WEBVTT

1
00:00:00.080 --> 00:00:02.759
<v Speaker 1>Welcome to the deep dive. We take critical research, pull

2
00:00:02.839 --> 00:00:06.040
<v Speaker 1>out the key insights and bring them straight to you. Today,

3
00:00:06.120 --> 00:00:10.400
<v Speaker 1>we're tackling something huge, really critical. We're looking at cybersecurity.

4
00:00:10.439 --> 00:00:10.519
<v Speaker 2>Now.

5
00:00:10.560 --> 00:00:13.560
<v Speaker 1>You hear about massive spending right. Global investment was over

6
00:00:13.640 --> 00:00:15.880
<v Speaker 1>one hundred and twenty three billion dollars back in twenty

7
00:00:15.919 --> 00:00:18.559
<v Speaker 1>twenty alone. But here's the kicker, and this is what

8
00:00:18.600 --> 00:00:21.800
<v Speaker 1>the research we've looked at hammers home. Despite all that cash,

9
00:00:22.199 --> 00:00:24.079
<v Speaker 1>we seem to be losing badly.

10
00:00:24.320 --> 00:00:26.559
<v Speaker 2>Yeah, it's a stark picture. The sources we're drawing from,

11
00:00:26.559 --> 00:00:29.960
<v Speaker 2>including analysis from folks like Steve King, argue pretty strongly

12
00:00:29.960 --> 00:00:34.560
<v Speaker 2>that we're spending more and somehow getting worse results. We're

13
00:00:34.560 --> 00:00:38.119
<v Speaker 2>operating at a quote decided disadvantage.

14
00:00:37.320 --> 00:00:40.520
<v Speaker 1>A decided disadvantage. So the big question for our deep

15
00:00:40.560 --> 00:00:44.359
<v Speaker 1>dive today is why, why the disconnect? And maybe more importantly,

16
00:00:44.520 --> 00:00:46.479
<v Speaker 1>is there a way out? What's the proposed fix?

17
00:00:46.679 --> 00:00:48.920
<v Speaker 2>That's exactly it and the core idea here. The real

18
00:00:48.960 --> 00:00:50.840
<v Speaker 2>insight is that this isn't just about tech. It's not

19
00:00:50.880 --> 00:00:54.640
<v Speaker 2>just firewalls failing. It's a systemic problem. It spans five

20
00:00:54.719 --> 00:00:59.079
<v Speaker 2>interconnected areas. Think of them as battlefields. Economics, technology, information, education,

21
00:00:59.159 --> 00:01:01.600
<v Speaker 2>and leadership. We're falling short across.

22
00:01:01.200 --> 00:01:04.760
<v Speaker 1>The board five battlefields. Okay, that really broadens the scope

23
00:01:04.799 --> 00:01:08.040
<v Speaker 1>beyond just code and servers. So before we dig into

24
00:01:08.079 --> 00:01:11.120
<v Speaker 1>where we're failing, let's talk about the proposed solution you mentioned.

25
00:01:11.359 --> 00:01:13.599
<v Speaker 1>It's called Zero Trust Architecture.

26
00:01:13.280 --> 00:01:17.920
<v Speaker 2>ZT exactly zero trust or ZT, and the idea behind

27
00:01:18.000 --> 00:01:21.079
<v Speaker 2>it is well, it's simple in concept but really radical

28
00:01:21.079 --> 00:01:24.359
<v Speaker 2>in practice. It basically says, forget the old idea of

29
00:01:24.400 --> 00:01:27.439
<v Speaker 2>a secure perimeter like a castle wall around your network.

30
00:01:27.719 --> 00:01:30.920
<v Speaker 2>Assume the attackers are already inside or they will get inside.

31
00:01:31.120 --> 00:01:32.959
<v Speaker 1>Okay, so if they're inside, what do you do.

32
00:01:32.840 --> 00:01:36.560
<v Speaker 2>You trust nothing implicitly, no device, no user, no service

33
00:01:36.599 --> 00:01:38.239
<v Speaker 2>inside or outside, gets a free pass.

34
00:01:38.400 --> 00:01:40.319
<v Speaker 1>Nothing, even stuff already on my network.

35
00:01:40.400 --> 00:01:45.719
<v Speaker 2>Nothing. The philosophy is never trust, always verify continuously every

36
00:01:45.760 --> 00:01:49.079
<v Speaker 2>single time something tries to access a resource. It flips

37
00:01:49.120 --> 00:01:52.040
<v Speaker 2>the old Internet model of built in trust completely on

38
00:01:52.079 --> 00:01:52.480
<v Speaker 2>its head.

