Ripped from the Headlines with Eric and Rachael
This week, Eric Trexler and Rachael Lyon get To The Point on the latest cybersecurity headlines such as Colonial Pipeline, ransomware, the double extortion trend, the new Biden Executive Order on improving the nation's cybersecurity, a new Gartner report this month noting cyber spending will grow to $150 billion this year, yet cloud security is the most under-invested category.
The cyber industry in the US has more than 500,000 job openings, and when starting salaries are up to $90k, why aren't more people pursuing a career in what is by far the most exciting industry in the years ahead?
[00:28] From the Headlines: $150 Billion Cybersecurity Spending
Rachael: This is another special episode where you get to hear from my co-host, Eric Trexler, and me, Rachael Lyon. Eric, this is exciting.
Eric: It is. I was about to chime in with and my co-host, Rachael Lyon. I love this.
Rachael: I know why haven't we done this sooner? It's crazy.
Eric: Life consumes things, and you get busy and you forget to just chat amongst each other. I think in COVID sometimes we forget, even with friends and acquaintances and everybody else, take some downtime and just talk to people.
Rachael: I love that. We've had a common theme on that point too right? Mindfulness. Taking the time, being in the moment. I like that, I'm glad we're doing that today. It's about time.
Eric: Mindfulness. But it is a cybersecurity podcast and we've got a couple of topics we were going to hit. What's on the plate?
Rachael: Well, okay, so let's talk about ripped from the headlines. I was reading this fantastic article in TechRepublic. They were saying that cybersecurity spending is going to hit 150 billion this year. Just for context, Eric, just even 100 billion one dollar bills laid end to end measures 9,000,690 miles, or this would extend around the earth 387 times. That's how much that money is.
Eric: I was going to say I need a visualization there. Because nine million in so many miles, I think that's about halfway to the moon, but I'm not sure.
Rachael: Or you could say 100 billion is like one-third the size of the state of Rhode Island if you were to put all of these bills end to end. It's significant.
Eric: Not the length of Rhode Island meaning we could stuff Rhode Island or?
The Remarkable Spending for Cloud Security
Rachael: Those are square miles. It'd be 400 square miles if we're doing the Rhode Island example.
Eric: The moon is 238,900 miles, couldn't tell you in the kilometers, it's more in kilometers for the Europeans and the metric-oriented people. We're not quite a 10th of the way to the moon with those dollar bills.
Rachael: Not quite.
Eric: It's a lot of money.
Rachael: It's a lot of money and it's a 12% increase, which is, or sorry 12.4% increase from last year which is crazy.
Eric: How much again? 150 million according to Gartner?
Rachael: Billion, 150.4 billion this year.
Eric: Oh billion yes I forgot B not M. I don't know if you remember the podcast when we had Katie Arrington on. But both she and General Alexander who used to be the four-star running NSA who's now the CEO of IronNet have stated that the US is losing up to, and it's probably more now if the data was right, $600 billion a year in intellectual property due to cybersecurity theft. Which is actually approximately four times what we're spending. That's crazy.
Rachael: That is crazy.
Eric: Four Rhode Islands, that's almost a Connecticut maybe.
Rachael: Can I tell you something else that what surprised me about this article, is that cloud security last year was the lowest spend. This year it's again trending as the lowest spend. It's remarkable that all we did was talk about cloud last year. Digital transformation, accelerating, digital transformation to the cloud. But then you see the spending here relative to everything else, and it's the smallest by quite a sizeable measure.
The Huge Gap in Security Spending, Ripped from the Headlines
Eric: We should link to the TechRepublic article in the show notes. Because I think when you actually, I'm not going to read the sheet of 10 or so segments in the market for security. But when you look at it and you see security services are going to be $73 billion excuse me, $73 billion in 2021 and cloud security is going to be 841 million you're like whoa.
Rachael: Huge gap, yes.
Eric: Huge gap, 90 some times. For security services, those are people doing the work where cloud security is so small. I think what that says Rachael is it reinforces all the discussions we've had on this podcast over time. People are moving to the cloud, but they're leaving security behind. It's easy to sign up.
