Chuck Brooks is a world-renowned cybersecurity expert and an Adjunct Professor at Georgetown University where he teaches courses on risk management, homeland security, and cybersecurity.
Chuck is also a two-time Presidential appointee and Forbes contributor. LinkedIn named him one of “The Top 5 Tech People to Follow on LinkedIn”. He was named by Thomson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer” in 2018. He has served as Senior Legislative Staff (Defense, Security) to Senator Arlen Specter, U.S. Senate, and was also the former Technology Partner Advisor at the Bill and Melinda Gates Foundation. In addition, Chuck runs 15 other businesses and is co-leader of the top two Homeland Security groups on LinkedIn.
Tune in to this episode of Ask A CISO to hear:
- What he teaches at Georgetown University
- His take on why the U.S. government is slow to adopt and implement new technologies
- What the public and private sectors can do to help push federal adoption of new technologies
- What he recommends as the first thing to have when undergoing rapid technology transformation
- Why it's important to educate people from a young age about cybersecurity awareness
- If biometrics are indeed a silver bullet for vulnerabilities in authentication
- Chuck's opinions and insights into cyber warfare in the Russia-Ukraine conflict
- What he thinks is the best deterrent to cybercrime
About The Host: Paul Hadjy
Paul Hadjy is co-founder and CEO of Horangi Cyber Security.
Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.
Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific.
He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams.
He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking.
Hello, and thank you for joining us for today's episode of the Ask A CISO podcast. My name is Jeremy Snyder. I'm hosting today in for Paul Hadjy. We're delighted to be joined today by Chuck Brooks.
Chuck has so many titles under his belt that it would take the entire podcast episode just to go through his accomplishments. But in summary, a few things we can say is that Chuck is a world-renowned cybersecurity expert, and an adjunct professor at Georgetown University in Washington, DC, in the USA where he teaches courses on risk management, homeland security, and cybersecurity.
Chuck is a two-time presidential appointee and a Forbes contributor. LinkedIn named him as one of the top five tech people to follow on LinkedIn, and he was named by Thomson Reuters as a top 50 global influencer in risk and compliance, and by IFSEC as the number two global cybersecurity influencer in 2018.
Wow. That is quite a lot of accomplishments, Chuck, and I know you've had a long and storied career. Is there anything else you'd want to add to that introduction that you think is important for our audience to know about you?
Yeah. I mean, that's a terrific introduction. Thank you.
It's great to be here. I think what makes my background a little bit different is that I've served in sort of the very core pillars of different worlds here. One being government. I was twice in government, actually three times in government. But I helped set up the Department of Homeland Security. I was one of the first hundred people hired, called a plankholder by then-Governor Ridge, who became Secretary Ridge, and I worked on the Hill for many years.
And then I've also worked in media, as a visiting editor at Homeland Security Today and Forbes, and then in the corporate world, where I've done a lot of executive roles for places like Xerox, General Dynamics Mission Systems, et cetera.
And then the final one is academia, which I think is probably the most enjoyable one where I'm currently an adjunct faculty, as you mentioned, at Georgetown University.
In your role at Georgetown University, what types of courses are you teaching or what types of information are you sharing with the students as they come through your classroom?
Well, it's a really well-rounded, practical curriculum and there are some really good faculty there. The courses that I've taught: one's called Homeland Security Technologies, which focused on the emerging technologies in homeland security.
Another one on risk management, and my favorite, which is actually what I developed and wrote myself, which is called Disruptive Technologies and Organizational Management. It's been a very popular class for students; it's usually filled. And it really explores all the sort of breaking technologies and how they impact our future, also including, of course, cybersecurity as part of the weave through it. But everything from nanotechnology to biological, to quantum, et cetera.
So it's good for me 'cause I have to keep reading all this stuff and learning.
Yeah. I mean, there's no shortage.
Exactly. There's no shortage of quote unquote "disruptive technologies" coming out everyday.
