The Picasso of Cyberattacks Has Only Just Begun [Part 2], With Travis Howerton - Ep. 123

We pick up part two of our discussion with C2 Labs Co-Founder and CTO Travis Howerton looking at how the best-laid plans start with the truth. And we explore the security path forward in a hyper-connected world where we move more heavily into IoT and everything is connected, dying air gaps and distributed VPNs, identity management as the new firewall, identifying clear lines of deterrence with nation-states particularly within no consequence environments, the continuing skills gap and the looming threat of quantum computing that the first one to solve will be the true winner in cyber ahead.

Episode Table of Contents

  • [00:26] Not a Lot of Symmetry 
  • [03:21] Start With the Truth 
  • [07:36] The Big Question We Need to Address 
  • [13:31] An Asymmetric Advantage 
  • [21:22] The Next Emerging Threat 
  • About Our Guest

Not a Lot of Symmetry

Rachael: Episode 123, part two with Travis Howerton, where we continue taking a look at the Picasso of cyber techs that have only just begun. 

Eric: I have always stated it, Rachel, is why dropped $10 billion on an aircraft carrier if you can spend a couple hundred thousand dollars and take the power grid offline for our country. There's not a lot of symmetry in cost, in time, and everything else, but the advantage has gone to the attacker.

Rachael: Absolutely. That's a good point of critical infrastructure too. I can't remember if it was the water treatment plant. But some of these facilities are running very old versions of Windows OS. Again, it gets to your point about modernization. This seems like a very dire threat, but are we dealing with it as if it is dire? Or are we just waiting for some major catastrophic event to happen?

Travis: I think the nature of our system is people don't deal with it until the catastrophic event happens. Because you've got so many bad things that could happen. Now, you look at Solarwinds, people have been talking about supply chain security for a very, very long time.

Eric: And, we've seen it.

We Don't Have Enough Skillset

Travis: It's Travis on a podcast with a new thought here. This has been going on for a very long time in very sensitive circles where we've known this nightmare scenario could happen, but it never did. Or at least we were never aware of it. Now, you see the scale and sophistication of it, and you're fighting behind the eight ball there, where you're in trouble when you start. I think it's the same thing on grid. And I think it's the same thing in medical. There are so many holes and it's so deep and would cost so much money to get out of. That until the bad thing happens people don't take it as seriously as they should.

Travis: The other thing that keeps me up at night on this is, even if everybody did take it seriously, and let's say a trillion dollars fell from the sky and we got a new trillion-dollar cyber plan coming out of the governor and said, "We're going to modernize everything." There's not enough skill set in this country to actually do it, right. You have the investment side, but then you've got the expertise side as well and anybody who's tried to hire cyber talent in the last 10 years knows how hard that is. Even if there was the capacity to invest, the skill sets would have to ramp up. And it's going to take a while for the education system and the workforce to catch up.

Eric: That's where standards and education and automation come into play. My opinion here, you've got to up-level the talent or you've got to up-level what the talent you have is working on while you're bringing more talent in. But you've got to make things easier.

Start With the Truth

Rachael: What is the answer though? I've heard some debate. Do we just take everything offline? Because if it's connected to the internet, then it's the vulnerability. Do we just go all the way back to the stone age and do everything manually?

Travis: I think part of the future will always be a loser.

Eric: Agreed.

Travis: The future is a connected world and it's inevitable. You can fight it. I had a mentor, he taught me the best plan is to start with the truth.

Eric: I like that.

Travis: And it stuck with me everywhere. You can accept it now or you can accept it later, it'll still be the truth.

Eric: Accept reality.

Travis: Yes. The truth is we live in a connected world that's getting more connected every day.  But I think there are things that can be done. What's going on with distributed VPNs and access. I think Z scaler was an innovator there of rethinking how the world should connect to itself in a more secure and distributed way. 

Travis: I think zero trust things where identity management is the new firewall. You can't just put things behind your firewall and I'm good now, we're not talking to anybody. Everybody's talking to everybody about everything across a plethora of devices.

If There's Fear, There's Opportunity

Travis: Focusing on identity micro-segmentation and zero trust. I think the challenge is how do you overcome the technical debt? We spent 20, 30 years building what we have and there are trillions of dollars that have gone into these infrastructures across all these companies. How do you get to a zero trust cloud world where you're in a much better security posture I think is the trick. Some of the things we're doing with Dev/Ops, lowering costs, automating everything, to Eric's point, making things simpler. The stuff I do now in computer science is so much easier than the stuff I did 20 years ago. Because we all stand on the shoulder of giants. I'm not writing compilers and moving things into registers anymore by hand. 
Everything sort of layers.

