In Episode #31, we are joined by Doug Brush, a cybersecurity expert at Splunk. We discuss:

We’ll see you next week when we sit down with Joel Gallo, CEO of Columbia China League Business Advisory Co., a cross-border transactions and management consulting firm.


This podcast audio has been transcribed by an automatic transcriber.

Fred Rocafort  0:07 

Global law and global business go hand in hand, but never seem to keep pace with each other, developing and developed nations wax and wane in their importance in the global stage while consumption and interconnectedness both increase, laws and regulations change incessantly, requiring businesses to stay nimble. How do we make sense of it all? Welcome to Global Law and Business hosted by Harris Bricken International Business attorneys. I’m Fred Rocafort


Jonathan Bench  0:37 

and I’m Jonathan Bench. Every week we take a targeted look at legal and economic developments in locales around the world as we try to decipher global trends in law and business with the help of international experts. We cover continents, countries, regimes, governance, finance, legal developments, and whatever is trending on Twitter. We cover the important, the seemingly unimportant, the relatively simple and the complex.


Fred Rocafort  1:02 

We hope you enjoy today’s podcast. Please connect with us via email and social media to comment and suggest future topics and guests.


Jonathan Bench  1:21 

Today we’re joined by Douglas Brush, an information security executive with over 26 years of entrepreneurship and professional technology experience. He is a globally recognized expert in cybersecurity incident response, digital forensics and information governance. In addition to serving as a CISO and leading Enterprise Security assessments, Douglas has conducted hundreds of investigations involving hacking, data breaches, trade, secret theft, employee malfeasance, and various other legal and compliance issues. He also serves as a Federally Court Appointed Special master and neutral expert in high profile litigation matters involving privacy, security, and ediscovery. Currently, he is at Splunk, where he works with fortune 500 organizations to improve their security operations and reduce business risk from cyber attacks. He’s also the founder and host of cybersecurity interviews, a popular Information Security podcast. Doug, welcome to Harris Bricken, global law and business. Thanks for being with us today.


Douglas Brush  2:18 

Thanks for having me. I appreciate it.


Fred Rocafort  2:20 

Doug, let’s get things started by having you tell us how you became an expert in cyber security? And what is it that you like and dislike about the industry?


