In this episode of Cybersecurity Unplugged, Dr. Cunningham also discusses:
- Getting a bigger and better view of the Zero Trust model in cyber warfare;
- His book, Cyber Warfare – Truth, Tactics and Strategies: Strategic concepts and truths to help you and your organization survive on the battleground of cyber warfare;
- Looking into the future of Zero Trust and turning up the heat in the market.
Chase Cunningham, also known as the ‘doctor of Zero Trust’, is a recipient of several media companies’ most influential people in security. Dr. Cunningham is the current chief strategy officer at Ericom Software. In this role, he shapes the company’s strategic vision, roadmap and key partnerships. Previously, Dr. Cunningham served as vice president and principal analyst at Forrester Research where he was providing early and strategic guidance on Zero Trust, artificial intelligence, machine learning and security architecture designed for security leaders around the country and around the world. Prior to Forrester, he was the Navy chief cryptologist at Fort Meade and other sites where he directed all research and development of cyber entities to assess threat vectors, network forensics and methodologies of nefarious cyber actors across the intelligence enterprise.
As a cybersecurity expert who served in the Navy for 15 years, Dr. Cunningham uses his expertise to weigh in on the gaps that need to be filled in cyber warfare by discovering the truth behind tactics, strategies and combat approaches.
I think one of the biggest things that occurs to me is that we spend a lot of time thinking about the perfect defense and making sure that we’re never going to have a breach. And we have three plus decades of proof and that’s the wrong mindset to take. This is a warfare scenario, whether folks want to admit it or not, we’re all engaged in a combat environment. And if you’re thinking about it, in any terms, other than those specific terms, you’re doing yourself and your business a disservice.
Full Transcript
This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.
Steve King 00:13
Good day everyone, Steve King, the managing director of CyberTheory. Today I’ve got Dr. Chase Cunningham on board. He’s the doctor of zero trust, also a recipient of several media companies most influential people in security. He is also currently Eric coms Chief Strategy Officer. And in that role, he shapes the company’s strategic vision, roadmap and key partnerships, tres previously served as Vice President and Principal Analyst at Forrester Research where he was providing early and strategic guidance on zero trust, artificial intelligence, machine learning and security architecture designed for security leaders around the country around the world. And prior to Forrester, he was the Chase Cunningham, also known as the ‘doctor of Zero Trust’, is a recipient of several media companies’ most influential people in security. Dr. Cunningham is the current chief strategy officer at Ericom Software. In this role, he shapes the company’s strategic vision, roadmap and key partnerships. Previously, Dr. Cunningham served as vice president and principal analyst at Forrester Research where he was providing early and strategic guidance on Zero Trust, artificial intelligence, machine learning and security architecture designed for security leaders around the country and around the world. Prior to Forrester, he was the Navy chief cryptologist at Fort Meade and other sites where he directed all research and development of cyber entities to assess threat vectors, network forensics and methodologies of nefarious cyber actors across the intelligence enterprise. And I will not ask him anything about that today, because I don’t want to know. So welcome Chase. Thanks. I’m glad you were able to join me today. Yeah, thanks for bringing me on. So we did kind of a part one a few months ago, from a global point of view, the world has certainly changed. However, it may be to strip away all the politics, maybe it’s not changed. Maybe it’s just another edition of global cyber. Today’s show 101 or something, you recently joined our, our zero trust council as a senior fellow within the cyber theory in Institute and like the rest of us, you’ve, you’ve seen the value and gathering experts together in a think tank kind of contexts and promotes zero trust, which activities have resonated with you so far. And you think that we’ve got a model here for success?
