Cyber Reporting in the Age of Dis /Misinformation and Escalating Nation-State Attacks
Joe Marks, reporter for The Washington Post’s daily newsletter Cybersecurity 202 covering the policy and politics of cybersecurity joins us this week. He takes us behind the scenes of his many years covering cybersecurity and policy. Sharing insights behind the stories, the cyber reporting process and journalism in the age of dis/misinformation.
He also shares perspective on key moves made by CISA in bringing election and security groups together. And the ticking clock for government investment in cybersecurity to shore up defenses of federal agencies. To modernize state and local governments that are increasingly the target of ransomware and other disruptive ways of life attacks.
Cyber Reporting in the Age of Dis /Misinformation and Escalating Nation-State Attacks
[01:49]The Policy and Politics of Cyber Reporting
Rachael: We've got Joe Marks. He’s a reporter at the Washington Post. He writes The Cybersecurity 202 daily newsletter, and it's riveting. Every single one I read, and I can't get enough. I'm so excited to talk about all the amazing things he writes about.
Joe: Thanks so much, Rachael. You're far too kind to me.
Rachael: I can't imagine what it's like, because you write about policy and politics of cybersecurity. You've been writing about cyber for quite some time. What I love about the 202 is that a lot of them are short and sweet. Some are longer forms. I know that, but I've been looking through all of them.
In collaboration with the other writers as well, and there's so much volume to write about. How can you even narrow down when there's fires burning all over the landscape? How can you decide which ones you really want to dig into, and which ones that you can have folks on the team net out? Or how does that even work? I'm just fascinated.
Eric: That was my question. There's so much out there. How do you pick it?
Joe: That's been one of the strange benefits of having your main job being writing a daily newsletter. I write the extended top of the newsletter. Our researcher, Aaron Schaffer, writes a big chunk of the bottom and I help out with that sometimes. But my job is to write one thing a day. Most other reporting jobs, one thing happened and you're digging into and trying to get it out.
An Enterprise Piece
Joe: Usually you're trying to get an enterprise piece you've been working on for the last week. Fires keep popping up here and there and you can never focus on one thing long enough. I have the benefit once I figure out what that one thing for the day is. Provided something huge doesn't break that takes all the air out of the room and forces me to switch gears. I can really dig into it for that day.
Some days that means making a hard choice, because there's a huge amount of stuff going on. There are bigger picture things that I really want to talk about that I don't get a chance to. Then some days it's the dog days of summer and nothing is happening. You have to figure out what the heck you're going to write about. But sometimes one thing is easier than all of the things.
Eric: What happens when you pick the one thing, and then Sunburst goes public? That happens, it occurs in the afternoon. Do you pick it the next day? Or do you walk around like, "Oh, I picked the wrong one thing."
Joe: If it's big enough, we switch gears. When Chris Krebs was fired by tweet, I believe it was maybe 7:00 PM. I started making calls and emails and working on the next day. Something big enough happens and you switch gears.
Rachael: Absolutely, because it's important to be fresh and timely. That's the thing. If you're a day late, then you kind of miss the party.
The Whole 202 Franchise of Cyber Reporting
Joe: The goal of the whole 202 franchise, which is the Daily 202, Power Up, Health 202, Tech 202, is you want to give people something each morning that starts the conversation for them. Helps them understand what's going on that day, and gives a little bit of the second day story on the first day. So if you're writing about something that's out of the news by that point, you're not really doing that with people.
Rachael: I was looking through Twitter and it looks like John Oliver featured your infrastructure story on there. That was pretty cool, in a recent episode.
Joe: I have not watched it yet, I just heard about this. I was looking at all the tweets. It was not just me. I think that almost everyone who covers this stuff for a major publication got at least one story highlighted in that episode. But yes, I just realized that our former researcher, who's now at CyberScoop, Tonya Riley, was kind enough to tweet it out. It's a minor career highlight.
Rachael: I love that show, so congratulations on that. I really love the article that you wrote about it, too. You look at it, it's a $1 trillion infrastructure package of which $1 billion would go to state and local governments. A billion dollars, is that even enough? How far can that actually go?
Joe: I'm sure it's absolutely nowhere near enough. But it's really the first time any kind of cash infusion this size has ever been. It's not approved yet, it still has to go through the House, but has been seriously considered.
