On this episode of the IoT: The Internet of Threats podcast, Mariam Baksh, Staff Reporter at Nextgov, joins podcast host Eric Greenwald to explore the evolution of cybersecurity regulation, from the Biden Administration's 2021 Executive Order on Improving the Nation's Cybersecurity to September's OMB Memorandum on software supply chain security.

Mariam and Eric discuss the cybersecurity goals of the administration, the merits of first-party versus third-party attestation, and the fine line that NIST walks between effecting change in cybersecurity versus overwhelming the resources of security practitioners and compliance personnel.  

Interview with Mariam Baksh   

Mariam Baksh is a staff reporter for Nextgov, a Washington, DC-based publication that reports on federal IT and tech policy through journalism, podcasts, and more. In her role at Nextgov, Mariam reports on the development of federal cybersecurity policy. Mariam has been covering technology governance since 2014 and earned her master's degree in journalism and public affairs from American University. 

In this episode, Eric and Mariam discuss:

• Why the Biden administration issued last year's EO
• NIST's balancing act between improving cybersecurity and avoiding the imposition of costly requirements on companies
• The challenges involved in measuring cybersecurity performance
• The implications of a first-party vs. third-party attestation model
• The value of an SBOM and its growing role in cybersecurity regulation
• Whether the EO or the OMB memo will deliver any enforcement on the requirements they impose 

Find Mariam on LinkedIn: Mariam Baksh: https://www.linkedin.com/in/mariam-baksh-99b1b428/

  Learn more about Nextgov: https://www.linkedin.com/company/Nextgov/

Thank you for listening to this episode of the IoT: The Internet of Threats podcast, powered by Finite State — the leading supply chain cyber-security solution provider for connected devices and embedded systems.

  If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast.

  To learn more about building a robust product security program, protecting your connected devices, and complying with emerging regulations and technical standards, visit https://finitestate.io/.

Note: This interview has been edited for length and clarity.

On this episode of the IoT: The Internet of Threats podcast, Jonathan Tubb, Director of Industrial Cyber Security, North America, at Siemens Energy, joins podcast host Eric Greenwald to explore the threats that keep industrial cybersecurity experts up at night, how today's energy and utility companies protect the U.S. power grid from terrorism and natural-disaster worst-case scenarios, the value of regulation as a catalyst for change in improving the industry's control environment, and how to get energy and utility companies committed to critical infrastructure protection.  

Interview with Jonathan Tubb: 

  Jonathan Tubb is a leader for industrial cybersecurity in North America with Siemens Energy, one of the world's largest energy technology companies. In his role at Siemens Energy, Jonathan applies his extensive expertise to developing solutions to the company's biggest security challenges by identifying and mitigating threats in critical infrastructure environments. Jonathan earned his B.S. in Computer Engineering at Ohio State University and maintains a Professional Engineer (P.E.) license in Computer Engineering.   

With more than 90,000 employees in over 90 countries, Siemens Energy's operations span nearly all of the energy value chain, from power generation to transmission to storage and includes both conventional and renewable energy technologies. Siemens Energy reported revenues of €28.5 billion for the fiscal year ended September 30, 2021. 

In this interview, Eric and Jonathan discuss:

• The threats that put America's power grid at risk
• Protecting the power grid from catastrophic acts of terrorism and natural disasters
• The varied approaches energy and utility companies take toward critical infrastructure regulation
• How to get energy and utility companies to prioritize cybersecurity
• How engineers approach cybersecurity when moonlighting a microbrewery start-up

Find Jonathan on LinkedIn: Jonathan Tubb: https://www.linkedin.com/in/jonathan-tubb/

Learn more about Siemens Energy: https://www.linkedin.com/company/siemens-energy/

Thank you for listening to this episode of the IoT: The Internet of Threats podcast, powered by Finite State — the leading supply chain cyber-security solution provider for connected devices and embedded systems.

  If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast.  

