As host of The CyberWire podcast, Dave Bittner talks to leaders from throughout the cybersecurity industry on a regular basis. From his industry-wide perspective, here's what he sees as the biggest secure communications challenges that need to be tackled.
On this week's episode of The Secure Communications Podcast, guest Dave Bittner talks about how COVID-19 has altered the way that people and organizations think about cybersecurity, and why ease of use is one of the biggest challenges facing the cyber industry.
Welcome to the Secure Communications Podcast
Data in motion is complex, chaotic, and unsecure, but the ability to seamlessly communicate is what drives innovation, growth and progress. Discover how the leading minds in the fields of technology, cybersecurity and communications are tackling the challenge of securing data in motion, and gain insights into what’s new and what’s next on the Secure Communications Podcast. Each week, host Kathleen Booth interviews bold thinkers who are developing and/or employing transformational technologies to solve communication security challenges.
In this episode
Dave Bittner has a unique perspective on the cybersecurity industry. A professional podcaster who is the host of The CyberWire, Caveat and Hacking Humans shows, he has interviewed many of the leading minds in the fields of cybersecurity and been amongst the first to hear about cutting edge new technologies.
In this episode, he shares his insights on the impact that the COVID-19 pandemic has had on the way the general public thinks about cybersecurity and what that means for the industry, and explains why he believes that usability is the biggest challenge that cyber companies need to address in the future.
Listen, watch, or read
Want to what Dave has to say about the biggest challenges the cybersecurity industry needs to address?
Kathleen (00:27): Thank you for joining today's episode of The Secure Communications Podcast. I'm your host Kathleen Booth. And today my guest is Dave Bittner who is the producer and host of The CyberWire. Welcome Dave.
Dave (00:46): Hello, glad to be here.
Kathleen (00:48): So good to have you here. It's such an interesting opportunity for me to interview another podcast host. I feel like you're in such an interesting position as the host of a podcast that is really all about cybersecurity. You have a very interesting vantage point on what's going on in the industry. So I'm really looking forward to picking your brain about that, but before we get started on that for those who may not be familiar with The CyberWire or with you, could you talk a little bit about, you know, what The CyberWire is and your background and how you came to be host of the podcast?
Dave (01:21): Sure. So The CyberWire itself is a company that has a, a number of different products that we put out there. We have our CyberWire daily briefing. That's probably the thing we're known best for. It's a daily newsletter you can subscribe to. Comes in your email. Basically it gives you a, a short, brief rundown and analysis of all the things you need to know about today in cybersecurity. Along with that, we do The CyberWire podcast, which is a podcast version of that briefing with some extra stuff thrown in. We have interviews with people and partners we talk to. Again, just a, a short, concise, brief summary of the things that you need to know as a professional or enthusiast or student in cybersecurity. We have other things we do. We have other shows. I produce, cohost, the Caveat podcast, the Hacking Humans podcast.
Dave (02:11): We do a show called Research Saturday, which we run once a week, which is all about interviews with people who are doing research in cybersecurity. We've started a number of new shows. So we just brought on Rick Howard, who is our chief analyst and chief security officer. He used to be the chief security officer at Palo Alto Networks. And so he's got a couple of podcasts he's starting himself. And we just started running those. We also just launched a pro version of our podcast, which has additional information insights. There are more more podcasts, more analysis. Just a lot more detailed stuff of the things people have come to rely on us for. So for folks who want to take it to the next level, we have that as well. My own history, I have a background in broadcasting and digital video and that sort of thing. I came into the cybersecurity world probably about five years ago. And that was along with starting The CyberWire. We got spun off from a cybersecurity company about four years ago. So my journey began about five years ago.
Kathleen (03:18): Well, all of a sudden I'm feeling incredibly intimidated because you host something like five podcasts. And so now I'm feeling like I need to really up my game and make sure I, I match your, your expertise here.
Dave (03:33): But it's not, it's not a contest, Kathleen.
Kathleen (03:35): I know, I know. No, but that's great. I think it's so fascinating. And I love what you guys are doing. Side note, if, for those who are, some people may be listening to this, but others may be seeing this on video. If you're seeing this on video, hat tip to Dave who has the awesome Zoom background of the Millennium Falcon.
Dave (03:55): She may not look like much, but she's got it where it counts.