You know, my own background has been largely in the cloud for the last, let's say 12 years at this point, going back to some early work that I did at Amazon Web Services. So I've seen kind of the very, the more narrow IT side of that, particularly IT in the enterprise construct with organizations going through that transformation, but I think the perspective that you bring is really interesting because as you said, you've got things like nanotechnologies, biotechnologies. These are things well outside the scope that I look at on a daily basis.
What's interesting for me is to try to understand: when you're thinking about those things, how do you think about those things joining up with core IT systems, or core systems where we're aggregating data and we're thinking about data as being a crucial part of our business going forward? Where do those kind of off-the-beaten-path, for me at least, technologies fit into that equation?
Well, they all seem to have a sort of a linkage to a couple of things.
One of course is artificial intelligence, which leads into the whole data analytics and the synthesis of all the information, which is really important, whether you're looking at doing neuromorphic computing between, or human brain interface with computers. I mean, there's all kinds of interesting linkages.
So, artificial intelligence, and machine learning, seem to be one of the connectors, but they all have relationships because, you know, if you're talking about computing in general, the nanotechnology aspect of microcircuits, everything is getting smaller and having greater memory capability. If you remember just, you know, years back, we had these big lanky phones that were just all over the place.
Can't really do anything. Now you have as much computing power as the whole NASA program had that sent a man to the moon in the 1980s in just one smartphone.
So things are really getting smaller and more sophisticated, more capable. And what you mentioned, I think, is also really key. That cloud has really become the framework for all of this for transmitting and storing a lot of this information, and it's moving farther and farther away from the network to the edge, where the computing capabilities on the same phones or devices you're using are becoming pretty amazing in themselves.
Yeah. I mean, to your point, I can take my phone right here anywhere on the planet and connect to my backend IT systems without really jumping through any hoops.
You know, I've got an app, I've got authentication. Maybe, you know, if my organization is security aware, I've got multifactor authentication to think about, but yeah, I can really access not only the entire knowledge of humanity, collective knowledge of humanity, but all of my key assets as well.
So from that perspective, as you've seen organizations, whether it's kind of your work in the government or in academia, move towards these cloud models, what are some of the common, let's say, experiences that these organizations have with new disruptive technologies like cloud coming in? How do they manage that transition?
Well, some of them are having difficulty because they don't quite understand the role of the cloud, and also, you know, it's still their data, and I think they give it away and someone else is managing it. In some cases, you can get people in managed service providers, but it's still your data and it's still at risk; you still have to protect it.
So most companies, you know, just assume that if you give it to someone else, it's being taken care of, and it may be correlated with other companies too. So their planning has been pretty interesting. I mean, the amount of money being invested in transferring from on-prem to cloud has gone way up. Most of the big companies have done it already.
Government's been trying to do it. Unfortunately, they're wedded to a lot of legacy systems and processes that make it difficult. Also the procurement process itself, which sort of empowers those already that have those programs not to change them. So, it's been slower than I thought, but I think it's definitely, in terms of where it's revolutionizing technologies and emerging, it's really becoming, to really do this in a grand scale that we couldn't do before, particularly with transmitting information anywhere.
And, you know, if you'd be willing to take it further, you're seeing it now with the satellite transmissions now down to us, to all the data, every sensing point on the earth is now being able to draw into it. So you have a lot of issues, but the biggest issue is still cybersecurity, and it's really more of that, what you said, cybersecurity awareness cause people just take it for granted.
They don't understand that, you know, now that they're exposing all their data, that it's you know, even before they go to the cloud, it's already exposed. We need to do more.
Yeah. And I mean, this is one of the key things that I've worked on for the last six years, but I want to dig into something that you there which is that, you know, the government has not been as forward as we might've hoped in terms of embracing cloud, or maybe in terms of, let's say securing their data assets on the cloud.
What do you think is kind of holding them back more? Is it more the lack of technical understanding or is it kind of that process that they're wedded to that you alluded to? Because I've seen in the corporate world, both can really impact things and I've not done any work with public sector whatsoever so I have no visibility into how government organizations work, but I'm curious what your observations have been and maybe kind of what advice you would give to people if they think about trying to solve those problems?
Yeah, no I think it's endemic to the size and nature of government.
