
Cyber Hot Topics And Geology?! with Rob Flanders


About This Episode

This week Rob Flanders, Head of Threat and Incident Response at BAE Systems, joins the podcast to share an international perspective on cybersecurity today. We delve into cyber hot topics including supply chain security, security trends for 5-50 person organizations and impact on the large enterprises they work with, growing regulation around reporting requirements, and the impact of security on business innovation.

He shares his path to cybersecurity and the non-traditional master’s degree he pursued leading up to his cyber career. It’s a great discussion you don’t want to miss!


      [03:09] Cyber Hot Topics: Cyber Incidents and Cyber Threats

      Rachael: I'd really love to welcome Rob Flanders, the Head of Threat and Incident Response at BAE Systems. I can't wait to have this conversation, Rob. So many things for us to talk about.

      Rob: Thank you very much for having me.

      Rachael: So Rob, you're the Head of Threat and Incident Response for BAE Systems. That's a significant role that you have for quite a large company. Can you tell us a little bit about what you do, your team, day-to-day? Have you seen some really interesting incidents that you could share, or not share?

      Rob: Don't big me up too much, please. I sit, effectively, within our core enterprise strategy function. Effectively, working to the CISO, or chief information security officer. My role is effectively to look across our PLC business, so basically everything outside of our US business. Understand the types of cyber incidents and cyber threats that we're dealing with, and get a sense for how they're impacting us as a wider company.

      So obviously the specifics of each incident tend to be held within each of our business units, which is natural. They have the expertise, and the local knowledge to be able to deal with the instance in the detail, and with the expertise they need. But effectively, taking a step back, looking at the organizational whole is where I come in. I guess looking at trends and the strategic view is where I fit in.

       

      Cyber Hot Topics and Significant Trends Worth Picking Up On

      Rob: In terms of juicy incidents, I can't reveal too much. But I guess there are some really significant trends that are worth picking up on. The big one is probably the supply chain. It's no different in the US, as it is over here. But certainly from a defense perspective, we've got a very large supply chain. Even a digital supply chain in itself, without even worrying about the physical aspects, is very large. 

      We're seeing a lot more compromises of that supply chain, not necessarily with an intent to onward compromise of ourselves. But more because, small to medium size businesses are just really taking a hammering right now. I think we've seen that somewhat in the guidance.

      Eric: Any trends that you're observing?

      Rob: The uptick seems to have really been in these 5 to 50-person organizations, who maybe don't necessarily have a specific cybersecurity function. Or maybe, they have an MSP that deals with IT for them. Cyber is either explicitly rolled into that, or slightly forgotten about, depending on how much money they've spent, maybe? Not wanting to do anybody a disservice but that's where the weak link comes in.

      Organizations like that have an incident and almost have nowhere to turn. It's either not in their contract with their managed service provider, or frankly, the people they're buying their IT off don't have the capability themselves. Then all of a sudden, lots of that problem space ends up, to a certain extent, coming back to their biggest customer. Because they've told us about it and gone, "Well, we have no real way of fixing this, so you're just going to have to sit it out."

       

      How Suppliers Can Take the Right Steps

      Rob: That's I guess, why we end up with quite a lot of interaction with that element of the supply chain.

      Eric: How do you ensure your suppliers take the right steps? They're a lot smaller than BAE. How do you ensure that they are doing what they need to do, so when you're working on the F-35, the componentry, or capabilities they're providing, are up to BAE standards?

      Rob: It's a really hard problem. A really, really hard problem. We have hundreds of thousands of suppliers, so to a certain extent it's a matter of prioritization. But also there's several kind of contractual levers we can pull. So we flow down our security requirements from our customers to our suppliers. That's sometimes more productive in some areas than others. To a certain extent, it depends on the maturity of our customer, in terms of how they've written a contract for us, as to how effectively we can flow it down to them.

      Likewise, there is a threat line element to this. Which is, if there's a particular supplier we're trusting with something that's explicitly very sensitive, then at that stage, we look at an additional level of assurance. Whether or not that's getting some independent pen testing, or working with them directly on their security infrastructure. Or bringing them into some of the wider defense sharing ecosystems that exist, in order that they can manage themselves in an appropriate way.