Travis: I think the more that we can move up those layers and make this stuff simpler, a good example of that for me is Kubernetes, we've been a huge shot there. Just, everything being isolated from everything, auto-scaling, easier to manage, is really just the future. So the more skillsets you can get at people who understand that, the less hands-on keyboard you have to do to worry about all those nitty-gritty details that used to have to set up in the past. 

Travis: I think there's a promise. Every time there's fear, there's also opportunity. What encourages me is our ability to innovate at scale as a country and a society, we tend to rise up and solve some of these challenges. I think it's going to take some innovation and some new technology and some workforce development to get to where ultimately we all want to be.

The Other Side of Awareness and Inaction

Eric: When I think awareness is increasing, if you go back five years even, a decade, five years, and you went to one of our parents and said. Travis, I don't know you, you may have a PhD in comp sci as a father or mother, or you may Rachel. I did not. But if you went back to them and you talked about cybersecurity, InfoSec, they wouldn't even know what you were talking about. There was no awareness.

Eric: Now, they're aware of the Nigerian Prince scam. They're scared that the hospital could be impacted. As awareness increases, the population is better prepared in some manner for these types of attacks and what could happen. Not that we're doing enough. I fully agree, I think what you said Travis was great actually. But we're getting more societal awareness, I would say. Which will eventually lead us to understanding there's a problem, acknowledging the problem, and then trying to fix the problems.

Travis: Yes. The part that worries me is when do we get around to trying to fix it? Because the other side of this with awareness and inaction comes conditioning. If you think back to all the different attacks that have happened, the OPM one was a big one, the Target one was a big one. You can go down the list. There are one or two or three huge ones every year.

Eric: Ukraine was massive.

The Big Question We Need to Address

Travis: Exactly. You just sit back and go, "Well, that sucked." But, it's no different than mass casualty events with guns. You get conditioned that they're going to happen every so often. Nobody accepts it, nobody wants it. But we're also unable to do anything about it as a consensus. Some of what we talked about earlier is everybody knows we needed to do something on cyber. Everybody knows we needed to do something on gun violence. But where's the line, nobody agrees, right? It moves and there are lots of opinions. And it's very difficult to figure out the deterrence angle and where a line should be and what we're willing to accept and what we're not.

Eric: There's no easy answer. Take nation-state attacks, take attacks off the table. Imagine somebody making just a casual mistake that destroys a component of the energy grid. That could be catastrophic, not due to malice, but just due to an unintentional mistake. How do we protect ourselves is really one of the big questions we need to address.

Travis: Yes. It's not always easy in attribution like it is if you shoot a gun at me, Eric. I know you shot a gun at me, right, and it's very easy to attribute my hostile intent and where it should now go. It's not so easy in cyberspace. If you can even prove who it is and even when you can prove who it is, how do you prove fault. If you go back and look at some of the NSA toolkits that were released, whose fault is that if they're actively exploiting things in the wild with those tool kits. The attribution is just a mess and some of that. So attribution is hard, drawing the lines is hard. Nobody's happy with where it's at, nobody has consensus on what to do about it.

A Blurry Line That Nobody Understands

Travis: It's just, everything's connected. A lot of this stuff is unacceptable. But we don't have that same line that we do in other engagements where if you do this, you're going to receive a kinetic response. Which is a very strong deterrent from the US perspective. Because we've got the most powerful military in the world. But, where does that response get involved, I think is a very blurry line that nobody understands, including our politicians and leaders, unfortunately.

Rachael: That's a good point of today.

Eric: Travis, I might argue with you.

Rachael: Yes. Oh really?

Eric: Go ahead, Rachel.

Rachael: Well, no, from everything I'm seeing that it seems to be. It's risen up again as a big point of debate. The Biden administration wants to focus a lot on cyber and there's a lot of discussion of the offensive-defensive strategies in it what's the right play there. I think it's very complicated, and to your point when we talked earlier, depending on the country, that could also determine what that level of response, offensive-defensive would be.

A Lawless, No Rules Environment to Operate In

Rachael: How do you map that out? Because I know the government likes right. We talked about this last time, Eric black and white, very specific language, if then this. So how do you map that out and address it, particularly in a global scale with something that's changing so quickly? And then, there's the innovation piece that is very difficult. I think you said, "Cyber puts no in innovation." But, that's also the piece of it, the yin and the yang of the two, so to speak and it's not an easy answer. That's my dogs.