To learn more about building a robust product security program, protecting your connected devices, and complying with emerging regulations and technical standards, visit https://finitestate.io/.

On this episode of the IoT: The Internet of Threats podcast, Megan Stifel, Chief Strategy Officer at the Institute for Security and Technology (IST) and co-chair of the Ransomware Task Force (RTF) Working Group, joins podcast host Eric Greenwald to discuss the current and future state of ransomware. The RTF recently released a new report, The Blueprint for Ransomware Defense, which the RTF calls a "clear, actionable framework for ransomware mitigation, response, and recovery." Megan and Eric walk through some of the report’s key elements and discuss what small- and medium-sized businesses can do to fight ransomware and whether tactics like regulation and insurance actually help or hurt the fight against ransomware​​.

Interview with Megan Stifel: 

Megan Stifel is the Chief Strategy Officer at the Institute for Security and Technology (IST), a San Francisco-based think tank that designs and advances solutions to the world's toughest emerging security threats. Megan also serves as a co-chair of the Ransomware Task Force (RTF) Working Group. Launched in April 2021, the RTF brings together key industry, government, and civil-society stakeholders to combat the ransomware threat with a cross-sector approach. 

Megan is also the founder and CEO of Silicon Harbor Consultants, LLC, and a Visiting Fellow at the National Security Institute at the Antonin Scalia Law School at George Mason University. Prior to these roles, Megan served as a non-resident senior fellow at the Cyber Statecraft Initiative, Global Policy Officer at the Global Cyber Alliance, and Director for International Cyber Policy at the National Security Council. Megan holds a J.D., Law from Indiana University's Maurer School of Law. 

In this interview, Eric and Megan discuss:

• How small- and medium-sized enterprises can defend against ransomware, even with limited cybersecurity expertise 
• The current state of ransomware: where it is and where it's going 
• Whether regulation works in driving companies to improve cybersecurity, or if it just creates compliance theater
• If ransomware insurance makes things better or actually causes the frequency and severity of ransomware to grow 

Find Megan on LinkedIn:

Megan Stifel: https://www.linkedin.com/in/megan-s-1204bb4/

Learn more about the Institute for Security and Technology (IST): https://www.linkedin.com/company/institute-security-technology/

Learn more about the Ransomware Task Force (RTF):

https://securityandtechnology.org/ransomwaretaskforce/

Access RTF's Blueprint for Ransomware Defense:

https://securityandtechnology.org/ransomwaretaskforce/blueprint-for-ransomware-defense/

Thank you for listening to this episode of the IoT: The Internet of Threats podcast, powered by Finite State — the leading supply chain cyber-security solution provider for connected devices and embedded systems.

If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast.

To learn more about building a robust product security program, protecting your connected devices, and complying with emerging regulations and technical standards, visit https://finitestate.io/.

On this episode of the IoT: The Internet of Threats podcast, Jeff Tricoli, Former Section Chief at the FBI's Cyber Division joins podcast host Eric Greenwald to discuss what to know about working with the FBI on cybercrime, the evolution and ethical implications of the ransomware industry, and the differences between cyberattacks from Russia and China.

Interview with Jeffrey Tricoli: 

For nearly 20 years, Jeffrey Tricoli served in a variety of roles at the FBI’s Cyber Division and most recently as its Sector Chief in charge of overseeing national cyber investigations. Jeff graduated from the University of Syracuse’s Maxwell School with an M.P.A. in Public Policy Analysis and holds a Bachelor of Arts from Canisius College. Jeff is now a senior executive at a financial services company responsible for technology and security risk.

The FBI’s Cyber division investigates and responds to malicious cyber activities that threaten the safety of the US public and the country’s national and economic security.