Douglas Brush  2:30 

Yeah, it’s funny, I guess, you know, being an expert, it’s, it’s one of those that I never had hoped to become. It’s one of those as, as happens with age and time, I suppose. Because it’s, it’s one of those, you start doing it long enough. And I guess people start calling you an expert, whether you like it or not. But it’s a it’s really one of those things where I’d started with information technology in the 90s. And at that point, in the early 90s, in particular, you know, I’m coming out of high school, I’m wanting to do more with technology and computers. But at that time, in particular, where I was in New York State and about an hour and a half north of New York City in the Hudson Valley region, in Poughkeepsie, New York, which has been called IBM country, big blue country, it was really the epicenter for a lot of IBM’s mainframe business and what they were shipping out globally. And, you know, really, from one end to the Hudson, all the way up to the other all the way up in extreme Vermont, you know, it’s really this whole corridor of technology, but it was very focused on mainframe technology. And at that time, I was, you know, a computer hacker I was a kid, I was getting online with things like compuserve and prodigy at the time, you know, early internet and taking apart computers and rebuilding them constantly troubleshooting them for friends family. And at that time, there was this really no path for me to get into anything that was the types of computer it would say Computer Engineering computer operations that exist today, as far as degrees. Everything computer science based then was very cobalt based in programming and mainframes. And I was like, I do not want to do that. Particularly when I saw a market growing with things like Windows PCs. And the internet really kind of come into fruition, I said, you know, this is really going to be more of a, an area. So there really wasn’t a path for me at that point. So I kind of hung out my shingle I took took a chance with some of the college savings I had and started my own computer consulting firm serving individuals and small businesses in the Hudson Valley region, doing networking and repairs. And eventually that kind of led into a lot of things. And I would say over the course of about five years into the early 2000s, of doing a lot of networking, network engineering. And there’s a natural progression without doing security as I started working with more enterprise and much larger companies at the time, where I was supporting them by going in and building out networks and having to secure them for a very short periods of time as they were doing conferences and other types of meetings. So I get be able to kind of inherent part of what I was doing was always really something that I found interesting. And when the computer security part of it kind of came about, I was always, again back in the 90s, early 2000s, always following the famous hackers that were out there with the Kevin Mitnick and these other folks that were at the time were evolving into this industry. That was kind of on the other side of the law, it really wasn’t a something that was even formalized when people were doing some of the offensive testing and things and research. So it’s really still kind of a gray area. So it really waited till kind of formalized and evolved until it was something that I became more side, I really want to get back to this kind of roots of really problem solving. And I think that’s the one thing that drew me into information security was, there’s always a problem to solve. It’s always some type of issue to unpack and understand. So I actually got called into a legal matter by a friend of mine that was doing audio visual forensics. So he was going in and taking audio files and video files and scrubbing them and seeing, you know, where they can be cleaned up to be brought in as evidence and federal and civil of federal cases, both in civil and criminal courts. And he said, you know, we got this computer, would you mind taking a look at it, do some forensics on it and write a report? Sure, at the time I i this was like a perfect segue to something I was trying to do is reinvent myself with security and information security, computer forensics. So I latched on to that. And I did this whole report and investigation of this computer and how it was recording time for this particular set of events. That was a video recordings. That was the DVR system, and how it was recording things. It set a timeline that 16 other experts on both sides were kind of using to validate the series of events. And when I looked at it can see that the time recorded on it was incorrect. And wrote this whole report, it really fundamentally changed the course of that litigation and what other folks were interpreting for their evidentiary kind of meets. And I was really passionate about that this is so cool, and really wanted to make that a full time thing. So I started my own company at that time, the digital friends group. And that was based in New York City and I got more cases and really kind of grew and then evolved from doing more the forensics that was supporting litigation to doing hacking investigations and other types of things that really kind of encompass the whole thing of, you know, we talk about information security and risk management. So the legal components, the compliance components, operational components, and really look sort of look at things more holistically, and got to work on a number of interesting cases, in the legal arena, a lot of things that were involved with data breaches and taking a lot of those lessons learned and building out security programs by seeing you know, what kind of works and what doesn’t, when the proverbial crap hits the fan, whether it’s a, you know, a litigation investigation, or whether it’s a data breach, you know, there’s some event that causes everybody to kind of scramble around and have to build a timeline. And so I took a lot of that those lessons learned and start bringing to more of the proactive side, where I would go in and work with organizations to build out their security programs, and even act as a siso in a number of these organizations to kind of guide their overall strategy. So they’re looking at things strategically and tactically, and how to build their programs, which kind of went through a couple of iterations of companies doing that, that were intrapreneur kind of operations, and eventually got to talk to the folks at Splunk, about a year ago, and decided to come over here to kind of continue to do that in a much, much larger scale.


Jonathan Bench  8:25 

It’s interesting, you, you mentioned a couple things that I thought were fascinating. One is the parallels that I haven’t ever considered between the the cybersecurity world where you have, you know, former hackers coming out of the woodwork and now turning their skills to say legal ends. Because Fred and I do quite a bit of cannabis work at our law firm. And so that’s the realm that we play in as well, where we’re still early on in the industry where a lot of the professionals you know, even executive level folks who are in public companies have a bit of a checkered past. And so it’s very interesting to to think about the way industry comes out of out of the shadows a bit to to gain more legitimacy as the as the as the laws and regulations mature and create a space for them.


