Transcript
they're gonna get caught up into some kind of geopolitical affairs, even if they have no intention to, right? You may have no political ties or intentions or anything, but your company can very easily get tied in. And if you're not prepared and understand the implications of getting pulled into these scenarios, then it's gonna be so much harder to up your defensive once you've already been targeted. Hello, and welcome to another episode of Data Security Decoded. I'm your host, Caleb Tolan. And if this is your first time joining us, welcome to the party. Make sure you hit that subscribe button so you're notified when new episodes are live. And if you're already a subscriber, thanks for coming back. We'd love it if you'd give us a rating, drop a comment below, let us know what you think of the show. Now, in this episode, I had the pleasure of sitting down with Dustin Drouillard, who brings a wealth of experience in threat intelligence, specializing in the intersection of geopolitics and cybersecurity. We had a fascinating conversation on how geopolitical tensions impact cyber operations, the human nature of threat actors, and the trend amongst our next generation of defenders. I really enjoyed speaking with Dustin. I know you'll love this conversation. So let's dive in. Dustin, thank you so much for joining us. Before we dive into the meat of the conversation, can you tell us a little bit about your first introduction to cybersecurity and what made you decide to pursue this as a career? Yeah, well, first, Caleb, thanks for having me today. And I'd say my career isn't necessarily unusual, but it wasn't exactly planned in a linear way. I started out as an intelligence analyst in the army. And I didn't know it at the time, but it kind of provided a solid background for when I later pivoted into cyber operations. But along the way, I learned, I was introduced to new technologies, different complex analysis scenarios, and different types of data sources. Human intelligence report is very different from a signals intelligence or imagery intelligence. And so when I was introduced to the cyber as a source, if you will, it was kind of a nice addition to a lot of what I'd already been trained in and experienced with. So along the way, the army decided that they needed to kind of get in on the cyber thing, if you will. And so they offered me a position where they're taking a bunch of intelligence analysts and IT professionals and putting us together and calling that cyber. It eventually developed into what became now a dedicated cyber branch within the army. But at the time, it was kind of a little bit of all these skills mixed together. And I kind of assumed that that would just be a temporary assignment. I'd move back on to other things. But once I got exposed to a lot of the cyber operations, I really enjoyed the challenge. There's something new every day. There's so much complexity, and I really enjoyed it. And I decided I wanted to stay within that kind of technical analysis realm within the rest of my career. And since then, that's really what I've been focused on. Very cool, very cool. And I'm sure no one would be surprised based on that background that your focus has been a lot in geopolitics. And that's what I'd love to kind of shift focus to now. So when major geopolitical tensions arise, we often hear about the physical impacts, but rarely that cyber element. Can you tell us and walk us through what typically happens on the cyber front when these escalations happen? And how are adversary nation states leveraging cyber operations during these conflicts? That's a great question. And we are seeing a lot of, not the convergence of these different types of threats are new per se, but we're seeing a lot more emphasis on that in that understanding that if you have kinetic warfare, if you will, and cyber, it's gonna go hand in hand, right? And at a high level, and this is kind of a generalization, but you really, when it comes to cyber conflict, you kind of have two different methods. You have espionage and you have effects, right? You can combine the two, but in a general sense, when there are military actions or some kind of geopolitical events, right? You can conduct espionage in cyberspace. And usually that's a little more quieter. You don't want to get caught because the whole point is to obviously have that advantage of being able to collect that information and have that advantage over your victim, right? But then there's also effects, which can be a wide variety of things. It can be ransomware, it can be DDoS, it can be whatever intended effect, right? Those are usually meant to be noisier. They're meant to be, a lot of times, they're meant to be clearly aligned with whatever that geopolitical activity is, right? You kind of, in many ways, there's almost that desire for attribution to show that, hey, we are doing this because of this geopolitical activity. So those two different approaches, again, they can be combined, but every country and really in every conflict it's implemented a little differently, whether you're doing it defensively, offensively. I would say overall, cyber hasn't come into play quite as prominently as we assumed. There's a lot of theory of how cyber's gonna be a major factor within warfare, and we haven't seen it quite yet. I mean, it certainly is a significant factor, but not quite as much as we've assumed. But in recent events, you're seeing with Iran, Israel, and US ongoing conflict right now, right? There's general threats being made in terms of cyber capabilities. The Iranian banks were hacked as part of the whole geopolitical situation. There's likely hacking of defense systems, potentially on both sides. You know, there's even, it kind of goes the other way as well. Within Israel, there were specific organizations that were doing advanced technology research, right? In cyber, AI, that kind of stuff. And they were specifically targeted by Iranian missiles because Iran wanted to take out some of those potential cyber capabilities in the research and development capabilities. And so it's interesting to see sometimes the geopolitical and the technical can influence each other in both ways. And they really, they go hand in hand now. I mean, there's countless examples. North Korea, they're typically financially motivated to, in order to fund their geopolitical activity