Tech'ed Up

Cyber Safety • Debbie Taylor Moore (IBM)

bWitched Media

Cybersecurity veteran and VP of Global Security at IBM Consulting, Debbie Taylor Moore, joins Niki in the studio for an eye-opening discussion on the future of cybersecurity threats, the need for cyber literacy, and practical advice on how to protect yourself, your data, and your home online in the event of a critical breach or outage.

"On the flip side, the bad guys or threat actors can use it [AI] for propagating disinformation, for propagating bots, malware, denial of service attacks, at much greater scale and speed, and with much greater efficiency." -Debbie Taylor Moore

Intro:

[music plays]

Niki: I’m Niki Christoff and welcome to Tech’ed Up.

On today’s episode, Debbie Taylor Moore sits down with me to talk all things cyber.  She’s delightful, great at explaining complex ideas simply, and even though we’re talking about some serious (okay…catastrophic, unthinkable) stuff - she’s anything but a “Debbie Downer.”   By the way, those are her words - not mine! 

If you walk away from this episode knowing just one more thing you can do to keep yourself and your data safe online, we’ll both consider it mission accomplished. Personally, this episode got me to finally back up my goddamn drives! 

Transcript: 

Niki: Today, I am delighted to welcome to the studio Debbie Taylor Moore. Thank you for coming in. 

Debbie: Thanks for having me, Niki. It's great to be here. 

Niki: We crossed paths at CES in January, so the Consumer Electronics Show, I went to see this panel on, essentially, cyberattacks and how it impacts consumers. You were saying some really interesting but important things in a slightly scary but accessible way about how we should be thinking about the unthinkable, which is cyberattacks. And I know I say unthinkable, but it's almost inevitable. 

So, let's just start with the state of play. How are consumers thinking about their security online?

Debbie: Well, you know, it's interesting that you say that it's scary and because it is sort of scary because we've become somewhat inured to the threat that is cybersecurity for us personally. During the pandemic, our increased usage of devices, both in our homes and personally, and business all sort of fused together. What has happened is that as people become more comfortable, they have also increased the number of devices that they're using. Whether that's a, your watch, your fitness and IoT-type devices, your laptop, your iPad. 

Niki: [interrupts] Your smart home device. 

Debbie: Exactly! Exactly. And so we're using all these devices, which are increasing our attack surface dramatically, but we're also not necessarily using best practices all the time. And I, y’know, when you think about the statistics, one in every two Americans have been, have had their data exposed in some way or another by a company or organization that they do business with or that they share information with. And 88% of them continue to still work with those entities. [chuckles]

Sometimes people are looking for, y’know, some policies or accountability or, or there to be regulatory events that help to protect them better. But I think there's a lot that the consumer can do to protect themselves and things that we can do every day just to be more safe and secure as it relates to our personal data.

Niki: What do you think the top things are? 

Debbie: Y’know, I think that a couple of things. I think social media, let's start there.

So, in social media forums, a lot of times you're asked to give, like, basic information. Like, well, you know, these little contests that want to know, y’know, “Where are all the places you've visited in the country?” or “What's your favorite, you name it,” or challenges or, y’know, providing birthday and information that's personally identifiable.

People do that regularly on social media, and a lot of that information can be harvested and used in ways we couldn't imagine. I believe that with regard to our own mobile phone usage. Y’know, obvious, the obvious thing is no sharing of passwords. [Niki: Mm-hmm] Right? 

But periodically, you'll get prompted to update your phone or to update it overnight, and a lot of times, we blow that off because we don't really think that it's important, or it may be disruptive, or we're afraid to we might lose data. But the reality is that many times there are updates and fixes that address existing and known security threats and that it's really important to do that upgrade when you're prompted.

Niki: [interrupts excitedly] Wait! So, I wanna just - quickly on those upgrades.

So, I'm a digital minimalist. I have shockingly few apps on my phone and I don't have my microphone on. I go in and I turn it off on most apps. But then, when I do the upgrade it fee- it seems like they reset it. And one of the things you've talked about that I thought was so compelling at CES was passive surveillance.

