Mike Gruss, Editor of Fifth Domain discusses Cybersecurity Messaging in Government (and Shamrock Shakes) - Ep. 53
Mike Gruss, Editor of Fifth Domain and C4ISRNET joins Eric and Arika this week to discusses how cybersecurity messaging gets lost, the impact of fake twitter account on national security and shamrock shakes (you have to listen to the end).
Episode Table of Contents
- [0:22] Welcoming Our Guest Mike Gruss
- [1:36] Cybersecurity Messaging from a Writer’s Perspective
- [7:08] The Government’s Part in Cybersecurity Messaging
- [10:46] The Varying Stand of Different Agencies on Cybersecurity Messaging
- [14:09] Space Messaging versus Cybersecurity Messaging
- [19:46] Establishing Control on the Cybersecurity Messaging Channels and Accounts
- [25:27] Behind the Scene Stories of Cybersecurity Messaging
- About Our Guest Mike Gruss
Welcoming Our Guest, Mike Gruss
Eric: We have Mike Gruss today. This should be an exciting one.
Arika: Yes. Welcome Mike, how you doing?
Mike: I'm great. Thanks for having me.
Arika: Mike Gruss is the editor of Fifth Domain and C4ISRNET, which I'm going to let you break down that acronym, Eric, because you're much better at it than I am.
Eric: Okay. I'm going to try here. Command, control, computer, communications. The ISR is intelligence surveillance reconnaissance, and the net I believe stands for network, correct Mike?
Mike: Yes. That's great. Perfect.
Eric: That's a mouthful. That's a lot.
Mike: It’s a lot.
Arika: Well, again Mike, thanks for joining us this week on the podcast. You know, Eric and I have both read a number of your articles, and you really have touched some very fascinating topics around cybersecurity.
Cybersecurity Messaging from a Writer’s Perspective
Arika: So I know I have a couple of things I want to ask you about, but one of the things that we were just talking about in sort of our prep before was some of the messaging around cybersecurity.
Arika: I know you have some thoughts on what gets lost, and I would assume, especially from an editor's perspective, and someone who writes and covers these topics, you're always probably thinking about what is the message that you want to get out of anything that's being published in terms of cybersecurity as it relates to government, threats, things like that.
Arika: What is the message you think we need to make sure that's clear as it comes to cybersecurity? Because there's so much info out there right now.
Mike: Yeah, I think the first thing is when we talk about what are the threats to federal government, and I know it's said so often it's almost cliche, but so often people are talking about the human threat, and the mistakes people made, and that can include something as simple as phishing, which is why that appears to be so successful, or malware. But you know, even anyone who scrolls their social media feeds, you'll see, "Oh, look at what these hackers did." And it's not people within the cybersecurity community, but there is this culture of fear about hacking and cyber.
Mike: I think not necessarily with cybersecurity professionals, but within the government there is kind of this, to me, it's this concern that it's almost all or nothing. Like, "Oh, don't open this email because something bad will happen." Or, "Don't do this because you could lose everything."
The Binary Method of Cybersecurity Messaging
Mike: I feel like maybe everything's become so binary, either good, or bad, or catastrophic, or healthy. That may be the degree to which we talk about a lot of cybersecurity needs to change where it's almost like health.
Mike: You know, we hear so much about cyber hygiene, but it's more like, "Hey, I'm not feeling well today." Like, "Hey, the system's not doing too well today," versus, "Hey, this system's on life support, and it needs to go to the ICU." That's where I think some of the messaging gets lost where it's like, "Hey if you click on this link, is that going to lead to catastrophic failure?" Well, maybe it will, maybe it won't, but I don't think those nuances are maybe appropriately talked about especially when it comes to training within the federal government.
Eric: We see a ton of that. I mean NIST puts out their guidelines, things are very black and white, and when I meet with government customers, it's very black and white. It's checklist-driven where they don't step back, and we've had several podcasts on it. I've had a number of discussions with peers in the industry. We don't bring perspective to bear. It's a checklist, right? You do security by checklist. The one thing I think we know is that never works, right? When you do the checklist, but you don't actually think about it.