Douglas Brush  9:13 

Oh, definitely, you know, in that’s a bit a really strong story arc, I think of computer security, because, you know, particularly as the internet grew, it was one of those things where we unleash it to the masses, without, I think fully appreciating the risk that it brought to businesses and individuals, it allowed people to communicate at unprecedented levels. But with that, there was an A really thought of what can go wrong. And so to test those theories, people have to kind of do them have to go through those exercises in those tabletops and actually stress the system a little bit. And there really wasn’t a framework to deal with that early on. And it It created a lot of issues where people are like, why if I guess I can do it and nobody else can understand it. This is research and people are like, Well, no, you’re now breaking into systems. That’s beyond research and business. Have a very kind of gray area. But a lot of those methodologies that people then took on to say, hey, look, I’m not the bad guy doing this and intent, intent became the key. But here’s what I was able to do. You need to patch these holes in the systems to prevent these types of things in happening, whether it’s a computer system, a process, you know, whether things like social engineering and training people, how not to give out things, when somebody calls them and ask for a password, stress testing, the system became incredibly important, and now become part of what we do as regular, you know, almost there’s, it’s funny to see things that when people say, hey, know, you need an annual pen test, or an offensive hacking exercise, conducted as part of a business agreement or part of a regulation, whereas, you know, 20 years ago, it was unheard of and and people who did do that were the ones actually, in fact, getting arrested.


Jonathan Bench  10:50 

And that, of course, reminds me of all of my cyber related incidents have something to do with Hollywood, right? The movie sneakers was probably one of the first movies I ever saw with Robert Redford. And they had both, you know, cyber component to that to that movie, as well, as, you know, kind of a real breaking and entering physical space scenario, right? It just a lot of fun when I was I don’t know how old I was, when I saw it. I’m sure I was 10 years old or less, when I saw that,


Douglas Brush  11:15 

yeah, that that movie, wargames were kind of very much part of my Canon in history of seeing that kind of play out. And that was always something I wanted to do.


Jonathan Bench  11:27 

So another question, taking this to an international level, our information systems, basically the same across the world, or are there significant differences in the way, you know, hacking, cybersecurity protection mechanisms are in place in you know, in China, in Africa, in the US, South America?


Douglas Brush  11:46 

You know, overall there, I would say the systems themselves, there’s a level of standards. But that’s just the frame kind of framework. And if you say, Okay, well, it’s a house the same in China’s houses in the United States, yes. But there might be different codes and regulations that go around to how that’s built, or how it’s used. And so I think that’s, that’s where the more the nuances is an actually in the use of the way things are communicated, how the systems are hooked up, what type of information stored on them, for how long, you know, those types of things, then on a global scale, play very differently, for how the systems are ultimately used, and certainly much more of a challenge now and global economies where, you know, people might have operations in many different countries. And then how do you design systems that connect and talk to each other, across those those, you know, virtual and physical boundaries, but also can communicate and operate internally as well. So that’s, that’s become more and more of a challenge as we globalize much of the information.


Jonathan Bench  12:45 

So let’s talk about global legal frameworks, then. What are you aware of, in the world that is being used right now, you know, say, a supranational level national levels to address cybersecurity, because I think everyone who does business is concerned about, you know, about their cybersecurity at one level or another, even if they’re not safe collecting, you know, a lot of information that might make them subject to other data security laws that we’ll talk about in a bit.


Douglas Brush  13:10 

Yeah, I think a lot of it there are, there’s some, I would say, standards, let’s say, you know, say things like ISO 27,000, or one, you know, two, which is kind of the standards and implementation of particular frameworks that say, you know, here are the types of things that we look at or consider as part of a risk management framework that sets a level that you can measure yourself to, and there’s other ones that are less International, and certainly things like NIST 800, which is a US based one that’s, that’s not necessarily used outside of the United States. And there’s some other ones. So there’s the ones to help set the standard. They’re not, you know, I would say they’re, they’re not regulated, in that sense, where somebody in a compliance body is saying, hey, thou much have this type of framework in place, it’s more going to be about the underlying data privacy, about how that information is stored, transmitted, and ultimately expunged. And then that falls more into the data privacy side, which again, becomes this kind of amorphous thing. When you look at compliance data privacy, data security, information security, we’re all parts of this kind of multi dimensional thing that have different approaches to dealing with the risks around them when needed.