Debbie: Oh, absolutely. So, when you have all of these apps on your phone, and over time we collect quite a few of them, you really have to look at your settings. Does every app need access to your camera and your photos? Does every app need location services turned on? That's a big one. Does every app need to follow you everywhere you go and know exactly where you are at all times? [chuckles] Probably not! 

And so it's really important to go back and, sort of, check what those settings are, but also it's important to just delete the apps you don't use. [Niki: Mm-hmm] I mean, if you haven't touched an app in 18 months to two years and you've just never revisited it, just delete that off your phone. I look at, y’know, certain apps that we are concerned about. Obviously, apps like TikTok is one of them. 

Niki: Oh, this, this podcast is, we're TikTok truthers and 

Debbie: [laughing] I love that!  

Niki:  And, and by we, I mean, I just mean me [Debbie: chuckles], and I'm just like ranting and raving, and I, we've done a bunch of TikTok stuff. 

I'm against it! [chuckling] Ban it! 

Debbie: Well, y’know, there’s so many alternatives. I mean, every platform has its own short video capture portion of the app that you can use in the same manner. But that one, in particular, is a concern cuz I think that, y’know, what people don't realize is that we are engaged in a, a major data harvesting campaign with a lot of nation-states that aren't friendly to us [Niki: Mm-hmm] who look at data and, and information as the next frontier for, for information wars. 

And so, I think that one of the things that we are most concerned about is this idea of harvesting all of our data now and decrypting it later. Some of it is harvested by these nation-states and is kept until there is a sufficiently capable quantum computer that would allow them to decrypt this data and use it for all sorts of purposes.

And so, this data collection, we're pretty vulnerable to it. You can't control the cameras that take your picture out on the street and that sort of a thing, but you can control who's taking images right off of your phone and taking that data right off of your phone.

So, I think that there are many new concerns there. There's a technique called Smishing, you probably have seen this, where you get a text message and it's from some unknown number that's telling you that your UPS package [Niki: Mm-hmm] hasn't been delivered and a lot of people fall vulnerable to that.

They fall prey to it; click on the link. And that is just, y’know, a complete release of malware onto your phone in many instances, and also harvesting of data on your phone. And so, when you see those, you should delete 'em and report 'em as junk. 

Niki: I think this is really important and I personally, so again, I'm one of these, I'm like Will Smith from Enemy of the State with like chicken wire [chuckling] around my house.

And so, I'm a, a digital minimalist. I take apps off my phone and yet I use some apps that I start to think like, okay, I need to do the upgrade for the patching. That's absolutely essential. [Debbie: Sure] You know, iOS just needed this quite recently. You gotta upgrade your phone.

I would put anyone who's from, who's where the company's run by an adversarial nation-state. They got fingers crossed behind their back when they're telling you what they're doing and not doing. They're collecting everything. Is that right?

Debbie: That, that's absolutely right. Absolutely. Y’know, you, you have to. It's not even a trust but verify. It's a don't trust. 

Niki: Ok! Yeah. Don't trust! And yet people seem, sort of, you keep saying inured, and I think that's right, but almost like it's an apathy cuz it feels like so much. We have so many IoT devices. I can see, I mean, they don't listen to this podcast probably, but my neighbors just got a TheraGun. I guess it has Bluetooth. [chuckling] I can see it at my house!  You can see their FrameTV, right? And it's sort of, like, well, if I can see that, anybody can see that and maybe hack into it. 

And we don't want people to be paranoid, but I think there's also it's just become almost, we're weary of thinking about, or maybe we think we can't do anything. What do you think?

Debbie: I think that you just named the number one challenge in cybersecurity. A lot of people say that it's, “Oh, you know, it's ransomware, or it's keeping up with, y’know, the nation-states and their proxies.” I think the number one- If you had to look across the board, whether it's consumers or whether it's large corporations, it's apathy.

It's that, “It can't be that bad. It's not going to get us. We really don't have to be concerned. Nothing so terrible has happened yet.” And I think that the convergence of all these technologies is starting to make everyone look at this slightly differently. And I think there is a sense of urgency around trying to protect yourself, trying to protect the entities you work for, the third parties you work with.

We're so interconnected today that really and truly the greatest risk is our openness and our interconnectedness in that the folks that we work with, we are as strong as our weakest link in most instances. 