In this interview, Eric and Jeff discuss:

• The different motives that drive Russian and Chinese cyberattacks
• How events like the war in Ukraine or trade wars with China amplify the threats of destructive cyberattacks and intellectual property theft
• How companies should approach their relationship with law enforcement before, during, and after a cyberattack
• What it’s like to collaborate with the FBI when your organization faces a threat or breach
• The challenging ethics that businesses face when they’re presented with a ransom demand to recover their data

Find Jeff on LinkedIn

Jeffrey Tricoli: https://www.linkedin.com/in/jeffrey-tricoli-b5791aaa

Learn more about the FBI’s efforts to combat cyber threats: https://www.fbi.gov/investigate/cyber

Thank you for listening to this episode of the IoT: The Internet of Threats podcast, powered by Finite State — the leading supply chain cyber-security solution provider for connected devices and embedded systems.

If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast.

To learn more about building a robust product security program, protecting your connected devices, and complying with emerging regulations and technical standards, visit https://finitestate.io/.

On this episode of the IoT: The Internet of Threats podcast, Health-ISAC’s Errol Weiss (Chief Security Officer) and Phil Englert (Director of Medical Device Security) join podcast host Eric Greenwald to discuss the rising stakes of medical device cybersecurity, the growing role of government in regulating cybersecurity controls in healthcare, and how Health-ISAC fits into the picture. 

Interview with Errol Weiss and Phil Englert: 

Prior to his role as Chief Security Officer of Health-ISAC, Errol served in several SVP-level positions at Bank of America, focusing on cybercrime, fraud prevention, business process cyber assessments, and threat analytics and information sharing. Earlier in his career, he held key positions at Citigroup and SAIC. Errol also served on the Board of the Financial Services ISAC during the 2010s. 

Before joining Health-ISAC as Director of Medical Device Security, Phil served as Chief Product Officer at MedSec and was responsible for product management, new business development, and process improvement. Prior to MedSec, Phil served in a variety of roles at Deloitte, Novasano, MDISS (Medical Device Innovation Security and Safety), and Catholic Health Initiatives. 

Health-ISAC (also referred to as H-ISAC) is a global, non-profit organization that offers healthcare security stakeholders actionable data in a trusted community. 

In this interview, Eric, Errol, and Phil discuss:

• What is an ISAC and what does the H-ISAC do? 
• The government’s increased appetite for cybersecurity regulation (with a focus on medical device security) 
• How to protect against attacks with tens of thousands of different medical devices made by a wide array of different manufacturers and that do different things
• The importance of having visibility into the components that make up those thousands of medical devices
• Whether the SBOM (Software Bill of Materials) is ready to be a key control in the healthcare cybersecurity ecosystem 

Find Errol and Phil on LinkedIn

Errol Weiss: https://linkedin.com/in/errolweiss/

Phil Englert: https://www.linkedin.com/in/phil-englert-2642724

Learn more about Health-ISAC by visiting https://h-isac.org/.

Thank you for listening to this episode of the IoT: The Internet of Threats podcast, powered by Finite State — the leading supply chain cyber-security solution provider for connected devices and embedded systems.

If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast.

To learn more about building a robust product security program, protecting your connected devices, and complying with emerging regulations and technical standards, visit https://finitestate.io/.

On this episode of the IoT: The Internet of Threats podcast, Michael Daniel, President and CEO of Cyber Threat Alliance, joins podcast host Eric Greenwald to discuss the shifting sands of the regulatory landscape in cybersecurity today and the growing prospect of government regulation affecting private-sector cybersecurity practices. 

Interview with Michael Daniel: 

Prior to his role as President and CEO of Cyber Threat Alliance, Michael served as the Cybersecurity Coordinator to President Obama’s National Security Council (NSC). His work at the NSC followed a 17-year tenure a Program Examiner and later a Branch Chief for national security programs with the U.S. Government’s Office of Management and Budget. 

The Cyber Threat Alliance is a non-profit organization that enables cybersecurity providers to share threat intelligence with each other and improve cybersecurity across the digital ecosystem.