39
00:01:52.560 --> 00:01:55.680
<v Speaker 1>Wow, okay, never trust, always verify. That sounds like a

40
00:01:55.760 --> 00:01:58.879
<v Speaker 1>massive shift, and you're saying this is key to tackling

41
00:01:58.920 --> 00:02:00.280
<v Speaker 1>those five failing battles.

42
00:02:00.120 --> 00:02:04.000
<v Speaker 2>Fields its position as the strategic counter Let's maybe start

43
00:02:04.040 --> 00:02:06.840
<v Speaker 2>with the human side of things. Education and leadership, because

44
00:02:06.840 --> 00:02:10.080
<v Speaker 2>the talent situation described is well, it's.

45
00:02:09.919 --> 00:02:12.840
<v Speaker 1>Alarming, alarming, how what kind of numbers that we talk about?

46
00:02:12.879 --> 00:02:15.680
<v Speaker 2>The numbers are just staggering. In twenty twenty one, the

47
00:02:15.800 --> 00:02:20.719
<v Speaker 2>US apparently had something like three million unfilled cybersecurity jobs

48
00:02:20.879 --> 00:02:24.319
<v Speaker 2>three million, three million, and that gap is growing way faster,

49
00:02:24.439 --> 00:02:28.360
<v Speaker 2>like seven times faster than average job growth. But it's

50
00:02:28.360 --> 00:02:29.680
<v Speaker 2>not just the numbers.

51
00:02:29.400 --> 00:02:30.520
<v Speaker 1>It's the type of talent too.

52
00:02:30.599 --> 00:02:35.639
<v Speaker 2>Precisely, while we're struggling to fill basic roles, adversaries, particularly

53
00:02:35.680 --> 00:02:38.759
<v Speaker 2>state sponsored groups like those reportedly in North Korea, are

54
00:02:38.840 --> 00:02:44.080
<v Speaker 2>running these intense, disciplined programs. They're training thousands of specialists,

55
00:02:44.120 --> 00:02:46.479
<v Speaker 2>not just hackers, but cyber warriors, lawyers.

56
00:02:46.759 --> 00:02:48.360
<v Speaker 1>What makes them different? What kind of skills are we

57
00:02:48.400 --> 00:02:48.879
<v Speaker 1>talking about?

58
00:02:49.080 --> 00:02:53.120
<v Speaker 2>We're talking highly advanced stuff zero day exploits, obviously finding

59
00:02:53.159 --> 00:02:57.280
<v Speaker 2>flaws nobody else knows about, but also incredibly sophisticated techniques

60
00:02:57.319 --> 00:03:02.120
<v Speaker 2>like analyzing electromagnetic radiation leaks way leakage from what from

61
00:03:02.280 --> 00:03:07.199
<v Speaker 2>air gap systems, computers deliberately kept off the network for security.

62
00:03:07.639 --> 00:03:11.840
<v Speaker 2>They're reportedly training people physicists and engineers to pull data

63
00:03:11.960 --> 00:03:15.360
<v Speaker 2>from the faint electronic signals. These machines give off that.

64
00:03:15.439 --> 00:03:19.719
<v Speaker 1>Is mind blowing. In our education system, it's not producing

65
00:03:19.759 --> 00:03:21.479
<v Speaker 1>people who can even defend against that.

66
00:03:21.719 --> 00:03:25.960
<v Speaker 2>It's the core critique in the sources. Yeah, US cybersecurity degrees.

67
00:03:26.000 --> 00:03:30.280
<v Speaker 2>They often focus too much on let's say, administration compliance

68
00:03:30.639 --> 00:03:34.840
<v Speaker 2>stuff you need for certifications like CISSP, which is valuable

69
00:03:34.879 --> 00:03:37.680
<v Speaker 2>for management, sure, but it's not frontline combat training.

70
00:03:37.840 --> 00:03:41.120
<v Speaker 1>So we're graduating what administrators and bureaucrats.

71
00:03:40.520 --> 00:03:43.520
<v Speaker 2>That's the phrase used, Yes, administrators and bureaucrats, when what

72
00:03:43.599 --> 00:03:46.560
<v Speaker 2>we desperately need is a warrior class, people trained in

73
00:03:46.599 --> 00:03:49.159
<v Speaker 2>red teaming, offensive tactics, thinking like the enemy.

74
00:03:49.199 --> 00:03:51.680
<v Speaker 1>It really sounds like we're training auditors for a knife fight.