Niki: And our weakest link could be clicking what you think is UPS because it looks like UPS. And then, there you go!

Debbie: Absolutely! Absolutely. It's a trusted brand, right?

Niki: Let's talk a little bit more about what you mean by convergence of technologies.

Debbie: So, by convergence of technologies, particularly cybersecurity, I think of how AI has such promise for us. Y’know, originally, when we thought of really leveraging AI, it was to help in establishing patterns of, y’know, anomalies or, y’know, predictive modeling or finding the sort of needle in the haystack of all the alerts of all the various systems that we used in order to detect problems or situations or incidents, events. And that was very powerful use of AI.

But there's also, on the flip side, the bad guys or threat actors can use it for propagating disinformation, for propagating bots, malware, denial of service attacks, ways to do it at much greater scale and speed, and with much greater efficiency. And so, it's weaponized against us, and I feel that we look at any of the emerging technologies and there is this sort of use for good and then the use for bad. And the bad guys are way more motivated. [Niki: Mm-hmm] and, and much greater number [chuckling] than the folks out there trying to defend and protect. And so, y’know, when it's exciting when these new tech technologies, y’know, come to emerge into the space. But we also have to always be very mindful.

Niki: Congressman Hurd was on the panel at CES with you. He was on the podcast, I think in our very, one of our very first episodes talking about the cyber arms race, and he was saying, y’know exactly what you just said, “Our adversaries are incredibly motivated to use this technology.” And they are! 

And I think that's, we, sort of, as an average citizen, you're kind of thinking like, “Oh, the government's got this. Like if something goes really, really wrong, somebody's on it.”

And I don't feel [chuckling] like the government's got it. 

But can you talk a little bit about that? What does the government need to be doing to protect us, but then what do, what do we need to be doing just as, as average citizens? 

Debbie: I think as average citizens, it would, what would be really helpful for us is that, when you look at nations that are faced with critical infrastructure threats like threats to their electricity, threats to water, threats to the economic systems. And, and I look at some in particular, some nations have really gone way beyond to make sure that their citizenry is literate on these things.

Literate in that they understand it, not just fear it, but also in, “What if the worst case scenario happens? What are we doing next? What kind of plan do we have in place?”

I would love to see us do more of that type of instruction and I think that, y’know, some agencies or, or some agencies are involved in some of that, but I think that more than it being sort of passive information that people go to the website to find out about, there should be more of a push.

Niki: Mm-hmm. Like, public service announcements?

Debbie: Absolutely. Public service announcements. And I also think that it has to start early, the minute we put little tablets in the hands of little children, when- I see this all the time when I'm traveling on the plane, and they're able to learn and absorb so much more at an early age that things like cybersecurity and, sort of, threat management, if you will, should be things that are taught from K through 12. 

Niki: Because if it's just a habit, I mean, and it's not like I'm not thinking about this stuff. I'm sort of between, I'm sort of between the person who is apathetic about it, maybe kind of thinks about it, and the preppers where I think about it and I'm alarmed, but then I don't do anything. 

Debbie: [laughing] That's most of us!

[both laugh]

Niki: That's most of us. Right? And cuz what I need to do is, y’know, back everything up and do it regularly and keep- we had another guest, Steve Bernard, talking about he was in charge of security at Sony Pictures when they got hacked by North Korea.

Debbie: Oh, wow!  

Niki: Which was unbelievable. [Debbie: Yeah] We did an episode on it and he said things like, “You don't need to keep every single document you've had for the last ten years on your laptop. You can keep it separately.” 

So, I know that these things need to happen, but I don't do it. And I think you're right, there's like a communications deficit where we kind of know, but we're so busy with other things and we're also stressed by other things that we don't take that time.

Debbie: I think so, too. I think it's definitely a question of when and how prepared will we be when that happens. I mean, we've all lived through the pandemic where, y’know, a run on toilet paper seems harmless to people running in the street who are concerned that they can't get money out of the ATM or [Niki: Yep] they can't get clean water, y’know? Or, or no way to communicate.

Niki: [crosstalk] No way to communicate. Our cars won't work. [Debbie: Yeah] New cars won't work. 