Having a Decent Cyber Reporting Hygiene
Joe: We were talking about what a massive lift it is to get even federal government agencies into a decent place of having updated equipment, having decent cyber hygiene. Things are so much more difficult at the state and local level. In a handful of places, I'm sure big cities, well-funded states care about this, they have made some efforts.
But you go down to especially not the top and mid-tier cities. You go down to my hometown of Iowa City, Iowa. I don't know what their annual budget is. But what's left over for cybersecurity is not enough to fend off a major ransomware attack.
Eric: We're seeing that in ransomware. We've heard about Baltimore; we've heard about Atlanta. But there are also a lot of second or third-tier locations that are getting pounded. They don't have the protections. The adversary is making the easy choice.
Why go after New York City or San Francisco when we can go after, I don't want to pick on anybody, but Fargo, North Dakota. I will pick on somebody. What is their budget, and what kind of control do they have? They're still going through digitization. Some kind of digital modernization strategy. We see that.
Rachael: It kind of gets to a really interesting point, particularly with your writing. It must be very difficult as we see these attacks happen, or ransomware, companies kind of caught off guard. As a reporter, do you ever just want to shake people in your writing. Like, "Why aren't you doing basic cyber hygiene? What is wrong with you?" You don't want to blame the victim. But sometimes you're like, "Some of the stuff is just 101.".
[08:09] A Shift That’s Been Happening
Joe: Yes, bigger picture. That's a shift that's been happening in the industry and in Congress over the last couple of years. I started covering this stuff for Politico in 2014. People say very often, "Let's remember not to blame the victim." At the level we were covering then, it would be intellectual property theft from China, stuff from Russia.
They can't defend against a nation-state. We're in the middle of a shift where you don't want to blame the victim entirely. But sometimes people leave the door open and so you have to draw different lines. No one wants to blame someone. You get caught through a zero-day on SolarWinds.
That is not something you can reasonably blame a company for. You get hacked because you were sharing a password without two-factor authentication. The password was something immensely easy to guess. At that point the victim does deserve some responsibility for what ultimately happened.
Eric: Do you find when you're speaking to either the victims or representatives of state and local governments or companies? That you tend to know a lot more about the industry, the threat, the risks, the adversarial intent, than they do?
Joe: It sort of depends.
Eric: Or are they pretty well informed, usually?
Joe: The people I talk with tend to be either the directors or the IT staff in these places. So the answer is usually no, but usually no one is listening to them. They understand what the threat is, but trying to get that out to the rest of the organization is pretty rough. I spent probably big chunks of 2019 and 2020 covering election security.
Cyber Reporting Made Sure They Understood What Was Going On
Joe: You talk to the secretaries of state, you talk to county level election directors. By and large, they really understood what was going on. They understood the resources they needed, they understood what the threat was in a pretty elaborate way. They’re the ones who taught me to understand it.
Because that's a very specific part of a specific niche area of a threat that has its own concerns. They've been dealing with security of all sorts, of different kinds, not just hacking, for decades upon decades. The issue is whether they had the resources to do it.
How you can get it done with limited resources, with a whole bunch of volunteers who tend to run things on election day. With not a whole lot of help from Congress for the first part of the Trump administration. Some more later, money comes out on cycles that aren't necessarily helpful for election administrators.
Eric: It's interesting you say that. How did they come to understand the threat, the risk? We mentioned Chris Krebs and CISA earlier in the conversation.
Joe: That's one thing I've been trying to look at. I was talking with people about it at Black Hat and DEFCON recently. Obviously, right now, the big push from the executive branch is on securing critical infrastructure. There were some elements of critical infrastructure that are really secure.
Financial services have been working on this for years, healthcare is getting better. There's some that have not gotten better over the last decades and are really quite vulnerable to ransomware. Obviously, elections were not critical infrastructure in 2016. It became so later, but we saw a real shift in a couple of years there.
A Tight-Knit Community
Joe: One was, this was a pretty tight-knit community of people who've been doing security of a kind for years. Not necessarily the complex election cybersecurity that we focused on from 2016 to 2020. But they've been securing against storms and securing against hurricanes, securing against power outages and things like that. So, they were used to dealing with complex problems like this.
The other part, I have some ideas about it, but I'm not 100% certain what it was. Part of it was a real big federal government push from CISA and those guys. A really strong understanding of the threat and a pretty good partnership early on between the Election Assistance Commission and what became the Cybersecurity and Infrastructure Security Agency. Matt Masterson, being the guy who moved between those two and brought the election folks to the cyber folks and the cyber folks to the election folks.