      Like I say, it depends very specifically, but it is a massive problem. To a certain extent, there's a discussion to be had about how we, within defense, collectively do that better. But also, I noticed, I think it's NIST who've got some new guidance coming out soon.

       

      The Last Thing We Want To Do

      Rob: Because the last thing we'd want to do, is for a small supplier to be answering to five, or six of their big customers. Answering all the same questions with a slightly different spin, wasting their time when they need to be responding to an incident.

      Eric: I've actually been on the other side, with the large systems integrator flowing down their requirements to us. They can be quite onerous.

      Rob: Breathing down your neck?

      Eric: I don't know if it's breathing down the neck. It doesn't come from you or from the mission side, it comes more from contracts. Some of the terms you'd see flow down have absolutely zero applicability to our business. In our business, the government business is 100% US citizen air gap net.

      We've got all kinds of capabilities. We are very well protected from a supply chain perspective and everything else, but some of the onerous requirements around reporting. I can only imagine what the feelings are like, in a small business that doesn't do a lot of government, or DOD work, that wants to work with you. This is important, we have to do this.

      Rob: Yes, absolutely. It pushes away innovation in the market. You have somebody or an organization maybe, that has a particular product or capability that could be really beneficial to whether it's MOD, or DOD. But that needs to come through a defense prime of some description. All of a sudden, you're not just dealing with the customer, or the end customer requirements. You're dealing with somebody in the middle who has been forced to reflow those requirements in a specific way.

       

      Cyber Hot Topics in Global Economy

      Rob: Yes, absolutely, it's onerous. There have been a number of initiatives in the UK defense space, such as the Defense Cyber Purchasing Partnership, DCPP. I think I've got that acronym right. They’ve attempted to try and effectively assure suppliers once, and then provide that assurance out to different buyers, so that you can start to play in the bigger pond, as it were. But even so, the suppliers themselves are saying, "Well, there's a fee to sign up for this service. I can't afford that."

      It's not a particularly big one, but you're right. It becomes additional barriers to entry. The trade off with that is that you miss out on capability, fundamentally.

      Eric: You know, we're in a global economy. You have to keep foreign nationals off the network, or they can't have access to certain content, or information. But that's not the way the world works anymore. The concept of a foreign national in 1940 was a lot different. Today, it's a global workforce. We have incredible minds from all over the globe that want to partake and contribute to this world we work in. It's a tough one.

      Rob: I think it's an interesting point. To a certain extent that's, I think, where we need to start looking towards places like standards bodies, or places like NIST. It’s where they can have a non-prejudiced conversation about what good security looks like without necessarily having the burden of enforcing sovereignty in the conversation necessarily, as the front and center consideration. I think there's a lot to be said for how governments, or I guess, national security, national cyber sponsors around the West, and the rest of the world writ large.

       

      [12:19] Cyber Hot Topics on the Way Law Works

      Rob: How they engage with those bodies, and how they can drive that conversation productively, so that it's not a government setting the rules and setting the agenda. Because, in the nicest possible way, the agenda set by the US government is going to be fundamentally different from that set by either China or even some close allies. Just the nuances of the way law works, the way privacy is contained, GDPR just as an example between Europe and the US.

      Effectively providing an independent body, and giving that independent body a power to be able to support tech standards more widely, might give us an opportunity there potentially. But it becomes a harder conversation to have.

      Eric: So how do you deal with the changing regulations that you have to deal with at BAE Systems? From a threat and incident response perspective, just adhering to the different regulatory requirements, how do you think about that problem in your day-to-day work?

      Rob: The honest answer is that regulations come first and last. Regulations come first in the sense that, that's what we're given in our contract. Therefore, that is the bare minimum security wrapper that we need in order to work in. But then as soon as you take those regulations outside of the context of their individual project, or individual system, and look at us as a wider organization, all of a sudden, regulation almost becomes the lowest common denominator. In the vast majority of cases, it might be expressed slightly differently, or the nuances of the language might be different.