of developing nuclear weapons and all that. Volt Typhoon, which is an ongoing campaign attributed to China. It appears, according to US government, that they're staging for potential future operations. So they're not necessarily doing anything on the effects side yet, but some kind of espionage or preparing for something in the future, right? And so all of that ties into all these geopolitical conflicts around the world. And you really, I'd say you can't separate the two anymore. Right, and you gave a ton of great examples of different conflicts and how they're kind of manifesting in the real world. In moments of these high stake geopolitical conflicts, what are some of the behaviors that you see from cyber adversaries in terms of, you see this oftentimes, it starts with some type of kinetic warfare, like you were talking about. What are the behaviors that you start to see from the cyber front as that kind of evolves and moves forward? Do their tactics change? How do they measure the effectiveness of their campaigns? And what does that look like from the victim perspective? I'd say one of the most prominent strategies we've seen lately has been the implementation of influence operations via cyber means. When these geopolitical events kick off, there's a heavy flux of influence operations from all sides, really trying to both influence the general public's understanding of what's going on. But a lot of times, it's just for the sake of making noise, to be honest. It's really just adding to the noise and intentionally causing confusion, which causes division. So even though that's even kind of beyond cyber, it's cyber enabled and it's becoming a very popular way to kind of utilize technical means to advance those geopolitical initiatives. But we do see things like targeting of, or at least threats of targeting major events, like major, especially international sporting events can become a primary target in order to, again, it's more of that messaging or in protest to something that happened to a certain country, and then they will want to interrupt another country's events of some sort. So we see a lot of that, targeting of major industry players, companies, corporations that may somehow be involved in supplying a government with whatever technologies or systems. And so then they become targets, right? And so then they're, I would say fair game in the cyberspace. And so they have to up their defenses because they're gonna get pulled into this whether they want to or not, right? And I would say in general, the tactics, they really change depending on how much impact they have. But the hard part is measuring the effectiveness. It's like, how do we really know? You kind of have to know what were the threat actors' original intentions to know if they're effective. They may have been effective in an unintentional way, right? But it's really hard to gauge, did they really get the desired effect that they wanted? Or was the desired effect that we saw was that maybe that was just a distraction? Maybe we haven't caught what they were actually doing. And so it gets really complicated trying to decipher what is effective and what isn't when you're talking about cyber defense. Right, right. And I guess that's getting into the conversation of what is information versus intelligence and kind of like dissecting what all of this data and this information means within the greater context. So I gave you a pretty open-ended question that it wasn't very straightforward, but that is really interesting. And so when these high-stakes geopolitical conflicts happen and they occur, oftentimes civilian-facing organizations are the ones caught in the crossfire. And so what can these organizations do and what steps can they take to protect themselves and their customers during these times of turbulence? Yeah, yeah. That's essential for, I would say, any organization to consider ahead of time before they get caught up in this. You know, it's just a matter of time that just about any companies, they're going to get caught up into some kind of geopolitical affairs even if they have no intention to, right? And it's really vital to understand every region that a company is operating in or has customers in, right? Because again, you may have no political ties or intentions or anything, but if your company can very easily get tied in and if you're not prepared and understand the implications of getting pulled into these scenarios, then it's going to be so much harder to up your defensive once you've already been targeted, right? So just having that general understanding of the landscape that you do operate in, we're in an international environment now and no company's really isolated, right? But, and I would say even organizations that don't operate internationally, like you just, you never know why. Threat actors are going to, they get creative and sometimes they can pivot off of different infrastructure. And so never assume that you're not going to get pulled into one of these broader situations. But really, I mean, a lot of it boils down to investing in standards, cybersecurity practices. You know, I've seen a lot in the industry, a lot of the basics are overlooked. And then I know a lot of people harp on that, but it really is, you know, starting with the basics on the technical level. And if an organization can, you know, invest in some kind of cyber threat intelligence capabilities. It doesn't have to be anything fancy or what, or what have you. But, you know, whether it's an in-house, you know, analyst, whether it's some kind of service or vendor, really being able to get some of that tailored intelligence for your organization so that you're not just trying to watch the whole threat landscape, but having something that's specific to your organization. So, you know, when you should care about certain things and when you can, you know, not care as much if you will. So. Right. Yeah. There's so much information out there kind of dissecting and understanding what matters most in the context of your organization is definitely a struggle, I think, for many organizations. And so how can smaller under-resourced organizations that don't have these massive cybersecurity budgets effectively prepare for these threats, especially when they lack those dedicated security resources? Are there any resources from like, you know, the federal government