Maybe it was, if you get a certain amount of raw terror across an entire industry. You can make changes in a relatively short period of time, in very distinct ways.
You can get machines that have paper trails, you can get sensors on voting infrastructure, you can get these basic things in place. The question is, does that level of terror exist at this point, industry-moving terror across critical infrastructure? Have the ransomware attacks at Colonial Pipeline and JBS and elsewhere instigated that kind of terror? I don't know if that's true at this point.
Eric: With focus, we seem to have proven that we can protect ourselves in at least this example.
Joe: Yes, that's absolutely true.
A Diplomatic Component of Cyber Reporting
Eric: The election was several months, the election wasn't forever, it isn't into perpetuity. It was finite, although large and distributed amount, of systems and capabilities. It’s something the whole country did seem to focus on and we were successful. I might say there was probably a diplomatic component.
Joe: An offensive component. According to my colleague reporting, Cyber Command did shut down the Internet Research Agency for a chunk of time, too. There was a real focus on stopping the adversary in addition to this. To be clear, there are real problems.
They are wrong, but there are a number of people who will tell you that the election was not secure. There was a big symposium about it recently. There's a lot of disinformation still floating around about all of this. Things were not 100% secure and they never will be.
But on the absolute bedrock principles of having paper trails for votes, being able to verify that votes were counted correctly. Being able to scan networks, 95 to 98% of voting areas in the country were secured in that way. That was just a massive shift from 2016.
Rachael: That was one of the things I wanted to ask as well. It's fascinating we're still talking about the election. This cyber symposium with these promises that never really materialized. I was following that tweet thread, Robert Graham.
He's like, "I'm here in the front row, I'm ready to come up and talk " And they never called him up. What is that like? As a reporter, you have these follow-on stories. How much weight do you want to lean into certain things when the data doesn't materialize to keep legitimizing? Why does this conversation continue to happen?
[16:05] The Nature of Cyber Reporting
Joe: I think not just in cybersecurity. Although cybersecurity, just because of the nature of it, has had to deal with this more than a lot of other beats. Especially since the beginning of the Trump administration, to be blunt about it, but before then too.
The effect of disinformation has been really big. And the standard journalistic model of, "You find the truth and print it," isn't always perfectly capable of dealing with things like that. I certainly, throughout the Trump administration, got a lot of practice in figuring out the best way to possibly write about conspiracy theories. Because you want to explain what the theory is.
Sometimes they don't cohere internally, so they're difficult to explain. You want to explain that it’s wrong and that it’s baseless to the greatest extent you can. Then you want to explain what the truth is. That's a lot to do in a news article and in the morning newsletter.
You want to be really wary of and concerned about the extent to which repeating a lie, even if you're debunking the lie, sometimes is just in people's heads. There've been multiple studies about that. That's the thing we just haven't figured out.
You can't not address this stuff, on one hand. On the other hand, you want the result of journalism to be the closest thing we can get to a shared understanding of truth. If there is an extent to which the practice of journalism is not contributing to that, you have to reckon with it somehow. We're at the beginning of that conversation, not the end of it.
Journalists Report the Story They Want to Convey
Eric: I don't think all journalists would agree with that statement. Some might feel they're out there to not necessarily report the truth, but report the story that they want to convey.
Joe: Yes, it depends.
Eric: When I watch the news or read different periodicals, whether it's the Washington Post, the New York Times, the Wall Street Journal. Certain journalists come across as having a slant, in my experience. I don't know, I am really attuned to disinformation/misinformation. And Joe, it's really hard to figure out, "Is Joe Marks saying what he wants me to hear, or did he get to the bottom line truth to the best of his ability?" Some journalists are on a legit newscast or in a periodical, you'll see the opinion in columnists.
Rachael: Like op-eds, yes.
Eric: It's really hard for a lot of people to distinguish between, "This is factual reporting to the best of our ability," versus, "This is the direction we want to push our audience for ratings or for subscriptions," or whatever it may be.
Joe: Journalism has always been a much more complex landscape than just to find and report truth to the best of our abilities. 20 years ago, 30 years ago, you could read The Nation. Obviously it's reporting, but it's reporting from a particular viewpoint, same as The National Review or something like that.