Kathleen (03:58): Oh, she holds a special place in my heart. And we are recording this on May 5th. I did note that yesterday was may the fourth and of course, may the fourth be with you, so we are a day late, but, but we'll extend it for a day.
Kathleen (04:13): So what I really wanted to talk with you about was just this whole topic of secure communications. You know, this podcast kind of covers a range of topics that are under a large umbrella, all having to do with securing data in motion, which you know, which does cover a lot of different things. And that's why I was particularly interested to chat with someone like yourself, who, who does get to talk with practitioners from different parts of the industry, people from different companies, researchers you know, and, and has insight into all the different things that are happening. And so I would love to just hear from you, what are you seeing in the landscape of secure communications technology and, and, you know, what do you think are the biggest challenges right now really that we need to address?
Dave (04:58): Hm, well I mean, these are certainly interesting times when it comes to secure communications, right? I mean, I think we were sort of, I'd say, rolling along in a, mostly an evolutionary mode where folks were bringing new things to market. Had new ideas. But then all of a sudden we had this COVID-19 thing happen. And now, with so many people working outside of the office, working at home, that really shone a light on all of this stuff. And then also, all of the scrutiny that Zoom has been under for their own security issues, shortcomings and so forth. You know, you and I are, are using Zoom right now to record this conversation. And I think that also brought to light some of the disconnects between maybe what some organizations' marketing messages may be about their security, about whether or not things are truly end-to-end encrypted or not, and made people take a second look at that stuff to make sure that what people are promising is what is actually being delivered.
Dave (06:08): I think coming into this, I think there has been a lot of confusion when it comes particularly to VPNs, because there are so many providers of VPNs. And I think especially on the consumer side of things, and I would, I would include small businesses with that as well. The folks who don't necessarily have a dedicated IT team who really know all of this stuff inside and out. It's hard to know who to trust when it comes to having a provider for your VPN, because there's so many out there they all promise the world. And then how many times have we seen that such and such VPN provider either was leaking information or was breached or, you know, so on and so forth? So I think we've seen more scrutiny with those sorts of things. And then on the policy side of the equation, we're seeing the ongoing crypto wars, if you will, where we're seeing legislation coming through, where, you know, some folks in government and law enforcement are saying, we need to have backdoors to some of this stuff.
Dave (07:17): And in response to that, you have companies, Signal, for example, who are famous for their end to end encrypted messaging and video chat app, has said, if you do that, we may have to pull out of your market. So I'd say it's interesting times. I think there are opportunities there for organizations. And I would, I would put Attila in that group who have, who have offerings in this space and who can make a clear presentation. Can make their case in plain English for why whatever they're offering is going to provide their customers with what they need, back that up with the documentation and the, the science for how it actually works, differentiate themselves and make it easy for people. Because I think that's another barrier. If, if it doesn't work, if it gets in my way, if it slows me down, if it's a speed bump for me, or roadblock, I'm gonna - most people are going to go for convenience over security, especially if they just have to get their work done. Right? If I'm sitting in that airport well, airport is probably not a good example, right?
Kathleen (08:33): There are still people flying. There aren't that many of them. But there are still some.
Dave (08:38): But let's use that as an example because it's one that everyone can imagine. If I'm sitting there and I've got work to do, and I've got, you know, emails to exchange and I just can't get my secure communications working and it just keeps throwing up errors, well, I've still got work to do. And so I'm going to, chances are, I'm going to take that risk. And so that's the thing that I think we need to, to work on and that folks can differentiate themselves with, by having it be effortless and seamless and just work. I think that's the real thing people are hungry for.
Kathleen (09:09): Wait, I think that's so true. I heard someone once say that every end user is their own CIO, because you can give them any tech you want, but as soon as they, as you say, as soon as they hit a speed bump, they're going to make a decision that works best for them. We're all very inherently selfish. Right?
Dave (09:27): Right. Yeah. One of my cohosts on the hacking humans podcast, Joe Kerrigan, he works at Johns Hopkins and Johns Hopkins is, as everybody knows, in addition to all the tech stuff they do in the university, they have a hospital. And so Joe makes the point that when it comes to doctors, if there's some security thing that's getting in the way of them providing treatment, there is no ambiguity as to what takes priority. That security thing is out the door. Because they're literally dealing with life and death situations there.
