Episode 71

Insider Threats, Critical Infrastructure and Evolving AI, Oh My! with Grant Schneider Halloween Series Part II

In the second episode of our 3-part Halloween series, Grant Schneider, Senior Director of Cybersecurity Services at Venable and former federal CISO, discusses the frightening implications of insider threats, how we are protecting critical infrastructure, and what it was like working on cybersecurity in the White House under both President Obama and President Trump.

Key Topics

  • 00:03:59 Increased consequences led to rise of cybersecurity
  • 00:08:47 Insider threat, screening, hiring, malicious actor, Manning, Snowden
  • 00:09:53 Snowden challenges legality of government surveillance
  • 00:15:00 Adversary gains access, steals information, demands ransom
  • 00:19:19 Different levels of readiness present challenges
  • 00:23:15 Helping clients & coalitions for cybersecurity policy
  • 00:24:58 Consistency in technology and cybersecurity under past presidents
  • 00:27:47 Cybersecurity is like warfare or terrorism
  • 00:32:30 AI tools and data drive persuasive information
  • 00:34:50 National Cybersecurity Awareness Month raises awareness on cybersecurity and encourages action to protect businesses
  • 00:42:40 Diversity of experiences leads to career growth
  • 00:44:01 Adaptive, willing, and able to learn

Introduction to National Cybersecurity Awareness Month

Purpose of Raising Awareness About Cybersecurity

Grant explained that one of the great things about National Cybersecurity Awareness Month is exactly raising awareness and providing an opportunity to hopefully spend time thinking about and discussing cybersecurity. He noted that for organizations already focused on cybersecurity daily, the awareness month may not raise their awareness much more. However, many organizations don't constantly think about cybersecurity, so for business leaders and executives who may now recognize the existential threat a cyber incident poses, the awareness month offers a chance to have important conversations they may have previously avoided due to lack of understanding.

National Cybersecurity Awareness Month: "You're only one bad kind of cyber incident away from your organization not existing anymore."— Grant Schneider

Opportunities for Organizations to Have Conversations About Cybersecurity

According to Grant, leaders who don't grasp cybersecurity risks may personally fear initiating conversations to ask what the organization needs to do to address risks. National Cybersecurity Awareness Month provides an opportunity for these leaders to have the necessary conversations and gain education. Grant said the awareness month is a chance to discuss basics, like implementing multifactor authentication, patching and updates. He observed that much of the content produced for the awareness month focuses on cybersecurity fundamentals, so it allows organizations to dedicate time to shoring up basic defenses. Overall, Grant emphasized National Cybersecurity Awareness Month facilitates essential cybersecurity conversations for organizations and leaders who otherwise may not prioritize it consistently.

Evolution of Insider Threat in the Intelligence Community

Screening Out Bad Actors During the Hiring Process

Grant explains that in the early days of his career at the Defense Intelligence Agency (DIA), insider threat mitigation focused on screening out bad actors during the hiring process. The belief was that malicious insiders were either people with concerning backgrounds trying to get hired, or nation-state actors attempting to plant individuals within the intelligence community. The screening process aimed to identify and reject potentially problematic candidates.

Nation-State Actors Planting Individuals Within the Community

He mentions the possibility of nation-state actors attempting to plant malicious insiders in the intelligence community through the hiring process. This underscores the perceived risk that foreign governments would try to insert spies or saboteurs into the ranks of U.S. intelligence agencies.

Shift Towards Insiders Becoming Whistleblowers

Grant then discusses how over time, the nature of insider threats shifted more towards insiders becoming whistleblowers driven by ideology or moral objections. He cites the Manning and Snowden cases as examples of this shift. Rather than foreign plants, these were trusted insiders who went on to leak classified information out of claimed conscience.

Importance of Not Making Negative Generalizations About Whistleblowers

While describing this evolution, Grant is careful not to make generalizations condemning all whistleblowers. He maintains that whistleblowing serves an important function in society.

Snowden’s Different View on the Community’s Work and His Actions

In Snowden's case specifically, Grant characterizes his mindset as believing the intelligence community's lawful work was actually wrong. This led Snowden to take matters into his own hands by leaking classified materials.

Importance of Diversity of Experiences for Personal and Professional Growth

Actively Seeking Out Different Experiences Within Current Role

Grant emphasized the importance of seeking diversity of experiences, even within one's current job. He advised not constantly changing jobs, as that may look unfavorable on a resume. However, within a role, one should actively volunteer for new projects and tasks that provide exposure to different skills. Being willing to say "yes" and take on unfamiliar work leads to becoming a more versatile, well-rounded employee.

Saying Yes to New Opportunities

Grant recommended that when presented with new opportunities at work, such as a manager asking for someone to work on a certain project, the best approach is to always say yes. Even if the work does not seem interesting or relevant, accepting the challenge provides a chance to learn new skills. Saying yes demonstrates eagerness to expand one's capabilities.

