there are people like you, people that are in your position, working for security companies that need to protect their own companies. They need to protect their users, but they are also public-facing in order to educate the rest of us. That is a massive responsibility. How do you break out the time for that? Is that 1/3, 1/3, 1/3? Is it 80/10/10? How do you put in enough hours in the day? I’m assuming your day is 26 to 28 hours long in order to protect your company and clients but also let the rest of the world know there are some bad things happening, and here are some things you need to know.
We need to spend a lot of time building the idea, understanding, and awareness of the problem. Part of the problem is that if you don’t spend a significant amount of time defining the problem, people define it for themselves, or the focus shifts. I will give you a term that we all use quite a bit, cyber hygiene. Ask any security expert out there or anybody working in a company out there, “What is cyber hygiene?” The quick answer would be, “It is like we do. We wash our hands. We have something in cyber that is equivalent to it.”
The problem is that it is not true at all. Because the word hygiene is there, we cannot go towards these examples that build on some idea of human hygiene. I have written about this extensively. How we define a problem is a huge component of how we solve the problem. I spent a good amount of time defining problems, and there is a reason for it.
For 2,000-plus years, or ever since we have any written record of humans, people have been trying to fly. What do they do? They tried to build wings, like the birds around there. They defined the problem of flight as something that involves flapping your hands or your wings. If you looked at even the early prototypes of a plane, right up to the early 1900s, they were flapping wings.
We can go back to the Nigerian Prince scheme or the Spanish prisoner. These things are old and handwritten, like close-on parchment type of things.
Look at these early prototypes of planes. What do they do? They use the analogy of flight from birds because that is how they conceptualize the problem. What I say is that you need to conceptualize problems accurately in order to find solutions quickly. Otherwise, you spend 1,900 years, 2,000 years, or a few millennia, trying to come up with a solution, which is all in the wrong direction.
What we have done with security is talk about it in purely technical terms. A lot of the focus is on technical solutions. What should companies spend a lot of their time doing? They should spend a lot of their time understanding the risk that is in the enterprise. If you do that, you are focused on all the right sides of the problem.
Risk assessment is a primary function, not something you do once in a while. It’s not a phishing test that you do once every quarter and get it over with so you can check some compliance boxes, but it is something that is primary to your enterprise. You have to spend a lot of time. I spend a lot of my time with my clients on that aspect of risk. How do you do a risk assessment? How often do you do a risk assessment? What is the biggest surface of risk? It is your users. Let’s understand our user risk and who is at risk. That is not something that is static.
Users can get riskier. The risk can attenuate depending on whether they are traveling and when people start working remotely. The risk changed how these users were tending to devices, and the media was changing. It is a continuous process. You can do this and have a better grip on whether your largest surface is protected or not. That is what you want to spend a lot of your time doing.
When you are talking to your clients, and they want to hear solutions, how interested are they in the psychology and culture of people, as opposed to, can’t we lock their machines down? Yes or no questions are the worst. When you have to get them to understand, humans, by definition, are chaos. They are fungible. That is the scariest thing you have to deal with. How do you get across to them the notion that people are your best and worst resource in this situation?
That is the hardest part of the problem. The reason this is a problem is that security folks tend to be technical folks. They are all usually engineers. They all have an engineering background. They think about problems from an engineering point of view. The problem with engineering is that engineering is predictable. Computers are predictable.
To our engineers out there reading, that is also the gift of engineering.
People are not predictable. People are stochastic. They are predictable not in a deterministic way but in a probabilistic way. There is more gap and error. That doesn’t mean we can’t predict and change them. We have been doing it for several years quite successfully. We are predicting. We have been changing human behaviors.
You are invited back for a complete six-episode series where we talk about people without any of this stuff.
We have been doing it as a society, cultures, governments, public health officials, scholars, and academics. We have been doing it for the last several years. We have changed human behavior and civilization in many ways, from brushing teeth to hygiene to smoking cessation. We have done a lot of these things. We can do that.