Kathleen (10:01): Yeah. Especially at a time like this. I think it's really interesting how you frame this because I hadn't thought of it in this light, but now I'm, I'm kind of seeing what you're saying, which is that with everything that's happened with the coronavirus, I mean, we're in cybersecurity. So we're talking about and thinking about security all the time. But yeah, I, you know, I don't come from the cybersecurity world and, and I can say firsthand that most people don't think about it very often, if at all, unfortunately. And what's been really interesting to me as this has unfolded, and I think Zoom, as you raised, it's the perfect example of it, is that, you know, you take a platform like Zoom and I've used it at, at every company I've been with for the last several years extensively and no one ever raised a concern about security.
Kathleen (10:55): And it took this strange set of circumstances, this pandemic, where we're all working from home, including organizations that really do have to worry about security, for those concerns to kind of bubble to the surface. And I think at least what I've observed is that it's starting a conversation that really wasn't happening before in places that, that weren't thinking about this topic. So, you know, I feel like coronavirus is, is accelerating a lot of things, you know, remote work, you know, all kinds of telemedicine. All kinds of different things are speeding up the pace at which they roll out because of this. And it's almost like the conversation around security is, is, is falling into that category as well. Like companies are starting to talk about things they weren't talking about before, or at least that's what it seems to me.
Dave (11:48): Yeah. I think that's a good point. I mean, one thing that I think about when it comes to this stuff is if you think back to the days before we had things like Touch ID and Face ID on our phones, on our mobile devices, or on the Android side of the equivalents to those, I would say a lot more people did not lock their phones as a matter of habit before we had those quick, easy, seamless ways to do so. Right? And so in making that layer of security, frictionless, making it almost instantaneous, you had huge adoption by a wide swath of people who never thought that that was important before. Again, convenience trumps security so many times. So by making that easy for folks to do, we had this, almost a side effect of, widespread adoption. And I think there's also kind of a coolness factor there that I bought this device.
Dave (12:49): It has this cool new thing. Hey, look at this cool new thing. And that's great too, but if you can make it fun for people, make it seamless, you know, that that to me is a, is a win win. How interesting now that, you know, Face ID is having some, some challenges with people wearing masks. So Apple is pushing out some updates that are, that are going to help, you know, make that a little, a little easier for folks who are wearing masks. So could we find ourselves a little, maybe a half step backwards? But yeah, I, again, I think it, if you want people to adopt it, you gotta make it so it just works.
Kathleen (13:24): You make a really good point. And I, I, the last interview I did for this podcast was with Nigel Jones from KoolSpan, who talked about exactly that with mobile communication security. That really, for any solution to be effective, it has to be completely built in to the device, to the application. It's like, you really can't add any extra steps for users because any extra steps are going to serve as an impediment. And I think in general, that does point to this, this notion that user experience is, is almost as important, if not more important than the tech. You know, it, it's not the thing that we talk about as much. It doesn't seem as sexy as some of the cool cyber technology out there, but it's, it's so critical.
Dave (14:10): Yeah. And I think because also when the thing works properly, nine times out of 10, you don't notice the nine times it works well. You notice the time that it frustrated you. The time that it kept you from doing the thing that you want it to do. I notice this with using things like Siri on again, on, on my iPhone. If Siri gives me the answer that I want or what I'm looking for over and over again, that's great. And I appreciate that. But boy, that time when I ask something crystal clear and she comes back either with a nonsense answer or whatever, that just registers with me. And I'm more, I'm hesitant to use Siri next time because they wasted my time.
Kathleen (14:53): It's so funny because this happened just last night in my house. My husband was trying to ask Siri something and I mean, he was being pretty clear and she just, she was not getting it and he must have tried five times and then he just started to yell at her as though she could understand. And I, you know, I watched him spiral into this like Siri rage, so absolutely.
Dave (15:19): Everyone else in the house, it's just glad that it's not them, right?
Kathleen (15:22): Yes, exactly. So, so you have this interesting purview sitting in the seat that you do and talking with all the different people that you talk to. I'm curious, you know, who do you see out there that that's doing really interesting, groundbreaking work in this area of secure communications technology - company or individual?
Dave (15:45): Hm, that's interesting. I don't know that I have actual names to share. I mean, I, I think, I think maybe another way to come at this is that it seems to me like a lot of this is becoming ubiquitous. In other words, the expectation is that our communications are going to be secure. I see a lot of people we mentioned earlier. The Signal app, you know? To me, that's a good example of something that is written from the ground up with security in mind. It is open. So it's been vetted by people who have no skin in the game, no financial interests in their success. And so, the widespread adoption of that, I think, is very interesting. It demonstrates there's a desire for it. Other apps like, you know, Apple's texting app has end to end encryption.