Eric: We were talking to Chase Cunningham a couple of weeks ago from Forrester, an analyst who's looking at Zero Trust, and he talked about cloud-enabled misery, right? You end up having to go to the cloud, so what do you do? You just shove everything up there and check the box, and hope for the best. It's really a checklist, right?
Breaking Free from the Culture of Fear and Perfection
Eric: Somebody said, "You need to go to the cloud," so you go to the cloud. We're seeing that right now with Zero Trust, machine learning, artificial intelligence. You've got to almost check that box so that you meet your goals, or you're in line with your boss or your organization. But you're absolutely right, Mike.
Mike: Yeah. You know, one of the phrases we've heard a lot the last couple of years is layered defense. I think people expect that to be 100% perfection, and there is no such thing as, I mean you guys know this, there's no such thing as perfection in this business. It's just you get closer and closer to an ideal. Like I said, it just feels like it's not healthy for users because I think it probably creates this culture of fear and creates a culture where people are probably acting apprehensively, meaning from acquisitions all the way down to users.
Mike: I just wonder if there are ways to improve that dialogue so people know, not that they want to make mistakes, but they know all right, I did something, it's better to report it, and it's not the end of the world, and we can solve this. It's like falling down and scraping your knee. It's not the same as someone losing a vital organ.
Eric: To your point, it's not binary, right?
Eric: You're never going to totally beat the adversary, and that's many times the way we look at it where we have to keep them out at all cost. Well, we know the adversary, a determined adversary, especially a nation state, we know they're going to get in.
The Government’s Part in Cybersecurity Messaging
Eric: So how do we do the best we can to prevent them, to delay them, to understand once they're in, what to do? And we need that open culture, that ability to be able to say, "Hey, we have a problem here, and let's rally around our people and address it right away." Not, "We're not going to report it, we're not going to deal with it." I have a followup to Arika's question though.
Eric: How do you feel the government is doing on cyber messaging? Who's the best at it?
Arika: Oh, that's a good question.
Eric: You led me into it, Arika. It's all you.
Mike: Yeah. Who's the best at it? You know, NIST is maybe the most consistent at it, so I think if we're looking at hey, we know the guidelines are going to be here, we know they're looking, and we know they're studying them. I feel like from that sense, you kind of know what you're going to get. I think what we've seen, at least the last couple of years is across the government, everything's changing so fast. Actually I just wrote an op-ed on this, where oh, there's new cyber strategy, US Cyber Command is now combatant command. There's now CySA over at the Department of Homeland Security.
Mike: What I think is important is, yes, it's great all of these agencies and organizations are evolving. I think the concern is the rubric changing as well? With each one of these new starts or tweaks are we taking our eye off of what we're hoping to accomplish? Once again- [crosstalk]
Eric: And how are we measuring even, right?
Evolving Standard in Cybersecurity Messaging
Mike: Right, and I think that gets back to my original point. That's kind of where I think things get a little hazier, and it gets a little more obtuse because you don't know oh, well, does this same measuring stick that we had nine months ago, does that count for anything now? [crosstalk]
Mike: Go ahead.
Eric: As a member of the media, what would you like to see?
Mike: Let me tell you an example I'm not particularly happy with right now.
Mike: It's just more candid conversation. The Navy, for example, has talked pretty explicitly recently about we need to do more with cybersecurity. Their secretary talked about a giant cybersecurity review, but we've seen almost no discussion beyond, quite frankly, platitudes from them about cyber... Like, hey, what specifically are you doing? Let's have some senior leaders, let's make them available to explain on a day-to-day or quarter-to-quarter basis where you are seeing progress, and where we're seeing changes.
Mike: Now let me say on the flip side, you know, US Cyber Command, well I think we all would always like to see more. They had a media day for the first time-
Arika: Oh, interesting.