The problem is that when you are talking to engineers who are used to things being predictable, it is a harder sell. There are other forces that are squeezing. I wrote my book about how the CISOs get squeezed. There are those guys out there who fundamentally believe, “The users are a problem. We want to do something about it.” They don’t have the time for it. They have to comply with all kinds of requirements and mandates that are out there. They have to show that those mandates are being complied with. The worst part of it is that they don’t want to show that they haven’t done enough. This is a risk-averse profession, to begin with.
IT and IT security are incredibly risk-averse. Nobody wants to do something someone else is not, which means everybody does what everybody else has done. The big companies out there who do security are the ones who get all the business because it is the nature of saying, “I got this XYZ company out there to take care of my stuff.” Everybody else does the same thing.
It is hard to do the user culture change that all of us want to do. That is the challenge. There are companies out there that are doing it. Some of them are doing a good job with it. I wish there were more doing it. That is where we all come in. That is the reason why I write in multiple media. That is the reason why I wrote the book, I do the podcast, and I cannot put myself out there saying, “How can we evangelize for the need of users?” Not for a product or a company alone, but for saying, “We cancel all of this. We have to attend to users. We know how to do it.” It is not a black box and it is fungible. It is probabilistic, but it is still predictable that we can do it.
I am now a radio host. Once upon a time, I was a product manager in some of these things. When we look at this, you got this interesting multi-generational intersection. There is Gen Z, Millennials, and Gen X, and might even be a few Boomers left. Most of them are probably higher up the food chain. When you come in to talk to them about the idea of insider threats, as Gen X, we saw the birth of social media. Millennials were the transition from traditional to social, and Gen Z has come up 100% inside of social. Is there a cultural thing that you need to bridge or help the CISO, the C-Suite, understand when it comes to the culture of security, how their reactions and interactions can create risk in a way that they may not have thought of?
I’m not an expert on insiders. I have done some work on it but not enough to be an expert on it. That is the caveat. Having studied users across the spectrum of age groups from unintentional insiders, which is not necessarily the flip side of an insider. With those caveats in mind, there is a difference. The difference that we see with various generations is a difference in values. Technology is not dictating values. I don’t believe for even a second that technology influences values as much as values emerge regardless of technology. Technology is the conduit for expression.
You named the episode right there. Values emerge as a concept of technology.
Let’s look at generations before us, the 1970s. It is a huge countercultural movement. It was expression through technology, but it wasn’t technology-driven. Demonstrations and manifestations of some of those changes were there, but the media was just reflecting on what was happening in society. I will give you a great example of this.
If you look at the 1990s, the big show on TV was Cheers. Where were people meeting at Cheers? They were meeting in a bar. I believe there were Cheers Neighborhood Bars. It became a franchise. There are still a bunch of them out there. Neighborhood bars died. What happens with Seinfeld and Friends? They meet at a coffee shop.
When I was in graduate school, I met my wife at Starbucks. This is the coffee shop generation. Slowly that is turning into something else. The media is the expression of that. Social media is another conduit of expression. Are values changing over time? Absolutely. Did Cheers and neighborhood bars go away because of cable TV? No way. They have nothing to do with it. All that has happened is that the values of every generation keep changing. Media has some influences on it.
What we need to do is understand the value systems that people come with. Every generation comes with different sets of values in the workplace and the idea of what we do for work. Look at what COVID has done for a few years. It changed how people oriented themselves to work in a pretty good way. It was about time. Technology made it possible. It made remote work possible. It brought the internet to where it was meant to be. These were the promises of being online, the continuity of organizations, and working in remote workplaces.
Some of those things are positive. What you need to do is be able to measure that. We have measures for value systems and belief systems. You can measure that and quantify it. I’m a big believer that when you measure and quantify something appropriately, it becomes easier to show tangible values and benefits to CISOs. You can say, “Here is the generation. Here is how these people are thinking, and here is why they are thinking the way they are thinking.”
Not being an expert on the insider part, but this is important because a lot of people talk about culture and culture change. These are big words, but they are constructs. What do you mean by culture change? When you sit down and ask people, it is anything and everything that they want it to be. That doesn’t solve any problem. That muddies the water even more. What you want to do is be an unintentional insider. The measurement of these processes and value systems dictates policy. You have a quantified, measurable, and trackable process that can help you get from point A to point B.