       

      Meeting Our Risk Appetite

      Rob: Fundamentally, the outcomes that we are striving for as a business, in terms of meeting our risk appetite, and understanding our threat landscape, those priorities are fundamentally the same as our customers. Whilst they might give us regulation that says, do a specific thing, or deliver specific response times, or whatever it is. 99% of the time, we're striving for that or better already.

      It becomes a case of, "Okay, so this is our regulatory environment. There's maybe five, six, even 10 different regulatory standards we have to align to and meet." And there's an argument that says, "So if we dot the I's and cross the T's on all of these, we'll be spending years just trying to get around all of our business." The answer is actually, "How do we use that as the contractual baseline, but then take a look at where we are, and where we want to be, going forward, and then apply that across the top."

      Because the answer is, like I say, the vast majority of cases, compliance is there. It's about a threat-led approach, rather than a regulatory, or contractual one. At least for us anyway. I know certainly if you look at the banking sector, they are very much moving towards a similar view as well. Whilst they have a much greater, I guess, financial focus. Obviously we have a financial focus as well, as a private company, but that is their entire bread and butter. Whereas ours is supporting national security as a primary motivator. 

      They are also taking the steps beyond regulation to ensure their business is protected. I think certainly, as soon as you get into the large enterprise space, that's where everybody should be focusing their attention.

       

      Catch Up Feverishly on Cyber Hot Topics

      Rob: Yes, regulation is important. Demonstrating your compliance is important. But if all you do is that, then you'll permanently be behind the curve, I think.

      Rachael: That's the problem, isn't it? We're always trying to catch up feverishly.

      Eric: Well, I think there is a balance there. It sounds like Rob, and BAE Systems have successfully figured that out. I know we struggle with it, Rachael. And I think, like most things in life, you have to do the compliance, the regulatory component. But you're also a going concern. If you were just doing what the government told you, there would be no innovation.

      Commercial world exists and it moves so much faster than the government. So, that balance has to be there. Fortunately, we're getting better at cybersecurity, and a lot of companies out in the world today are taking it seriously. In my opinion, meeting a lot of the regulatory requirements is table stakes. You're just doing it. Then you have that small equipment provider on the F-35 program that has nobody in IT. You got to help them because they make something critical, but they don't have the capability. Rob, how did you get into this business? Where did you come from?

      Rob: I joined BAE Systems as a cyber person after university. I did a geology degree, of all things. But before that, I always had an interest in, I guess, IT and computers. To a certain extent, an interest in cyber security was born out of problem-solving. I'm showing my age now. I didn't have broadband until I was about 15, or 16, growing up. But obviously the school I went to had a very decent internet connection.

       

      A Puzzle Solving Thing

      Rob: It was a case of, do I go home and sit there for four hours while I wait for this thing to download? Or do I find a way around the school's IT infrastructure restrictions, and just download it at school where it'll take 10 minutes, and then shove it on a USB stick? You don't get away with that anymore kids, unfortunately. But that, and several other things. You know, as soon as somebody's interest is piqued, it becomes a puzzle-solving thing.

      Whilst I always thought I was going to end up being a professional scientist coming out of university. It’s a skillset that I hadn't necessarily nurtured in the most productive way, or the most professional way. It was certainly something I could talk about in interviews and stuff.

      I was fortunate that BAE said yes. So yes, that's where I come into the picture.

      Eric: My youngest, Michael, has found a way to get around the web gateway at his school, so he can play video games and things. He even created his own website that people can go to that isn't blocked. It allows them to play games and things, almost like a proxy, to get around the web security at school. So, there's still hope for our nation's youth. They're still doing what you were doing many years ago.

      Rob: Indeed. Maybe I shouldn't be mean about the kids of today. I definitely shouldn't. We were talking just before the show about how natural it is now with people in technology. Like I say, I grew up on broadband. So the concept of fast internet wasn't really a thing, until I was in secondary school.

       

      How Everything Has Moved

      Rob: But obviously with the speed at which everything has moved, as you say, the next generation, or I guess the generation after now. Those people are going to have an innate skill set with this technical capability. It's unconscious to them how to use these technologies. It is not something they have to learn, or discover, they just know, because that's what they use.