Rachael: Exactly. I think what a lot of people don't realize too, security after the fact is not a bueno way to go forward. It gets more expensive when you go after the fact. I don't know that people always think about that. They just want to keep moving and be productive 100%, but there shouldn't have to be a trade-off. You should be able to have airtight security and move at the speed of digital transformation.
Eric: The good news is there's about $24 million estimated in 21, once again by Gartner, which is a May study so it's very up-to-date. There's about $24 million in infrastructure protection. As we move to the cloud, you could theoretically do a one for one, or maybe even get some cost advantages there. And take some of the spending that you were spending on your data centers, your infrastructure, and move it to the cloud. Although I'm going to assume infrastructure protection somewhat gets blended in with the line a couple below it, network security equipment firewalls, IPSs, and the like.
Step Back and Assess Where We Are Heading
Eric: I'd put that in there. If you put that in there you've got $40 billion excuse me, I'm back on the big B. $40 billion protecting your castle walls if you will, when the adversary is always getting inside.
Rachael: That is crazy. Crazy. I have to believe, it's great to see the spending, it's great to see cybersecurity being prioritized now. But I would imagine there's so much to do, it would be daunting task I think. Because you're just buying things to do one thing at a time versus how do you get to a more holistic strategy so you don't have 50, 60, 70 of these different security products in your stack that you have to manage. And they have to make this loose fabric, integrated fabric of potential vulnerabilities because they're not necessarily built to work together.
Eric: If I were a CSO of an organization, I think I would take this report, you can get it from Gartner, and I would download it and look at the different market segments, the categories. I would look at my organization and say hey, am I in alignment with this? Is this my picture or not? Then I'd probably take a step back and say where are we going in the future? Where should I be thinking? Cloud security obviously a big one, 41% growth also the largest growth number, but it's coming from a small base. Then I'd look at app security, data security. The one that really got me I got to tell you was identity access management. It's only $14 billion this year with a 15% growth rate.
The Risk in Hiring People Virtually
Eric: I figured with zero trust coming on strong we'll talk about that a little bit later in the episode here, with the cyber executive order and everything. You would think that identity and access management would be a larger piece of the pie.
Rachael: I feel like that's all we talked about the last year too?
Eric: If you don't know who your users are how do you figure out who's doing what and what to protect?
Rachael: Well exactly. The other thing I think about too, kind of keeps me up at night is when you've had to hire virtually the last year, you're not meeting people in person. I think we're just starting to have socially distanced in-person meetings again. How do you know the people you hired are really who they say they are?
Eric: And what they're doing.
Rachael: Exactly. In the years ahead are we going to see a ramp-up in intellectual property theft? As a result, I saw that article about the FBI agent who had been bringing the confidential documents home for like 17 years or something like that, a very long time.
Eric: In Kansas City. That just broke too. That's scary. But the other piece, and I know we want to stay optimistic here, consumer security software, the lowest growth rate at 7.4%. We're talking only seven billion dollars there. Those are people who are working from home where the industry is spending money to protect the consumer at home. Those are your Nest Thermostats, your IoT devices, everything that's being connected. We're proportionally spending a lot less money to protect the user at home. But they're probably connecting to work networks from home with some of the same devices I'm betting.
[09:32] From the Headlines: 465,000 Open Positions in Cybersecurity Nationwide
Rachael: Exactly, like your smartphone hotspot from the car. But I will just say a funny I've been staying at my grandmother's house in Houston and somebody has the Wi-Fi name FBI surveillance fan.
Eric: Yes I've seen those a bunch. There's always humor here. Always humor.
Rachael: Always humor. But I think you had another topic that you wanted to dig into.
Eric: Actually it came from you. You sent a report a CBS News report about 465,000 open positions in cybersecurity nationwide in May 2021 according to CyberSeek.
Rachael: Can I tell you Eric, I think it was that same number back in 2017 when I started working at Forcepoint.
Eric: No it was lower it was in the 300s.
Rachael: Was it? Okay.
Eric: I periodically go to CyberSeek, the number is growing. Which means the opportunities are growing.