75
00:03:52.280 --> 00:03:56.159
<v Speaker 1>And does this problem, this disconnect reach the leadership level too,

76
00:03:56.599 --> 00:03:57.719
<v Speaker 1>the CISO.

77
00:03:57.400 --> 00:04:00.840
<v Speaker 2>Role, No, absolutely, the CISO, the chief information security officer

78
00:04:00.879 --> 00:04:02.639
<v Speaker 2>is often in a really tough spot. They're trying to

79
00:04:02.719 --> 00:04:06.280
<v Speaker 2>justify security spending to executives to the board who often

80
00:04:06.360 --> 00:04:09.439
<v Speaker 2>don't fully grasp the technical risk, and.

81
00:04:09.400 --> 00:04:11.199
<v Speaker 1>They rely on models to make decisions.

82
00:04:11.400 --> 00:04:13.800
<v Speaker 2>Yeah, and that's part of the problem. They might use

83
00:04:13.800 --> 00:04:17.759
<v Speaker 2>something like the Gordon Lobe model, which mathematically suggests you

84
00:04:17.800 --> 00:04:20.519
<v Speaker 2>should only invest a certain percentage, maybe around thirty seven

85
00:04:20.560 --> 00:04:22.959
<v Speaker 2>percent of the expected loss from a breach.

86
00:04:23.639 --> 00:04:27.160
<v Speaker 1>Okay, but hold on, if the math is sound, isn't

87
00:04:27.160 --> 00:04:29.600
<v Speaker 1>the issue that the execs are just bad at predicting

88
00:04:29.639 --> 00:04:34.839
<v Speaker 1>the actual potential loss, especially the non dollar stuff like reputation.

89
00:04:35.319 --> 00:04:38.000
<v Speaker 2>That's a really sharp point. And yes, the sources argue

90
00:04:38.000 --> 00:04:42.399
<v Speaker 2>the model becomes problematic because executives consistently underestimate the true

91
00:04:42.560 --> 00:04:45.879
<v Speaker 2>total cost of a breach. Quantifying cyber risk is hard,

92
00:04:46.279 --> 00:04:49.360
<v Speaker 2>so they default to that lower investment figure, maybe thirty

93
00:04:49.399 --> 00:04:52.959
<v Speaker 2>seven percent of a lowball estimate. The result: chronic underfunding, and.

94
00:04:52.959 --> 00:04:56.319
<v Speaker 1>The CIO's job just becomes keeping the lights.

95
00:04:56.079 --> 00:04:58.240
<v Speaker 2>On pretty much, keep the basics running, try to stay

96
00:04:58.240 --> 00:05:00.639
<v Speaker 2>out of the news. Don't build genuinely resilient systems

97
00:05:00.680 --> 00:05:02.319
<v Speaker 2>because the budget isn't there, which.

98
00:05:02.199 --> 00:05:05.399
<v Speaker 1>Leads us straight into that second battlefield, economics and technology.

99
00:05:05.399 --> 00:05:07.839
<v Speaker 1>And you said, the asymmetry here is stark.

100
00:05:08.160 --> 00:05:11.720
<v Speaker 2>Stark doesn't even cover it. It's fundamentally lopsided. Think about it.

101
00:05:11.959 --> 00:05:17.319
<v Speaker 2>Huge companies, governments spending billions collectively on defense, and the

102
00:05:17.399 --> 00:05:22.000
<v Speaker 2>attackers their cost is minuscule. You can apparently buy a

103
00:05:22.079 --> 00:05:25.680
<v Speaker 2>ready to go DDoS attack kit distributed denial of service,

104
00:05:25.720 --> 00:05:28.000
<v Speaker 2>the kind that floods a website and takes it offline

105
00:05:28.000 --> 00:05:32.399
<v Speaker 2>for fifty dollars fifty bucks, And even the most sophisticated

106
00:05:32.439 --> 00:05:35.680
<v Speaker 2>attack kits sold on the dark web for targeting large

107
00:05:35.759 --> 00:05:39.000
<v Speaker 2>enterprises maybe ten thousand dollars tops ten.

108
00:05:38.879 --> 00:05:44.199
<v Speaker 1>Thousand dollars versus multimillion dollar security budgets. It's absurd you

109
00:05:44.399 --> 00:05:47.120
<v Speaker 1>the listener could cause serious disruption for the price of

110
00:05:47.160 --> 00:05:49.800
<v Speaker 1>a cheap laptop. The whole incentive structure is.