Mike: earlier this fall or late summer. I think there are steps being made. Obviously across the civilian side of federal government there are some agencies that are much more responsive than others. But what I'd really like to see is-
Arika: Why is that though? Do think it's a balance of trying to protect the level of transparency or is it just not-
Mike: Yeah. I think people just have different priorities.
The Varying Stand of Different Agencies on Cybersecurity Messaging
Mike: You know, there are certain companies and certain... It's like leadership everywhere. I don't think the government is unique in the sense that there are some agencies that value talking about this more than others. Just like there are some editors who are willing to talk about their publications and some that aren't. You see it with sports teams, some folks are like Bill Belichick and don't answer questions- [crosstalk]
Arika: Right, they give nothing away.
Mike: And then there some who are, you know... What was the example a couple of weeks ago, Deshaun Watson explaining everything he saw in a play. I think that's just kind of human nature, but there's certainly room to clearly explain your metrics, to talk about why you chose those metrics, and to talk about what kind of progress you're making and how you're doing it. To me, the biggest point is, especially for what we're covering, this is federal money. We're not saying we need every dollar accounted for publicly, but there is a sense of you're spending taxpayer money-
Arika: And a lot of money going to [cybery].
Mike: and a lot of money. You should be able to explain what it's going toward without giving away operational details.
Arika: Well, it's interesting-
Eric: We've also had a lot of... Go ahead, Arika.
Arika: I was just going to say it's interesting because we've had a few great government guests on the podcast, and those have been some of our most popular episodes. You know, we've had Chris Krebs, we've had Karen Evans from energy, we've had Sanjay Gupta, CIO of SBA.
A Plea to Come Out and Be Heard
Arika: I think people want to hear, and not just always the script, but actually hear them in a conversational discussion about what the strategy is, how it's measuring, what keeps them up at night, how things are progressing. Hopefully that's encouraging to more government leaders, officials in this area to share and discuss because I think there certainly is a desire by even the general public to hear more-
Eric: Yeah, I thought that was a plea to get them to come on the podcast.
Arika: Well, it is. It was. It was also anyone listening out there that's in government that would like to be with us-
Eric: Come on and tell your story.
Mike: I would say I think the reason almost all those examples or the reason they've been successful is because they can communicate their message and they can communicate what they're looking for, not just within their agency but also to industry, so I think that's a good example. I would also say they might... This is just me being a bit of an opportunist, I guess, is there would be people who would say, "Hey, the reason they're listening to those or the most popular episodes is because that's where they feel like they're going to get the most insight into how they're thinking about acquisition, and new contracts, and their thought leaders. And people want to get something out of it."
Eric: We don't spend time on products or acquisition typically, but definitely messaging.
Eric: You know, messaging, strategic intent, communicating that to your people, to the businesses around you, I mean it's one of the primary components of leadership also.
Space Messaging versus Cybersecurity Messaging
Eric: So Mike, I want to switch it up for you a little bit. I know you've written a ton on space. I mean, that's a big part of what you do. Space or cyber, which is more interesting?
Mike: I'll tell you one of the first cyber lunches I sat down at, I was sitting next to someone from the Library of Congress CIO's office, and they said- [crosstalk]
Eric: It's a small space budget.
Eric: Very small space budget.
Mike: Right, and they said, "What did you cover before you did this?" And I said, "Oh, I covered space." And they said, "Oh, well this is the exact opposite because space moves so slow, particularly from an acquisition standpoint." You know, it can be five, seven years from when you see an RFP to when you see something launched into space.
Mike: I think that's probably the biggest change.
Eric: Okay. Okay. Which ones most likely to damage the country? Or where do you see the biggest threat? Maybe that's the better question.
Mike: I think it would probably take less to go wrong in space for there to be really catastrophic damage. You know, the right satellite and the right orbit, either purposefully or accidentally, splitting up could be really, really troublesome, but I think it's probably more likely that something would happen on the cyber side.