That's nothing terribly new, and it's not exactly the op-ed pages, but it is journalism from a particular perspective. The mission statement of the Washington Post, of the news pages, not the opinion pages, is and has always been, "Find the truth and report it to the best of your ability."
Cyber Reporting in the Age of Social Media
Joe: This is true in cybersecurity, it's true in pretty much every beat. In the age of social media and competing things, where we're trying to figure out how to talk about that. The thing is that capital O, objectivity, has never been totally achievable. It's always been a thing to strive toward.
Journalism in general, those of us who try to be as objective as possible with the understanding that it's a goal. It's an end state, it's never a perfect and easy thing. They are in the process of trying to get better about talking about that process. Talking about trying to achieve that, not pretending that we can ever achieve it.
My newsletter comes out every day. That means I've got time to talk to three, four, five people before it goes out. Sometimes I'm working on other things. I do the best I can to present the best vision of what I think matters in an analytical way at 5:00, 6:00 PM the night before, and then that's what comes out. It's always going to be a rough draft; it's never going to be perfect. And it's never going to give you that perfect capital O objectivity that we strive for.
Eric: With the increase of disinformation and misinformation, I've seen a lot of studies saying it is on the rise. If you disagree, let me know, but how do you become more diligent? How has your job changed to try to get to ground truth? I imagine it's gotten more difficult.
Joe: More difficult, I suppose.
Eric: I don't know, maybe not.
The Thing About Disinformation
Joe: The thing about disinformation is, I'm not the target of it. I am, we all are, but if you have a Facebook or Twitter campaign saying that Black Lives Matter is trying to undermine voting in XYZ spots, that's not going to make it into the Washington Post. It's going to make it into your Facebook feed.
That's not the thing that precisely gets in the way. I will say that the range of things that politicians, members of Congress, will say and it's correlation with some version of truth that they are massaging, but not totally abandoning. That connection has gotten looser over the last 20 years, probably over the course of my entire journalism career. That's a challenge. If you're balancing something that has an 80% basis in reality versus something that has a 20% basis in reality, you don't want to make that a he said, she said.
Rachael: That's a great point. Do you find, speaking of journalism though, and things like Pegasus spyware? It's almost like the role of journalists has gotten a little more dicey these last few years as well. Particularly after 2016, I've spoken with other folks at The Wall Street Journal.
They were getting targeted in some way with people not happy with what they're reporting. Then now you're hearing this spyware happening in other parts of the world, and here. How does that make you feel about the future of the profession? It seems like it's more important than ever as we have all these other things going on.
Two Different Points
Joe: Two different points to that. One, spyware generally, Pegasus in particular, is one of the reminders about how truly international all of these concerns are. Once upon a time, surveillance was the business of a handful of governments.
A government's ability to conduct surveillance was roughly equal to its budget and its power elsewhere in the globe. Now, that stuff is all for sale. A, that just makes individuals less secure. B, it's a threat to the global progress of democracy. To the extent that it's making any progress these days.
If you can't organize and talk about the government in private in some way and speak your mind. Then it's just going to be much tougher to combat the government in any way. The power of totalitarian regimes, or authoritarian regimes, to limit and track their adversaries. Whether they're journalists, activists, whoever, both at home and abroad, which is what a lot of the Pegasus project uncovered, is really concerning. The power of authoritarians to retain power is getting greater attention, and technology is enabling that.
Eric: Well, and you combine it with the disinformation/misinformation component and it becomes really scary. Because now that narrative is really being controlled in some ways.
Rachael: It's an interesting dovetail, you had written this article too, about what's going on with Apple. How they scan for child pornography, but it's kind of this full circle. We were talking about this, years ago when there was a gun attack. They were in California.
Joe: In the San Bernardino attack, yes.
[26:15] All the Things That Could Go Wrong with Cyber Reporting
Rachael: Yes, and now here we are back again with this discussion about the back door and all the things that could go wrong. But then you weigh that with what could go right in terms of trying to mitigate illegal activities. Although I think from that article, it was also talking about, "Well sure! You shut this pathway down, they're going to find another," which is always the complexity there.
It was such an interesting article because I felt like you gave me this whole 360 view. I would be so angry; I just want to talk about that. But you get in these very meaty subjects. How do you navigate forward, and can you only do one article, too? It seems like some things are so much to explore. How can you just do it in an 800-word or 600-word article?