111
00:05:49.759 --> 00:05:53.439
<v Speaker 2>Broken, completely broken, and the criminal side is getting incredibly professionalized.

112
00:05:53.480 --> 00:05:55.240
<v Speaker 2>Look at ransomware as a service.

113
00:05:55.040 --> 00:05:57.680
<v Speaker 1>Right, like a software subscription, but for crime.

114
00:05:57.839 --> 00:06:01.000
<v Speaker 2>Exactly like that. Groups like DarkSide, who are behind the

115
00:06:01.040 --> 00:06:05.560
<v Speaker 2>Colonial Pipeline attack, they operate like well, like legitimate businesses.

116
00:06:05.560 --> 00:06:08.879
<v Speaker 2>They issue press releases, they have customer support desks for

117
00:06:08.920 --> 00:06:12.439
<v Speaker 2>their affiliates who deploy the ransomware. They even have tiered

118
00:06:12.480 --> 00:06:16.759
<v Speaker 2>pricing, taking maybe twenty five percent commission on smaller ransoms,

119
00:06:17.000 --> 00:06:19.160
<v Speaker 2>but dropping it to ten percent if the victim pays

120
00:06:19.160 --> 00:06:20.480
<v Speaker 2>over five million dollars.

121
00:06:20.800 --> 00:06:24.160
<v Speaker 1>It's a franchise model for extortion. Okay, wow, Okay, so

122
00:06:24.199 --> 00:06:27.879
<v Speaker 1>the economics are skewed. What about the technology battlefield? The

123
00:06:27.920 --> 00:06:30.240
<v Speaker 1>sources mentioned technological solutionism.

124
00:06:30.399 --> 00:06:32.439
<v Speaker 2>Yeah, this idea that we can just buy our way

125
00:06:32.480 --> 00:06:35.319
<v Speaker 2>out of the problem with more tools. The industry's flooded.

126
00:06:35.600 --> 00:06:38.519
<v Speaker 2>One estimate suggests there are over thirty five hundred cybersecurity

127
00:06:38.600 --> 00:06:39.600
<v Speaker 2>vendors out there.

128
00:06:39.560 --> 00:06:40.759
<v Speaker 1>Three thousand, five hundred.

129
00:06:40.759 --> 00:06:43.519
<v Speaker 2>How do you even choose exactly? Companies keep buying the

130
00:06:43.560 --> 00:06:46.959
<v Speaker 2>next shiny object, another tool, another layer. But this tech

131
00:06:46.959 --> 00:06:50.399
<v Speaker 2>sprawl isn't fixing the underlying weaknesses. In fact, the sources

132
00:06:50.439 --> 00:06:53.680
<v Speaker 2>point to a disturbing trend. The more we spend, the

133
00:06:53.680 --> 00:06:56.959
<v Speaker 2>more tools we deploy, the more successful breaches seem to increase.

134
00:06:57.120 --> 00:07:00.079
<v Speaker 1>So more tools, more complexity, more ways for things to

135
00:07:00.160 --> 00:07:00.600
<v Speaker 1>go wrong.

136
00:07:00.959 --> 00:07:04.519
<v Speaker 2>We're drowning in tech but starving for a coherent strategy,

137
00:07:04.560 --> 00:07:06.279
<v Speaker 2>and the tech itself is getting riskier.

138
00:07:06.399 --> 00:07:10.240
<v Speaker 1>Take 5G. Ah, faster speeds, more devices connecting. What's

139
00:07:10.240 --> 00:07:11.319
<v Speaker 1>the specific threat there?

140
00:07:11.480 --> 00:07:14.319
<v Speaker 2>Speed and scale. By twenty twenty five, they predict maybe

141
00:07:14.319 --> 00:07:19.720
<v Speaker 2>seventy five billion new devices connecting every year. Seventy five billion, okay,

142
00:07:19.759 --> 00:07:23.399
<v Speaker 2>and 5G offers this instant high speed connection fabric.

143
00:07:23.639 --> 00:07:26.839
<v Speaker 2>So imagine malware spreading not just quickly, but potentially at

144
00:07:27.360 --> 00:07:30.600
<v Speaker 2>the speed of light across vast networks of devices.

145
00:07:30.680 --> 00:07:32.959
<v Speaker 1>So an attack like WannaCry, which caused chaos a few

146
00:07:33.000 --> 00:07:33.519
<v Speaker 1>years ago.