Eric: Yeah. I think you wrote an article, and I don't have it in front of me right now, but I mean that's a big red line. If you take out a satellite.
Crossing Beyond the Gray Zone
Eric: In cyber, I don't even know that we have a line. The line seems to move like the teams on a football field, right? Sometimes you cross the line, sometimes you didn't. It depends who it was, and massively catastrophic consequences can come out of it also.
Mike: Well, I feel like with cyber we talk almost exclusively about the gray zone, and we don't talk about where that line is, and what happens when it's crossed-
Mike: Yeah, Exactly. That's the point. It's all great. It's a really interesting time, especially with certainly a more assertive posture by Cyber Command in the White House the last couple of years.
Eric: Agreed. Agreed.
Arika: I have one other topic I just wanted to ask you about based upon another article I recently read by you.
Arika: It's the article you wrote about the fake Twitter accounts in government.
Eric: That was a great one.
Arika: Just tell our listeners, if they haven't read the article we'll include it in our show notes. But I was just fascinated, I guess. You hear a lot about people creating fake Twitter accounts, but I'll be honest with you, I hear more about it on sort of the celebrity, like the fake Kim Kardashian account versus a Cyber Command official or something like that.
Arika: And then when I was reading it, I was like, "Wow. There really is a lot of threat potential here." Especially because we do live in an age where someone can read something on Twitter and take it as facts, and as truth.
The Binary Catastrophic Hack
Arika: Probably a few years ago we wouldn't put as much weight on things that are on Twitter. But now we see, I mean, even when you're watching the news, right? They're reporting so and so on Twitter-
Eric: Arika, I'm going to correct you for a second. People do read things on Twitter, and Facebook, and social media and take it as fact.
Arika: Yeah, that's what I-
Eric: All the time.
Arika: Right, exactly. Exactly.
Eric: Not just can they do, in fact.
Arika: Oh, yes. They do.
Eric: We know our adversaries, whether it's somebody running a political campaign inside the States or nation states coming after us, we know that they're actively spreading incorrect data out there.
Eric: Incorrect information.
Mike: I think that maybe that doesn't get sometimes the attention it deserves because we think about, again, that binary catastrophic hack and we think of, "Oh, well my lights aren't going to... If this was really a devastating hack, my lights won't turn on in the morning or there won't be electricity at my house." It can be devastating in lots of smaller ways, and maybe that's death by a thousand cuts. But part of it is this spread of misinformation. The story that you mentioned, Arika, was about we had noticed that the defense department using their official Twitter accounts was kind of warning people to only follow official DOD accounts for some of their leadership. They explicitly mentioned what their Twitter handles were, and we thought, you know, that's kind of an odd statement to just make out of the blue.
Establishing Control on the Cybersecurity Messaging Channels and Accounts
Mike: We didn't nail it down to a specific example, but what has happened is that a lot of imposter accounts had popped up for... You know, including some of the most senior DOD leaders, but also not everyone knows who the vice chairman of the joint chiefs of staff is-
Mike: and those are the types of accounts that were popping up. The concern is okay, maybe you follow that account, and then maybe that... You guys know how this trail goes. Maybe it leads to someone DMing you, and then asking you to send this email, and then maybe you have an email you didn't have, or maybe you see a pattern of who are these people following? You think this is the real account, and then you work at an air force base in Colorado, and you end up retweeting the wrong account. It creates chaos as opposed, or just even confusion, or even planting a seed, like, "Women, didn't the air force say this or didn't the vice chairman of the joint chief say this?"
Mike: It can perpetuate itself, and that's where the real danger is. So I think one of the things we're seeing now, and I'm sure you guys have noticed this, is more of these reputation managers online, and more of the folks that will use AI to say like, "Hey, this doesn't look like the type of account that you would ordinarily tweet or retweet about, or this isn't the type of information that you would say." Even something you might not think like, "Oh, this is a big deal. You've got this account at this base."