      Eric: Yes, they grew up on it.

      Rachael: That's what makes me hopeful for the future of cyber. That's how I think we're going to get ahead of this thing at some point, just the innate abilities, and understanding of how things work. To your point, Rob, problem-solving. Hacking your video-enabled toy, because you want to know how it works. Then you start saying, "Oh, wait a minute. This is not safe, in terms of what it's capturing and who can access it." So that gives me hope for the path ahead.

      Eric: I think we've been playing cops and robbers for a long time because those two-year-olds are learning how to use iPhones, or IT. They can be good or bad, just like any technology out there. I've said it before, just like fire, water, and units. It can be used for good and bad.

      Rachael: I don't know, I like to believe in the good of people. I think good will triumph.

      Eric: Rob, what do you think? You're on the incident response side and you see a lot of bad. Which way is it heading?

      Rob: I'm really hopeful. You can play the argument, I think. Just looking back a couple of weeks ago at the LAPSUS arrests that happened in the UK.

       

      [22:08] Professionally-Driven Perspectives

      Rob: Ostensibly, teenagers and young adults who clearly had some non-trivial cyber skills, or at least were associated with a group who had some non-trivial cyber skills. We haven't seen specifically, I think, what they're accused of yet, in terms of the technical detail.

      But those people clearly picked up that capability from somewhere. They didn't necessarily pick it up from a teacher, or a classroom, or a professionally driven perspective. They’re curious and they could understand the environment they were working in. In that particular case, it doesn't appear to have been necessarily productive for society channeled energy if that's the right way of putting that.

      But at the same time, for every one of the people that doesn't necessarily do it ethically, there's almost certainly 2, 3, 4 people that are looking at it from a lawful perspective. Even if those people don't end up taking up a specific career as a cyber person, whether that's a pen tester, or an incident responder, or whatever. Getting those people who have that awareness out into industry more widely, who have at least, I guess more than a passing understanding of cybersecurity.

      Things like, if we go back three or four years, there were some comments made by some members of the UK Parliament about how they shared their passwords with members of staff. I looked at that and thought, somebody of my generation would never even have considered that as a solution, let alone entertained it as a viable business practice.

      So, the more we can bring that expertise up, the more we can bring those people forward. Not just in cyber, but across the board, so that cyber is more widely understood within, I guess, business writ large.

       

      A Rosy Take on Cyber Hot Topics

      Rob: I think the better off everybody's going to be, for sure. So yes, I've got a rosy take on it as well, Rachael.

      Eric: Public Service Announcement here. What we're saying is, sharing passwords is not an appropriate activity in pretty much any case, unless it's life or death.

      Rachael: That's extreme. I have my mom's password for Netflix.

      Rob: Netflix is after you for that though, by the sounds of it.

      Eric: They actually just publicly stated they're going to be breaking that down, Rachael. Like different addresses, different logins. It's not good practice, is what we're saying.

      Rachael: No, that's absolutely fair. And multi-factor authentication, you know how I feel about that? It's a real pain, but I got to tell you, it's saved me. I get constant updates of people trying to access my Facebook account, which I don't know why I still have one. But because I've got the MFA, they're not able to technically, I guess, get in. Which makes me feel better every time I have like, 10 emails that somebody wants an access code to get into my Facebook for some reason.

      Eric: But Rob, to your point, I saw some of the Telegram output from the LAPSUS group. Some of the people who were, reportedly, their Telegram chat. But it was crazy. It would be Three Stooges type of banter, almost. Although you're from the UK, what's the equivalent, Benny Hill maybe? Maybe to Three Stooges? It was bizarre. I'm watching these being reported.

      Rachael: Mr. Bean, maybe?

      Eric: I'm looking at some of the output, some of them might have been juvenile. Some of the banter was just off the charts in my mind. Maybe I'm just getting old.

       

      An Interesting Example

      Rob: It was an interesting example, for sure. Their OpSec was interesting in itself, shall we say? In particular, I believe WhiteDoxbin was one of the people either accused or arrested? I forget the specifics of it.

      Eric: I think so, but it's been a long week for me. I'd have to go back to the record books.