Dave (16:55): So I think, you know, things like that are becoming part of the expectation rather than an added feature. Again, I don't know. I wonder how that's going to bump up against law enforcement from the policy point of view because there, and law enforcement has a legitimate desire to be able to do the work they need to do. But if encryption - encryption is not hard anymore, right? It's not exotic. It's not hard to do. So, if you take away my Signal app, I'm sure there's going to be someone somewhere around the world who's going to spin up an app that I'll be able to download, even though I'm in an area that has no, where it's illegal...
Kathleen (17:38): Right?
Dave (17:39): ...technically. So it, you're not going to be able to make it unavailable. Maybe inconvenient. So I don't know.
Dave (17:49): I, I guess it's a roundabout answer to your question, but I, I, part of my answer is that I don't know that I've seen anything recently that has made me go, "Oh, wow. That's really interesting and new." Actually, you know what, I'll, I'll take that back. I think some of the interesting work I'm seeing is in some of the really advanced encryption technology, like the folks at Envail who are doing work with homomorphic encryption, where you can you can look at the, you can, you can perform calculations and analysis and so forth on the data that has been encrypted without decrypting the data and without revealing what the data is. And to me, this is, that is like that old saying from Arthur C. Clark, that a high enough level of technology is indistinguishable from magic. You know, I understand that they're, you know, very, very smart people working on these things and and it's amazing that they can do the things they do. So will we see those sorts of things become part of the day to day? Will everything be encrypted so that if some, if there's data breach that it doesn't matter because it all has strong encryption and, you know, you're, it's worthless that way? I think it will be interesting to track that as well.
Kathleen (19:12): Yeah, it's fascinating because I was just talking with someone yesterday about quantum computing and how, you know, it's probably not going to really roll out for 20 to 30 years, but, but what most people don't really consider is that it's still a risk now because data stolen now can be held. And as soon as it becomes viable, you know, essentially, that data can be cracked. And while that might not matter if it's your, you know, today's checking account, it does matter when it comes to, you know, government data, other intellectual property, some, some personal information, health related information, et cetera. So, yeah, it's, it's interesting to think about, you know? The risk is, is very real now, even though the possible compromise of the data isn't coming for awhile.
Dave (20:05): Yeah. And we've certainly heard those stories that our adversaries, you know, might be a, you know, vacuum, vacuuming up encrypted data that they've gotten access to. And like you say, even though it's not useful to them now, it doesn't mean it won't be useful to them later. I like, there's a joke about quantum computing that it's kind of like fusion energy, that it's, it's always 20 years away, no matter when you ask. I don't, I mean, I think there's definitely progress being made on quantum computing, but yeah, it's definitely seems to be fuzzy as to when, when it'll actually make a difference in our lives. And I don't have a good sense for what that timeline is.
Kathleen (20:46): Yeah. So when you think about the, all the change that's happening, you know, we talked about quantum computing and we talked about this push and pull between people wanting stronger encryption and the need for law enforcement to have back doors.
Kathleen (21:04): When you think about this whole landscape that we're in right now, what do you see as the biggest challenge that we're going to face in the next year with respect to secure communications?
Dave (21:13): I think it's, I think it's the human side of it. I think if we look at how people are being attacked these days, a huge percentage, depending on who you ask, the people will say up to 90% of breaches start with a phishing attack. So taking advantage of our natural human impulses to either be helpful or to respond to something that makes us fearful or trigger some kind of emotion in us. And the bad guys know that. They take advantage of it. The techniques they're using are not new techniques. These are age old scams that have been adapted to the modern age. So, I think being able to have the machines assist us with that, to be able to do a better job at looking at our communications and saying, "Hey, this doesn't, you know, the, this, this this return email address looks like it's coming from inside your organization, but it's not, in fact, it's routing back to some bad place that, you know, so don't click on this." Those sorts of things.
Dave (22:29): But then also, you know, assisting us, basically having our back. You know, being that, that virtual assistant who can help. If you look towards the future, you know, I can imagine a system, you know, maybe making use of your web cam or something and saying you know, "Hey, Dave you seem a little wound up right now, are you sure you want to hit send?"
Kathleen (22:59): Oh a lot of people could benefit from that.