Eric: It's a tough one and playing off of that, Rachel, I was going to disagree with you slightly, Travis. I think the nation-states like North Korea and China, maybe even in some of the ones that have little to lose, they like the rural set the way it is right now, open Wild West. The hackers out there that are going for financial gain and creating zero days or using ransomware to make millions of dollars a year. I think they love it right now that it's a lawless, no rules, low consequence environment to operate in. I think it's a great place to be. It's like walking into stores without any security knowing you can take something and probably not get thrown into jail.

Travis: It's a great place to be for them.

Eric: Yes.

Travis: What I see a lot of them doing is they probe. Like, "I pushed it this far, what was the consequence, nothing. What was the benefit, a lot."

People Are Pushing the Boundaries

Eric: A little more.

Travis: All right. Now, let's push a little more. All the way up to interfering in US elections, what was the consequence of that. The Solarwinds attack, basically taking over most of the private sector and government agencies in the countries networks, what was the consequence of that? What you see people doing is pushing the boundaries. And if the benefit is higher than the pain, they're going to continue to do that. I think we've got to figure that out. It's not that people. There were people way smarter than me thinking about this. It's very situational, almost like any other battle plan you would draw out.

Eric: Agreed.

Travis: How big a threat was it, how big a threat are they to us? How rapidly could this escalate? Is it worth it? All those sorts of things go into each one of these decisions. But I've seen stuff. The Trump administration did a lot more to empower our cyber offensive folks on the deterrent side. I think people are thinking through this problem, but it's very nuanced.

Travis: There's not a road answer. Every situation has got to be weighed, pros and cons and a commensurate response given. That being said, on this call, we can't talk about everything our government does. But just because you don't see a response doesn't mean there wasn't one. We don't necessarily talk about everything we do, messages can be sent other ways.

An Asymmetric Advantage

Eric: Well, it'd be nice to see the outcome with a decrease in the amount of espionage and sabotage and attacks out there.

Travis: Yes. It's one of those, there should be global norms around this. But unfortunately, the global norm is now to hack and steal. Because it's an asymmetric advantage. If you're in a poor country, what's your best opportunity to get ahead. If you can't afford the RND, you can't afford all these things, it's easier to just steal it and jump ahead of the line than it is necessarily to do the other part. You see, even in large countries, some of these countries are still developing. There are still huge swaths of those countries that are very poor and economically disadvantaged. They don't have the money to put into these problems some of the wealthier nations have.

Eric: Well, and the advantage that the United States has over a small country, as far as IP is great. A small country can't go up against the United States but think about talking about that asymmetric advantage. If they just flip it around, they can go up against Pfizer or Moderna, or a company in the United States, Sony. Then they have the power, they have the capability. So it depends on how you frame the world in some ways, too. The cyber thing is a really hard problem.

Travis: Yes. One person with a keyboard can be more powerful than a hundred in another country if they know what they're doing, and they're clever. It's an asymmetric advantage, it’s what makes it a nasty playground and something to worry about.

Ransom Is a Big Game

Eric: Good times, Rachel.

Rachael: I know. I was thinking of it. Someone had said, "Hackers don't break-in, they log in." And, it's really gotten in some ways that simple. Looking at the global stage and you do have, you know, some of these larger countries that actually have government organizations dedicated to cyber attacks. Are we going to see more of that across more developing nations as the years, go ahead? Does that become how cyber wars are fought, by having this part of actual government organizations?

Travis: I think you see it already today. Most of them already have a capability, almost all of them are trying to grow it. And even in small countries with dysfunctional governments where maybe it's not invested in that way, you'll see organized crime top organizations that develop their own capabilities in that space. Where they're less interested in traditional espionage and more in monetization. Holding things, ransomware, where those things are growing threat landscape as well. Even in very poor countries, if you get a couple of people together with computers, you can hold some big places hostage if you know what you're doing.

Rachael: Ransom is a big game right now. There's an article I read about a company that had been hit by a ransomware gang, paid million in Bitcoin, didn't patch up the vulnerability in two weeks. The gang came back and took the data again and they paid millions in Bitcoin again.

A Risk Decision

Eric: Well, the bank's vault's doors open, why not keep coming back?

Travis: Absolutely.