147
00:07:33.519 --> 00:07:37.519
<v Speaker 2>Could spread globally in minutes. Potentially, it shifts cyber attacks

148
00:07:37.560 --> 00:07:41.399
<v Speaker 2>from being mostly financial or data theft problems to potentially

149
00:07:41.439 --> 00:07:44.920
<v Speaker 2>causing real world physical damage at 5G pace. Think

150
00:07:45.040 --> 00:07:47.319
<v Speaker 2>power grids, manufacturing, transport.

151
00:07:47.519 --> 00:07:50.439
<v Speaker 1>It's terrifying, and it connects to another tech issue mentioned,

152
00:07:50.680 --> 00:07:52.959
<v Speaker 1>the supply chain, particularly open source.

153
00:07:53.120 --> 00:07:55.800
<v Speaker 2>Yes, the software supply chain. We all rely heavily on

154
00:07:55.839 --> 00:07:59.600
<v Speaker 2>open source code, reusable libraries, and components. Developers downloaded something

155
00:07:59.639 --> 00:08:02.120
<v Speaker 2>like two zero point two trillion open source packages in

156
00:08:02.160 --> 00:08:05.839
<v Speaker 2>twenty twenty one trillion. It's the foundation of modern software.

157
00:08:06.319 --> 00:08:10.839
<v Speaker 2>But here's the problem. The most popular, most widely used projects.

158
00:08:11.199 --> 00:08:15.680
<v Speaker 2>They're apparently three times more likely to contain known security vulnerabilities.

159
00:08:15.839 --> 00:08:18.000
<v Speaker 1>So the stuff everyone uses is the riskiest.

160
00:08:18.199 --> 00:08:22.439
<v Speaker 2>It makes the whole ecosystem a massive tempting target. Compromise

161
00:08:22.560 --> 00:08:26.120
<v Speaker 2>one popular component and you could potentially infect thousands of

162
00:08:26.160 --> 00:08:27.439
<v Speaker 2>applications downstream.

163
00:08:27.519 --> 00:08:30.639
<v Speaker 1>Okay, this is bleak. Let's move to the third battlefield information,

164
00:08:31.399 --> 00:08:33.080
<v Speaker 1>the fog of cyber war you called it.

165
00:08:33.200 --> 00:08:36.679
<v Speaker 2>Yeah, large leaps of attribution, or rather the lack of

166
00:08:36.720 --> 00:08:40.519
<v Speaker 2>reliable attribution. You get hit, but figuring out definitively who

167
00:08:40.519 --> 00:08:46.080
<v Speaker 2>did it? Was it Russia, China, Iran, North Korea, A criminal, gang,

168
00:08:46.399 --> 00:08:47.120
<v Speaker 2>an individual?

169
00:08:47.200 --> 00:08:48.279
<v Speaker 1>It's hard to pin down.

170
00:08:48.240 --> 00:08:51.279
<v Speaker 2>Extremely hard. The example given is the Anthem Health insurance hack,

171
00:08:51.600 --> 00:08:55.600
<v Speaker 2>huge breach, seventy eight point eight million records stolen, massive investigation,

172
00:08:55.879 --> 00:08:59.279
<v Speaker 2>years of work, millions spent, and the conclusion only a

173
00:08:59.279 --> 00:09:03.200
<v Speaker 2>suspicion that she was responsible, No definitive proof. That uncertainty,

174
00:09:03.240 --> 00:09:06.639
<v Speaker 2>that information gap benefits the attackers immensely. They can deny,

175
00:09:06.879 --> 00:09:08.080
<v Speaker 2>adapt and strike again.

176
00:09:08.399 --> 00:09:11.720
<v Speaker 1>And there's another angle to this information problem. Isn't there

177
00:09:12.039 --> 00:09:14.080
<v Speaker 1>something about our own government agencies?

178
00:09:14.440 --> 00:09:18.200
<v Speaker 2>Yes? This is a really critical and kind of uncomfortable

179
00:09:18.240 --> 00:09:21.559
<v Speaker 2>point raised in the sources. It concerns the tension between

180
00:09:21.799 --> 00:09:26.399
<v Speaker 2>intelligence gathering and defense agencies like the NSA. Their job

181
00:09:26.480 --> 00:09:32.159
<v Speaker 2>involves finding weaknesses exploits in software, including common commercial products

182
00:09:32.320 --> 00:09:34.279
<v Speaker 2>like Microsoft Windows or Office.

183
00:09:34.399 --> 00:09:37.679
<v Speaker 1>Okay, standard intelligence work, finding vulnerabilities, right, But.