The Importance of Diversity of Experiences: "Diversity of experiences, and whatever it is you're working on, when your boss, your coworkers say, hey, we're looking for someone to work on this, always say YES. I wanna go work on that as well."— Grant Schneider

Becoming a Well-Rounded Employee and Leader

According to Grant, embracing diverse experiences allows professionals to build unique skill sets and make themselves stand out. Having broad exposure equips individuals to work effectively on varied teams and projects. It enables adaptability that makes one a more valuable contributor. Grant emphasized that diversity of experience helps shape well-rounded leaders who can thrive in any environment.

View Work and Life as a Scavenger Hunt for Acquiring Skills

Grant suggested viewing one's career progression as a scavenger hunt to collect talents and capabilities. Being strategic and purposeful about pursuing different opportunities maximizes growth. Grant urged professionals to reflect on the skills they want in their toolbox and then leverage jobs and other life experiences to intentionally develop expertise across multiple areas.

The Consequences of Cyber Incidents and the Growth of Cybersecurity

Increased Consequences of Cyber Incidents

As Grant explained, when he first joined DIA, there were no connections to the unclassified internet in the building. Over time, every employee had both unclassified and classified computers to connect to various networks. As more devices were connected to networks, the potential consequences of a cyber incident grew. With more reliance on technology and interconnected systems, a cyberattack could cause major disruptions to operations. Grant noted that this increase in risk led to a greater focus on cybersecurity within both government and private sector organizations.

The Consistency of Approach Towards Technology and Cybersecurity across Administrations: "In my opinion, technology and cybersecurity has not been very politicized. And really going back from Bush to Obama, to Trump and to Biden, in my opinion, we've seen a good bit of consistency around the directions, the people have been headed."— Grant Schneider

Creation of Dedicated Security Operations Centers

Grant discussed how the growing risks from cyber incidents led to the creation of security operations centers focused on monitoring threats. Whereas IT operations teams had previously handled security, cybersecurity emerged as its own discipline requiring specialized skills and 24/7 vigilance. Organizations established dedicated security operations centers tasked with detecting and responding to security events around the clock. This represented a major shift as cybersecurity transitioned from a purely policy function to an operational capability within organizations.

Cybersecurity as a Distinct Operational Entity in Public and Private Sectors

Over the years, cybersecurity evolved from an information security policy role to a distinct operational entity, according to Grant. This transition occurred in both the public sector and private sector as the nature of threats changed. Cybersecurity is now recognized as requiring its own set of skills and continuous monitoring separate from traditional IT operations. Grant noted that this shift has continued with cybersecurity capabilities and staffing growing significantly across sectors.

Understanding and Manipulating Information in Cyberspace

Increasing Availability of Data and AI Tools

Grant discussed how there is more and more data available now as compared to the past. He also mentioned how AI tools allow people to analyze and understand this data in new ways. For example, AI can help determine what information or messages are most likely to resonate with someone based on what is already known about their views and preferences. Grant suggested that the combination of more data and better AI-enabled analysis means information can be tailored and targeted to individuals in new ways, for good or bad purposes.

Delivering Messages That Resonate With Individuals, Regardless of Truth

Building on the availability of data and AI tools, Grant noted how messages can now be crafted in a customized way for each person. He said that tools allow understanding of what is believable to each individual. Then messages can be created that align with existing beliefs and preferences, regardless of whether the messages are factually true. Grant gave the example that false information could potentially be spread this way if the content resonates with what someone already thinks.

Society’s Acceptance of Divisive and Blunt Opinions

Grant suggested that technology capabilities enabling tailored messaging are emerging alongside the increased societal acceptance of divisive, controversial and blunt opinions being shared publicly. He noted that norms seem to have changed from when there were more things people didn't express out loud. Grant proposed that this societal shift combined with technological capabilities that can take advantage of divisions creates risks in terms of information manipulation.

About Our Guest

Grant Schneider’s entire 30-year career has focused on our nation’s security. Grant spent more than 20 years at the Defense Intelligence Agency, seven of which he served as the CIO. He then spent six years in the Executive Office of the President during the Obama and Trump administrations, focused on all aspects of federal and critical infrastructure cybersecurity. During that time, he served as a Senior Director for Cybersecurity Policy on the National Security Council staff and most recently as the Federal CISO. For the past three years, Grant has served as Senior Director of Cybersecurity Services at Venable, helping companies from across all sectors enhance their cybersecurity programs through the development and implementation of risk management programs as well as assisting with the preparation, response, and recovery from various cyber incidents, including ransomware.

Episode Links

Transcript
Carolyn Ford [:

Welcome to Tech Transforms, sponsored by Dynatrace. I'm Carolyn Ford. Each week, Mark Senell and I talk with top influencers to explore how the U.S. Government is harnessing the power of technology to solve complex challenges and improve our lives.

Hi, thanks for joining us on Tech Transforms. I am Carolyn Ford, here with Mark Senell. Good morning, Mark.

Mark Senell [:

Good morning, Carolyn.