Debbie: Absolutely. And so, having a step-by-step sort of understanding of what we do, as you know, contingency planning and disaster recovery planning for the average citizen is really important, I think. 

I know many people who have that within their families. They are, y’know, in disparate places and they have a game plan for how we all get to one place. I mean, there is a, a reason why these apocalyptic shows [chuckling] do so well on TV. [Niki: Mm-hmm. Right!] I think each of us can sort of imagine what we might need to do in a crisis.

Niki: I know! I've got four Clif Bars, and I mean, I'd last a matter of hours [laughs].

Debbie: [laughs] I know, I know. 

Niki:  We used to though growing up, we did have a plan as a family of where we would go. [Debbie: Yeah] Which I don't, I don't- [starts chuckling] Well, I don't know if we wanna go to the same place anymore or not! 

[both laugh] 

Niki: I'm not sure the family wants to go to the same place if there's an apocalyptic event, but we sort of, I think you're right there's, the reason that content is so interesting is on some level you realize this could happen, may happen. And it may not even be an adversary, one of what's called in the industry, which you guys really can't even talk about: “The Four Horsemen,” right? [Debbie: Mm-hmm Yeah] They, which means just for our listeners, we can't say the names of those countries. That's like a no-no. That's how scary this is. [Debbie: Yes!]  

But it may not even be an attack necessarily. It could be a natural disaster. 

Debbie: Absolutely. And those all fall in the same category, and there's nothing wrong with being particularly prepared. And so, y’know, a lot of the work that I do is within this realm of quantum-safe. 

And so, the underpinning of our society is based on us being able to trust, giving information to each other, and that information remaining private until it reaches the hands or the ears or the eyes of the recipient who's authorized to receive that. And so, we have this encryption that exists everywhere that, sort of, it's kind of like a coder-decoder ring.

Like I send you, Niki, a message and only you can open it. [Niki: Mm-hmm]. And so, that is at its very basic, simplest form, sort of what cryptography is. It's sort of the science of coding and decoding. [Niki: Okay] Being able to lock data as it transverses across the internet or the virtual private network or your home network.

And that is what's seemingly under threat in a very near future. And so, what's happening today is that there's a very, there's very much a sort of a race to get to a sufficiently capable quantum computer to be able to do all kinds of wonderful things for technology and for our advancement, whether that's health, science, telecommunications, things that are going to improve society greatly on this new quantum computing platform, but also it's a very powerful platform that is very capable of threatening our current encryption schema. And so, in that vein, it becomes an attack vector. 

Niki: I'm gonna interrupt you quickly. [Debbie: Sure] I don't know that people know what a lot of that means. So, tell me if I'm recapping this right. [Debbie: Sure, absolutely]  We are right now encrypting all of our stuff under, like, a certain rubric or, or historic method. [Debbie: Mm-hmm] And with quantum computing, which is like supercharged hardware computing, by the way, if this is like really dumbed down, correct me, please? 

Debbie: No, no, you're good. You're doing fine. [chuckles]

Niki: Okay. And then the idea is we need to protect that encryption methodology and schema because that is where we're most vulnerable. Is that what you're kind of saying? 

Debbie: Yeah. We use a framework for encrypting data that has been around for a long time and each time it gets challenged or breached by a threat we sort of upgrade to the next level of encryption. So, we replace the old, so we deprecate the old [Niki: mm-hmm] and we migrate to new encryption. [Niki: Okay]

And so, what is happening with quantum computing is that it's so spectacular in its ability to manage computational tasks that it threatens to undermine the encryption that we have today, almost in a continuous fashion. [Niki: Mm-hmm] 

And so, we, what we have to do is when we build applications or we develop any sort of new technologies, we have to make sure that our encryption is sort of separate from the asset, the system so that it can be replaced if a sufficiently capable quantum computer comes along, that just keeps breaking our encryption. [Niki: Got it. Okay]

And so, we have to be ready. [Niki: Yep]  And so we have to be crypto agile, and that's just basically being agile around encryption, being able to replace or change our encryption in order to keep the attack at bay. 