You have people that are there for, you know, entrenched for many years. You also have difficulty attracting the right kind of people, in particular in technology and cybersecurity areas, outside of the military and outside NSA and other agencies like that. So attracting those kinds of people is tough, and keeping them is the other thing, you know, if they're younger.
So you don't have the innovation capabilities you have in the private sector. And, you know, there's always lapses, and there's also a fear of taking risks: you know, if you're sticking with a big company and they're doing it, you know, it's easy for me, they're doing it. If the contract's out, do I need to change it? So it's sort of a combination of what you said.
It's sort of the process itself and the procurement process, but also it's a combination of that. And people with an aversion to new technologies. Now there's been a lot done the last couple of years, particularly with expanding DARPA's role with the defense innovation units throughout the government. And of course, DHS has really expanded their outreach to the private sector. And that's really, the solution is really, it's a cooperative effort between the public and private sector that will make cybersecurity work, and ingenuity and agility of what you say in the commercial side is really what government needs to take it to its advantages, you know, and they're starting to do more of that.
And particularly with verticals, you know, with critical infrastructure and stuff where we already have the lessons learned, you have people capable that could give you information, experience with the technology they've tried. But, if you really want to go, go to the financial industry, which is really the most capable of all commercial industries to get lessons learned, but you know, there is still a lot of skill, and a lot of money, and a lot of classified programs that could bring the information the other way too.
So I think it could be a two way street. It's not just the private sector. We have the government, and the private sector.
Yeah. Yeah. I think that's a great point. And I'm comforted to hear as a taxpayer one of the things that you said, which is that, you know, some of those, let's say more sensitive organizations are the ones you highlighted as being the most capable on that side. So that feels good to hear. I'm curious, when you think about, let's say, the overall ecosystem, so we've talked about a lot of different things in a very short period of time, but let's say we take the example of kind of the digital satellite communications that we were mentioning.
And we've got a gazillion sensors all around the world now that have the ability to send data up through satellite links, through 5G links, cellular links, what have you, for processing and then out to the cloud to be turned into some type of enriched information that we might use as an organization.
What do you think is kind of the first thing, if I'm brand new in an organization that's going through a rapid transformation and ingesting this data, what would be the first thing that you would recommend I start to look at?
Is it on the visibility side, understanding what's what? Is it understanding business objectives? Is it getting a cyber mindset? Is it first principles? I mean, where would you say, it's like, okay, we focus on this?
Yeah. I think you have to go with the cyber mindset, just because you know, security is broken and this whole zero trust movement throughout government and somewhat now in the private sector realizes that you know, we've already been corrupted and there's a lot to lose out there. You know, particularly small-medium business being taken out every day by ransomware and other attacks, you know, so you really have to look at the security mindset first and then see what your inventory is and design it.
But I think for any company now moving into this next decade, you know, the fourth industrial revolution, it's essential that they have an understanding of what the new technologies are, what the emerging technologies can do. You know, you don't have to be an engineer or a technical expert, but you have to have an understanding of the capabilities and the use situations. You're seeing so much happen just in the last couple of years, even with COVID, you know, with SpaceX launching satellites, with electric cars, with neuromorphic computing; all kinds of different things are breaking through.
And artificial intelligence, certainly, being used through for drug discovery and all kinds of things. So I think it's inherent that, you know, everyone needs to know this kind of thing. If you're growing up, if you're not getting it in school, you should be.
But again, you know, technology is not just designing from a technical perspective, it's really understanding the use cases and also how to market and sell it. You know, that's half the battle too. And then operate it.
So there's so many components that go into it. So that's why I encourage all my students to build up a varied background in technologies.
Yeah, it makes sense.
So when you think about the cyber mindset, and I particularly think about zero trust, let's say, aside from that term kind of being corrupted as a marketing term, or let's say not corrupted, but co-opted as a marketing term, I think the core principles of, you know, authentication and authorization, and don't assume that the system that you are connecting to, or the application you're connecting to, you know, assume it's bad until proven good, you know, kind of the don't trust, verify model, if you will, is kind of a simplification that I've heard around it.
Does that kind of match with how you think about that? And does that kind of also match with the cyber mindset that you think about, or what's missing from that cyber mindset?