Carolyn Ford [:

Okay, in the spirit of Halloween, today's episode is the second in a three part series, and we're exploring some of the creepier, spookier, crazier sides of technology in this series. If you haven't already, listeners, be sure to catch the first episode in the series focused on the spooky side of Generative AI with Mr. X. That's his villain name that I gave him. And just fair warning to our guests today, I'm going to come up with one for you, too. So today we have the honor. I'm a little amped up. I'm not going to lie.

Carolyn Ford [:

Like, we have a rock star today, and we're welcoming Grant Schneider. Grant has spent his entire 30 year career focused on the nation's security. He spent over 20 years at the Defense Intelligence Agency, seven of which he was the CIO. He then spent six years at the Executive Office of the President during the Obama and Trump administrations, I have questions about that. Focused on all aspects of federal and critical infrastructure security. During that time, he served as a Senior Director for Cybersecurity Policy on the National Security Council staff, and most recently as the Federal CISO. So for those of you guys like me, let's just say, like the White House CISO, like, it's cool. So for the past three years, he's served as Senior Director of Cybersecurity Services at Venable, helping organizations from across all sectors enhance their cybersecurity programs through the development and implementation of risk management programs, as well as assisting with the preparation, response and recovery from various cyber incidents, including ransomware.

Carolyn Ford [:

So I'm telling you guys, today's episode is a do not miss. We're going to talk to Grant. We're going to try to get him to tell us the scariest stories from his career, from ransomware to I want to know if a cyber fire sale is like, can it happen? Like in Die Hard. I want to know. And based on his background, you know, we're going to get some good stuff. So welcome to the show, Grant. Thanks for joining us.

Grant Schneider [:

Well, thanks for having me. Excited to be here.

Mark Senell:

Thanks for being here.

Grant Schneider:

Now I'm a little scared to be.

Carolyn Ford [:

So well, we want you to scare us with some really good stories, but we'll start with some easy stuff. I want to start off with your public service career. You were on the front lines and really still are on the front lines of the nation's cybersecurity posture. And looking back, even at your time at the DIA, your work has contributed to enhancing the security of the federal government. How has our nation's approach to cybersecurity matured or evolved over the course of your career? And were there any moves that were more impactful than others in your opinion.

Grant Schneider [:

I mean, we've evolved a ton, right? The government has evolved a lot. This industry has evolved a lot. And it's really been as technology has evolved. And I remember at DIA when I first got there, there were no connections to the Internet, the unclassified internet in our building. And when I left, every single person in the building had an unclassified computer under their desk, as well as a couple of classified computers because they needed to be on other networks. And so as we kind of expanded our threat surface by connecting more things to the network, we have increased the consequence of a cyber incident, of a technology incident, of our technology going down. And I think along those lines, cybersecurity was born and really moved from. When I was first at DIA, we operated on classified networks.

Grant Schneider [:

No one really talked about security because we were isolated and segregated from the rest of the world. And we just talked about information management or maybe information security. And that organization was a policy organization. They wrote policies and put policies out that the people doing It operations had to implement and were supposed to do upgrades and updates and patches and all the basics that you would expect today. But what we saw is as those consequences of an incident increased, the information security team eventually became cybersecurity, but became an operational entity inside of organizations and became where you had a security operations center that was looking at security on seven days a week, 24 hours a day basis. And it really became its own sets of skills and separate and apart from the IT operators that had always been there running twenty four, seven operations, but really became a distinct skill set and a distinct part of the organization over the years. And I think we've just seen that continue to grow both in public sector as well as in private sector as well.

Mark Senell [:

So you brought up something really interesting there, Grant, that I wanted to ask you about, because you said over time, as technology and organizations have expanded and you have access to external internets and stuff like that, do you see the threat vector more? Do you see it as increasing or that we've risen to the challenge of protecting that? I guess where I'm trying to go with this is how does insider threat play there? Is that more of like something that accidentally people could make mistakes or I guess it could be malicious.

Grant Schneider [:

Just a lot of different directions.

Mark Senell [:

Sorry, I didn't know how to go.

Grant Schneider [:

A, the threats continue to increase, and the threats, as we've shifted it and we've put more things and connected more things to our networks, well, we've created the opportunity for decades. Security was really about espionage, right? It was about nation states and about espionage and trying to steal information that didn't have much value beyond espionage, or maybe some industrial espionage as well. Right. But we've now shifted and we've seen over the last 20 plus years to where being a malicious actor in cyberspace, you can monetize your activity and the ability to talk about ransomware, whether it's ransomware, whether it's fraud, that you're going to go in and steal health data or steal credit card information. Right. A lot of this started as I was going to steal credit card information and sell pawn credit cards. So any way that an actor can monetize as we've interconnected the world and put more data and more information and more sensitive stuff, threat actors continue to look for ways to monetize that. And as long as they continue to be able to monetize it in a variety of fashions, ransomware being a big one, but in a variety of fashions, those threats are going to increase and we're going to need to take more protective measures.