Niki: Okay. And so, this is what, what you do and have done in your whole career, what people in the government have been doing, what CISOs and security, Chief of Security at companies are doing is sort of thinking through this.

Debbie: Think thinking through just basic data protection. [Niki: Mm-hmm] and trying to protect sensitive data. And so, as we advance with quantum computing all around the world, folks are spending tons of money and investing quite a bit for all of the good that quantum can bring and the milestones are not known for all of our enemies, like how far along they are in their advancement versus where we might be.

And because of that, it's sort of a date unknown or date uncertain [Niki: Mm-hmm] when there would be this capability. And so, the best that we can do in the interim is to plan for it in that we need to understand our entire environments and where we might be vulnerable and plan for the scope of it. But it really is a cybersecurity issue and in its simplest form, it's upgrading encryption.

Niki: Upgrading our encryption. Okay. So, I wanna talk about one more sort of chilling thing that you mentioned when you first came into the studio. That kind of is a look back. 

What you're talking about, upgrading encryption, protects us going forward. [Debbie: Yes] But you mentioned the OPM hack, which people kind of don't talk about anymore. Can you give us a breakdown of why that was something you brought up first thing this morning?

Debbie: Absolutely. So, people don't talk about this very frequently and essentially, it's one of the largest, sort of, attacks that we've had in our, the history of our government around data. And so, there's this concept of harvest now, decrypt later. [Niki: Mm-hmm] The idea that information and data is sort of the new frontier for everything, for currency, for warfare, that being able to take this data and use it to advance a company or a country's progress is sort of, there's value there. 

So, it's not only happening on a corporate level; it's happening on an individual level and a government level. 

Back in 2014, a very remarkable situation happened and it was essentially the Office of Personnel Management. The office that handles the retirement, the payroll, the lots of security data, clearance data on a lot of citizens was in fact the victim of a harvest now decrypt later exfiltration hack. And what that is and what that meant back at that time was that essentially there were 22 million people who were impacted. Their records were stolen and it was somewhat of an insider threat. 

There was an individual who had dual citizenship that worked both in the US and also in China and worked for an American integrator. [Niki: Hmmmm]. And literally, by the time this hack was discovered, every line of code of one of the major applications was duplicated in China. And all of this data went with it. 

And to describe the data, anybody who's ever completed an SF-86, which, that is a form that people, that's an application for a clearance. It contains, it can, they can be upwards of 127 pages or more, but it contains very, very intimate data as it relates to, y’know, personally identifiable data, your history, work history, your life history, your psychiatric history, tax history, all kinds of financial data as well. 

And so, in addition to that, biometric data, and so, it's really sort of a treasure trove of the individual data. They found out who the person was. They went to jail for 18 months and they had to pay a 1.1 million dollar fine. They were sent back to China. 

But in the meantime, that data that was harvested, we don't really talk about whatever happened to that data or what's its effective use, and so, that sort of attack, the harvest now, decrypt later, is of great concern for the future.

There is, theoretically, nation-states who have been collecting data for years like that was almost, that was, like, eight, nine years ago. [Niki: Mm-hmm] And so, this sort of concern exists that once this capability exists with quantum computing, that not only will that data be decrypted, and in some instances has been decrypted already, it will become useful to folks who would want to do harm to us. And so, it's another part of cybersecurity that's another bit of, another bit of weaponization potentially of data.

Niki: And I would put myself in the category of people putting their head in the sand over the OPM hack because, not to make everything about me, [both chuckle] but I was part, part of the hack.

I, my former spouse, was in the intelligence community, so every single thing about both of us, [Debbie: Yeah] was on file with the government. My fingerprints, my- everything. And when the hack happened, I thought, “Oh, well, y’know, when they come to get, I'm just done. [Debbie: laughs] I like, I've got four, four Clif Bars and they've got everything about me, like, I'm just cooked.”

But I remember just sort of thinking like, “Well, what can I do?” because that was government information. If I can't expect that to be safe. I actually didn't know until just now that it was an insider threat, which is crazy because it's [Debbie:  Yeah] there's a 120-page dossier, dossier of me sitting in a foreign country, and I try not to think about it.

Debbie: Absolutely, myself as well. Many of us who are cleared within the US Government's framework, that's just data that's gone. 