Yeah. Well, it is. It's part of it.
You know, I think zero trust is really a strategy, and there's really no one set strategy for every company or every industry. So I think you have to adapt it and have a mistrust-management strategy in place first. And that would be a part of it. You have to also assume that you're going to get hacked. You have to have an incident response strategy as part of that. You also have to have a management strategy: who has responsibility in the company for what. So all of that needs to go in; it's part of it.
And then yes, the multi-factor authentication, the firewalls and inventory, what's in your system, assuming that you've been corrupted, which likely you have been. You know, all kinds of issues, you know, all will follow, but I think, you know, zero trust is part of the strategy.
So, you know, I mean, you still have defense-in-depth depending on what you need for your other industries to do that.
And if you can, go with the new security by design, so all those elements fall in, but I think I like the idea of zero trust because after what we saw with SolarWinds, you know, they've been in the system for over a year and we didn't know it. And it corrupted, you know, thousands of companies and agencies, government agencies. So it's that easy.
So if you don't really assume the worst, you're going to be in a bad situation.
Yeah. Yeah. One thing that I wonder, so you talked about kind of like the need for people to be more cyber aware. And I would agree with that a hundred percent.
You know, I recently started a company and one of the very first things that we did was we laid out cyber principles for the organization, just in a Google doc, but at least our high level principles for, you know, guiding things that we will do our best to do every day in the work that we do with our customers.
And one of the things that comes to mind though, is that outside of our work or let's say if you're not at an organization that's very cyber conscious.
How do we get people, just kind of the general population to be more cyber aware? Because I think about kind of kids coming through schools; I see my own daughters going through universities right now. There's almost no cyber awareness in what they're doing. You know, they log in with a single username and password to a Google workspace.
They've got Google classrooms, Blackboard, any number of other systems that they're using to complete their work. There's not a single security concern in there. And I wonder if they will then transition into the workforce and they'll just expect that everything works that way. And they don't have to think about cybersecurity because they never have up until that point.
How do we kind of break that mindset or kind of get those cyber learnings pushed down?
It's gotta be a communication effort, and it starts, you know, getting them on social media, even the things that they look at, like TikTok and others, getting in early. But also it's not just the kids, it's adults out there, you know, so LinkedIn and Facebook and Instagram, all those places need to be, you know, it's a campaign, it's constant, you know, with cyber hygiene.
And you saw, what you mentioned the academic example, there was a college just taken out last week that has been around for over a hundred years. Colleges and universities and schools are easy targets because of the disparate systems that they use, and multiple users. So they're easy to get for ransomware.
So I think at some point everyone's going to have to realize, and I keep saying this last big hack, you know, whether it be Colonial Pipeline or something, everyone's got it. You know, everyone will wake up, but they don't 'cause their attention spans are short. So I think what we really need to do is start going with the curriculum in these younger schools.
Even the elementary schools and junior high schools should have cyber hygiene be part of the course, because they're operating all on digital already. And they're co-mingling their personal stuff with their work stuff, I mean, their school stuff, and eventually it's going to be their work stuff. So I think you have to start early, and there are some organizations trying to do that. I just think that there has to be more of them and more money directed that way.
Yeah. It makes a lot of sense.
I mean, if, especially if we consider that going forward, just imagine how much time we spend online today and how much, you know, we do on internet connected systems, basically 40 hours a week, if not more. Well, 40 hours a week of work time, if not more. And then our lives outside of that, which have another 10 hours a week.
And I think about kind of the example, I think to your point, Chuck, you know, we had the global financial crisis between 2008 and let's call it 2012, right? And we had all these kinds of mortgage meltdowns and subprimes and blah, blah, blah, blah, blah, right? I won't go into it.
But one of the positive outcomes that came out of that, I noticed in my daughter's high school was they ended up with a basic kind of financial literacy curriculum as a result of that. And, you know, how do we use credit as consumers? How does a mortgage work? How do I use a bank account, balance a checkbook, all of those kinds of basics.