Joe: Another good thing about the newsletter is that I don't have to. I got to get 600 words out every day, but there's always another day. There's always another shot at it. And Apple scanning system, I'm sure I will return to at some point in the future. On that point in particular, I find that fascinating because of the going dark debate.
And this is sort of an extension of the going dark debate, not exactly the same thing. It has been going on in some form since the '90s, more explicitly, since 2014. When FBI Director Comey started sounding alarm bells about the way end-to-end encryption was keeping them from doing investigations. We are in this process of trying to figure out this balance between privacy and security.
Joe: In 2014, what the FBI wanted was some kind of backdoor access into end-to-end communications. Really the vast majority, as near 100% as you can get of cybersecurity folks said, "That's a bad trade-off."
Eric: Apple said, bad trade-off.
Joe: Yes, Apple said it was a bad trade-off, as did most other platforms. This is not to say that the people you're trying to find and gather data on with a warrant is not valid and important. That they would not contribute to catching terrorists, criminals, purveyors of child pornography and other bad people. But the trade-off for everyone's cybersecurity is too much. It seems like the vast majority of cybersecurity folks say, "It's still a bad trade-off." Even though, this could make a big dent in the spread of child pornography material. This could protect a lot of children from perhaps abuse, certainly from that abuse being spread and repeated over and over again.
Most people still say it's not worth the trade-offs of what could happen with the system. But some people say it is worth the trade-offs. That's a balance we're going to have to strike at some point, and it's not a decision that's going to be made by technologists. It's going to be a decision that is made by lawmakers and the people who vote them in or out.
It is something that's never going to go away. We're going to make a compromise at some point, in some way on this, between technology companies, lawmakers, and voters. That's going to be an ongoing dialogue for the foreseeable future.
Cyber Reporting and Its Main Pivot Points
Joe: Ideally, one thing you can say about the Apple system is it was probably developed under pressure from the government to some extent. But it was not developed in response to a particular crisis.
In the past, each of the main pivot points we've had has been about a crisis. It was about the San Bernardino shooting and trying to get into that iPhone. There was another situation somewhat like that. It was the second time around, so it didn't get as much focus a couple of years later. There was the Bill Barr push on limiting the spread of child pornography. This was not in response to a crisis like that.
There’s one thing that people have said that has struck me. It’s that at some point, if we don't come to a compromise eventually, it's going to happen in a crisis. Congress is in an uproar. They're going to pass something that doesn't make a whole lot of sense. It's going to be worse off for everyone.
Rachael: It's a really great point you make. It seems like there's this ongoing dialogue in cybersecurity and you are being too alarmist. You're like Chicken Little and the sky is falling. But we have this continuous discussion of has the bottom truly fallen out yet? It seems like you can't really win.
Eric: You can't win, we know that.
Joe: It's amazing to me, and you guys have been in this field much longer than I have. You are much more knowledgeable than I am. But in 2014, I started covering this. Maybe a month or two after we launched the Politico Pro morning cybersecurity newsletter, now weekly cybersecurity. It mostly went behind the paywall.
Joe: But a month or two after we launched that, out comes the PLA indictment for the very first time. It was a watershed, it was huge. I remember I thought it was the most huge thing that could happen. Then there was JP Morgan, and then there was the 2016 election, and then there was SolarWinds. And then there was this spate of ransomware attacks.
Whoever would have thought that a president of the United States walking up to Vladimir Putin with a list of the 16 critical infrastructure sectors and trying to cut a deal on it? That was not envisioned in 2014. It seems as if we're not near getting a handle on it. It's going to get bigger and the bottom is going to keep falling out more over the next several years.
Eric: We've been talking about that for years. Even on the show for years, it keeps getting worse. There hasn't been a red line, there hasn't been an answer. A silver bullet, which we know doesn't exist in cybersecurity. You've got endless lifetime reporting coverage, which is one of the positives.
Rachael: Great job security, yes.
Joe: One of the few journalists with career security, yes.
Eric: My mother used to tell me, I may have mentioned this on the podcast once. She was like, "Become a mortician, you're in business for life." I'm like, "Not the business I want to be in." Same thing with cybersecurity. It would be great if we could secure our infrastructure.