Fred Rocafort  14:21 

Let’s talk a little bit more about data privacy right now. The European Union’s GDPR that’s the general data protection regulation. And California’s ccpa that’s the California consumer Privacy Act. These are the biggest drivers of international data privacy concerns for for companies that collect consumer data. So in broad terms, what should international companies know about GDPR and ccpa? More More broadly, what are some best practices that that companies can adopt when it comes to cybersecurity. This is a bit of a hypothetical question. But uh, but just to get a conversation going, is it possible for a business or a government to be 100% cyber secure?


Douglas Brush  15:12 

No, it’s, it’s like saying, you’re going to be perfectly healthy, you can do a lot of things to mitigate risks in layers in different areas. You know, I can eat healthy, I can exercise, I can sleep, well, I can use my seatbelt when I drive my car, I can avoid dangerous situations. So there’s a lot of risk mitigation, I can put my life in various different areas to hopefully extend my life as as long as I can, for the things I can control, but there’s obviously going to be things that I can’t control. And that’s, that’s going to happen in IT systems as well. So you can’t be completely perfect. But I think what’s important for organizations to do is to better understand, and really what, really how they make money. And that’s one thing I asked when I go into organizations like what, what keeps the lights on? You know, what are the key critical business functions that, you know, make money for you guys? And how do you support that? And what are the underlying therefore, information and technology systems that support that? And how is that staffed, and they kind of look at it from that perspective, and then building out that kind of infrastructure map to say, Okay, well, here are the kind of keys to the castle as far as the critical systems, and then finding out where the important data has to be. And what’s the type of data that brings value and do that data taxonomy. Say this is something that, you know, we need for business. And, you know, it’s such an important piece of what we do, however, does that data have any kind of compliance regulations around it, it could be things like health care, it could be HIPAA regulations, United States, it could be marketing, consumer data that could be affected by ccpa. It could be, you know, European data subject, which affects by GDPR. So it’s been really kind of mapping out, once you know, what your infrastructure is going to look like, and how this critical information is going to move around. What’s that taxonomy and compliance regulations that fall around that? And then treat that with a level of care and due diligence. Because ultimately, what you want to be able to do, you know, when you face regulation, scrutiny, and whether there has been a data security incident, or whether there’s just an inquiry, and you’re getting audited, you want to be able to show that you’re doing what you can and what are the reasonable efforts that you’re you’re putting forth? You know, would somebody in a reasonable state of mind make the same type of efforts to protect this data and really understand what the risks are? And look at it in that frame that you can really say, Okay, well, we have to treat this data a little differently, maybe we have to put other types of technical safeguards around it. Maybe there’s particular human resource training only for that data, we’ll keep it on just that system, and just that country and train the people that touch it around that regulation. And then if anybody comes, NASA can say, look, we did all the things that we could to our best of our ability to protect the sensitivity of that information and make sure it’s cordoned off. So really, it’s having to look at things in more bite sizes, in specific areas, as opposed to saying, how are we going to make our entire organization perfectly secure, that’s just not realistic, you really have to focus on the most critical areas that carry the highest amount of risks, and build safeguards around that particular set of technology and information.


Jonathan Bench  18:15 

So since you’re involved in the legal framework, to some degree, what advice do you have for lawyers who are drafting contracts around these issues? Right, if if I have it? I mean, this is a very real scenario for a lot of us who do business transactions, where were our clients contracting with someone who a company that’s probably going to be dealing with their sensitive data? You know, what are kinds of terms that you’ve seen or been discussed? You know, maybe in the cases you’ve been involved in, where, where the issue hinged on well, who’s who really? whose responsibility? Was it to take care of this risk? Who was supposed to mitigate that risk? Or where do we, that’s what I do all day long in my business contracts is figure out where the risk lines are, and push as much as I can to the other party than then my client.