184
00:09:37.679 --> 00:09:41.120
<v Speaker 2>The crucial part is historically the policy has often been

185
00:09:41.519 --> 00:09:44.200
<v Speaker 2>not to tell the software vendor about the flaw they found.

186
00:09:44.240 --> 00:09:47.320
<v Speaker 1>Wait, so the NSA finds a hole, uses it for spying,

187
00:09:47.759 --> 00:09:49.360
<v Speaker 1>but doesn't tell Microsoft to fix it.

188
00:09:49.840 --> 00:09:53.120
<v Speaker 2>That's the reported dynamic they keep the vulnerability secret to

189
00:09:53.159 --> 00:09:56.960
<v Speaker 2>maintain their intelligence access. But the side effect is huge.

190
00:09:57.039 --> 00:09:59.559
<v Speaker 1>It means that vulnerability stays open for everyone else to

191
00:09:59.559 --> 00:10:03.080
<v Speaker 1>find and exploit too. Yeah, adversaries, criminals exactly.

192
00:10:03.159 --> 00:10:05.919
<v Speaker 2>We're essentially leaving known holes in the software that runs

193
00:10:05.919 --> 00:10:09.559
<v Speaker 2>our businesses, our banks, our infrastructure for the sake of

194
00:10:09.600 --> 00:10:14.399
<v Speaker 2>potential intelligence gains. It's a deliberate trade off that increases systemic.

195
00:10:14.000 --> 00:10:17.480
<v Speaker 1>Risk that seems counterproductive to overall national security.

196
00:10:17.519 --> 00:10:20.639
<v Speaker 2>It highlights a major internal conflict, and it's worsened by

197
00:10:20.679 --> 00:10:23.840
<v Speaker 2>the fact that even when threats are known, information sharing

198
00:10:23.960 --> 00:10:28.200
<v Speaker 2>is poor. Both private companies and public agencies tend to

199
00:10:28.320 --> 00:10:31.799
<v Speaker 2>hoard threat data, preventing a truly unified defense.

200
00:10:31.960 --> 00:10:37.919
<v Speaker 1>Okay, so education, leadership, economics, technology, information failures across the board.

201
00:10:38.480 --> 00:10:41.879
<v Speaker 1>It really paints a picture of needing a fundamental strategic shift,

202
00:10:42.240 --> 00:10:44.360
<v Speaker 1>not just more money or tools.

203
00:10:44.080 --> 00:10:46.480
<v Speaker 2>Which brings us back to zero trust.

204
00:10:46.759 --> 00:10:50.360
<v Speaker 1>Right, So, how does ZT actually counter these failures in practice?

205
00:10:50.399 --> 00:10:53.559
<v Speaker 1>You said, never trust, always verify. What does that look

206
00:10:53.639 --> 00:10:54.240
<v Speaker 1>like day to day?

207
00:10:54.399 --> 00:10:57.240
<v Speaker 2>Okay, So the first practical is defining your protect surface.

208
00:10:57.519 --> 00:10:59.960
<v Speaker 2>Instead of trying to defend everything. You identify your app,

209
00:11:00.399 --> 00:11:04.039
<v Speaker 2>most critical data assets, applications the crown jewels. It has

210
00:11:04.080 --> 00:11:05.759
<v Speaker 2>to be small and manageable. Focus.

211
00:11:05.519 --> 00:11:08.399
<v Speaker 1>On what truly matters most. Got it? Then what?

212
00:11:08.600 --> 00:11:11.320
<v Speaker 2>Then? You use micro segmentation. Think of it like putting

213
00:11:11.360 --> 00:11:14.519
<v Speaker 2>tiny secure rooms around each critical asset or application within

214
00:11:14.559 --> 00:11:17.200
<v Speaker 2>your network. You build internal walls so.

215
00:11:17.240 --> 00:11:19.200
<v Speaker 1>Even if an attacker gets past the main door, they're

216
00:11:19.200 --> 00:11:21.639
<v Speaker 1>contained in one small area. They can't just wander around

217
00:11:21.639 --> 00:11:22.840
<v Speaker 1>the whole network.

218
00:11:22.919 --> 00:11:26.279
<v Speaker 2>Precisely. It stops lateral movement, which is how most major

219
00:11:26.320 --> 00:11:30.519
<v Speaker 2>breaches spread. And the third key piece is rigorous identity management.

220
00:11:30.919 --> 00:11:35.960
<v Speaker 2>This means continuous verification of users and devices. Strong multi

221
00:11:35.960 --> 00:11:39.840
<v Speaker 2>factor authentication or MFA isn't a one time login thing.