And it sounds like one thing that might be an interesting idea or an interesting concept to float around is kind of a similar course for cyber and for basic IT hygiene, right? Let's train these children early and get them to understand at least what these things are. And they might join organizations with different levels of maturity, but still knowing the basics would be really fundamental.
Yeah. I think there's an urgency to that. I know that there's a program going up, but again, it's small in scale compared to what it needs to be. And I think, you know, maybe the kind of thing you're talking about doing right now, and the more you talk about it, hopefully more people will listen and expand that perception of what we need to do, because it really is going to get worse if we don't do something now.
Now speaking of kind of zero trust and authentication in particular as one of the core pillars of that, identity theft and identity breach are pretty common nowadays. Identity breach, I think about more on the business side because you know, a breached email, for instance, business email compromise as being one of the most prevalent kind of initial attack vectors to get into an organization.
I know biometrics have been floated as kind of being the silver bullet solution writ large to that. What do you think about that? I mean, do you think it can be as simple as let's move everything to biometric or do you think there's more nuance that we need to think about?
Well, I think it's good that they're moving to more biometrics just because it is an extra layer. It's not infallible though. There are ways to get around it.
Apple has another face recognition, which is pretty good, but there needs to be more of that just because we don't tend to do things when they need to take steps and do this and that. It automates it, which is really important, you know, whether it be a thumbprint or something.
So I think that's good for particularly for the younger generation that expects everything to be automatic, and they're not going to take the extra time to do things. So, but, I think there's there, you know, the strong passwords are still important, changing your password, being aware of that, encryption still needs to be thought about by most businesses. Because, you know, what happens if your data is stolen?
Like you said, a lot of the breaches for companies, you know, still the main motivation of hackers, you know, worldwide, is financial gain. You know, it's just transferred from brick and mortar to the digital, but it's so easy for them because they could be, you know, 3000 miles away and get cryptocurrency payments for ransomware, holding your data hostage for companies, and economic espionage is another big problem.
We saw with China the vast amounts of IP being stolen from companies and universities all over the country being transferred to them and being used in their military program. So there's a lot of reasons to have this biometric on there and it's not hard to do so I think, but eventually it's gotta be more secure.
And then again, you know, there's always a worry of privacy issues too. It's how much you give away with your face, with your thumb prints and stuff. And I understand that to most privacy considerations, but right now it appears that most of the people out there don't really care that much about privacy, unfortunately.
It does seem that way. That's something I worry about a lot.
And something that you've mentioned just now, and I've seen a previous interview of yours where you talked about this, which was kind of the thing about ransomware it's been around for a long time, but right now the economic payout is just too good and too easy, right? The low hanging fruit, so to speak, hangs so low and it's so ripe for the picking that you know, there's just a lot of motivation for bad actors to go after that.
And it's probably even enticed some people into, let's say kind of ransomware gangs that might have otherwise been other types of organized crime offline, for instance, who knows?
But I wonder, what you were saying just now is let's say with the example of this university shutting down, do you think that just making it so much more expensive to breach an organization is enough to deter a lot of these bad actors and kind of get them out of the space?
Or do you think there needs to be more effort by law enforcement to put people behind bars? What do you think is a better deterrent?
I think the better deterrent is the prosecution. It's difficult, you know, there's Interpol and others, but of course, some of the countries that are involved in Interpol are also some of the countries that are sponsoring these gangs, these criminal gangs, or looking the other way.
So it's difficult to do law enforcement activities. But they have been more and more recently, there's been a lot more people that have been extradited and captured and it sets an example.
So I think that's important. Of course, making the cost higher too. There's also talks now that, you know, you're seeing it now in the Ukraine Russian conflict, they're going after some of these groups with offensive cybersecurity capabilities. So, you know, there could be retaliation by governments. If one of these groups goes after critical infrastructure, it does something that is considered more of an act of war, or violation of the norm. They could pay the price there too, but we're going to have to watch this cyber warfare aspect of this kind of thing again.
Yeah. I think that's something that a lot of people have expressed concern around, and certainly myself, I've been following the situation closely. I have a family history in Finland, and we have our, let's say, our shared history of conflict with Russia, to put it mildly.