If we could secure systems and communications so people could go on creating things. They could focus on doing the job, the business, whether for pleasure or for work, that they want to do. We're definitely getting further behind every year.
[33:31] The Headline
Rachael: The Senate Homeland Security Committee recently updated their report. The headline was, data is still at risk. Joe, you're in the underbelly of government and politics. Can these agencies ever get to a good place? Your article acknowledged some of the challenges that are there in terms of how they operate. You see CISA's doing really well, but that's the charter, basically, of what they do. How do other agencies get there? Can they get there?
Joe: I think they can.
Eric: CISA, part of their charter is being responsible for and helping protect the infrastructure of America. I don't think they're doing very well there. That's a very difficult task, many would say impossible. And that's one where you don't have that direct control, that direct funding. That's a struggle.
Joe: Just to take the first issue, can the government get there? It's never going to get there 100%. Can it do a lot better? Absolutely! It goes back to what we were talking about with the elections model. Is there enough terror? I started covering government technology for a site called Nextgov. It was part of Atlantic Media; it's split off now. But back in 2011 was when I arrived there, before I was covering cybersecurity. Covering the terrible legacy systems, 50-year-old systems at IRS. And all of the old legacy technology spread all across the government for a couple of years before I started covering cybersecurity.
What is it going to take to fix that? It could happen, but it's going to take lots of money and a very concerted effort to do it. It's probably going to take a lot of terror to do it. You've seen big changes.
A Big Cyber Sprint
Joe: After the OPM breach, there was a big cyber sprint by the Obama administration that made real strides. Things got substantially better after OPM. They didn't get better enough. SolarWinds still happened. You saw some big changes over the last several years with the creation of CISA out of the NPPD.
New authorities said that CISA has to issue these binding operational directives. They’re saying, "You must get to a point where you are patching software within 30 days or 90 days, et cetera. You must remove Kaspersky and Huawei from all of your systems."
There are big government-wide things that are happening. Is it keeping up with the pace of the threat or falling behind? I'm not sure, and it's certainly not solving the problem to this point. Could there be something big enough that it would instill terror to make that happen? I don't know. Clearly, OPM and SolarWinds have not been enough yet.
Eric: There will always be risk in the system, just like you will always have criminals in society. How do you protect yourselves? Where do you spend your time? I'm certainly not seeing enough focus on risk, high-value assets, and understanding the business. I know we're talking about the government here, but understanding the business of the government.
What is the mission-critical component? What's the most high-value component of the business that we've got to protect? I see a lot of peanut butter spreading, a lot of mandates coming down from the administration, congressional inquiries. We look at the FISMA reports. You do this compliance checklist-based security.
What Business Are We In?
Eric: Where I have yet to see many really say, "What business are we in? We only have so much, so many assets. Where's the risk and how do we protect that to the best of our ability?" We just aren't having that dialogue yet.
Joe: To their credit, there is a lot of talk about that. CISA talks endlessly about high-value assets and so forth. People understand it, but the extent to which that becomes a box-checking exercise at the agencies when it gets there? Many people understand the scope and the nature of the problem. The will to actually fix it is perhaps not there yet.
Eric: I am seeing, in my travels, the understanding of the scope, which you speak of. It's growing from people who've been in their end of career, where they never worked with computers, in some cases ever. They have people who still print out emails for them, believe it or not. They're starting to understand, we see it in the commercial spaces, board-level issues.
The government is coming up to speed there. But I do think generationally, there will be a growth as people age out of the system. The millennials in the workforce that grew up with some level of compute understanding, they've just got a better understanding. I'm running this financial application for the IRS. Oh, okay, so there are bad guys.
There are adversaries out there who can not only go through physical security, which was the old concern, stealing paper. But they can come in electronically, or they can come in through a partner. I am seeing growth there, it's just that, it's not fast enough.
Dedicated Government Agencies
Rachael: But how can it be? You hear about this other great article too, it's about ransomware. We can't stop hearing about ransomware today, but it was interesting to see you consider folks like China. They're in their infancy. Iran, Brazil, and these countries that actually have these dedicated government agencies, that's all they do.
Like in Russia, you hear this is all they do. They are just focused on attacks. How do you combat that when you've got so many players out there? And they're incentivized by the government to go out there and do damage. How do you get ahead of that if you're in the US?
Joe: That's the challenge we're facing. You make a good point that so far, what we've paid a whole lot of attention to is about attacks. Cyber attacks from these near-peer Russia/China adversaries. We are significantly concerned about Iran and North Korea.