      Rob: As I understand it, they had run a doxxing service, which you would presume comes with the risk of being doxxed yourself. It's a challenging environment to operate in, I think I would say, from a security perspective. That's without law enforcement being involved with the capability they have. Yes, it's extremely difficult to operate properly and anonymously on the internet now.

      Eric: Not only that, I'm massively paraphrasing. There was chat, it'd be like, "What's up? Got to go, mom's calling me for dinner." It's like, what? Like I said, it's reported Telegram activity. I haven't verified it but it was bizarre. Some of the chat I was reading through, I was riveted for 20 minutes or so, just like, "Okay, this is the adversary." Anyway, let's switch topics.

      Rob: They are the adversary, but you can't discount the impact they had on the people they went after. The fact that they were, in broad terms, mostly socially engineered their way into a position of privilege on the networks they were attacking. Then from there, they managed to get action on. It sounds like from the description Microsoft gave their compromise, they weren't aware that they had been compromised. Until the attackers basically said, "Oh yes, I'm downloading something massive from Microsoft." At which point their threat hunting team went and put the kibosh on it, naturally.

       

      Slightly Terrifying Cyber Hot Topics

      Rob: At the same time, it comes back to the point we were talking about before. This capability has clearly come naturally to these people. They’ve never been on OSCP, they haven't been on a million SANS courses. They know their stuff. That's both a good thing, and I guess slightly terrifying, depending on your perspective.

      Eric: Going to Rachael's comment, kids have this amazing capability to learn. There's so much talent out there, on the positive side too, we see that. Let's talk about the Five Eyes Intelligence Alliance. That's a hot topic.

      Rachael: One of the things that I'm always interested in, is cooperation amongst nations. Collectively, we're going to have to find some common ground. If we're going to write about the cyber issue, particularly with some nation state actors, there's been a lot going on with Five Eyes. As someone who's in the UK, what's your perspective there on how we're going to get to global cooperation? Both within Five Eyes, but also, again, looking at the larger, like a UN of cyber cooperation type thinking.

      Rob: I'll do the Five Eyes bit first, and then do the UN bit. You've thrown me a big curveball there.

      Eric: She didn't throw in Ukraine, you should be happy.

      Rachael: I try not to go there.

      Rob: I mean, the Five Eyes bit is really positive. The latest advisory from CISA came out from CISA, NCSC, ACSC, New Zealand, and Canada as well. I forget their acronyms. That's not really traditional Five Eyes territory, certainly in the UK. I don't know what the perspective is from the US. Five Eyes to us, normally means conversations had behind closed doors about adversaries or intelligence. That is not fit for public consumption.

       

      Almost No Transparency

      Rob: There is an understanding that that goes on. Obviously, that is as positive as it can be. But there's almost no transparency there, so to a certain extent, it's a little bit forgotten about. Clearly it does a good job for what it does but it is interesting to see that being brought really to the public floor. For CISA to be saying, "Look, we are publishing this in conjunction with our allies, because it pertains to a very specific threat."

      That, I think, certainly in the UK, made an impact. Because we've had a number of advisories from NCSC, which fundamentally have very similar recommendations to CISA. That's obviously a good thing.

      Eric: NCSC being the National Cyber Security Center in the UK?

      Rob: Yes. Obviously, the alignment on the recommendations is natural. It's always going to be there. But that joint messaging on, "These are who the bad guys are, this is specifically what they're capable of. This is what their history is, in terms of their attacks." A combination of, I guess, the bulk attribution that came out in that piece, along with the, "We have all got together and come to collective common ground on language on this, and recommended it." Really speaks, I think, to the amount that they are taking this particular element of the threat landscape very seriously.

      If this continues, it can only be a good thing. I was at a talk a couple of weeks ago. The head of the New Zealand national cyber agency was talking there. She said that every time they have a conversation between the Five Eyes NCSC equivalent, they always have to start with what the job of that agency is.

       

      The Specific Roles of Different Agencies

      Rob: Because CISA has a specific role, and that doesn't normally match in bulk terms, to what NCSC remit is, in the UK. NCSC's partner organization is GCHQ, an intelligence agency. I'm not sure where CISA sits in the wider three-letter acronyms soup that you guys have, that covers defense and intelligence.