Douglas Brush  18:59 

The amount of times I’ve spent dealing with unlimited liability caps and contracts, it’s scary. You guys probably see it all the time, too, because it’s, and I think that that’s, you know, I’m kind of laughing at it, but it’s part of the problem is people don’t know, they’re like, well, gosh, who’s gonna assume liability because we don’t know what’s going to happen with this information. My encouragement on that is to really have ongoing and continue discussions and early on so with the legal teams, both inside counsel and outside counsel, talk to the technology teams, talk to procurement, vendor management, and really be involved in the risk process and as far as raising the risk of this type of information, and then putting the appropriate types of legal safeguards around it, you know, by no means my my lawyer, that’s actually you guys. But you know, I definitely like to deal with a lot of these contracts. And it’s really just talking about, you know, what’s, what’s fair and reasonable in protecting information and then saying, Well look, if you’re going to put some liability caps around the types of deal that you’re getting into with this data, the I want to know, what are what are the appropriate safeguards that you’re using? Is there a compliance or risk management framework that you guys adhere to. And this is where, you know, again, they’re not silver bullets, these risk management frameworks, like an ISO 27,001 certification, or sock two certification, which is kind of different. But they’re nice to have when you’re saying, hey, look, we really do take data integrity, information security seriously, here are the types of standards and compliance that we’re going to. And then understanding what those mitigation steps are going to be if there is a potential leakage of that data. And what’s the safeguards, and really kind of build that into understanding in the negotiation process of what’s that data lifecycle, how its protected? That’s the one thing I encourage attorneys to do is like, don’t don’t expect them to be the experts on these standards. But ask the fair and reasonable question, say, what are you doing to protect this data? And, you know, how are you going to respond? If there is and when there is a breach? I think that’s one other thing that I would say that I think a lot of folks assume it’s like, it’s not just protecting the data, we all assume that but it’s if there is data exposure, how fast you’re going to spin up a response, and put out this fire. And that’s another thing to really kind of focus on, because things are going to happen. And what you don’t want is having the FBI or some third party law enforcement agency, saying, Hey, we just found all your data on the internet, it came from a vendor, that’s the last way you want to be notified, you want to be notified from that vendor say, Hey, we just discovered there was a security incident, we got on it within 24 hours, here’s a story we can tell you, you know, the risks and the limits of liability, hopefully should be understood at that point. But you really just have to understand what their response plan is like.


Jonathan Bench  21:36 

And how effective is cyber insurance then in those scenarios, right. I mean, is it is it prohibitively expensive it can you get a decent amount of coverage for a data breach incident?


Douglas Brush  21:46 

You can, and I, you know, I’ve worked heavily within that space for several several years, and probably with insurance carriers covered about probably about 500 different data security incidents, 30 to 40% of them were notifiable data breaches. And had those companies not had some type of risk transference in the form of cyber insurance. I would, I can’t even think of how many of those companies would even be in business now. I mean, it would have been devastating. The amount of costs for having just forensic providers kind of come in and do their work at $700 an hour, data breach, counsel, time loss, reputational, harm all those things out up and costs of responding to an incident. And not having those things well laid out and at least plan for financially in advance is can be, so be really painful. So a lot of organizations that engage with cyber insurance, you know, the nice thing that they get is a team. So, you know, you have these panel providers that should there be something that happens, you call up your, you know, call the insurance company say, hey, look, you know, we think we have a security incident. They say, Hey, you know, call these data breach attorneys get things under privilege right away. Because that’s another thing that you might, that folks might miss when they’re doing data breach investigations, or data incident investigations is not having the appropriate outside counsel to cover things that are privileged. So you can have no kind of frank conversations about what’s happening. You get this, get that wrapped up with the appropriate legal counsel, you bring in the right forensic providers. And it just has this kind of playbook that already comes out. When you use a cyber carrier. Not having that you’d probably spend days if not weeks, trying to just even get to the what we would do in the first couple hours should somebody say hey, we know we’re opening up a claim.