Grant Schneider [:

And I can come back to insider threat if you want.

Carolyn Ford [:

Well, I was thinking like when you were first talking then, Mark, you made me even lean into it more. Was I'm wondering, Grant, you said, okay. At first we were never connected to the Internet. And then as time went on, everybody had an outside connection to the Internet. You were there when Snowden rocked the world. Did that connection to the Internet, how did that change things for you.

Grant Schneider [:

On Insider Threat? Right. What I've saw. The evolution of insider threat is early on in my career, the intelligence community. The screening was really about don't hire a bad guy. Screen them out in the hiring process with a little bit of the belief that there could be a malicious actor, their nation state that's trying to plant someone into the community in some way, shape, or form, or someone that just has issues that you don't want in the intelligence community. But insider threat and we saw this with Manning and with Snowden shifted to where when they came through the door, I don't know what was around them when they came through the door, but a lot of them became these ideological ideas right. That this whistleblower sort of approach to some degree, and I'm not saying bad things about whistleblowers, it's an important function, but people who had a different view on the lawful work that was being done by the community right. And Snowden just thought that work was bad and thought we were doing things as a country that we were doing legally were wrong and therefore "I'm personally going to do something about it."

Grant Schneider [:

Right. That seemed to be his approach. So did Snowden absolutely rock the community in a big way? In a big way. And Snowden was able to do things that Snowden shouldn't have been able to do from a policy standpoint. Right. Most incidents there's a policy in place that didn't get implemented in some way, shape, or form or a technical control that got bypassed in some way that allowed something to happen. With Snowden, he was in a very interesting position where his job was to gather data and pull data together. And in fact, he was downloading a whole bunch of the data that he ultimately released, and at one point got a phone call from someone that was like, hey, you're killing my servers.

Grant Schneider [:

My performance is bad because you're downloading all this data from us. You're scraping this data. And the response was, "oh, I'm sorry, I'll do that in the middle of the night from now on." "Okay, great."

Carolyn Ford [:

My gosh.

Grant Schneider [:

Because he was in a position that that was his job, was to aggregate all this data. So insider threats super scary because of and in a post 9/11 world, the need to know was the focus of the intelligence community, that we need to share more information across the community. And it was kind of if you were inside the tents, you got access to everything inside the tent. And with things like zero trust, we've seen that certainly shift over the years, most recently with zero trust architectures. But insiders are still very much, I think, scary for all organizations.

Mark Senell [:

So, speaking of 9/11, having worked with government agencies and commercial organizations, I really feel like the government has progressed significantly across the front of cybersecurity and insider threat and all these things, more so than maybe the commercial side of the house. But when I think of, like, 9/11 or stuff like that, I think of how are we protecting critical infrastructure, commercial critical infrastructure? Because you hear about this in the news a lot. You hear about the Chinese being in our electric grid. You hear about all these kind of scary things that are out there. Have you had experience of working with commercial entities around that, or I guess even in government dealing with the critical infrastructure?

Grant Schneider [:

Yeah. So when we look at critical infrastructure, which is appropriately named right? It's critical infrastructure because it is the things whether it's transportation, energy, water, telecommunications, financial systems, the things that make our economy run, that make our daily lives run and operate, if something bad happens in one of those, it can be significantly disruptive. The Colonial Pipelines is a great example a couple of years ago where you had a ransomware event, Colonial Pipelines shut down and then back up right there.

Carolyn Ford [:

Just for our listeners and for me, remind us how that ransomware attack actually happened, because that is crazy to me that it happened. So can you walk us through the details just a little bit?

Grant Schneider [:

Now you're making me dig back into.

Carolyn Ford [:

I mean not too much but just refresh our memories.

Grant Schneider [:

Essentially, when the actors were able to get into their systems, and my understanding is that they got into the information technology side of the house. Right. And most critical infrastructure have an operational technology and an information technology environments, which historically much like an intelligence community. Those were separated. Those were air gapped and not interconnected. Well, like many things in our lives, my stove is now connected to my home network, the same one that we're doing this over. Things got interconnected for lots of good reasons around productivity, around the ability for your third party provider to not have to fly someone to your site to be able to repair your OT system. So my understanding on it is that they were able to get into the IT system and they were able to essentially lock up the IT system.

Grant Schneider [:

Right. They got access. Typically in an incident, you're going to get access or the adversary is looking to gain access. They're going to do some amount of reconnaissance to understand the environment they're operating in, understand where's the critical information they may steal some of that information before they do anything else. What are the critical operations? If you have a cyber insurance, they're going to go look for your cyber insurance policy so that if they are going to ask for a ransom, they know what your coverage is. They're going to understand your business before they let you know that they're there. And then ransomware is kind of the thing they do at the end, where they then lock up your systems. Once they've done all the work, the prep work that they need to do, they're going to encrypt systems.