Rachael: Well, that's confusing in itself. But then you see what is the department of treasury, you could be fine if you pay ransomware. And a lot of organizations struggle. What is the cost calculus for me paying versus not paying? Now, you have this additional complication of, "Well, without knowing attribution, if I pay and they happen to be on this list, well, then I'm going to get fine. So then do I just not report that I was attacked?" This starts to get more and more complicated here.

Travis: It does and you don't get necessarily real good guidance from federal officials on what to do. Sometimes they'll say the best thing you can do is pay it. Other times they say never pay it no matter what. At the end of the day, it's a risk decision. They're criminals. The moment they hijacked your data, they became criminals. So there's nothing that says criminals will honor their word if you make the payment. Or that they won't just come back and do it to you again. It's a nasty attack. Ransomware is a scary one because they're not just stealing it, they're taking away your access to your own information.

Rachael: Exactly and if you don't pay, they leak it to try to make you pay so now they're getting you both ways.

Travis: Yes.

Rachael: No easy answers Eric, on this one.

The Future of Operational Technology Environment

Eric: There aren't. Before we wrap up, I want to ask Travis, the operational technology environment, the OT environment, what do you see as the future there? Are we going to invest more in securing it? Do you think it'll continue as is? Based on your extensive background, what do you see happening and what do you think should happen?

Travis: I think you're going to move much more into an IOT world where everything's connected. But I think you're going to see a lot more edge computing in that space versus more of the distributed. I think the Z scalers of the world with the distributed VPNs can take that data that's processed locally, get it somewhere central, where you can make decisions and do other things. But I think the world of air gaps has dined, started in my past life. You take them off the internet, you put some VDI jump servers in front of them and two-factor authentication and you're good because it's not on the internet. But there are ways as we've seen to jump air gaps.

Travis: The reality is I think the economics of the IOT world will override some of those spheres where they're going to become connected like everything else. So I just think the architecture has to change.

Eric: You see PLCs on a windmill or something being connected almost in a similar fashion to nest thermostats in the home?

Travis: Kind of, but I think it's going to be more edge where you're going to have a bunch of windmills or a large farm or a raise of things that are connected to some edge computing that's got a micro VPN backed to some cloud storage where they're doing processing of data at scale.

Limit the Accessibility

Eric: Got it. Okay.

Travis: But, I think everything's going to become connected. Because the value of understanding that data and taking actions, you're going to be able to monetize that when you're good at it.

Eric: Yes. Okay. Interesting.

Travis: Yes, but I don't see, just to be clear, they're going to take the grid and just say, "Put it on the internet, nothing bad will happen." I think they'll take it to the edge. They'll have some aggregation at the edge and then a connection back to some cloud processing is I think where a lot of this is going in the future.

Eric: Okay. Got it. Almost like in a classified environment. Say your encrypted data where you need it to go, protect it. Limit the accessibility to that windmill farm, if you will. But get the information out or in, depending on what you're trying to do. Management and control would be in, reporting, any kind of data collection analysis, out. That type of thing, but limited.

Travis: Yes. It's no different than what the government's tried to do with TIC or where they do with point-to-point classified encrypters. That technique's existed for a long time. But this ability to get a lot of compute at the edge to aggregate the data and then put it in some central cloud store where you can make sense of huge volumes of data or learn from it, I think the that's where everything's going in an AIML world. I think it's inevitable but there are secure ways to do it.

The Next Emerging Threat

Eric: Okay. Got it. Interesting.

Rachael: Yes. I would love to ask a closing question, if I could Eric. Because I'm fascinated here. Travis, given your front row seat and working in windowless rooms for government organizations. Next five to 10 years, what is an emerging threat or what is something coming that we haven't even thought of yet? Or that the inklings are here today, but we better start thinking about it because it could be quite devastating?

Travis: Take a long-term view, the one that's most worrisome is probably quantum. Because quantum computers can basically eat all the encryption that exists in the world today. If you look at a world where you have no privacy whatsoever in a quantum world, I think the race to who gets quantum first and can break keys like that and it takes a whole other level of sophistication to basically handle that for sensitive data. I think that's the next arms race, is around quantum. Whichever country figures that out first will basically know the secrets of all the other countries. So I think that's the next frontier in the cyberwar. Interesting.