      Eric: Don't go there. I got yelled at in October by people from CISA, because I didn't consider them an intelligence agency. Anyway, let's not go there. They're part of homeland security, which is a civilian agency with intelligence components.

      Rob: The perspective is different in our allies as well. Again, based on what their laws and their interpretation has been of how they do cyber security well. It's clearly been challenging for them to come together in a structured way, to have to go through all that rigmarole every time they talk about things, in order to get that collaboration going. But it's obviously really positive. It's had a really big impact, I think, particularly this time around, to see everybody come to the table together and go, "No, it's this. This is what you should be doing about it."

      For non-cyber people, I think it really speaks well. Because if one national cyber agency says something, all the cyber people might listen. But for members of the exec, or people who aren't cyber specialists, they might turn around and go, "Oh yes, your agency has told you to do something, just in the same way as the guy that manages the roads, tells the guy that manages roads to do stuff. I ignore that too."

       

      [33:39] Cyber Hot Topics and Potential Storm Warnings

      Rob: It's at a different level when you can point to headlines and say, "No, the Americans are saying this. Our local government is saying this. All our allies around the globe are saying this as well. Oh, and by the way, it's us that's in the middle of this potential storm that they're warning us about." It's a lot easier message to land. Can I jump to your UN question because I like that.

      Eric: Yes, but before you do, I have a follow-up. CISA has rolled out this program in the States called Shields Up. It's exactly in line with what you're talking about. So the Five Eyes nations have come together and said, "There’s a critical and imminent threat out here that we need to deal with. Companies of America, this is CISA Shields Up. You need to patch. There are things you need to do."

      We've been on high alert now since February, how long can we do that? How much longer before people grow weary, they get tired, when we haven't seen significant abnormal behavior? I think, at this point, it's fair to say there's been more cyber activity going into Russia, than coming out of Russia. What are your thoughts on that? How much longer can we go? Or, how do we evolve?

      Rob: This is a really good point. Lots of cyber people in businesses were running really hot over Christmas, thanks to Log4j. That was just what happened.

      Eric: Oh, right. That was the predecessor to all this.

      Rob: That landed 8th of December, from memory. Let's be honest, most people were not completely done with the issue.

       

      Cyber Hot Topics that are Really Difficult to Deal With

      Rob: Two weeks later, when it came to the Christmas break, that meant it dragged into January. Certainly, I know we got our critical piece patched very quickly. I know lots of other people did as well. But, it was a really difficult one to deal with from a stack investigation perspective. I think there were some vendors, who I won't call out on this podcast, who didn't have patches available until mid-January. Not naming any names. Regardless, everybody ran hard over that period. We moved into the Russia and Ukraine crisis.

      Eric: That was just a year after Sunburst.

      Rob: SolarWinds.

      Eric: We've been running hot for a long time.

      Rob: Indeed. What you need to be healthy in a security team is to be running at normal pace. So when something specific to you, and critical to you is there, you can notice that small change, whatever it might be. Whether that's in your SOC, or in your wider assurance platform. So that you can jump on that and then be able to say, "I've got the time, the bandwidth, and the capability to be able to go and investigate that anomaly and prove it's not something malicious."

      You're running everybody at a billion miles an hour because they're dealing with this existential threat that is being put forward by the government. I'm not saying they're wrong, CISA, because they're not. But there is absolutely a balance to be had. Certainly our perspective, from BAE internally was, Russia has always been a threat to us. We've always looked at Russia as part of the wider threat landscape. Our understanding of that threat landscape includes all of the recommendations that CISA already provided.

       

      From a Cyber Defense Perspective

      Rob: So, we'll keep a very close eye on this. But fundamentally, what we are doing from a cyber defensive perspective will continue. We want to be ready when the time comes, not running around with our hair on fire, trying to make small tier updates, or upgrades, to specific areas. Just if or when something major did happen, we would then have to pull everybody back out of whatever they got stuck into and then refocus them. That just wouldn't be healthy.