Rachael: So many opportunities. Here's what I saw though, and I don't know how people aren't grabbing onto this. You could take an eight-week online course. And you could get an entry-level job as a pentester, a network security engineer, or an incident response analyst. These jobs pay up to $90,000 a year for an eight-week online course. I think, how could you not give that a run for its money? If you're hedging on what you want to do, you're coming out of college you're not sure, that's a pretty nice salary and it's a hot industry that's only getting bigger. I don't understand why people aren't jumping at the chance to come over to cyber. It's a lot of fun, you're never wanting for things to do.
A Classic Supply and Demand Problem
Eric: I think they don't know it, they don't understand. I was talking to some contractors at the DHS level a couple of years ago. I was talking about my now 23-year-old son, he was probably 19. He was in college at the time. They were like, "Have him drop out, he'll get 60 grand to start with us." I'm like, "No experience here guys." He doesn't need experience, we'll teach him everything. He just needs to be able to get a clearance and want to work, and he'll move up through the stack incredibly quickly. I'm like you've got to be kidding me. There's a 19-year-old kid right out of school, one year of college at the time. He was in his first year of college at the time, and the jobs are incredible. This is a classic supply and demand problem.
Eric: We don't have enough people, we don't have the right people. We're willing to pay and train. I think that is a good news story because we do need more diversity, we do need more people. I did LINK because I wanted to go and look at what is the geographical placement of these jobs. All you have to do is go to cyberseek.org you can get to it from there. But just look up the heat map. What you'll see is California, Texas, Florida, North Carolina, Virginia, Maryland, Delaware and New York state are the huge ones that have the most openings. There's a ton in the Northeast, and then you start looking at the middle parts of the country, taking Texas out of it, and there aren't a lot of opportunities proportionately of course, there are thousands.
Huge Vacancy in Cyber
Eric: There's still thousands or tens of thousands open right now. But you see it in the middle of the country where it's not as in demand. I wonder how that changes over time as we look at work from home becoming a thing. As we look at the opportunity for employees. We can't get these employees. I would open these positions up, let them work remote, offer to move them if you need to.
Eric: They're clearly on the map where the jobs are, but it's an interesting arrangement. If you go to public sector data, so it's a chart you get to play with, it's a pretty similar picture. There's a little bit in Colorado and Georgia that's different from the global map, and it says there are only, only right. It says there are only 36,248 openings right now in the public sector space at the national level. But it also says there are only 61,000 people employed today, which I think I've talked to probably half of those. It's got to be a larger number. But we have a problem.
Rachael: Well sure, and then you look at 31,000 openings and those pretty important roles, we're protecting our nation's critical data.
Eric: Cybersecurity consultants, technicians, analysts, IT specialists and engineers, systems engineers, software developers, network engineers, incident analysts, cybersecurity managers. The jobs pay well, a little bit of education to get started you get a lot of OJT. You can take continuing education while you're in, and we don't have enough people. Great opportunity.
Rachael: Well, why is that? Do you think it's, I know there's been a lot of advances with STEM education and building awareness there.
The Generational Component
Rachael: Do you think it's just they're not hearing about it still when they're young, or you're not playing on the playground thinking I want to be a cybersecurity engineer, or an astronaut or a vet. Are they just not getting that kind of exposure?
Eric: I think there's a generational component. If you go back what's the prior generation? 20-year gap typically from generation to generation, in the 20, 25 years. Go back 20 years and think about the chatter we had with cybersecurity. We really weren't talking about it.
Rachael: At all.
Eric: We've been talking about it, but the kids, I've got a doctor. I've got another kid trying to figure it out and I've got a 13-year-old who loves math and science. But he doesn't know what he wants to do. He just doesn't want to do what dad does. But we just started talking about it with my doctor who's 27 now, he's a military officer.
Eric: I was in the business I was in IT, I was in cyber when he was in high school and trying to figure out where he wanted to go. But we didn't talk about it, it wasn't in the news, you weren't dealing with it. Where my 13-year-old he's learning C++ right now so he can do a Valerian cheat. He's all over it. There's a generational difference between just those two kids. I think we're going to see it coming along.
Eric: I've been doing government cybersecurity for quite a while now. One of the things I've seen is the senior leaders on the civilian side, on the DOD side, they didn't grow up in this space necessarily. If you're an army general, and I want to talk about that, your goal was to command an infantry division or something like that, and you came up through those ranks.