Eric: We talked about that on the Steve Grobman episode, I don't know the number, Rachel. But I've talked to a lot of people about quantum and they're like, "Yes, we've got to get there first." What people don't understand is, if you're capturing encrypted data now, even though you can't decrypt it now, once quantum computing comes along, you will now have the capability to decrypt it. Those past communications that you stored, that you couldn't read at the time and that's a real threat.

A Whole New World With Quantum

Eric: It's just not understanding and go forward but it's also looking at what you had from the past. Quantum will open up a whole new world for us. And Travis, I'd agree with you that the country that gets it first has a distinct advantage, but the next country and the next one, after that, they also have the ability to rapidly catch up because of that capability.

Travis: Potentially, there's a window. It was the Nazi show on Amazon, it depends on who gets it.

Eric: Are you talking the Philip, and I can't think of it now either. I'm with you, go ahead.

Travis: Yes. It's the man in the high tower or something like that. But basically replays a world where Germany got the bomb first. So you don't need a lot of tun time advantage if the wrong country gets it first. They can use it if they were so inclined to take that advantage to basically scale-out. The US is probably the only country in the history of the world that would have a weapon that could force every country to surrender to us and not take advantage of it. There's a lot of countries that would not be so kind.

Eric: Interesting bringing that nuclear history or background into play there.

Travis: Yes.

The Pros and Cons of Quantum

Eric: Yes. I'd agree with you. From a quantum perspective, get there first from a U S angle point of view. Because we would have it so we could protect ourselves. And if we don't use it, assuming we don't, like we did nuclear weapons, we would be back into mutually assured destruction or some level playing field, if you will.

Travis: Yes. There are also encryption techniques that are completely resistant to that. Some of which also use quantum mechanics. I think it's attack and defend. You invest in things and there's a lot of good that's going to come out of quantum. And it's going to solve all medical things that are too computationally intense. It's going to be good for the world, but it can also destroy the world. The same thing with nuclear. They can give you unlimited power that's clean forever, or it could end the earth. That's sort of the spectrum it lives on, quantum's the same thing.

Travis: I think it's a combination of focusing on the capabilities we need for the country and the advantages it gives. But also the defense side of making sure critical infrastructure can protect itself in a quantum world. So if we don't get there first, we're not completely vulnerable, at least in these certain key industries where that matters.

Eric: Are we investing enough?

A Two-Horse Race

Travis: We never are in those spaces. It's the nature of government, you invest in whatever the fire the day is and the politics of the day, people don't worry about those problems downstream. It seems like we've lost our ability in the modern new cycle to worry about strategic problems as a country in a way we used to.

Eric: Will we be there first?

Travis: Time will tell. It's really a two-horse race, probably.

Rachael: Yes.

Eric: Us and China, right?

Travis: Correct. They have a lot of advantages and they know privacy, the most data, the least rules that impede them. They don't have our innovation ecosystem.

Eric: But, they may have our IP.

Travis: Yes. It'll be interesting to see how that plays out. You can make a strong argument on both sides but they have a lot of structural advantages.

Eric: You think this is five to 10 years?

A Difficult but Solvable Problem

Travis: They said five to 10 years ago back in 2015. I think it's a hard problem. But it is a solvable problem and so it's just a matter of time. The same thing with some of the clean energy technologies and solar. At some point as a society, we'll figure that out and it will be transformative and whoever does it first is going to make a lot of money.

Travis: I think it's the same thing, it's inevitable. I don't live in Vegas and I don't know that I can over-under that with any credibility to settle on.

Eric: Well, it’s great conversation today. Really appreciate it.

Travis: Yes. It's great. I appreciate you guys having me on. It's been great getting to know you guys and greatly enjoyed the conversation and your all's insights as well.

Rachael: It's been fantastic. I'd love to do this again soon, myself, I could talk to you all day.

Eric: Cool. Well, with that though, we will wrap it up.

Rachael: All right. Well, thanks everybody for joining To The Point podcast. Again, this was Travis Howerton, co-founder and CTO of C2 labs joining us today for a very insightful conversation. Thanks for joining us and we'll talk to you soon.

About Our Guest

Travis Howerton, Co-Founder, and CTO, C2 Labs

After executive leadership roles in some of the largest public and private sector IT organizations in the United States (to include the National Nuclear Security Administration, Oak Ridge National Laboratory, and Bechtel), Howerton joined C2 Labs in March 2019 to drive product development and corporate strategy. With over 20 years of experience in delivering "no fail" missions, he is a trusted advisor of our largest clients, thought leader for our product strategy, and focused on delivering sustainable long-term growth for the company.