The Potential Risks Cybersecurity Messaging Is Being Posed With
Mike: They might say, "Oh, well today's a snow day, everyone stay home." It's like well that could create a lot of confusion and potentially a lot of problems.
Eric: And a very relatively benign comment, but you could keep parts of the government workforce at home.
Eric: Craziness. I mean imagine if there was actually a concerted effort with a different type of cyber attack misdirection feeding to the American people. I mean, the best story I read about was years ago, the Russians actually started a protest nobody even attended, right? They brought both sides of the American people to the protest.
Eric: From Russia.
Eric: I mean, think about the power of that, the disinformation. That's why we need a free press.
Eric: But we also need solid information coming out. But Mike, I want to switch gears on you. I do have a question, and I know we're running short on time here. I saw in your resume, or your CV, you were working for The Virginian-Pilot back in the day.
Eric: And there was something that stood out to me. There's a bullet in there that says, "Told stories about people unlikely to appear in the newspaper." What was that about?
Mike: Yeah. I don't think a lot of folks come out of journalism school, or come out of college, and they say, for example, I spend a lot of time learning about federal acquisition and writing about that, no one says like, "Oh, federal acquisition is what kind of news I'm going to break." But once you get into it, it's really fascinating.
Shamrock Shake and The Lighter Side of Feature Writing
Mike: There are great stories, but I spent 10 years working in Norfolk at The Virginia-Pilot. My job was I wrote a column for the feature section. It wasn't about the people who were traditionally in the news, it was about people that were having exceptional happen to them or doing the exceptional things, but might just be like your neighbor.
Mike: Yeah. Sometimes they were lighthearted, like a four-year-old who had lost a teddy bear, and the seven stages of grief that they were associated with that. We wrote about how they brought Wi-Fi to the new light rail or how they weren't going to have Wi-Fi in the new light rail down there. I kind of made a case, and they ended up adding it later. The other joke I tell is that they didn't have Shamrock Shakes in Southeastern Virginia for a while, and I used the column and complained about it, and then the marketing team said-
Arika: Shamrock Shakes?
Mike: Yeah, you know, the McDonald's Shamrock Shakes, the mint shakes. It was very lighthearted. I mean, I did tackle more serious topics sometimes, but it was a great opportunity to have fun in the day-to-day business. My thinking, and it still is, is that news does not need to be 100% blood, and doom, and gloom, and corruption. That part of the role of a journalist is to be a documentarian or a historian and to show how we live on a day-to-day basis. So if part of it is showing hey, here are the kind of fast food things that we love, and weird ways I'm writing an ode to this Shamrock Shake.
Behind the Scene Stories of Cybersecurity Messaging
Mike: Or if it's talking about how we cherish stuffed animals, or why we're selling a wedding dress on Craigslist. You know, things like that. That was for fun.
Eric: That's life.
Eric: I feel like you wrote about life.
Mike: Yeah, and that's what I try and get out. Now I will say, and the reporters who work with me sometimes get sick of me talking about it, is that I think the best cybersecurity coverage and best military coverage that folks are doing here in DC is the coverage that talks about people and programs. But I think it's very easy, especially in the B2B trade space, to just talk about programs and say, "This program is six months behind, this program is going to cost $10.2 million. An RFP is going to come out in this state, an RFI is going to come out in this state."
Eric: Oh, you're boring me already.
Mike: I know. But there are some really fascinating minds in this space, and to see how they got to where they got, and what they're doing, to try and explain what they're doing and why they're doing it, and behind the scenes, and what drives them. I think that's where you can tell some really great stories.
Eric: So maybe one of the things going forward with Fifth Domain you can bring some human perspectives to the cyber story. Why it's so tough to get caught up, what a day in the life of a PFC who's in charge of the cyber program, maybe not in charge, but actually doing the implementation work or the ONM at a given program. You know, what that looks like.