[17:02] From the Headlines: Army Generals Are Not Prepared For The Future
Eric: If you're in cyber now you may have come up typically through communications or something else. But there was a good article, I'm going to transition us quickly if you don't mind in Defense One this week.
Rachael: No this is great. Yes.
Eric: Army generals are not prepared for the future. Talk about clickbait, talk about an inflammatory title.
Eric: But I think there's something to it. I'm going to extract out the army component for a minute. Let's look at government leaders aren't necessarily prepared for the future. The article talks about, it's a Harvard Business Review study from 2018, more of the top 100 CEOs, so this is non-government, CEOs have engineering degrees than MBAs. More technical than business-oriented. There's a Boston Consulting Group 2020 list in there in the top 20 most innovative private sector companies, roughly 65% have STEM undergraduate degrees, 30% almost a third have graduate-level STEM degrees.
Eric: Having that technical, that STEM background according to a couple of data sources here really pays off in the commercial world, private sector. So then they looked at army generals. We're just using army, I guarantee the same thing's probably close for air force, navy, marine corps, other government functions. The point is, get technical degrees, get higher levels of education, get that foundational component as you say. Of the current active duty army generals, 32% have undergraduate STEM degrees. The top 20 most innovative companies, 65% have STEM undergraduate degrees, in the army current active duty, 32% are about half.
The Education Component
Eric: So it's about half the rate of the most innovative companies. Only 11% have STEM degrees, which is about a third, I'm sorry STEM graduate degrees, which is about a third of what the most innovative companies have. Then they break it down and I don't want to read the article on the air here. But when they look at Army Futures Command, 15 of the generals associated with it, only five have STEM undergraduate degrees, and none have STEM graduate degrees. You're looking at Army Futures Command, this is where the army is learning to fight for the future.
Eric: We only have a third of the officer, the general officers the leaders having a technical degree. I don't know what their degrees are in history, psychology, agriculture, military science, it doesn't really talk about it. But they finally look into other technical fields like missile defense, test and evaluation, intelligence, aviation, nuclear, and they're saying there, only seven percent of these generals have STEM degrees. Only 10% of the generals in cyber, probably the army's most technical field have STEM degrees at the graduate level. I do think there is an education component here, and you almost need to make it when we're looking at these jobs, you need to make this your career.
Eric: It was an interesting article, not to pick on the US Army or anything. At the end of it they talk about the Chinese People's Liberation Army and how they've really, really invested in STEM. I think that's something we need to do as we look at quantum and 5G. You and I were talking earlier, you've got to have that technical basis of understanding that background.
A Guaranteed Job
Eric: Or it's very difficult, says the guy with a marketing undergrad by the way. It's very difficult to understand where you need to go and understand what your technical people are telling you. By the way I was a systems engineer also. I was a DBA, a performance and tuning person. I've got some creds out there, but I did go for marketing. But it's a bachelor of science at least, so I don't know, maybe that's technical maybe it's not. I don't think it's STEM. Then I've got the MBA which discredits me I guess here. It puts me on the wrong side of that equation.
Rachael: They cancel each other out.
Eric: But I think there's something there. As we're looking at the job openings, we've got a huge market potential here, we've got a huge problem which isn't going away. It's just getting worse. Talk about job security. I remember my father-in-law. And I think I was 19, I was an infantryman in the army, a ranger doing my thing. I was just blowing stuff up and running fast, I wasn't thinking about anything. And I knew I was going to go to college though. His guidance to me because he had been laid off a number of times in his life. He had been an industrial surveyor, and he would go through these periods of riches and then just paltry, there was no work.
Eric: He said, "Stay in the military, it's a guaranteed job you'll be good for life." I didn't want to be an infantryman for 20 years. It's a hard gig. I knew I wanted to go into business. But I think the guidance in cyber, in InfoSec, it's basically a job guaranteed for life, whether you go private or public sector.
The Kids of Today
Eric: It pays a lot more than infantry, you're not freezing, cold, hungry, miserable, wet, tired, you name it. I don't see this ending for a long time. So maybe optimism session here Rachael, I don't know what you think.