Jonathan Bench  23:39 

Fascinating. So let’s look at the international side of this again, I love I love the concept of hackers in Russia and China, you know, pounding on their keyboards trying to breach everything in the world. I mean, intellectually, it’s fun to think about it, the reality is, it’s scary, right? I mean, so when you’re thinking about the global world of, you know, black hat, white hat hackers, you know, country of origin training goals for cyber hacking activities, I mean, how should we kind of make sense of all of the potential hackers that are out there, you know, domestic and foreign


Douglas Brush  24:13 

Well it’s important to understand their motivations, you know too and if we were talking about, you know, state sponsored hackers, and whether those be APT groups or advanced persistent threats or other types of, you know, groups that are working there, it’s, you know, kind of really understanding their tactics, techniques and procedures ttps. There’s human behavior behind these actions, right. There’s somebody that’s behind those keyboards. They’re usually trained within certain groups, they have certain, you know, for lack of a better word kind of poker tells, like, once you see them operate a couple times, they fall into a cadence and a pattern that you can kind of recognize who they’re from and how they’re executing their their particular attacks. added with that understanding their motivation. So if I’m, you know, broad based terms A lot of the Russian and Eastern European groups, um, I would say, even defy that even further. So some of the Eastern European groups that are more focused on cybercrime are going after things in a very different manner than when he would even the Russians that might be doing a state sponsored disinformation campaigns and finding information to then potentially, you know, cloud and election. So those are just two different very motivations that are going through from similar types of teams and similar geographies, but doing things very differently. And for different means same things. You know, when you look at the state sponsored attack groups out of China, they’re looking for intellectual property, they’re not necessarily interested in committing committing fraud. So their actions are going to be very different. And they might be very quiet and much harder to detect, because they’re trying to really blend in with with information streams that are going around extra trade information, intellectual property might not be huge data dumps. So you might there could be a little bit harder to detect organico compared to like, say, Eastern European hacker that might just be going in to we campaign get in steal some big amounts of information, they get stopped, they move on. If not, they launch a ransomware attack demand $1.2 million dollars in Bitcoin and move on. So it’s understanding this cadence the waves as they move become important. Outside of that, the attributions you know, what that means is difficult. You know, there’s there’s still a lot of gray area and community of people say, Well, does it really matter summit does doesn’t, because really hasn’t been a strong enforcement action against these groups. You know, recently, we saw where, you know, DOJ indicted some of the, you know, Russian state sponsored groups, that comes with a mixed bag of information, yes, those people can be captured and extradited to they leave Russia kind of constrained some a little bit, however, as a retaliatory tactic from that is, we’re not immune to, you know, our own actions as well. You know, retagged, the NSA has thrown attack groups that are going out and doing information gathering and more of an Hostnet type of activity. But those folks are known within all the communities as well, and some of those folks have been outed. So when we started dating people, threatening to arrest them, the reaction might be okay, we’re gonna start naming people within the NSA, that we know who they are, and, you know, putting their name out there. So it kind of comes with a double edged sword once we start getting to attribution in retaliation.


Jonathan Bench  27:23 

So from just kind of a general community security standpoint, should we be worried about hackers taking down public infrastructure or making you know, air traffic control? unsafe? Is that more of a something that would come to play in a war, you know, cold or hot war scenario, as opposed to just kind of day to day stuff that we’ll have to deal with?


Douglas Brush  27:44 

When it comes down to that that motivation? in there, there’s definitely I would say there’s enough of a concern from certain groups that would want to do more of a, let’s say, a, you know, terrorist, let’s say activity of taking down a power grid or nuclear power plan making things go awry. You know, you might see those out of your typical terrorist groups that might have done more of kinetic types of things have street side bombings, IDs, things like that. They might say, Okay, well, if we can weaponize some of our actions in the cyberspace, you know, in the cyber sphere, can we attack and do those so that that’d be more of a concern. Now, there’s typically been a gap there, where the capabilities and the intent of those individuals were separated, they’re narrowing, which concerns me is that you now have groups do you have more these attack hits and more knowledge about how to attack these types of infrastructure? publicly available? So are these groups might spin up a campaign and go after that, I would say it’s less likely from your more cold war state sponsored actors from China or Russia, because, like they need our computers on they start turning off our computers, they’re in those systems for months, if not years, they’re not going to want to lose the power to that. So it might not be a very strong motivation for them to do that. And, you know, outside of that, what does it really get them? You know, they take down a power system, they do damage to a regional area, the United States, disrupt things, you know, our actions might be kinetic, we might come back at them, and there could be sanctions, or it could be, you know, physical war. I mean, so it’s they might not want to kick that hornet’s nest. So it’s, there is a little bit of a you know, you know, kind of careful I would say careful, I’m err, quoting that where you can see but we’re each side being a little bit careful about how they how far they want to step over those boundaries, just because of the retaliation.