      As the threat has escalated, or the messaging around the threat has escalated, following Joe Biden's announcement a couple of weeks ago, and then this joint advisory. At that stage, we were starting to think about, okay, now we've got some more specificity around this.

      There is a lot of value in doing that extra layer of assurance. But again, not driving people to the point that they're working all hours of the day. Unfortunately, security people like to be heroes. If I might say that in the nastiest possible way. Security people should never be heroes.

      Eric: We need heroes.

      Rob: I would argue we do need heroes, but at the same time, we shouldn't ever make it so that heroes are the only way to get out of a problem. It should have always been dealt with, whatever the cyber incident was, by effective preparation, planning, and operational execution. There shouldn't ever be a point where one guy in the SOC is working 24 hours a day for three days just to hunt down whatever the problem was. That's just not sustainable.


      A Noticeable Change in the States

      Eric: 100% agree. The difference I see on this one, CISA seemed to target America more than the DIB, or the government, with their Shields Up campaign. Small town America. "Hey, all businesses out there. You don't have to have anything to do with the government.

      You’re susceptible right now. You are potentially at risk, especially critical infrastructure. This is what you can and should do." I saw a noticeable change in the States in that regard.

      Rob: Just picking up on your last point before I move on, I think it's not really a cultural difference, but an operational difference, between the US and the UK. Obviously it varies between the rest of the Five Eyes as well. Lots of critical national infrastructure in the UK is either nationalized, or pseudo nationalized. Just because of the nature of how we operate. We technically have private water companies, but the government has a lot of sway, as their regulator, in how they manage cyber security. They've been talking as a regulatory body for a long time about those things.

      It might just be a matter of scale, or a matter of just how things are more federated in the States. I wonder whether, just because of the inherent advantage we've had of, I guess, maintaining that nationalized, or more nationalized, perspective in the UK, certainly compared to the US at least, that gives us a more effective route to start having these conversations earlier.

      Shields Up makes a lot of sense. From my understanding of how critical national infrastructure works in the States, there are small to medium-size enterprises who look after water, or utilities, or whatever it might be, in some states for very small areas.


      Cyber Hot Topics They Need to Hear

      Rob: Just naturally, it might be that CISA hasn't managed to touch base with them yet. Again that's just, I guess, a natural nuance and the difference between the approaches. But yes, it's obviously really positive to see because that messaging does need to go out.

      Certainly, even in the UK, there are small to medium size businesses who support critical national infrastructure whether they're part of the defense supply chain, or elsewhere. They do need to hear the message too. I'd like to think they should have heard it already before this, but they still need to hear it again, I guess.

      Eric: In the States, you and I could buy a small electric generating organization, or water company in some places. We could decide that security is a top priority, or profit is. That's just the way it works here. They're very different models that we have.

      Rob: Going back to your UN question, I think there's genuinely something to be said. This is somewhat of a criticism, I guess, towards the joint advisory. And this speaks to some of the things that some senior members of NCSC have said very recently. We say a lot in the context of recruitment, and improving cyber capabilities, that cyber needs to be more diverse. I think lots of people understand that as a concept, in terms of operating cyber within a business. You can't be narrow-minded about your recruitment pool, you can't be entertaining unconscious biases when you're doing interviews.

      But I think where that has somewhat been forgotten a little bit, and it's something, like I say, that NCSC have mentioned recently.


      [42:53] Deciding How the Internet Operates

      Rob: If the Anglosphere are deciding how the internet operates, fundamentally that's alienating three-quarters plus of the world's population, because they don't speak English.
      It is not about us versus China, in terms of who controls the internet. It's about those people in the middle, who maybe have had to buy 5G equipment from China. China are the only people that make it and license it, in the way that means they can buy it. Or maybe China has put their 5G infrastructure in for free, because that's part of their Belt and Road initiative.

      All of a sudden, their view of information security, privacy, and how to manage access to the internet from their nation, becomes very China skewed, rather than Western skewed. We don't win an argument about getting those people on board by saying, "Hey, look. Freedom is free, and freedom is great. So you should do our way of doing things."

      Eric: If you do it our way.