Rachael: No I think it's exciting too.
Eric: Good advice.
Rachael: I'm encouraged when you talk about your younger son. I think them seeing all the headlines of everything going on in cyber, and we're all looking for some kind of answer or that rainbow through the clouds to help us get ahead of the threat. I think that's what it's going to take. These kids that grow up where they're already thinking about these things inherently. I think that's how you can get ahead of the threat eventually. That's really encouraging.
Eric: I hope so. I was not a programmer, but I bought a Commodore 128. Because it was twice as good as the Commodore 64s which were really popular when I was like, it was a long time ago. I was probably 12,13.
Eric: From that time I had my own computer and then I started building X86 computers and everything else. But that technical underpinning, even though I don't have a STEM degree just marketing and an MBA. It led me to, first of all my mom said, "You will be a sales person." Which I resisted but then I collapsed and fell into sales and I love it because I love talking to customers. But I think that technical underpinning led me to use that skillset. I bring this up because I was relatively small subset back in my day. But I think the kids today are very technical. I've seen it across my three.
[24:08] From the Headlines: An Executive Order
Eric: The younger one is so much more technical than the other two because he started younger and he's comfortable there and he likes it there. I think he's going to be more inclined to look at rocket science or cybersecurity or cloud computing or something. At a minimum, let's say he goes and gets a marketing degree and he moves into marketing. He will be more technical savvy than his brothers because he started early and he's very comfortable there.
Eric: I think that'll help us in the long term.
Rachael: I agree. That's what I'm saying, I think this generation coming up I'm excited to see what they bring to bear.
Eric: I think it will be a good thing, I really do.
Rachael: We need it. We need some good stuff that's for sure.
Eric: We had an executive order come out, we won't spend a whole lot of time on that. They put out a whole bunch of mandates within 30, 45 or 60 days. We're going to see the entire US government change their supply chain considerations there. Hopefully the government can drive, they're a relatively large purchaser of IT equipment and technologies. It's not just that actually. If you're a lawn mowing company contracting with the government, theoretically, there's going to be some components in the supply chain there and FAR requirements. Hopefully the government's moving the needle a little bit here. Then the last thing I wanted to talk to you about is something you're very good with and familiar with, is RSA. The conference happened last week, did anybody notice?
Rachael: That's a great question Eric. It was an all virtual conference, so not just anybody could go. Just like years past you had to have an RSA pass to access any of the sessions.
Eric: Meaning you had to pay for it.
Eric: You'd either have someone give it to you, it wasn't free.
Rachael: No. I only had a sponsor pass, which meant I couldn't even watch our sponsors' sessions.
Eric: Really? Okay. RSA to me was always the show going back even a decade, where you went and it was a vendor show. You saw what the themes and technologies were and you got to meet all your friends who hopped around from job to job to job all the time, and you hadn't seen in a while and connect. Hey, how's it going, what are you working on? I'm working on sandboxing or network security, whatever cloud security this year, the big themes. You got to connect. There weren't as many customers there as most people would think.
Rachael: No. The virtual booths it was very little traffic unfortunately.
Eric: This year?
Eric: But you couldn't even connect. If it was a show for the vendors to see people and recruit and meet people, you couldn't even really connect with people.
Rachael: Exactly. It made it very difficult. But what is that platform to do that today? That would enable that kind of personal interaction.
CEO Manny Rivelo, RSA 2021 Keynote Interview
Eric: LinkedIn. You would spend in a traditional year, how much time would you spend leading up to RSA to make sure that everything is perfect?
Rachael: Oh, hundreds of hours.
Eric: You literally would spend hundreds of hours prepping for, I mean you led the Forcepoint RSA charge. We did a podcast on it last year.
Eric: If anybody wants to listen to what Rachael did at a typical RSA. I don't know the number, but go back about a year to I'd say March.
Rachael: March yes, early March.
Eric: Well it was March because COVID was kicking off and we didn't know. March of 2020 and you can hear Rachael Lyon being ambushed by myself on the podcast on what a day in the life of setting up for and dealing with RSA is like. How many hours this year?
Rachael: A lot less. I spent most of my time putting together our sponsor sessions and our keynote. We had an amazing keynote with our CEO, Manny Rivelo, which people can view.