You are applying sound science and sound frameworks in high quality to your decision-making. Therefore, the decisions are better. This way, you can promote the idea, and you are confident that these things are going to work. Your CISOs are happy. They have some hardcore data to look at. They can say, “This worked. This didn’t work. Let’s change it.” That is what I do with even unintentional insiders. That is my focus on social engineering. How do we get this quality data? How do we measure user processes? How do we measure cognition? How do we measure behavior? How do we measure this idea of cyber hygiene? We got to do that.
You have the enviable/unenviable position of being invited in to talk to boardrooms and C-Suites. You are a Founder of a company, an author, and doing media things. People will ask you these questions expecting answers from you. When we look at the idea of what is happening inside the SOC and security team, knowing that we are dealing with this diverse group of people, we want them coming from every different corner because everybody is going to be thinking differently about stuff. What pressure does that put on you? Not to deliver the “right answer” because there is no right answer, but get them to understand what they need to be thinking about.
The biggest skill I have had all my life and that I have worked on is you got to be able to communicate concepts simply. This is one of the reasons why I like to write. I don’t believe in using constructs and complex terminologies to explain to somebody something that they are either clueless about or don’t care about.
If it has got a hashtag, I’m not interested.
Don’t waste your time. I don’t even like words like culture and resilience. What does any of this mean? What are resilience, culture, and cyber writing? I spend a lot of my time breaking it down. I spend hours writing about this to myself. Many of the writings that I do never get published, and people don’t give enough value to how hard that writing is because it is easy to take someone’s writing and try to amplify it. It is also easier to talk about it because a lot is missed in the talk.
You can easily gloss over ideas, but when you sit down and write, I spend a lot of my time writing to clarify, simplify, and make it such that the end user understands. Whomever that end target audience is, if it is the CISO or C-Suite, “Here is the problem at its simplest level, and here are the solutions. These are what these solutions can give you. You don’t have to shut down the enterprise. You don’t have to bring new software. You don’t have to do anything else.” We can predict the accuracy rate. That means, 7 out of 10, we will be able to predict it, and we will live with that, or we can live with nothing. We can come up with big terms, and we can all shoot big terms and feel good about ourselves.
I do want to dig into something specific that you have written because, one, I want to give a shout-out to something you have written that I think is a great article, but it was in Dark Reading in September 2022. The article’s name is Time to Change Our Flawed Approach to Security Awareness. It is such an incredible opening line.
I want to get out of the way. I’m going to pass you the ball, and you were full-on Steph Curry, either going iso or dropping a 35-foot three, whatever you want to do. When we talk about the approach being flawed, and we must change it, from your experience and the work that you have done, as we have established your bona fides, without question, where are the flaws?
That is my whole book, but I’m going to give you the five major issues. Let’s talk about this in the broadest way. We are talking about security awareness. The first thing is that we have no standard for awareness. What do you mean by security awareness? I’m sure you have done this. We have gone around the world giving presentations. I was in the corner of Indonesia. I talked about Nigerian phishing, and they all knew it. I have been to parts of Africa. Everybody is aware of it.
That is not what we mean by awareness. What do we mean by awareness? Do we mean the same thing as knowledge because that is something else? Let’s say the term awareness is problematic. We use the easy term knowledge. What do we mean by knowledge? How much knowledge? Are we going to make everybody a computer scientist? Are Matt, Arun, and everybody going to be computer scientists? A lot of people at Microsoft were computer scientists. They all got hacked by a bunch of teenagers. Bing’s entire source code was released.
Your kids and I were not hacked.
Not hacked yet, that we know of. We have no standard for awareness. The first problem is that we don’t even know what we are trying to achieve, but we are trying to achieve something. We have spent a month every year since 2004 trying to achieve security awareness month. We have no idea. This is like saying, “We are going to get everybody healthy, but we don’t know what healthy means anymore.”
That would be the equivalent. At least we have some understanding of this. In security awareness, the smartest minds, all the technical guys, the engineers, the computer scientists, everybody with advanced degrees and enormous certifications, every acronym you can find is out there, but they have no idea what security is. There is no standard for awareness. That is the first problem.