level or where would you say some of these organizations could start to, you know, address that eat your vegetables conversation of preparing before the attack even occurs? Yeah. Yeah, absolutely. So there are a lot of accessible resources, you know, available through government and nonprofits as well. I know in the government, you have like DHS CISA here in the States, you know, has a lot of resources for critical infrastructure and other organizations. You have NSA and the DOD Cybercrime Center have a lot of resources for those companies that have any kind of government contract to, you know, just to be able to boost their system, you know, their security posture and understand the specific threats to their organizations. And you always have ISACs, the information sharing and analysis centers. which, you know, cover various industries and they provide a lot of, you know, it's usually affordable to buy into and get those, you know, information feeds that are relevant to your sector that you work in. So very, very helpful there. And I would say, just consider collaborating with whatever industry you're working in. I know that seems kind of counterintuitive. Like, why would we talk to maybe a competitor in our industry? But if it's a matter of keeping the industry safe, that sharing threat information is not going to hurt anybody, right? If you can both bolster your defenses, that's everybody wins there. Not a popular opinion, but I think it is worthwhile to partner even unofficially with other organizations that you work with and do some of that threat sharing internally. Maybe it's not a popular opinion, but it's a necessary opinion for sure. And I'm really glad you mentioned ISACs as well. We actually just had an episode drop with Errol Weiss, and he is the chief security officer over at Health ISAC. And he also has a background in the financial services ISAC as well. So we had a really interesting conversation there. If you haven't already listened to that episode, for those tuning in, I definitely recommend going back to that last episode and checking it out if you haven't already. So thank you for mentioning that. But going back to the conversation at hand, I kind of want to go back and look at the earlier part of your career and look at some of your educational background, because you have an interesting path of study to land where you're at today. So your background's in anthropology, which is pretty rare in cybersecurity. And I'd love to understand how has that understanding of human culture and behavior informed your work in cybersecurity, especially when it comes to this conversation around geopolitics and cyber operations? People usually chuckle when they hear a background in anthropology, and oh, that's a big shift into cyber. But I'd say not really. I think I've heard the saying all tech is human, right? It's technology is made by humans for humans, right? And so there's always going to be that human factor in tech and cyber and all that kind of stuff. So understanding human culture I think is vital to really understanding cyber operations, especially at the strategic level. But I think it's been very helpful, both understanding the people, the operators that are within cyberspace, but also the cultural backgrounds that they come from and the threat actors. Usually many of them have some kind of cultural ties, whether it be linguistic, religious, geographic, something there. They usually have some kind of ties. And it's interesting sometimes when you get digging into the technical side of the back end of websites that are being set up for CNC domains or something like that, or digging into malware source code, and you'll find little cultural indicators based off of languages used or language settings on computers to be avoided. And it kind of gives you hints as to some of that geopolitical aspect of who's developing this infrastructure, these tools. And even within CTI, getting into open source intelligence, doing those investigations, OSINT investigations, a lot of times there's that linguistic factor of having to do research, even if I'm not a linguist, but sometimes I have to do research throughout websites that are not in English. And then understanding that even the term cyber can mean different things in different cultural contexts. And other AI or drones or whatever advanced technology you're talking about, they have different perceptions depending on which geographic region you're looking at. And so you have to understand that. Otherwise, you'll have an analytic bias towards what you know, what's familiar to you. And you have to kind of see things from the perspective of those that you're researching. And I would say it even blends into I've done UX research for web design in the past. And a lot of that is understanding tools and software from the user perspective. And that applies within cyber as well. If we make tools that are really advanced and really cool, but it's really hard to adopt at the human level, then are they really that useful, right? And that's where the anthropological thinking can really come into play in making tools and making security usable at the human level. Right. I love those kind of unexpected benefits from whatever you studied in school. And so in the same vein, I have another question for you around education. And that is other than like traditional paths to cybersecurity, like majoring in cybersecurity or doing some type of master's or bootcamp program in cybersecurity, computer science, coding, anything like that, or anthropology. I'm going to take that one off the options, list of options there for you as well. What majors would you recommend that students consider in preparing themselves for a career in cybersecurity or cyber policy? I'm going to go first on this one because I actually have a pretty interesting recommendation and it has a story behind it. So when I was in school, I studied communication and political science and I was walking through campus one day and I was over by the student store and there was this table with a bunch of books on it and this woman came over and flagged me over to come speak to her and she was trying to convince me to drop my communication major and move over to Great Books, which was the program that she helped run and that's why they were giving out all these great books. And her perspective was there's so