Grant Schneider [:

They're going to deny the company the access to their systems. To the best of my knowledge, the adversary didn't get into the OT systems and that Colonial Pipelines shut down their OT systems as in an abundance of caution because they really didn't know the extent and they didn't want to have something happen on that delivery side. However, shutting it down for all of us on the East Coast had a significant impact, both from a real impact of places where you couldn't go get gas and then the fear that my gas station might be the next one to not have gas. So I need to go fill up all my cars crazy and keep a couple of hundred gallons of gas in my garage that I don't need to go anywhere for. Right. Everyone sort of took that approach, but that then drove this lack of confidence.

Carolyn Ford [:

You had 200 gallons of gas in your garage?

Grant Schneider [:

No, not me, I, but I think a lot of people went in hoarded. Right.

Carolyn Ford [:

I grew up in Utah.

Grant Schneider [:

We saw it with toilet paper during COVID too. It seems to be human nature.

Carolyn Ford [:

I grew up in Utah. Father very much. I mean, I guess we could fall into the prepper camp. We actually had a tank in our backyard. I don't know how many gallons it held, but we had that kind of stuff.

Grant Schneider [:

You were prepared?

Carolyn Ford [:

Oh, yeah. We were very prepared.

Mark Senell [:

Survivalist.

Carolyn Ford [:

Yes. Okay. So we're starting to dabble into this is the good stuff. Live Free, Die Hard. So Die Hard 4. For those of you who guys aren't a fan, you should watch this because it's scary as it's very scary. The idea, this cyber fire sale idea where everything could be shut down by these hackers and what you're telling me, Grant, just based on the pipeline incident that it's possible, right?

Grant Schneider [:

Well, I think there's a couple of aspects. I mean something being possible. There's a lot of things that are possible, right. If you put all the parts of a watch in a bag and shake it forever, eventually the watch will come together. I don't recommend trying that at home.

Mark Senell [:

Because I think you'll that's a good analogy.

Grant Schneider [:

But in theory that's possible. I think though, to me what's almost as scary is what threshold does an adversary need to get to to have a significant impact on our economy, on our trust in the economy, on our trust, in the ability that we're going to have these goods, these critical infrastructure items delivered to us. And so I think the way our critical infrastructure, a, it's mostly owned and operated by private companies, right? Some of it's owned and operated by the government, but it's very much in a decentralized right, it's very decentralized across the country. And so there is an amount of air quotes, maybe security, it's not really real security, but there is an amount of resiliency, that's a better word by having the amount of distributedness. But it also means you end up with a whole bunch of different levels of readiness. You've got some organizations that have the understanding, the budgets, the ability to actually invest in these areas, think financial services, and then you've got other organizations that are small, maybe a municipal water department in a county or a small town who is rate limited, right. They can't charge more money. They can't necessarily raise their rates without getting some approval through a political process.

Grant Schneider [:

So they can't even invest if they want to, if they have the awareness and they want to be able to do it. So you end up with a lot of different levels out there. But I think the ability to start that type of disruption is super scary to me because you don't have to be able to actually disrupt all of it. If you can create enough concern and a lack of confidence in the delivery of the critical infrastructure, you're going to see these fall on kind of human nature results.

Mark Senell [:

That's a great example.

Grant Schneider [:

Negative.

Mark Senell [:

So I've always looked at our decentralization or our openness as a potential weakness in area that our adversaries would attack. But am I hearing they're saying the decentralization actually could make it harder because.

Carolyn Ford [:

We're kind of air gapped by default, right?

Mark Senell [:

Potentially.

Carolyn Ford [:

Right. But that security by default makes me think there's not a lot of efficiency. It also brings a lot of problems with it to not be yeah, to.

Grant Schneider [:

Be clear, I think you get an amount of resiliency, not security by that distributed. Right. Because an adversary has to get into multiple systems or multiple items. On the flip side, the adversaries don't have to work really hard to get into multiple systems. Right. It's not like breaking into a bank physically, where you have to go to every single one. The nature of it is that you can scan lots of these organizations from anywhere in the world and you can do it all night long. You just need compute power and you can identify vulnerabilities and you can have automated scripts so you're still able to attack on scale or the adversaries are able to attack on scale.

Mark Senell [:

So now we're more scary. This is definitely more scary.

Carolyn Ford [:

Right? Well, and to your point, just inciting the fear was enough. Like, Colonial Pipeline is a really good example. They scared the hell out of us as a nation. They shut you guys down. And when we say maybe, I don't know if misnomer is the right word because sure, I still had gas in Utah. There was no resiliency for you guys on the East Coast. Right, right.

Grant Schneider [:

And we do know in some sectors and energy is probably a big one where it's very interconnected, right. Where there are interdependencies on the way that pipelines work and natural gas is delivered and energy is produced.

Mark Senell [:

Distribution.

Grant Schneider [:

Yeah, exactly.

Mark Senell [:

Are you involved in any of the efforts kind of that brings government together with industry around this concept?