      Rob: Yes. If you do it our way, freedom is free, and that's great. But at the same time, they then look at China and say, "Yes, but there's a big bill if we buy it from you guys. Frankly, China's giving it to us for free." To a certain extent, their social and cultural norms may lend themselves more to a more heavily regulated internet environment, if I might put it in diplomatic terms, than maybe the open and, I guess, broadly deregulated environment that we're used to in the West.


      We Need to Change the Game

      Rob: It's about making sure that we can have the conversations not in a colonial way obviously. But in a way that means that, I guess, our offering to those nations, and to those organizations out in that middle ground, ensures that our offering is the best one and the one they can go for. I think we really need to change the game in terms of our approach to that. It can't be, as I say, just, "Oh yes, but we're the good guys, so you should follow us." Because frankly, that doesn't cut it.

      Eric: I think in many cases, it's the choice between having capability or not, for your people.

      Rob: That's what it comes down to, you're absolutely right.

      Eric: China's giving it to us, we'll have 5G capability. We can build our country, our economy, whatever. If we don't get it from them for free, we may not get it, and we may not be able to afford it. We have different priorities, whatever it may be. That's a tough decision.

      Rachael: I've been wanting to ask the entire time, Rob, you have a Master of Earth Sciences degree from Oxford. You still have very much a keen interest in Arctic oceanography, which I find fascinating. But we talk about diversity of thought and problem solving coming into cyber. How did you make that decision to move from what would be a really cool, I guess, career path, if you were to pursue that one, versus cyber? I mean, they're both really interesting. How did you make that shift or that decision?


      Attractive Career Options

      Rob: It was very difficult, to be honest. Clearly both are attractive career options. I guess the option of being an academic comes with its own challenges. Some of those things might not necessarily lend themselves to, for example, long-term stability. Lots of academics in the UK move between institutions on a kind of four-year basis, until they get to the point that they can get themselves established.

      Whereas taking a more conventional career path potentially gives you a bit more stability upfront. I've been with BAE since I left university, so maybe that's a trick I'm missing. Not that I'm inviting recruiters, but yes, the question for me was not necessarily one for what was most interesting. It was about life priorities.

      To take it back to your diversity point, that is also something that we need to be very acutely aware of when it comes to diversity and cyber. I think as you said earlier on, middle-aged, white men, fundamentally don't align with the rest of society, necessarily. We need to be very cognizant of that, so that we can really capitalize on the talent pool that is available to us. But it is almost at this stage, I guess, almost artificially gated from us because of the construct of what cyber is.

      Rachael: That's awesome. Having spent time in an academic world, thinking about earth sciences and geology, I have to imagine thinking through those world problems, and then putting that lens onto cyber. It helps you come at things in a very different way, as well. Those are the things that we need. I think we've heard that fine arts degrees, or philosophy degrees, or archeology degrees are coming into cyber.

      Eric: Math, music, yes, all of them.


      We Need Exciting Cyber Hot Topics

      Rachael: It's exciting, that's what we need. I think if we ever crack that incident-solving nut, it's by looking at it from a different perspective.

      Eric: We're ending on a very positive note here, on the diversity that we need to bring into the business. Take us home until next week, though. It is time.

      Rachael: Well, Rob, thank you so much. This has been a wonderful conversation. So exciting to have you on the podcast this week. To all of our great listeners, thanks again for joining us this week. As always, don't forget to hit, smash, grab that subscription button, and you get a fresh episode in your email inbox every Tuesday.

      Eric: Give us a good comment on the podcast app of your choice.


      About Our Guest

      Rob Flanders - Head of Threat and Incident Response, BAE Systems

      Rob Flanders has nine years' experience, primarily in UK Government, delivering technical cyber security solutions, risk management and assurance. He has worked across a number of areas, from delivering ISO27000 risk assessments to security assurance for large programmes. He has also delivered more technical, security-focussed capabilities across government, leading GBEST assessments on behalf of government departments and supporting the development of Threat Intelligence capability across the public sector. He also spoke at CyberUK in 2018 on the topic of Quantifying Cyber Risk.

      He is a graduate of Oxford University with a Master's in Earth Sciences and maintains an interest in physical / Arctic oceanography from his Master's project.