Chase Cunningham 02:27
Yeah, I mean, I think the model makes a lot of sense. It’s always important, and in my experience, to have a lot, you know, be around a lot of Smarter folks that are doing other things and get a bigger better view of what’s going on across the industry. And you’ve got a you got some folks on there that know what they’re doing and are putting the work in. And I think it’s a good place to be. Well, that’s great. I think that the we did a couple of events that I think that dinner down in Scottsdale went pretty well. I know that the folks at Broadcom were very, very pleased guy that’s been in the marketing business for 20 years down there said it’s the best, best video he’s ever he’s ever seen he, he couldn’t stop watching it. So that was certainly the kind of success, if you will, that, that I’ve been looking for here. He wrote another recent book title, cyber warfare, truth, tactics and strategies, which kind of fits nicely in with our currently developed cyber Ed coursework and in the learning path for what we refer to as the biggest missing link and expanding learning gap overall, which we think is cyber warrior training. That has also been kind of undervalued, we think and our approach is to expand the learning path across the whole, this nice framework, so well beyond the kind of ethical hacking bash that most folks get to in that learning path. Is that track consistent with how you see the landscape in terms of the gaps that needs to be filled? Yeah, I mean, I think one of the biggest things that occurs to me is we spend a lot of time thinking about perfect defense and making sure that we’re never going to have a breach or whatever. And we have three decades plus of proof that that’s the wrong mindset to take this. This is a warfare scenario, whether folks want to admit it or not, we’re all engaged in a combat environment. And if you’re thinking about it, in any terms, other than those specific terms, you’re doing yourself and your business a disservice. And we don’t, in my opinion, we don’t need more posturing, we don’t need more pontificating on you know what the bad guys do and how they operate or whatever else. We know it. We have volumes of data, we have lots and lots of run through on what goes down and how to combat it. And we should be approaching it from that perspective of how do we make sure that the adversary is not continuously victorious if we can do that, then we’re winning and this is not going to be a thing where you just you know, beat The bad guy and they’d go away and they’re never present again, you don’t take the battlefield, you just get to exist and get to operate in that. And that’s the reality we need to deal with. Right? Why do you think we’ve been ignoring this glaring problem for like, at least 20 years, I think really, the big thing is it’s a it’s, it’s just like the, in some, in some degrees, like the pharma industry, where it’s great to come up with a treatment not for, not for a cure and not for a plan to deal with the actual infection. That’s, that’s the difference is I can give you a, I can give you a pill, and I can keep telling you bigger, better, better, more sexy pills, but it doesn’t actually fix the problem. And it doesn’t reduce the issue of you dying. Whereas if we change the game and go at it with a different approach, we can do that. And the patient may not be perfect, but the patient will be healthier. And that’s what we’re trying to get to season. This is engineered, I think the market created for this. I mean, I think that we’ve built a multi billion dollar market that feeds the beast. And a lot of times I see folks that push things that don’t deal with the reality of the problem. And it’s because they’re putting money in their pockets to be perfectly frank. And that’s not what we need. I mean, I do tons and tons of pro bono work, because I think that the value is, you know, doing cyber, right? It’s not about putting more money in the bank. Yeah. Well, ultimately, of course, we will have retrained everybody into a zero trust mind mindset. But in the meantime, what else can we do here? I mean, yeah, it’s been driving me crazy. For 20 years, I see folks lined up behind, you know, program ABCD. And then pretty much drop it and head off to some other Yeah. But oh, I want to say constructed threat or something that that suddenly becomes the threat of the hour. Because that’s, that’s not going away, I’m the ransomware guys are just get better and better and better and better. I mean, I was on a call with a bunch of execs about the ransomware problem. And there was people on there from solutions that are in the market that are doing really, really big things. And I mean, they had Superbowl commercials, and whatever. And my question to them was, you know, do you think that this stops stuff that’s native to the operating system? And their, their admission? was? Well, no, that’s not what our software does. And I said, well, then you’re gonna miss every time ransomware invokes PowerShell. Because PowerShell is native to the operating system. That’s what it does. You just said you miss that. So then why would I buy your solution? Because it’s not fixing the fundamental core issue, and that it’s not to put somebody under the dig and say, like, your system sucks, or your solutions value less. But it’s really to go like, Look, if you’re going to solve a problem, solve the fundamental issue. And yes, there’s other ways to maybe make this thing, you know, slightly sexier, cooler or whatever. But deal with the fundamental core issue. Other than that, I don’t really need more of something, I need to deal with the fundamental realities of the problem. And that’s it. How long were you in the Navy 15 years, and you served across a whole range of, you know, Alphabet agencies, I say, serve me, you were you interacted with a whole bunch of those agencies over that period of time, right? Yeah, it was all over the place. I got to do a lot of great work. So how do you know? Yeah, and then you get out and now you’re advising companies. But who knows so much more about the realities of the of the battlefield than most folks in your situation? Do? How do you reconcile that to yourself? I mean, I try and tell people, it’s not like, it’s not about being afraid, it’s not about Fudd. It’s not about the, the having the biggest, baddest piece of tech or whatever else. It’s, it’s you put a plan in place use you align to the realities of the problem. And then you go forward. And you almost you also realize that no good plan survives first contact with the enemy. So you need to be adaptable. You got to be able to be able and willing to modify your approach based on the threat environment, and you just keep going at it. It’s, I mean, in the military, we have really good training and really good folks that understand, this is the combat for the soul of the activity, right? It’s not just we’re gonna win a fight, and we’re done. So you got to be in that mindset. You’ve got to go but no one, no one is afraid, or no one should be afraid because you’re doing what you need to do to be successful. Fear is useless fear is not going to help you actually get any better. I’m scared of spiders. I’m not scared of cyber.