But you think of that and you magnify that by all the corporations and all the corporate espionage and all of the things that have happened over the years, and it's really important that this massive transfer of data be managed and controlled. 

Niki: Yep. So, let's end on just sort of the things you already said, just to recap them so people feel like they have, not just fear around this, like it's “The Last of Us” or whatever. I haven't seen that, but I've heard-  

Debbie: [interrupts] It's good. It's a great show. It's great.

Niki: I've heard about it. [Debbie: laughs] I'm like, I don't know. I don't need a fungus killing me. 

[Both laugh] 

Niki: Whatever! I can't even think about mushrooms killing me. But to end on sort of the up note, which is a call to action for more public service announcements so that we become more cyber literate starting with young people who are on all these devices, they're plugged in, they're IT support for their parents [chuckling] and everybody else on the plane sitting next to them. And then back up everything, be really thoughtful about what you're sharing data with. Remember that your smart home device is on all the time. [Debbie: Yes] It creates convenience, but think about not just your privacy but your privacy as related to your security. 

Debbie: Yes, absolutely. 

Niki: Right? And just take the time and I promise before this airs, I will back up my data. [Debbie: Good!]  because I have not done it. And think through a contingency plan, like you don't have to be- being a prepper to some degree, is about just having a plan of what you're gonna do when and if this happens. Is that sort of a recap of your suggestions and recommendations? 

Debbie: Yeah, absolutely.

And I think it, y’know, the space is fascinating because it's dynamic and it's changing all the time. And that's the beauty of convergence is that, y’know, just when you think you have everything figured out, there's always something new to consider, and it may feel like it's a bit overwhelming, but a lot of the things that normal consumers can do are very common sense things.

Niki: Debbie, thank you for taking the time to come on. I actually wanna end on something personal. [Debbie: Ok] So I, I am, I love how you're able to break this down in a way. You are an expert in it, but it's in a way that people can access and make actionable changes. And people should follow Debbie on LinkedIn. [Debbie: chuckles] 

But you have this beautiful personal credo that I found and I just thought maybe you could talk about that for a second. Cuz I found, I personally found it just sort of inspiring and it obviously frames your work.

Debbie: Oh, you're so sweet, Niki!  I think that, y’know, first and foremost, for all of us that are, you know, fighting on the front lines or, y’know, whatever it is that we do in our work, that your family comes first. There's work-life balance, certainly, but that's an important thing for me to be a great wife, great mother, the best that I can be, and also to leave things, anything that I touch, anybody that I work with, anything that I'm engaged in to try to leave it better than I found it.

Cybersecurity has been the, the most rewarding career, and it's one of those areas where you always feel like you're just slightly behind the bad guy. You don't always have a way to measure progress or success because the attacks get more sophisticated at greater velocity. And y’know, there's just always a bit more happening than we can all manage, but at the same time, there is incremental progress.

We need more people in the fold to work with us. We need to open up our aperture of requirements for working in this field. We need to open up our understanding, speaking in plain language so people writ large really understand what this space is about and how it's really very necessary to, y’know, it's existential to our future.

And so, I think that the key thing about the credo is that I don't separate much in my personal life from my work life. I'm as protective, you know, globally as I am of my family, and it all sort of intertwined, and it all comes together. But I think that that is, that's pretty much, that's pretty much the sum total of sort of how I look at things.

Niki: So, I really like it and I think that, hopefully, if just people listening to this podcast take a couple of steps to protect their home more and have a little bit of a contingency plan for when something goes wrong, you will have left things better than you found them [chuckles] when we started talking. 

Debbie: Thanks. I hope so. I sure hope so. 

Niki: I think you will! Thank you, Debbie, for coming on. 

Debbie: Thanks, Niki, for having me. This is great.

Outro:  

Niki: Tune in next time as we welcome Dorothy Chou to the studio.  She’s the Head of Public Affairs at DeepMind and we’ll be talking, naturally, all about AI.  DeepMind’s been in the AI space for over a decade and has a bit of a counterpoint perspective to the OpenAI and ChatGPT news we’ve all been obsessed with the past few weeks. 

Thanks, as always, for subscribing and listening. 