Eric: Only session I watched.
Rachael: Yes they can watch it on our YouTube channel, Forcepoint YouTube channel it's available. That was a really great conversation with journalist Georgie Barrat, so highly recommend that. But yes it was hard, we had an accepted talk that I wasn't able to watch with my sponsor pass unfortunately. We're trying to figure out how do we make these videos available after RSA? I think they have to sit on the RSA platform for 60 days and then we may be able to get access to them, so broader audience can see it. It's something though, at least we'll get a replay. As virtual conferences go, it just wasn't not where you want to be for the virtual booth at least this year for sure.
Eric: I think people are just exhausted with the virtual everything.
A Missed Opportunity
Eric: You just want a little physical. I had several friends who were speaking and I couldn't watch them. They were like, "Hey, come to my keynote, come to my talk," and I couldn't get in.
Rachael: I know. That was disappointing because when they're virtual you feel like almost everybody should have a chance to watch it.
Eric: It should be free right?
Rachael: Kind of like a missed opportunity, yes exactly. Because we've already paid our sponsor dollars. The money has been paid, so why not open it up to a broader audience? We're talking about cyber skills and jobs opening. Imagine if you had all these great cyber thought leaders were at RSA, having these amazing talks. If you open those up to the public, just imagine all the people that could spark ideas for them or inspire them, or they find cyber through those videos. The lineup they had just on the keynotes alone was really remarkable. It's not how it is at least right now.
Eric: I'd be interested to see the numbers. What do you think for next year? We're back in person I'm assuming, we're going to have tens of thousands of people there or the gap year here, does it hurt it?
Rachael: The interesting thing is, I mean not to get overly on the contract side, but all of the sponsors basically re-opt for next year for the physical show. Since we weren't able to do a physical event this year. All the brands are going to be there, lots and lots and lots of companies like they are every year. I think people are going to want to go back, they want to be in person. I think it's going to be a big event.
[30:53] From the Headlines: RSA Next Year Is In Person
Eric: No data on whether people will go or not, but the sponsors have already signed up so they're going.
Rachael: Well you have to. RSA asked you to sign up, re-opt for the next year before.
Eric: A year in advance right?
Rachael: Yes exactly.
Eric: So everybody's signing up of course because you don't want to be left out of RSA. You heard it here first everyone, RSA next year it's in person according to Rachael Lyon. It's going to be bigger than ever, all the sponsors are going.
Rachael: Absolutely you don't want to miss it.
Eric: You do think people will want to get back out.
Rachael: Aren't you? I'm itching to get back out and travel again and have meetings, as more and more folks get vaccinated, I'm excited. And I'm excited for that, and I think people are hungry for that. I'm hopeful that next year I think it's February show is when it's happening.
Eric: I don't have the dates, but I guess I should put them on the calendar because I think I'll be there.
Rachael: I think it's a week after our sales kickoff.
Eric: Okay so next year in February we've got RSA back at the Moscone Center, Rachael's announced it on their behalf.
Rachael: That's right, in person.
Eric: It's going to be big.
Rachael: Get ready.
Eric: It'll be interesting to see if people actually tuned in or if they tuned out this year.
Rachael: Agreed. But I think to your point, everyone's a little Zoomed out.
Eric: They're exhausted.
Rachael: Having the content available to watch when you want to watch it and making it public, I think there's a case to be made for that for sure.
Eric: Agreed. But do people have the time, the patience, and the ability to sit down? I know I don't.
A 15-Minute Keynote Interview
Rachael: Keynote's for 15 minutes. Do you not have 15 minutes to watch a keynote?
Eric: Man, I thought you'd know me better than that by now. 15 minutes, I can pay attention for about two if it's really interesting, I think I've got about two. That might get me to four.
Rachael: Well, I think there's like you can read the script as well or the captions if you want. I guess not Eric, but there are others. I like watching them. First thing in the morning I always like to go through the news and just catch up on things. That's something that I would do while I'm drinking my coffee and just getting into the day and you get ideas too.