Dave (23:02): Or maybe I could tell my computer, I could say, listen, if you notice that my heart rate has increased, you know, because, because I'm wearing an Apple watch or a Fitbit or something like that. So you have your, you're sensing into my, you have a view into my biology, right? So if you notice that while I'm responding to an email that I'm getting a little wound up about something, and you notice my eyes are moving around or whatever, I want you to automatically hold that email for an hour before you send it. And then before you send it, I want you to check back with me and say, "You wrote this email an hour ago, and since then your blood pressure has gone down. Are you sure you want to, you don't want to take another look at this?" Right? So maybe that way, the technology can have our back protect us against ourselves. Some of our impulses when it comes to those emotional responses to things.
Kathleen (23:55): Yeah, the, the topic of human, the human element has come up a lot in the conversations I've been having for the podcast. And, you know, it's, it's interesting because I think in cyber, we, we do many times think technology first. But this can't, you know, at least right now, it can't be solved by tech. Although I love some of the ideas that you just mentioned. I wish those existed, you know? That and a breathalyzer that you have to blow into before you send an email or a text or a post to social media. But in the absence of, of a tech solution, you know, how do, how do we solve this? I mean, how do we solve the human thing? Because it seems like there are, there is plenty of training out there, but it goes right back to what you said in the beginning, which is that, you know, we're, I hate to use the word lazy, but in some respects, it's true, you know? It's, we, we follow the path of least resistance.
Dave (24:50): Yeah. And I think rather than saying we're lazy and I think it's true, w,e are you know, I certainly, speaking for myself, I am. But I think it is probably a better way to say it is that we're human. And so we just, we, all of us have these human frailties and shortcomings, where the way that we're all wired, we respond to certain emotional impulses. And all the data and science shows that the bad guys know how to press our buttons and they know how to get us to do things. And so there's no shame in that, right? And so, so I think an important notion here is that organizationally, when you're building your company culture, if someone does accidentally click on the link or forward the email or, or whatever, there shouldn't be punishment for that.
Dave (25:46): That should be an opportunity for education and figuring out, you know, why did we as an organization become a victim of this? Why did we fall for this? Did we fall short on training? Did we fall short on, on tech? We fell short somewhere. How could we have done a better job and not shame someone? Because I think if you have people functioning in an environment of fear, then they're going to be afraid to report anything to you. And you want those open lines of communication so that everybody in the organization knows what's going on. I think it's another interesting point is we're all working from home here with coronavirus is that makes it a lot harder to poke your head in your colleague's office or the cubicle next door, and say, I just got this funny email, or the boss just asked me to wire $25,000 to someone right away. Does that sound right to you? No, it's harder to have those little conversations that I, that are useful for checking things out, slowing us down, you know, having a little personal cross human backup before we do something that we may later regret.
Kathleen (26:58): Absolutely. Yeah, it does present new challenges and certainly the, the threat landscape has gotten bigger. You know, I've been just so disappointed to see the, the escalation and attacks that have happened since this all started, not just against, you know, the average person working from home, but against health care facilities and, you know, just, Ugh.
Dave (27:19): Yeah. And just some of the, the, these folks have no shame. You know, some of the despicable attacks of claiming that you know, someone you love is, has the disease, or if you don't send us money, we're going to infect you or one of your loved ones or something like that. You know, they don't, they have, no, they have no honor, they have no scruples. And so that's who we're up against.
Kathleen (27:42): Yeah. There's a special place in hell for people who take advantage of something like this.
Dave (27:48): Agreed. Agreed.
Kathleen (27:49): Yeah. Well, this has been so interesting. I could talk to you for hours. I love, I love the perspective you have, you know? Because normally, when I chat with folks, they're from a particular company, or, you know, they've, they've created a certain technology, but it's interesting to speak to someone like yourself, who, who has this perspective of, of looking at the industry as a whole.
Dave (28:10): Thank you. Yeah. Thanks for having me. No, it was a real pleasure. Thanks for extending the invitation. This was a lot of fun.
Kathleen (28:17): Absolutely. Well, if you are listening and you enjoyed this episode, please consider leaving the podcast a review on Apple podcasts or wherever you choose to listen. And we want to hear from you. If you have an idea for a future episode or a future guest, tweet us @Attilasecurity. That's it for this week. Thank you so much for joining me, Dave.
Dave (28:37): My pleasure.