Picking the Right People to Cover
Mike: Yeah. You know, I think one of the things that drives me absolutely bonkers is, especially at the program manager level, that everyone's kind of viewed as a cog, and that it's like, "Oh, we're replacing this person with that person."
Eric: It's like the checklist we started the conversation with.
Mike: They have an exceptional skill set.
Eric: And they're people.
Mike: So they might say like, "Well, this person's really good at keeping a program on deadline." It's like, "Well how? How do you know? Show me. Prove to me they do it." And they're like, "Well, let me show you. They wake up at 4:30 every morning, and they have a checklist next to their bed, and it has these seven things. Every night before they go to bed, they do X, Y, and Z. They walk around their entire workspace and talk to each person before they leave."
Mike: Whatever it is, I want someone to show me those details rather than just say, you know, "She's a good project manager." Well, lots of people are good project managers. Do more than that. I think that's a real challenge, and it's uncomfortable, and we're not used to talking that way, especially in the B2B press. No one wants to be a character or become a cult of personality. But that's partially how a lot of folks succeed is there are big personalities here, and I think the best coverage can do a better job exploring them as people.
Arika: It's interesting because Eric usually always asked our guests at the end, you know, "Look, you have a big job. It's a serious job. It's a lot of pressure.
Achieving a Good Balance Between Serious Work and Personal Leisure
Arika: What do you do to decompress, release stress, to balance everything?" And we've gotten some really interesting answers. I mean, I think one of our favorites is Chris Krebs told us he bikes to work every single day, 365 days a year. He said that's his time to really... You know he has a big family as well, and so that allows him to kind of have that separation between when he leaves work-
Eric: A transition.
Arika: And gets home. It's been interesting to hear. We know you're a runner, we heard that. We learned that about you earlier.
Arika: It's great to kind of get that human aspect, especially in this space where I do think it can sometimes seem like everyone's very techie, and you know?
Mike: Yeah, but you think...
Eric: Well, Arika, we've blown through another 15-minute promise session. We'll have to apologize to our listeners. One day we'll hit 15 minutes, but it's so interesting always.
Arika: I know, I know.
Eric: Mike, I didn't mean to cut you off.
Mike: That's all right.
Eric: You were going to say?
Mike: Oh, I was just going to say you look at like what a big job Chris Krebs has, and it's like if you're biking to work 365 days a year, or every business day of the year, there's a certain steely determination there that you get, and it's like you can see that on those rainy, cloudy, snowy days in DC. If you can do that, you're going to push hard to do lots of other things.
Eric: Absolutely. Okay. Arika, until next week.
A Repeat Performance on Cybersecurity Messaging Six Months In the Making
Arika: Until next week. Thanks. Actually, I had one request. I was going to put you on the spot, Mike.
Mike: Okay. Let's do it.
Arika: I was going to ask we'd love to have you back, and maybe you could tell us, you know, maybe towards the end of the year, which is not that far off, but two or three of your best or most interesting cyber stories of the year really based upon the people, not the program. That kind of sparked when you were breaking- [crosstalk]
Mike: That's a good challenge. I like it.
Eric: Six months from now. It's a date.
Arika: We appreciate having you on the podcast. Thank you to all the listeners. Please continue to tune in and to subscribe to the podcast, share it with a friend or colleague, and let us know what you want us to talk about. Until next week, that's To The Point Cybersecurity.
Arika: Thanks for joining us on the To The Point Cybersecurity podcast brought to you by Forcepoint. For more information and show notes from today's episode, please visit www.forcepoint.com/govpodcast, and don't forget to subscribe and leave a review on iTunes or the Google Play store.
About Our Guest Mike Gruss
Mike Gruss is the editor of C4ISRNET, a battlefield technology outlet that publishes a print magazine six times a year, and the Fifth Domain, a news site focused on government cybersecurity. Previously, he served as senior national security writer at SpaceNews. He has written for newspapers in Virginia, Indiana and Ohio and his work has been published in a series of magazines including Runner’s World and the AARP Bulletin.