Steve King 09:39
Right. Tell us a bit about that. About your most recent book, the cyber warfare, truth tactics and strategies book. Yeah. So I mean, I really was focused on that book as far as going through the very realistic scenarios how different things are used like crawled through a bunch of applications of artificial intelligence and machine learning for threat.
Chase Cunningham 10:00
threat actors and tactics, I made it a point not to go into, you know, vendor related stuff. It was all just here’s what goes on. Here’s a historical perspective. Here’s how they could have adapted and combat the threat more effectively. And yes, it’s an armchair quarterback scenario. But if you’re not doing those armchair quarterback things, you don’t ever, you know, get better. So I, I was really proud of it. And it’s been pretty well received. And that’s available on what all the normal other regular book buying things. Yeah, yeah. What interests me, I guess is that you can, again, you know, so much more as because you’ve been in I say inside the NSA, not what that might imply, but you certainly have access to people and process and information that the rest of us don’t, you know, and then we know that the the NSA is, has been very successful at creating malware and using different threat vectors to attack known vulnerabilities in software that all of us use, though their attacks maybe in other countries, it puts all of us at risk, does it not? Well, I think the things for folks to remember about the cyberspace, especially in the classified environment is the things that were good and successful, the wins the victories you’ll never know about. Those never leave before they stay inside those 10 Plus rooms, you’re never going to know about the victories that we have in the space and they happen 1000 times a day, you’ll know about the screw ups, you’ll know about the leaks, you’ll know about some of the stuff that makes its way to the press. But I mean, in reality, the the fact that we are engaged in that combat environment, we’re doing it all day, every day with, you know, amazing people doing amazing work. You’ll never ever, ever hear about it. And that’s, that’s actually a good thing. That’s the way that it’s supposed to work. But we should take some some some comfort in knowing that the less we hear the more victorious we’re we actually are, except for the people that are running that software that has vulnerabilities spread throughout that they don’t know about because they don’t, because the government won’t tell them about it. Right? Well, I mean, you have to keep some cards close to the vest. But I would say to that, well, that’s a very realistic issue. The majority of folks need to worry about bad passwords and VPNs and basic stuff, don’t worry about your crazy zero days, you’ll get to that later. So your view is, which is held by many of us is that most of our problems are self inflicted, that either are solidly solvable, either through education or training, or better high cyber hygiene. I mean, the basics are the basics, the basics are what will win will keep you you know, as safe as possible. The other, the other stuff comes later, there’s a maturity curve, there’s a line in the sand, you’ve got to be able to subscribe to get across. And other than that, you get to those, you know, super sexy, amazing cyber things further down the road. It’s it’s not about perfection, it’s about reality, and about dealing with the likelihood of compromise. You know, John talks about a student breach. I mean, that’s, I think that way all day, every day. Whereas God is my witness. I wake up every morning and look on my machine, and I cross my fingers, because I know something’s, you know, probably poking around there that I don’t know about, but it just is what it is you deal with it move on and do the best you can. Right. You think then. Yeah, speaking of that, in a way, you think that Russian Ukrainian conflict will reveal some other level of cyber warfare than we’ve seen so far. I think it already has, I think we finally people are starting finally starting to at the highest levels of government, highest levels of business, people are actually realizing like cyber as a first strike capability. I mean, what’s the first thing the Russians did last week, they started doing denial of service attacks, they started taking down banking systems. What concerns me is really, you know, if this thing does go the way that’s looking like it’s gonna go and we start putting our sanctions on them, they’ve got lots of things that are, you know, put in place in our own infrastructure. I would say watch out very carefully, carefully for critical infrastructure that starts shutting off. Yeah, I mean, those those traps are those threats, if you will, are already planted. I think, right. They’ve been there for years. Yeah. Yeah. For years. Right. And so it’s not a good idea to poke the bear is it?