Second, we have no standard for testing. We do a lot of pen tests. That’s the primary means for testing. How do you make a pen test that is accurate? What should the pen test focus on? I have been in companies where I have looked at pen tests. My seven-year-old could say, “This is a problem email.” If you are in the middle of the Pocono Mountains and you are offering scuba diving lessons, that is a problem right there. That is an easy test. Anybody can figure it out. How about that?
We can make a test easy so everybody figures it out, which means the data looks amazing, or we can make it hard so that nobody figures it out. That is one problem. What should the test focus on? Should it focus on the retailer, Amazon delivery, FedEx, or PayPal? Is it only emails or delivery services? Is there anything to do with authentication that we should focus on? SSL? What should the focus of these pen tests be? There is no benchmark for it.
Crypto, blockchain, Web 3.0, FTX.
Keep going down that list. It could be anything. There is no standard. How do the IT guy and the CISO’s office come up with a pen test? They pull it out of thin air. I have heard this quite a bit, “We look at what attacks are out there, and we replicate them.” Here is the problem. Isn’t security awareness supposed to be proactive? If you go out there, look at a bad guy, and do what they did, that is called being reactive. By definition, you are letting them lead. It is an attack that hasn’t hit you yet. For all you know, you already got hit.
You named your return episode. Episode two, Arun, the revenge. It hasn’t hit you yet. That is what it is going to be called.
There is no standard for testing. We don’t know what a pen test should be. We make it up, and we use that data. It is like you go to the doctor’s office. There is no standard for blood pressure. We are going to put a cuff on you. We are going to measure something, and we are going to say, “You are probably healthy.”
This could be longer than Godfather 2 or Wakanda Forever, which is great, but by the way, it is long.
It is 2 hours and 20 minutes.
You are talking metric time. The one I went to was a lot longer than that.
I believe the movie is supposed to be good. I’m looking forward to seeing it, but 2 hours and 20 minutes is quite some time. I got to break it into the bar.
It is not quite the Irishman, but it is up there. It is fantastic. Please go see it because it is wonderful. I make this joke a lot, but we had a lot to talk about on this thing. I want you to come back because I want to dig into this. I want to give you an opportunity here for the next 4 1/2 hours to ask a specific question following up on everything you have said. What do we do?
This is what I talk about in my book. Look at the second problem being, “What is a good pen test? How do we build a good pen test? What should the pen test focus on?” All those answers are there. We know what to do. We know why people fall victim. We know what they fall victim to. We know where the gaps are if we measure them. I have an inventory, a series of questions in the book, The Weakest Link, which measures various dimensions of cyber hygiene. If you do that survey, you can tell what is lacking in your company. You can tell where the gaps are. You can say it with quite a lot of precision. You can say, “I know what the gap is in this part.”
Is it awareness? Is it knowledge? Is it capacity? It is the ability to do something. Is it an enactment? It is doing something. You can come up with a test that needs that. I also have a framework, and I’ve talked about this. I presented it at Black Hat on how you build the appropriate pen test. Not just pull it out of the air or copy something, but build it. It measures what it is meant to measure. It is like a blood pressure monitor. It has to be calibrated. You build a test, you calibrate the test, and you deploy it like what we are doing right now. There is a simple way. The book talks about it. There is simply one question that you ask to measure risk.
What will we do with that afterward?
All you need is to do that, and it gives you a number from 0 to 100 on the level of risk that you pose to the enterprise. It is like a credit score, a 0 to 100 number. They can say, “Arun is at 60. Matt is at 90.” The point is that when we know what Arun or Matt is at, we know whom to focus on. We also know whom to use to understand what they are doing right. If Matt is at 90, I want to know what Matt did right.
I can use the measurement that I have to say, “Here is what Matt is doing right. Let’s try to implement that on Arun.” That is how you solve this. We don’t try to keep the problem going, but you use a diagnostic approach. What is a diagnostic? What does a doctor do? She or he diagnoses you. They get into the office. They are trained to ask questions. How else do doctors do it? They use instruments, questions, and tests. This process is no different. It is not that complicated. It is a simple process. Anybody can do it.