We're increasingly concerned about cybercriminals that operate with impunity in Russia and former Soviet territory and a few other places. We haven't gotten so concerned yet about all of these second-tier nations that are developing hacking capabilities, trying to find their own zero-days.
That's the world that's going to emerge. Every conflict is going to be a cyber conflict. Israel and the Middle East is going to be a cyber conflict. It already is to some extent, Pakistan and India. Any place you look at conflict in the world, there's going to be a really heavy digital component to it. I’m not sure that we were remotely prepared for that world.
Eric: We'll have to be. It's been a great discussion, but what inspired you to move into cybersecurity?
Cyber Reporting Covers Anything That Touches Technology
Joe: Like most journalists, I had very little power over my career and I just fell into it. It would be hilarious to a lot of people I grew up with that I am covering anything that touches on technology. Because I was a geeky English major in college, and that's still my character in many ways.I came to DC for grad school, in international affairs, having been a journalist for many years in the Midwest. And I wanted to work my way into the East Coast media establishment. Showed up for grad school in 2008, left in 2010. A lot of things went wrong in the country during that time period, including journalism contracting by about half to two-thirds.
The job that I got not directly, about a year out of grad school, was covering government technology for Nextgov. Which is a great site if you're at all interested in government technology. Did that for several years, and then Politico was starting its cybersecurity, Vertical. Politico Pro's Cybersecurity Vertical.
They DM'd me and figured that a background in government technology was close enough. Surprisingly, given how important this stuff all is, there's still maybe two dozen reporters who really cover cybersecurity policy in a dedicated way. Back then there were half a dozen or so, so you sort of had to look elsewhere.
I was lucky enough that they looked for me. The beat got bigger, and I was lucky to just kind of ride the wave. What a great thing to cover for these last six years, not just because there's always something happening. Not just because it's become a bigger concern in Washington and the rest of the nation and internationally.
[43:26] A Big Element of Cyber Reporting
Joe: But also because it incorporates pretty much anything that you could be interested in. It is what always keeps me interested. There's a big element of intelligence in this, there's a big element of economic security in this. There is certainly a good chunk of technology, which I'm still not great at. I just know who to call to explain it to me.
There's just a big chunk of global international conflict. Just basic questions of national security. How a country values what it takes care of, and what it takes to run a country well. That increasingly, is a White House concern. It's been a fascinating thing for the last six years, and I'm sure it will continue to be.
Eric: It strikes me that your path isn't dissimilar to other English majors who go into business, or marketing majors, or finance. Cybersecurity is all around us. So, interesting.
Joe: I'm surprised by how many people in the industry I run into who were history majors and English majors. This is not a field of mere technologists, even though there's some amazing technologists among this industry.
Rachael: It sounds like it has all the great components too. I feel like you need to write a screenplay or something, this amazing thriller, this action thriller. Nobody would believe it, either. If you were to write of all the things that you've covered over the years, that would be amazing. That or a book, or both, I'm just waiting for them. Whenever you're ready, I'm here.
Eric: You can see the artist in our podcast here. I agree, though.
Rachael: Joe Marks, thank you so much for joining us today. This has been so much fun talking to you. Really appreciate your time.
Eric: It's been great, Joe. Love reading, keep sending that information, putting the information out there. Cybersecurity 202, what's the best way for people to get to you?
Joe: You can subscribe to the newsletter. If you just Google Washington Post Cybersecurity 202, you can get to one of them. There's a quick sign-up link there. If you go to find me on Twitter, I'm joseph_marks_. Go there, in my bio you can see a link to click subscribe to the newsletter.
If you don't want to have it in your inbox every day, you just want to Google it sometimes. Just Joseph Marks Cybersecurity 202, click my bio on the post site. You can get pretty much everything I've ever written in reverse chronological order.
Rachael: Highly recommend subscribing, everyone. Please subscribe and read it because you learn so much. Thank you, Joe, for all the work that you do. I feel like a smarter person every time I get to read one of your articles. It’s like I'm getting a nice 360 view because you do get great points of view represented there. To all of our listeners, thanks for joining us this week. Subscribe to us as well, get a fresh episode in your inbox every Tuesday. Until next time, be safe.
About Our Guest
Listen and subscribe on your favorite platform