Steve King 14:35
Well, I mean, it’s not a good idea to poke the bear. But then again, you’ve got to stand up. We know when it’s time for a fight, and Americans should never back down. But uh, I think the diplomacy thing here is probably the wise way to go. But uh, from you know, just being a general consumer and everyday American, I would be hedging my bets that things are gonna start getting really dicey really quick. Yeah, I think so. as well. Another question for you though. Yeah. When it’s around technology type, we have a tendency to devolve into the geek speak when we talk to board members, and yet much of the zero trust principles that you and I are both big fans of deal with technical principles, how to do we need to taxonomies? I mean, how do we get that message across? I don’t think we’re doing a very good job. But I don’t think we’re doing a very good job. Getting it across to the folks that actually can understand our particular geekspeak, let alone the board members.
Chase Cunningham 15:34
Yeah, that’s, I mean, I say this all the time. If I could go back and reactivate my GI Bill, I wouldn’t get a PhD in computer science, I go get a business degree because we need to talk more business, we need to forget the geekspeak. Because the people that are going to cut the checks, they’re going to pay for the work that we need to do. They don’t they don’t understand technology speak. So I think we collectively have got to do a really, really good look at ourselves and say, Are we speaking in terms of business people understand, and it’s going to get us the things we need to actually fix the problem. And if we’re not, we need to fix the way that we talk about it. Strategy business all day long every day.
Steve King 16:11
Now, why don’t we do that? Maybe we maybe we need to hire an actor and write a script script for him and just send him into the portion 50 companies have a chat.
Chase Cunningham 16:22
Yeah, I mean, it’s, it’s a, I think it’s incumbent on those of us that are lucky enough to have any sort of audience to really work our heads around how we do better business speak. It’s not something that I’m good at, but I’m working on it. I’m trying like hell to learn how to do it. Right. And it’s, it’s not easy.
Steve King 16:40
So you’ve got quite a bit of that reach, I think, with your workshops, right. Can you describe kind of what your, you know, workshop offering is for our listeners?
Chase Cunningham 16:53
Yeah, I do a lot of advisory work with companies on looking at their security strategy. And honestly, it’s, you know, it starts very basic of like, you know, literally somebody whoever’s in charge. And if they don’t know who’s in charge, that’s probably problem. Number one, the problem number two is, whoever’s in charge, tell me what your strategy is. And it’s got to be something that I can understand in about 10 seconds. And if that’s not the case, we need to figure out how to fix that. And then other things follow along with that. But my, my whole focus is very real, very pragmatic, very practical. And I, you know, I let the I let the company educate me as to why they’re doing and how they’re using their strategy to address the issues they’re going to face.
Steve King 17:33
Yeah. And so how many versions of that? Are there? Do you would you say now, even
Chase Cunningham 17:38
though it’s different for every company? Everyone, it’s a different? It’s a different sort of stretch?
Steve King 17:46
Hmm. All right. Well, I’m watching the clock here. I got one more question for you. I think. So what do you see looking out into the future? And with your role in the evolution of zero trust, adaption? How do we turn up the heat in these markets?
Chase Cunningham 18:05
I think we’re doing it, I think it’s the boil the frog approach, you know, we’re we’re turning it up, you know, slow enough, and smartly enough that it’s going to happen, as things continue to evolve. Unfortunately, for the market in general, the more continued breaches and compromises and things that we have, the more we can kind of sit back and go like, look, we’re, we’re telling you, there’s different approach, you’ve tried what you tried, you know, well done. But there’s a different way to do this. So let’s explore that. And it’s happening, kind of whether folks like it or not, which means that I think we’re in the right place at the right time.
Steve King 18:38
Well, we’re going to give it our best shot here, we are giving our best shot here from a marketing point of view, taking the the strength of the ISMG network, and combining that with the, with the Institute here. And now we’ve got 1415 members there are so on the fellow Senior Fellow side there. And, you know, our objective is to make as much positive noise about why this makes sense as as possible. That hasn’t happened, you know, no, there’s been no central driving force. So we intend to be that central driving force. Let’s see if that doesn’t make a difference. And your participation has been really golden. In regard to this. I want to thank you, both personally and professionally for being willing to jump in and do all that you’ve done so far. And then, you know, our little session upcoming next week in San Antonio, I believe as well. So thank you, chase for all of that. And I hope I hope we see some progress as we continue on here.
Chase Cunningham 19:43
I think we’re, we’re making progress. So any progress is progress, and you just got to put one foot in front of the other.
Steve King 19:48
Sounds great. Alright, man, thanks for taking the time. I really appreciate it. I’ll see you next week. And thanks to our listeners, who I hope had an equally enjoyable time and Learn something from this and until next time, I’m your host Steve King signing off.