much you can learn from history, from culture through these different books and learn more about, you know, what's happening with different nation states or different cultures like we were just talking about and the history and different perspectives and ways of thinking that I think could really open your mind in a technical role within cybersecurity to kind of think outside the box a little bit. So I ultimately did not decide to drop my communication major and go into Great Books, but I think it would have been very interesting. And so I think people should consider that. So that's my recommendation, but I'm curious about yours. Yeah, I mean, I think that's an awesome recommendation. You could end it right there. But I mean, obviously I love books and I think there's a lot of value in reading the great books and developing those critical thinking skills but not to steal your answer. I would say one thing that would be very useful is understanding business, business strategy, business management. I think that's very overlooked in the cyber community is understanding how businesses operate and how cyber plays into that and enables that because a lot of times cyber operations are kind of seen as a cost center. It drains resources and why do we fund cybersecurity? And there's always those kind of debates going on. And if you want to be a leader in the cybersecurity space, understand how business operates, how it works, the strategy, the policies, and being able to leverage a technical background and applying that to business operations and being able to explain the value would go a long ways. I think that's crucial. But almost to get a little more philosophical, I would say even just whatever subject that you can leverage to develop your critical thinking, right? Whether it's literature, through great books, whether it's anthropology, sociology, systems engineering, there's all kinds of subjects that different people think in different ways, and whatever gets you excited and helps drive that creative thinking that you can leverage within cybersecurity. You layer that on top of good technical foundation and you're set up for success. Right. That's great. That's a great take. I definitely agree with that. And in the spirit of education, I wanted to talk a little bit about your current gig teaching at the Institute of World Politics. So that's a really interesting kind of additional thing that you're doing right now. And I'd love to know what are some of the trends or shifts that you're seeing in the way cybersecurity professionals are currently being trained? And kind of as a second question on with that too, what do you think are the core elements that schools need to consider as a part of their cyber curriculum to adequately prepare students to enter into these variety of different cyber careers that they can take? That's pretty interesting. I think there's a lot of debate around those topics right now. And I would say I'm not really seeing shifts at a macro level. Honestly, I think a lot of the academic programs are kind of keeping status quo right now. But what I what I hope to see, I think the natural tendency will become seeing that convergence like we were talking about earlier, convergence of technical and non-technical threats. And I think more programs will likely hopefully start to incorporate so that they're not developing just cyber professionals siloed in their own technical environment, right? But also understanding how all these different threats play together and really training people ahead of time so that when they enter the workforce, they are able to collaborate very easily with the supply chain folks, physical security, the geopolitical analysts and all that. So I'm hoping to see that become a trend within the broader cyber training programs. But some of the core things I think is you can never neglect the technical foundations, right? I think that some programs I've seen, they kind of, they emphasize so much that either the policy or the management or the non-technical side of things, which is important, but you have to have that technical foundation. I think if it has the word cyber in the program, it needs to have some baseline technical foundation. You don't have to be a computer scientist to be in cyber, but you've got to have some kind of technical acumen. But really, I think there should be, most programs should develop specializations, right? Cyber is really a broad term and we could have a whole debate on what is cyber, what isn't cyber. And so the field, there's so many subsets within cybersecurity. And so it does a disservice to students when you teach them a little bit of everything and then push them in the industry and say, good luck, right? There's a big difference between a SOC analyst and a pen tester and a threat hunter and a CTI analyst. Those are all overlapping, but very unique skills. And so having a specialization in your programs would really help guide students as they get into the industry. But also, like I mentioned, adding business education is very helpful. I think every program should at least touch on that. How does cyber drive business? And really overall, like critical thinking. Cybersecurity is not a static issue. It's not, this attack happened, so I pushed this button and it's all done, right? It's very complex, understand how to pivot off information, how to think outside the box, develop hypotheses. And you really have to, that takes time to develop critical thinking skills. And I think any education program should really emphasize that beyond just specific tools that they recommend. Right, being able to operate in that gray area where you're not just given very streamlined workflows to follow or the lines are blurred. I think to your point, critical thinking is such a important skill for cyber professionals to have today, no matter what kind of discipline you go into based on that specialization like you were talking about. So couldn't agree more. But what a great note to end on. I mean, that's all we have for everyone today. Thanks for everyone who tuned in. And thank you, Dustin, for sharing your perspective. I think it was really interesting and valuable. Love chatting with you about education, geopolitics, all that stuff. It's very interesting. So thank you for your time and until next time. Yeah, thank you, Caleb. I enjoyed our conversation.