Grant Schneider [:

Yes. So one of the things that we do or I do in my role at Venable is we help clients of the firm and then we have our individual clients that we work with on a variety of of kind cybersecurity matters. We also work with a number of industry coalitions and working with those industry coalitions, such as the Alliance for Digital Innovation is one where we bring together private sector organizations that are very interested and focused on delivery of capabilities into the public sector. And really, we then facilitate some of those conversations, policy conversations. Where do we need policies to go to add security to the public sector but also that will add security to the private sector? And we've seen this administration particularly very focused on second and third order impacts from a security standpoint, using the Federal Acquisition regulations to drive security behavior in an organization in order to sell something to the government that will also impact the services that they sell commercially as well.

Mark Senell [:

Having worked across multiple political administrations, does it vary from administration to administration or are there civil servants that kind of keep driving that effort forward or is it really kind of more politicized?

Grant Schneider [:

So fortunately, in my opinion, technology and cybersecurity has not been very politized, really going back, know, Bush to Obama to Trump and to Biden, in my opinion. We've seen a good bit of consistency around the directions that people have been was there at the end of the Obama administration. I was there for most of the Trump administration, and I would say the Obama administration looked at cybersecurity and technology very much through the cyber lens. Right. It was a post OPM hack environment very focused on cybersecurity and moving that forward. The Trump administration came in and looked at it through a little different lens. They looked at it largely through technology modernization, how do we modernize the government, modernize solutions both for delivery, know, citizen services and cybersecurity was a part of that. But when we sat down and literally sat down and briefed Jared Kushner when he came in on what we were doing from a technology and cybersecurity standpoint, his response to us, know, that all seems like the right stuff.

Grant Schneider [:

You should keep doing that. It's a shame you didn't have very good leadership to help you actually be able to deliver that, but it seems like the right thing, so keep doing it. And so Mark, it's a little it was an interesting moment and when we were like "yay, we're okay, thank you very much."

Carolyn Ford [:

We'll continue really changed with what you guys were doing, I mean, how it.

Grant Schneider [:

Was being reported, who we were working with. If you're in the White House, there's a political aspect. Even though many of the people working in the White House are career civil servants, as I was, it's still going to be politicized and you're working within a political environment. But yes, we were able to continue working in that direction and changing some of the language and focusing more on technology modernization at the same time continuing a lot of the cybersecurity work.

Carolyn Ford [:

Okay, well, that's nice, but it's not very scary. So let's get to the scary stuff.

Mark Senell [:

Scary, scary. I have a scary thing to Grant.

Carolyn Ford [:

Go, Mark.

Mark Senell [:

So, Grant, I hear about a lot in the news out there about and this may not be a cyber thing at all, but I'm curious, if you think about this, what about like EMP attacks on that's a good or electrical grids and stuff like that? I mean, is that more warfare as opposed to cyber?

Grant Schneider [:

So I think of it a little I think of it as warfare or terrorism, however, because I feel like that's where it would start, and that would be the motivating factors. Because if we look at cybersecurity in general and we look at malicious cyber actors, we've got nation states, we've got terrorists that are just looking to disrupt and do bad things, and nation states are looking to steal and be able to spy and all of those things. And then we've got a whole bunch of what I would call criminals, people that are trying to make money. And I don't know how you make money off an EMP that is just destructive in nature. Certainly if there was an EMP and we took down big chunks of the infrastructure, that would be detrimental on so many levels. It would be super, super scary. I would be very scared of that. I don't see it as something that a criminal actor is going to go after.

Mark Senell [:

More of a nation state type thing.

Grant Schneider [:

A nation state is going to want to have that capability for a time of war where they might want to do it. However, nation states also, even in a time of war, sometimes don't want to be that destructive. If that's an infrastructure, they want to come take over in the future. And we've even seen some of that in Ukraine or certainly at the beginning of Ukraine. You know, terrorism is where I think it's most scary, because terrorists really don't care about the so from a longer term or even near term policy. Yeah.

Carolyn Ford [:

They just want to burn exactly down. They don't care. Yeah. So what does the future look like? What's the scariest thing that we should be? Oh, I have another one, too. How does AI play into all of this? How does it make it scarier? All this stuff that we've been talking about?

Grant Schneider [:

I think where AI potentially makes it scarier is AI allows for acceleration, I think is one of the things, and it's a force multiplier. You can get lots of things done a lot quicker, both in a good way and in a bad way, using AI. And AI is I mean, we've had machine learning for a long time. AI tools and capabilities have been here. ChatGPT really put it on the map and made it kind of a mainstream by making a super easy interface right, where now anyone can interface with this AI capability. And so I'm confident AI is being leveraged by malicious actors. It allows them to be better. Right.