222
00:11:39.879 --> 00:11:43.720
<v Speaker 2>It's constant, and you apply really granular controls at the

223
00:11:43.759 --> 00:11:47.519
<v Speaker 2>application layer seven, controlling exactly who can do what with

224
00:11:47.600 --> 00:11:49.279
<v Speaker 2>which data under what conditions.

225
00:11:49.320 --> 00:11:51.600
<v Speaker 1>That sounds much more granular than just checking if someone

226
00:11:51.639 --> 00:11:54.600
<v Speaker 1>has network access. You mentioned Active Directory earlier, calling it

227
00:11:54.639 --> 00:11:56.519
<v Speaker 1>a trojan. How does ZT fix that?

228
00:11:56.960 --> 00:11:59.960
<v Speaker 2>Because systems like Active Directory are built on implicit trust.

229
00:12:00.759 --> 00:12:03.279
<v Speaker 2>Once you compromise AD, you often get the keys to

230
00:12:03.320 --> 00:12:07.919
<v Speaker 2>the entire kingdom, admin rights everywhere. It's powerful, but brittle.

231
00:12:08.480 --> 00:12:12.399
<v Speaker 2>ZT dismantles that excessive trust. It assumes any identity could

232
00:12:12.399 --> 00:12:16.440
<v Speaker 2>be compromised and requires continuous proof isolating resources. So one

233
00:12:16.480 --> 00:12:20.440
<v Speaker 2>breach doesn't cascade. It essentially neuters that trusted internal

234
00:12:20.480 --> 00:12:22.519
<v Speaker 2>system's ability to grant universal access.

235
00:12:22.799 --> 00:12:26.039
<v Speaker 1>Okay, it makes sense conceptually, but does it actually work?

236
00:12:26.679 --> 00:12:29.320
<v Speaker 1>Is there evidence ZT improves things?

237
00:12:29.480 --> 00:12:31.960
<v Speaker 2>The data reported in the sources is pretty positive.

238
00:12:32.039 --> 00:12:32.279
<v Speaker 1>Yeah.

239
00:12:32.759 --> 00:12:36.840
<v Speaker 2>Studies apparently show organizations adopting these core ZT principles see

240
00:12:36.879 --> 00:12:39.840
<v Speaker 2>around a fifty percent improvement in preventing breaches.

241
00:12:40.000 --> 00:12:43.159
<v Speaker 1>Fifty percent just from those changes. Just by shrinking the

242
00:12:43.240 --> 00:12:49.320
<v Speaker 1>attack surface, eliminating that excessive internal trust, and enforcing continuous verification,

243
00:12:49.799 --> 00:12:52.080
<v Speaker 1>it fundamentally changes the defensive posture.

244
00:12:52.159 --> 00:12:56.159
<v Speaker 2>That's significant. But implementing this sounds like a huge undertaking,

245
00:12:56.279 --> 00:13:00.679
<v Speaker 2>especially nationwide. What kind of big, national level actions do

246
00:13:00.759 --> 00:13:03.320
<v Speaker 2>the sources recommend to actually make this shift happen.

247
00:13:03.440 --> 00:13:06.519
<v Speaker 1>They don't pull any punches here. The recommendations are aggressive,

248
00:13:06.559 --> 00:13:09.919
<v Speaker 1>almost wartime footing kind of stuff LIKEWI. First, mandate zero

249
00:13:09.960 --> 00:13:14.279
<v Speaker 1>trust for everyone every network, public and private, set a deadline,

250
00:13:14.440 --> 00:13:15.159
<v Speaker 1>make it non.

251
00:13:14.960 --> 00:13:18.240
<v Speaker 2>Negotiable, a government mandate for ZT architecture.

252
00:13:18.399 --> 00:13:18.799
<v Speaker 1>Wow.

253
00:13:19.000 --> 00:13:24.440
<v Speaker 2>Second, create a National Cybersecurity Manhattan Project pour massive funding

254
00:13:24.519 --> 00:13:28.399
<v Speaker 2>into applying AI machine learning to security, focused on rapid

255
00:13:28.440 --> 00:13:33.120
<v Speaker 2>development and deployment, not just slow academic research. Get solutions

256
00:13:33.120 --> 00:13:33.919
<v Speaker 2>out fast.

257
00:13:34.159 --> 00:13:37.279
<v Speaker 1>A Manhattan project for cyber AI. Get what else?