Eric: I'm skipping all over the place, anyway. RSA is on next year, we don't know how it was this year. But the material we'll release if anybody's interested at some point in the next 60 days or so. It happened, so it did happen we confirmed that. Anything else before we wrap the show? I got to tell you, I just love talking to you. This was a good one.
Rachael: I know this was fun. Did you want to get on double extortion or do we not have time for that today?
Eric: You mean Colonial Pipeline? Real quick what did they pay? 4.4 or 4.1 million? I've seen both numbers.
Rachael: That's a great question, I wonder if it's based on the fluctuating value of Bitcoin at any point in time, does that change how much they paid?
Eric: No I think it's probably a misunderstanding. DarkSide disappeared with everybody's money.
Rachael: Yes, with everybody's money.
Eric: The encryptor didn't work so well or the decryptor I guess. Encrypts quickly, decrypts too slowly, so they had to restore from backup and double extortion.
Eric: I think one thing that when I talk to lay people in the industry, they're like oh, that ransomware that's so bad. You could lose access to your data, and then you have to pay people to get it back. What people really miss is oh, and the ransomware hostage-takers, the terrorists, whatever you want to call them, the bad guys and gals, they've got your data and they can go sell that data also.
Rachael: Exactly. It's all about money right? All about money.
Eric: It's not just selling control to your accessibility of the data, but they actually in many cases take your data and they will sell it on the black market.
Rachael: Is that called double-dipping? I don't know is there a term for that?
Eric: Well in the industry we're calling it double extortion these days. I got you to lock your data up and I can also charge you for me not selling your data in the black market.
Rachael: Are there any guarantees that that doesn't happen even if you pay?
Eric: We're dealing with criminal enterprises, are there any guarantees? What are the guarantees in life? You're guaranteed to die at some point and that's about it. No, there are no guarantees.
Rachael: It sounds like there's a ransomware gang court though, like ransomware court of law where DarkSide got called up amongst these I guess their affiliates and they didn't pay. It's interesting to see that at least they do police their own if you will. Maybe that's why DarkSide went dark I don't know.
Ransomware Is Growing
Eric: I think it's very loose. My wife and I are watching Godfather of Harlem right now, and you can see the Italian mobsters back in the 50s and 60s. They're aligned and they are for each other. But they'll screw the other family over if they can get away with it or think they can. I think we got the same thing here in the criminal world. You're best friends until somebody better comes along, some better opportunity. I wouldn't rely a whole lot on any kind of integrity or rules of the land to hold fast. That's just my personal opinion, maybe they're very honorable thieves I don't know.
Rachael: I don't know, but I just thought it was really interesting to read that they do have their own court of ransomware gang law, where they commune together and try to bring people to justice and get what they're owed. That was interesting, I guess every business enterprise has that though right?
Eric: Something's better than nothing. I wouldn't count on criminal law in this case being the criminals enforcing their own code of conduct. They're gone for now, I guarantee we see them back in some shape or form later. Ransomware is doing nothing but growing as we've talked about. At least to end the show on a positive note, petroleum's pumping. We've got oil, we've got gas, the American people have forgot about Colonial Pipeline in this case and we're good to go. Everything's good, nothing happened.
Eric: A couple of million dollars, little bit of time.
Rachael: I'm ready to drive next weekend and pump my car full of gas and not be worried that I won't have enough to get to my destination. That's the best feeling.
Eric: You have a great vacation. Don't worry about the gas, but ransomware had something else you may need at some point we'll see, hopefully you get away with it. I think it was a great episode. Thank you.
Rachael: All right so for all of our listeners out there again, don't forget to subscribe. Pound the subscription button so you can get a fresh episode to your email inbox every single week and feedback. We love the feedback all day long. Topics, guests, you name it, we're open to everything that you have to give us. Until next week.
About Eric and Rachael
Eric Trexler has demonstrated his passion for federal service as both an Airborne Ranger in the U.S. Army and an executive in the technology sector with more than 20 years of experience. At Forcepoint, he works closely with government leaders to protect over 80% of all federal agencies' vital people, data, networks, and infrastructures.
Rachael Lyon brings her journalistic curiosity and more than 20 years in technology working with global industry leaders and innovative start-ups to dig into today’s cyber news and trends impacting us all.