Grant Schneider [:

Phishing emails ten years ago were pretty bad and obvious. AI makes it a lot and they've gotten much better. AI makes it a lot easier, allows you to scale if you're a bad guy, allows bad guys to scale much quicker and can have more impacts. And then in the future, when AI is doing more things for us and we don't really understand how it's working well, we won't understand when it's not working well or right. And as we interconnect things and we don't understand the algorithms and the models, quite frankly, many people my age, and certainly older than me, used to really understand how our cars worked. You did lots of your maintenance. You understood when I was in high school, we were pulling engines out of cars and pulling them apart and putting them back together. And now you look in and it's a whole bunch of computers in the car.

Grant Schneider [:

There's an average like 13 or 20 computers in every single car today. So it's just become more opaque to the user of how these things are operating. And I think that's a scary aspect, potentially, of AI.

Carolyn Ford [:

Yeah, well, and even before we get to how it works, just the ability we're seeing, even with ChatGPT right now to spread wrong information, and people are taking it as fact and passing it on because it sounds so credible. I guess it's not really social engineering, but just that social side of it is already causing some havoc.

Grant Schneider [:

Well, and I think the more data that's out there and the AI tools and the ability to understand the right we're seeing, not only are people taking information because it's believable, but there are tools out there that allow someone to understand what's believable to Carolyn versus where am I already leaning? Towards where's Mark leaning? Where are you leaning? And then delivering messages that are going to resonate. Whether they're true or they're not, they're going to resonate. And when something resonates with us, we ask fewer questions about it, it seems right. It sounds plausible. It's what I wanted to hear. And so I see these technology capabilities coming at the same time, from a society standpoint, it's become more accepted is the word I'll use. Not okay, but accepted to be very divisive and to be blunt and to state your opinion, things that I was brought up by my mom. You don't say a whole bunch of this stuff out loud that seems to have gone by the wayside for a lot of folks, including public figures.

Grant Schneider [:

We've got this societal time that we're in, combined with this technology capabilities that can feed on, literally and do feed on each other.

Mark Senell [:

October is National Cybersecurity Awareness Month, and so a lot of people are talking about it during this time. Are there certain things that you're seeing organizations do or best practices that they're talking about to defend against things like we mentioned ransomware before?

Grant Schneider [:

I think one of the great things about National Cybersecurity Awareness Month is exactly raising awareness, giving an opportunity for people to hopefully spend a little bit of time and think about cybersecurity and what they're doing from a cybersecurity standpoint. And I think that for some organizations that are focused on this all day long, day in, day out, maybe they're not going to raise their awareness that much more during October. But I think a lot of organizations that aren't thinking about this all the time for a lot of business leaders and C-suite entities that understand now, I think most people recognize I should be scared that a cyber incident could make my whole business model go away. It could make my whole business go away. You're only one bad kind of cyber incident away from your organization not existing anymore. And hopefully Cybersecurity Awareness Month is an opportunity to go sit down and have those conversations that a leader that doesn't understand this space might be personally scared to have and say, what do we need to do about it? What should we be doing about it? What are the things? I read an article the other day because there's so much out this month, and a lot of it's going to. Be back to basics. I often talk about cybersecurity.

Grant Schneider [:

Sounds cool and sexy, but it's kind of like working at a brewery. If you've ever brewed beer in your house, working in a brewery sounds exciting. But if you've ever actually brewed beer, it's all about sanitization. It's about cleaning stuff all day long, and cybersecurity is that way. It's about doing the basics. It's about implementing multifactor authentication. It's about updating and patching and doing the things because most incidents come from a known vulnerability that didn't get dealt with in the infrastructure that got exploited.

Carolyn Ford [:

I like it. So your words of advice for our listeners, like best practices here is first awareness, and then back to those basics that we've been talking about for years. Multifactor authentication, patches, updates, and remember, it's the same as brewing beer. So there you go. All right, let's go to our Tech Talk questions before we completely run out of time, because do you know what else is cool about October? Halloween? So if you celebrate, Grant, do you have a favorite Halloween tradition or a favorite past costume or coming costume?

Grant Schneider [:

I'm going to go with tradition. I'm less a costume person. It's funny. I live in a neighborhood where the houses are fairly spread out, and I have a steep driveway, so it's typically a disincentive. And we don't have a ton of kids in the neighborhood. You could pretty much tell when the neighbors kids were coming and when they were young, their parents would come as well. And I would always come to the door with a bowl of candy and a platter with a few beers on it as well, or some other adult beverage. For the parents.

Mark Senell:

For the parents.

Grant Schneider [:

But now the parents don't come up the hill. They just throw a party in someone's house and send the kids off. So it's very much just getting to see the kids as they come by and enjoy the costumes and get them to take as much of the candy as possible so I don't have to deal with it later.

Mark Senell [:

Grant, Carolyn is a costume girl. I'm surprised you didn't actually wear a costume today.

Carolyn Ford [:

I kind of wanted to. Like, for all these Halloween episodes, I was going to ask our guests to dress up. Then I thought that might be a bit of a stretch. And now that I know know you're.

Grant Schneider [:

Not dressed up for you, Carolyn, I definitely would have dressed up for you.

Carolyn Ford [:

I'm trying to think who you dressed up as. Grant, you'd dressed up as yourself.