This is written for companies, mom-and-pop shops, all the way to corporations. Once you do that, you have a quantified measure of risk. Once you have a quantified measure of risk, you can reduce it and see if it is reducing. You can do a security awareness training if you want to do that and say, “Did that risk go on? Do another test.” You can do what we are doing right now, which is shooting in the dark.
I don’t know if I believe there is anything that is quantifiable anymore, but I am hopeful. The name of the book is The Weakest Link: How to Diagnose, Detect, and Defend Users From Phishing. It was written by Arun Vishwanath and was published by MIT Press. You can feel me sweeping you towards the door because you have things to do and so do everybody else. Let me ask you a question about general technology because, by definition of what you do, you have to be looking wide. Is there anything out there that has caught your eye that is maybe not quite ready for prime time, but you are thinking, “These were close, and it would be worth looking at?”
There are two trends that I’m focused on. I have written about both of them to some extent. One is more well-known than the others. In the long term, from a technological point of view, the biggest concern is quantum. Quantum computing is going to change the entire crypto landscape that we are in that is based on Turing systems, which means every encryption methodology mechanism that we have becomes obsolete.
You could crack soft code or any encryption in seconds which would take days or years. I hope that we are the first to come up with quantum protections, which is a bigger deal because where quantum is likely going to be used first is in warfighting. Imagine all these satellites going offline. Satellites are easy to hack, which is why we have the whole space force. It is a great idea because we need it. We rely on GPS for everything from electric cars all the way to GPS for tracking human movement, for running, your software, your Nike+ running apps, and your phones. Everything is doing it.
Quantum is a big thing. There are adversaries out there who are spending a lot of money on it because everybody recognizes it. It is not a secret anymore. Everybody knows that it is the frontier and going to be the game changer. It is going to change computing, our so-called Turing systems, Turing computing programs, and systems are going to be obsolete. I see that happening sooner than later, maybe in a few years. It is on the near horizon.
I wrote an article for The Washington Post. The idea was that technology would bring us all closer, and the internet is the ultimate decentralized global technology that exists. Even satellite TV, which was the technology that brought the world closer, wasn’t as open as the internet is or made. We have Amazon everywhere outside of the companies, but the internet is everywhere.
I wrote about this in The Washington Post, where the more we see factions breaking out, the likelihood is that you are going to see the internet break up into different components because everybody is going to recognize, “It is easy to hack somebody using is a bad guy from this country.” The fear is that the internet has started breaking down into standards and protocols that are unique to different nations. I’m talking about packet transmission protocols and creating different digital equivalencies or parallel networks with software and operating systems that are unique.
That hasn’t happened, but it is starting to happen. You are starting to see this so-called intranet, but at a global and national scale, popping up in different parts of the world and emerging as ideas because everybody is going to recognize the value of doing that. It keeps you protected from the bad guys or an adversary nation. That is another concern. I have written about both of them. These are both things that are big ideas. You can see them slowly starting to emerge, and the world goes further apart than closer together, and it is happening. Those are the technical issues that I’m focused on.
I’m going to have to read as much of your stuff as I read coming into this. I didn’t read enough of that. Given what we have seen to date, stamp it. It is the 14th of November, 2022. We have seen some interesting things happening with Twitter. Suddenly, Mastodon is on the scene, and no free ads, but one of their pitches is decentralized servers. You are not just joining the community, you are joining this sliver of that, and it feels a little similar to that, but we could go another 4 1/2 hours if we could dig into that.
What I need to do is cue you up for the big close and invite you back for episodes 3 through 20. Let’s bump over to the leadership corner. You got a lot going on, but sometimes you may not do this. What do you do when you are not doing this? Are you reading anything? What’s on your Spotify playlist? Are you on bicycles or unicycles? What is going on?
I like to read, and I write a lot. I’m in the news quite a bit, but I never watch or read the news.
It is the worst thing ever.
The strange thing, Matt, is even though I don’t necessarily sit and read the news unless I’m doing work because that is work for me. If I’m writing about something, I’m focused on it, and I’m looking at stuff. I have noticed the news follows you. It never leaves you. I know everything that is usually going on. Somehow, peripherally looking at a website every so often, I don’t sit on it.