Fred Rocafort  29:29 

Doug the other day, I was listening to a podcast that, among other things, touched upon deep fakes, you know, the fake audio fake images, and I was quite surprised to hear about the levels of sophistication that had been reached in terms of being able to generate this kind of of material and there is obviously a connection there to do cyber security. Obviously the if you as a, as a, as a producer of these fakes, can can get access to real audio samples or images it presumably helps you with with the degeneration of the of the deep fakes. But I bring this up to ask you about issues that are or I should say new issues or novel issues that are keeping cybersecurity professionals such as yourself awake at night, obviously, there’s some of the things that that that keep you awake, or are things that have been around for a long time. But in terms of emerging threats, can you tell us about some of the newer challenges that you are facing?


Douglas Brush  30:47 

Yeah, and in general, I mean, that’s always going to be a problem. technology evolves and changes. And with that becomes and when we say I mean, we step back a little bit even say now is the technology age with this use uses change, you know, people might use a technology different. So you kind of combine those factors, and all of a sudden, new vulnerabilities open up, new risks come out, and possibly new attack vectors. So there’s always that risk with old technology, new technology being used in different ways to kind of exploit manipulate systems for some kind of game. And definitely things like deep fakes have some concern, I still think they’re a little bit kind of cutting edge. And we’re, we’re gonna probably see them being used more often, in disinformation campaigns, so where you’re gonna have maybe state sponsored activities against a country where they’re trying to upset election or change kind of behaviors of individuals, that will probably be, we’ll see more of that, you know, there could be other ways I can think of using it as an attack vector. However, I can also think of easier ways to do the same thing as far as impersonating things to kind of gain that level of confidence and social engineering. And that’s kind of where I was thinking with that, but I don’t know if it’d be as effective. But in general, you know, it’s, it’s the times change as well. And we’ve now seen things like cloud technology, which has been there now for numbers to you number of years. But we’re seeing obviously, a greater adoption, I would say in the last year with things like COVID going on, where there’s a greater shift. So all of a sudden, it’s like, where, you know, we’ve been in cybersecurity always want to say, Hey, come on, let’s measure twice, cut once, let’s plan things out. Often what happens in these kind of planning, and adoption and implementation of these different technologies, it happens under the gun. And that’s where I think we’ve seen right now with COVID, is all of a sudden, where, yeah, we’ve been saying, for years, you guys are gonna have to make a cloud play, you’re gonna have to move things into these different types of image structures, put around the appropriate controls, give yourself plenty of time to plan and all of a sudden, companies like, we have to do it, it’s the middle of March, all of our offices shut down, we’re doing this massive shift. And then they’re trying to do a technology change a behavior change, and then wrap security around it all at the same time. And those are the types of things that worry me. And I quite frankly, think we don’t know all the repercussions of that yet. It’s still too early. Um, and as people then shift to going back in the offices, what’s that going to mean? Is that going to then introduce new threats? Because the behaviors and work patterns are going to change? So it’s, that’s the things that worried me the most is like, how do we continue to think about these upcoming changes in the way people interact with the technology, as well as the underlying tech itself?


Jonathan Bench  33:31 

Doug, it’s been fascinating to have you on the podcast, we appreciate you bringing your your viewpoint, certainly your gravitas with your long running podcast history, we really appreciate that. And we look forward to hopefully catching up with you again, at some point in the future to discuss more of these issues. We we like to close our podcasts by asking our guests for some recommendations on how we can get smarter and audience can learn more, either within the cybersecurity realm or outside, so anything that you’ve read or listened to or watched lately that that you would recommend, we’d love to hear your recommendations.