Grant Schneider [:

I'll dress up as all right.

Carolyn Ford [:

All right. Mark, you get to ask the next Tech Talk.

Mark Senell [:

What about Halloween candy? So if you go back to maybe your childhood, did you have a go to candy, your favorite candy?

Grant Schneider [:

So I was always like a Snickers bar, right? Chocolate. When I was growing up, it was all about chocolate. And then I grew up and became an adult. And so what do you do when it was all about chocolate for you as a kid? You buy chocolate. And my kids could care less when they were little, they wanted sour stuff, Sour Patch this, Sour Patch that. And I would see kids at my door, dig, move all the chocolate out of the way, trying to find those couple sour patch things. So seems like it's evolved over the years.

Carolyn Ford [:

Is your go to now beer?

Grant Schneider [:

I'm not really a sweet tooth. I'm more of a savory person. I'll leave it at that.

Carolyn Ford [:

All right, fair enough. All right, last question. Less about Halloween, actually. Do you have, like, a favorite Halloween time, fall time movie or book or story that you like to revisit?

Grant Schneider [:

I don't I've never been a big scary movie fan.

Carolyn Ford [:

Yeah, me either.

Grant Schneider [:

They've never appealed to me that much. Movies around Halloween, that's what I think of. Are all the Halloween movies, literally and other things. So, yeah, I don't think about movies so much.

Mark Senell [:

Let me hit with one.

Grant Schneider [:

I haven't seen Oppenheimer, but it could be the scary Halloween movie this year.

Mark Senell [:

Oh, it's excellent. Is it excellent?

Carolyn Ford [:

Okay. So is Barbie. Go with Barbie. It's also funny. It's so funny. You just don't like

Mark Senell [:

Oppenheimer was really good. Yeah, acting was great. Great cast. I mean, this is very historical. So you know the story, you know how it ends, but it was neat how they kind of portrayed it.

Carolyn Ford [:

All right, do you have one last question for Grant?

Mark Senell [:

Oh, I was just going to say for Grant, yeah, not Halloween related, but for young people who are going to listen to the podcast. Any advice, career advice on folks coming into this arena where they should start, what they should do?

Grant Schneider [:

Diversity of experiences, I think get as many different experiences, and that doesn't mean get a new job every year. I don't think that looks good on a resume, but diversity of experiences and whatever it is you're working on, when your boss or your coworkers say, hey, we're looking for someone to work on this, always say, yes. Yes, I want to go work on that as well. Even if you don't know what it is, even if you're not interested in it, you're going to learn more and you're going to become a more well rounded employee, a more well rounded leader at some point. And really, just what are the different skills that you want to put in your personal professional toolbox and view it as work and life, as a bit of a scavenger hunt for those skills. So seeking out the places where you can go get the right skills, put them together so that your resume is unique and you're able to fit in well with lots of different teams, work on different projects, and be viewed as a value add from your coworkers, your leaders, your customers. Kind of that whole 360, I think is super important. Super important.

Grant Schneider [:

For people to consider.

Carolyn Ford [:

Yeah, that's great advice. And it shows that you're adaptive, you're willing to learn. You're able to learn, which really when I'm looking for somebody to work with or to hire, that's what I want. I want to know, can they learn they may not know the specific skill, but what kind of a learner are they?

Grant Schneider [:

Right. Can they learn what they need to to be successful here? And do they play well with others?

Carolyn Ford [:

Yes.

Mark Senell [:

That's a good one.

Carolyn Ford [:

That's actually really important. I'm still trying to figure that one, so all right, well, Grant, thank you so much for being part of the show today.

Grant Schneider [:

Well, thank you for having me. I really appreciate it. And everyone take some time during October to think about Halloween and scary things and cybersecurity, so they go well together.

Mark Senell [:

No, this was great. Thanks for joining us, Grant. Good to talk to you again.

Carolyn Ford [:

Yeah, and thanks to our listeners. Share this episode, smash that like button, and we will talk to you next time on Tech Transforms. Thanks for joining Tech Transforms, sponsored by Dynatrace. For more Tech Transforms, follow us on LinkedIn, Twitter and Instagram.

About the Podcast

Show artwork for Tech Transformed
Tech Transformed
Tech Transforms has a new home, visit us here https://techtransforms.fireside.fm/

About your hosts

Profile picture for Carolyn Ford

Carolyn Ford

Carolyn Ford is a passionate leader, doer, adventurer, guided by her father's philosophy: "leave everything and everyone better than you found them."
She brings over two decades of marketing experience to the intersection of technology, innovation, humanity, and the public good.
Profile picture for Carolyn Ford

Carolyn Ford

Carolyn Ford is passionate about connecting with people to learn how the power of technology is impacting their lives and how they are using technology to shape the world. She has worked in high tech and federal-focused cybersecurity for more than 15 years. Prior to co-hosting Tech Transforms, Carolyn launched and hosted the award-winning podcast "To The Point Cybersecurity".