But we've been, I think a lot of us in the cyber world have been observing the cyber warfare and kind of this hybrid warfare going on right now. And I think frankly, I myself have been surprised at how low stakes it's been and actually how low impact it's been. And I would say relatively contained.
Do you think that's because there is this kind of uncertainty around, let's say, a cyber attack outside of Ukraine being interpreted as an active hostility towards potentially like, say, a NATO member nation or something like that?
You know, there's a lot of speculation on that. And my own personal view is that it's probably strategic, I guess, misconceptions that caused a lot of the lack of cyber. I thought that probably the Russians thought that this would be over in a few days and we're going to take it out kinetically anyway, all their infrastructure. Well, they did launch a few attacks, so cyber was ancillary and they wouldn't need it.
Now they found out that not only did they need it, but Ukrainians have more capabilities, plus it mobilized a lot of the world to start to go after some of the Russian cyber capabilities. So I think it was an unintended consequence that did that. And now we're at the point right now where I think they have their hands full, and yes, I mean, we know who these gangs are, and if they do something, there could be some serious retaliation.
The West does have capabilities. We demonstrated that against Iran a few years ago, taking out their whole ports. So, the Chinese, Russians, North Koreans are not the only ones that have this ability. So I think there is a perception there that they don't want to fool around, and NATO has some great capabilities, and certainly Finland, which you mentioned, has been at the forefront of ingenuity in terms of digital applications of technology.
So it's a pretty cool interesting scenario for some of the people in this world to look at the implications and why it's being used and not being used, but that's only my personal opinion.
Yeah. Yeah. It's fascinating to watch. And it's one of those things where going back to the Stuxnet example you cited there, the asymmetric impact can be massive.
You know, if I recollect from looking at that case study, I think the amount of human time, aside from the code development, but the amount of human time involved in introducing the Stuxnet virus into the systems was really minimal, on the order of a couple of man-days. No more than that. And it just had this massive effect that set the nuclear program back decades, was one of the calculations that I've seen.
So the asymmetric impact can be really dramatic. That's really interesting to think about. I guess, from my side, I know we're kind of wrapping up the conversation. We've touched on a lot of things, everything from kind of training kids in schools to new technologies, disruptive, embracing a cyber mindset, zero trust, a lot of things.
I know one thing that I've got here on my bio and on the list here, that I think is not discussed is that, I guess you used to compete in powerlifting in a past life. Is that right?
Yeah. Yeah. You can probably see there's some trophies back there, but, yeah, I did. And I paid the price. It was great. I did it for many years, but I do have bad shoulders now. I actually just tore my rotator cuff on the side working out.
But you know, it's still fun. I mean, I still work out a lot, but not those heavy weights anymore. Cause they take its toll, but it's, yeah, it was a lot of fun.
What was the personal record?
I was at 181, I was benching 375, drug tested, you know, which is pretty good. It gets blown out of proportion when you compete with equipment or drugs versus competing raw; it changes the equation a little bit. It's a little bit cheating, I think. You know, raw and drug-tested is the way to go.
Absolutely. Absolutely. Are there any lessons from your powerlifting days that you've brought to your career in cybersecurity?
I think it's sort of a discipline, you know, when you get up and have to work out every day and follow an order. I think you do have to do that with work too, and you have to separate, you know, what your priorities are. And I'm sort of doing that too. I juggle a lot of things with my consulting and my teaching, and, you know, you just need to be able to focus when you need to be able to focus.
So, you know, it's just like when you're going up there and everyone's watching you and you have the weight on you. You're only focused on the weight. You're doing the same thing with what you are juggling, multitasking, but in a different way. I mean, if you have things planned and have a strategy, then it's much easier.
Well, planning, strategy, focus and discipline, I think, are four core tenets that everybody can agree on. And they're certainly important in the cyber world, as well as in work and in life in general.
Chuck, thank you so much for the conversation today. This has been a real pleasure connecting with you and I'm sure our audience is going to really appreciate this. We will call it there for this episode of Ask A CISO with great thanks to our guest for today.
Chuck Brooks, thank you so much for joining us.
Thank you for having me. I really enjoyed talking to you.