258
00:13:37.639 --> 00:13:42.320
<v Speaker 2>Third change the laws modernize cybercrime legislation to allow for

259
00:13:42.399 --> 00:13:46.000
<v Speaker 2>more offensive defense measures. The idea is to let victims

260
00:13:46.080 --> 00:13:51.039
<v Speaker 2>actively pursue attackers, maybe seize assets or evidence in real

261
00:13:51.039 --> 00:13:53.200
<v Speaker 2>time during an attack. That's controversial, but.

262
00:13:53.159 --> 00:13:57.600
<v Speaker 1>It's proposed enabling hackback or active defense legally. That's a

263
00:13:57.600 --> 00:13:58.120
<v Speaker 1>big one.

264
00:13:58.279 --> 00:14:01.759
<v Speaker 2>And the fourth mandates on cyber and insurance providers basically

265
00:14:01.840 --> 00:14:05.720
<v Speaker 2>force insurers to require companies meet a standardized security baseline

266
00:14:05.759 --> 00:14:08.399
<v Speaker 2>like the NIST framework before they can even get coverage.

267
00:14:08.480 --> 00:14:11.639
<v Speaker 1>Ah, using the insurance market to enforce standards. That's clever.

268
00:14:11.879 --> 00:14:13.840
<v Speaker 1>It shifts the compliance burden exactly.

269
00:14:13.919 --> 00:14:17.200
<v Speaker 2>It leverages market forces to drive adoption of better security

270
00:14:17.200 --> 00:14:18.440
<v Speaker 2>practices across the board.

271
00:14:18.720 --> 00:14:21.159
<v Speaker 1>So, bringing this all together, what's the main takeaway for

272
00:14:21.240 --> 00:14:22.799
<v Speaker 1>you the listener? Where does this leave us?

273
00:14:23.120 --> 00:14:26.039
<v Speaker 2>Look, the core message from this material is pretty clear.

274
00:14:26.639 --> 00:14:29.200
<v Speaker 2>We're losing this fight not because we lack money, but

275
00:14:29.240 --> 00:14:32.759
<v Speaker 2>because our strategy, our education, our leadership, our whole approach

276
00:14:32.879 --> 00:14:37.080
<v Speaker 2>across these five battlefields is fundamentally flawed, and zero.

277
00:14:36.840 --> 00:14:39.960
<v Speaker 1>Trust is offered as the framework to actually turn things around.

278
00:14:40.200 --> 00:14:44.320
<v Speaker 2>It's presented as the practical strategic path forward, a way

279
00:14:44.360 --> 00:14:47.639
<v Speaker 2>to redefine the battlefield, shrink the target, and actually start

280
00:14:47.639 --> 00:14:51.360
<v Speaker 2>pushing back effectively. But the sources end on a really

281
00:14:51.399 --> 00:14:54.639
<v Speaker 2>sobering note. They draw this parallel to the lead up

282
00:14:54.639 --> 00:14:57.360
<v Speaker 2>to World War Two, where the US was underestimated. How So,

283
00:14:57.679 --> 00:15:00.080
<v Speaker 2>the warning is that if we don't undertake a massive

284
00:15:00.120 --> 00:15:03.159
<v Speaker 2>coordinated national effort now like some of those proposals,

285
00:15:03.200 --> 00:15:07.320
<v Speaker 2>maybe even a national Cybersecurity Service program for graduates, if

286
00:15:07.320 --> 00:15:09.840
<v Speaker 2>we don't fundamentally change how we manage this risk, the

287
00:15:09.919 --> 00:15:13.840
<v Speaker 2>potential impact on our hyper connected society could be devastating.

288
00:15:14.080 --> 00:15:17.039
<v Speaker 2>The quote used is stark. It could plunge the US

289
00:15:17.080 --> 00:15:19.799
<v Speaker 2>into resembling a third world country, at least as it

290
00:15:19.840 --> 00:15:20.919
<v Speaker 2>relates to cyber.

291
00:15:20.720 --> 00:15:23.720
<v Speaker 1>Wow, a failure connectivity knocking us back decades.

292
00:15:24.039 --> 00:15:27.639
<v Speaker 2>That's the potential future painted. So the final question really

293
00:15:27.799 --> 00:15:31.000
<v Speaker 2>left for you to consider is do we collectively have

294
00:15:31.120 --> 00:15:34.320
<v Speaker 2>the will to make these difficult systemic changes before a

295
00:15:34.320 --> 00:15:37.320
<v Speaker 2>catastrophe forces us to, or will we wait until it's

296
00:15:37.360 --> 00:15:37.759
<v Speaker 2>too late?