When I say I don’t read the news, I don’t go deep dive into it, read the news, and all that stuff. Nobody does it anymore. That is the other thing. The point is, somehow, I know what is happening. I know everything that happened for whatever reason. You know it because it is everywhere. It is omnipresent. Pick up your phone, watch, iPad, and laptop. It is there.
I spend a lot of my time reading history, bizarrely enough. I love reading history and I don’t know if a lot of people do this. I do a lot of original reading. What I mean by that is I go to source materials. I love reading first-person source materials from the original writers who went and saw something for the first time in the 1800s.
People are quoted in books about the events that happen.
I like to go and read some of those original works. I’m in the middle of reading something about this person who traveled through Egypt back with Napoleon’s army. He is a physician who is looking at Egypt through the eyes of a European and trying to understand what is going on and explain to you what is going on. It is fascinating.
The original was written in French and translated into English by British Colonial Army guys. It is a beautiful way to look at the world, interpret it for yourself, and understand what is happening all over the world. Instead of taking someone else’s rewrite of history, I like the source material reading. I spent a lot of my time doing that.
The good part of this is that all these books are available for free in Project Gutenberg. Go online, find a part of the world, find out who the travelers are, who are these people who travel to the different parts of the world, and read it. You would be surprised at how the world looked. There are many lessons there. I spent a lot of my time when I was writing my book because I was reading about these Colonial British Soldiers who were traveling through different parts of the world and they were writing.
I would go back to their source material, and I found out why there was another guy’s source material they were using. I would find that and be like, “This is fascinating to see what they were looking at.” They are no different from all of us. The world they are looking at is different. The value systems are different. This is why I said the values change over time. Technology is the source of expression.
I spent a lot of my time doing that. It is a lot of fun because I believe that you need to read history, not based on what someone else has written, because that is their view of history. You have to read it and make up your mind for yourself. It is the lonely walk of an intellectual. You have to dive deep into these things for yourself and say, “Where does this path lead? Why do we say what we say? Why are we where we are? Who are we as a people? Why did we all become who we are?”
It gives you a richness of understanding and appreciation for everybody because, at the end of the day, the cool thing is, like you, I’ve traveled extensively. We are all similarly programmed. It is a fascinating, similar world, and it is cool to see it from the eyes of the people who first saw it. I spent a lot of my time reading history, believe it or not.
I’m quietly humbled, which are two adjectives that are never ever attached to me. You may have renamed the episode, The Quiet Journey of the Intellectual.
A lot of us need to do that. I’m sure you do a lot of this. I do a lot of this where we don’t spend enough time. Most of us try to escape our thoughts, and you want to spend a lot of your time reading, thinking, and writing. We don’t value writing much. I spend a lot of my time writing. I believe whatever presidential election we have next, there should not be a tweeting confidence but a writing confidence where you have to, as the Commander-in-Chief, write a 1,200-word essay. You have to be able to do it. You get 1 hour to do a 1,200-word essay and you have no help.
Don’t even get me started about the death of writing in cursive or writing with a pen.
I wrote an article about writing in cursive. I wrote an article about how typing changes how you think. We know that, but I also wrote about how different software programs change the way you write. I look at how you write, how I write, and how my advisors back in the day used to write. They could write a first draft, which was immaculate.
If you look at my first draft, it is gibberish. These guys had to think clearly. When you are typing physically, and a lot of these old books were typed, you had only maybe one more run before your fingers died. They thought clearly before they wrote. Every sentence was well thought. Every thought was structured well. What we do is write stuff and mold it later.
Get it out as fast as you can to get it down before you forget it because you already have another thought coming on.
That is a different way of writing, but it is a different way of thinking, too. Your thinking is not as clear, as defined, or as articulate as it should be because you have not needed to think that hard. The reading and writing part is something in the last decade I have been spending a lot of my time doing. This is what I naturally do. There are some people that love writing. I hate it, but it is something I force myself to do because it is that lonely walk. It is when those ideas flesh out and form. You can hear it say, “Is this making sense?”