Douglas Brush  34:06 

Yeah, I would say overall and kind of going back to the COVID thing that we’re all dealing with. Right now a lot of organizations that have put on conferences that used to be you know, you go and attend have put a lot of this information out there now free. So whether it’s something that you know, we talked about things in the cyber insurance space and a number of those conferences, have gone online and become much more accessible, definitely pick up those things. And net diligence has been a great kind of set of ongoing talk tracks and company community engagement within cyber and legal advice in the same way you know that those are two organizations I work pretty heavily with within the cyber insurance and legal community. So for listeners out there that farm with that, definitely check both those those groups out, and they’ve done quite a bit now online, but also different things. You know, like Splunk, we just had our doctor cop 20 this week it was online and it was all free number of organizations do that, too. It’s just a ton of free content out there now. And it’s could probably be a little bit more of a firehose and most people want but definitely look at what’s out there. As far as these free conferences that are going online, that you can, you would have normally had to pay thousands of dollars to get to thousands of dollars to get in the door, you can now do at home, do not lose that. That advantage now of this type of information sharing, definitely get out there and look at the types of conferences that are now shifted to being virtual and got gather that information.


Jonathan Bench  35:31 

Great. Thank you. And, Fred, what do you have for us this week?


Fred Rocafort  35:34 

I have three recommendations today. The first one is that podcast two, which I alluded a little bit earlier. it’s it’s a it’s part of Sam Harris’s Making Sense podcast, Episode Number 220. The information apocalypse a conversation with Nina Schick and they talk about a whole bunch of things, but the the they lead with the deep fakes. So that was very interesting. And On a related note, second article or sorry, second recommendation is an article from GQ the mystery of the Immaculate concussion. And if you’ve been following the story of the mystery attacks on American diplomats in Cuba, and other places, and in fact, in during one of our recent podcasts, I think Jonathan, you you brought that up tangentially. So basically, this article picks up on that story and makes some some further speculation about what might have happened. And And overall, it presents a pretty damning indictment of what Russia in particular is up to, in terms of its harrassment of us, diplomats and CIA agents. So check it out the mystery of the Immaculate Concussion by Julia Ioffe. And it’s October 20. But you can find it on their website. So Jonathan, what about you?


Jonathan Bench  37:24 

I started with the tech bent on our episode today. And this article from Nikkei Asia is called inside the US campaign to cut China out of the tech supply chain. It’s quite a mouthful, but very interesting read, really lays bare how much American diplomatic pressure is being put on countries and companies that are doing business with China. And they’re basically being given an ultimatum, in the guise of Hi, we’re from the US government, we want to make sure you understand how our export control laws work. Right. And so it’s very interesting perspective from these companies in Asia, especially Taiwan, that’s what this article focuses on, on how they’re dealing and how they’re interpreting these very, not very veiled threats from the US government, you know, about about doing business with China for the long term. And so it raises the question of, will non Chinese companies eventually be targeted by us sanctions, if they continue to do business with China? Are they going to be blacklisted in the same way that the US has added, you know, 70 Chinese companies, to our blacklist in the last 12 months? So interesting. And the other thing that I thought was very interesting that raised his and I think Steve Dickinson, one of our co bloggers on China law blog has raised this issue that, you know, Taiwan, everyone says, Okay, we’re not doing business with China, we’re doing business with Taiwan, you know, Taiwan, semiconductor companies. But he says that, you know, Taiwan is already so riddled with Chinese malware, right? All the all the Taiwanese companies have already been breached to the nth degree. And so you know, taking a back step into Taiwan and saying, oh, we’re doing business with Taiwan, not China. Now. It’s really fundamentally no different. That’s not true from a diplomatic perspective. But from an information security perspective. It may be, may be no different. So interesting. Read, recommend it for anyone who’s interested. Doug, want to thank you again, for being our guest today. We appreciate you and wish you well, and we’re going to catch up with you on your podcast. I’d love to tune in there and get deeper into the cybersecurity realm.


Douglas Brush  39:29 

Fred, Jonathan, I really appreciate it. Thank you.


Jonathan Bench  39:34 

We hope you enjoyed this week’s episode. We look forward to connecting with you on social media to continue discussing developments in global law and business. and tune in next week for another episode. We’ll see you then.


Transcribed by