I’m calling it because this is way too big a topic to try to drop into for the last three minutes before we get out of here. This is the next 51-minute-long episode we do on thought process and how it leans into everything that is involved in what we do. You did not give me a Spotify playlist. You said that you like to read.
I do have a Spotify playlist. I will give it to you in my next one.
One band right now. What is the last song you listen to?
I was going to give you my Spotify list. I wasn’t going to tell you which band because I don’t listen a lot. Because I write, I have about 35 musical pieces, which I listen to on repeat. There is a reason I do that.
Do you cook?
I do. I smoke a lot of meat. I’m an avid meat smoker. I have friends of mine in barbecue competitions. I love smoking meat.
You do live in Upstate New York. Montreal is not that far away.
I got three smokers. That is my passion.
You are a humble guy. You don’t like to talk about what you have been up to. Shameless plugs time. I’m going to get out of the way. We have mentioned the book, but please keep mentioning it, the website, speaking, events, or anything you got going on with the social, and all of those things. You are someone who is out there crushing it so that it can help people. Where can they find you when they want to find out more about you?
Find me on LinkedIn or find me on my website, ArunVishwanath.us. I post everything online. It is all for free. Everything is out there. Most blogs of mine are in there. Unless it is something that is copyrighted, it is on the websites on which I post them. They are all out there. Between LinkedIn and ArunVishwanath.us, you can find everything about me. You can find my contact information, what I do, what I have written, and how I think about things. Reach out to me. If there is anything, feel free to call me.
You got one thing left to say to the entirety of the galaxy right now. What do you say?
Buy my book. The book is available out there. We can solve the problem of social engineering. If you are serious about it, you have to take a look at the book.
What he affectionately refers to as the book, The Weakest Link: How to Diagnose, Detect, and Defend Users from Phishing. That is from MIT Press. It is available from all the booksellers you know, and probably some that you don’t because we all got used to buying them from 1 or 2 of the same things. We have stolen so much of your time, and I cannot wait to steal more. Arun, thank you so much.
Thank you so much, Matt. That was awesome. It has been an honor.
We didn’t even start to get weird. That is it for now. Thank you for joining us. For more information and all that is good in the world of cyber security, specifically when it comes to people witting and unwitting the threats, whether they don’t know they are doing it or not, this is why we bring people like Arun because we can help figure it out.
Find us on LinkedIn, Facebook, and also at the mothership on ElevateSecurity.com. You could find me @PackMatt73 across all the socials. As far as the show, anywhere you go, that is where we are. All we ask is you subscribe, rate, and review, and please give us five stars. To steal from my man, Bomani Jones, “If you give us four, I am inclined to think you are a hater,” but we know with guys like Arun, why would you ever give us 4 instead of 5? Tune in next time. We will have all of the coolest things. Until then, we will see you then.
Important Links
- ElevateSecurity.com
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- Arun Vishwanath
- LinkedIn – Arun Vishwanath
- Avant Research Group
- The Weakest Link: How to Diagnose, Detect and Defend Users from Phishing
- Black Hat
- Time to Change Our Flawed Approach to Security Awareness
- Mastodon
- Project Gutenberg
- @PackMatt73 – Matt Stephenson
About Arun Vishwanath
Arun Vishwanath studies the “people problem” of cybersecurity. His research focuses on improving individual, organizational, and national resilience to cyber attacks by focusing on the weakest links in cyber security—Internet users.
His particular interest is in understanding why people fall prey to social engineering attacks that come in through email and social media, and on ways we can harness this understanding to secure cyberspace. He also examines how various groups—criminal syndicates, terrorist networks, hacktivists—utilize cyberspace to commit crimes, spread misinformation, recruit operatives, and radicalize others.
Dr. Vishwanath is an alumnus of the Berkman Klein Center at Harvard University. He was a tenured associate professor at the University at Buffalo and was faculty at Indiana University, Bloomington. He serves as the CTO of Avant Research Group (ARG)—a Buffalo, New York-based cyber security research and advisory firm, where he consults for major corporations and government agencies on issues ranging from cybersecurity to consumer protection. He also serves as a distinguished expert for the NSA’s Science of Security & Privacy directorate.