In this interview, Eric and Michael discuss:

• The government’s evolving role in cybersecurity regulation, from the Cybersecurity Maturity Model Certification (CMMC) to Executive Order 14028
• How to measure the efficacy of cybersecurity products and practices and the pros and cons of first- and third-party certifications
• The government's contribution to improving cybersecurity practices by encouraging the adoption and implementation of the Software Bill of Materials (SBOM)
• How SBOMs help us see inside the software we use and address a key weakness in cybersecurity right now

Find Michael on LinkedIn: https://www.linkedin.com/in/j-michael-daniel-7b71a95/. Learn more about Cyber Threat Alliance by visiting CyberThreatAlliance.org.

Thank you for listening to this episode of the IoT: The Internet of Threats podcast, powered by Finite State — the leading supply chain cyber-security solution provider for connected devices and embedded systems.

If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast.

To learn more about building a robust product security program, protecting your connected devices, and complying with emerging regulations and technical standards, visit https://finitestate.io/.

In this episode of the IoT: The Internet of Threats podcast, host Eric Greenwald and the Vidovich brothers Nick and Sam hack the headlines – they discuss the latest news in security and offer their perspectives. Eric also interviews guest Darren Pulsipher, Chief Solutions Architect at Intel Corporation, about supply chain security at Intel.

Hacking the Headlines:

• Researchers warn of the huge risks involved in the rapid deployment of AI in agriculture, noting that cyberattacks on high-tech farm equipment could threaten the global food supply chain.
• Netgear recently issued a security advisory outlining vulnerabilities in two popular router models. According to Netgear, they are unfixable. Is this a responsible disclosure, or does it just raise more questions/concerns than it addresses? 
• A malicious Python package that performs supply chain attacks was spotted in the PyPI registry. It was downloaded 325 times before being removed. Is this more serious than funny, or more funny than serious? 

Interview with Darren Pulsipher:

Darren has been working on security solutions with Intel for 12 years. He’s seen from the inside how to build robust security into the software development and supply chain processes. In addition to his day job, he hosts his own tech podcast and is part of a standards body working to articulate how organizations should use the Software Bill of Materials (SBOM) to secure software and meet regulatory requirements. 

Eric and Darren discuss:

• Intel’s process for analyzing third-party software and scanning for vulnerabilities
• Securing the DevOps pipeline
• Balancing value and risk in using open-source software
• Potential impacts of Executive Order 14028 on improving the nation’s cybersecurity

Find Darren on LinkedIn: https://www.linkedin.com/in/darrenpulsipher/

Thank you for listening to this episode of the IoT: The Internet of Threats podcast, powered by Finite State — the leading supply chain cyber-security solution provider for connected devices and embedded systems.

If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast.

To learn more about building a robust product security program, protecting your connected devices, and complying with emerging regulations and technical standards, visit https://finitestate.io/.

This episode of the IoT: The Internet of Threats podcast features host Eric Greenwald reviewing security news with Nick and Sam, the Vidovich brothers. Eric then welcomes as his guest Vice Admiral TJ White, US Navy (Ret.), former commander of US Fleet Cyber Command/US TENTH Fleet, and Navy Space Command. Together, they discuss the international cybersecurity landscape and the challenges involved in defending the networks of the US Navy. 

They also geek out on the policy and process surrounding offensive cyber operations in a deep-dive that you can listen to separately.  Click here to check the bonus track.

News Roundup:

The Weekly News Roundup covers:

• A cybersecurity advisory issued by the United States and its allies focusing attention on a set of vulnerabilities that, while very basic, are responsible for a grossly disproportionate share of data breaches
• A recent Black Hat Asia presentation examining the firmware supply chain and exploring just how complicated it is to secure devices
• Yet another piece of draft legislation that would impose an SBOM requirement for medical devices

Interview with TJ White:

TJ White served more than 37 years in government, including high-level assignments in intelligence, cybersecurity, and cyber operations for the US Navy. He served as Deputy Director for NSA’s elite hacking unit — Tailored Access Operations — and capped off his military career with a tour of duty as the Commander of US 10th Fleet.

TJ and Eric discuss:

• Growing concern around potential targets of Russian cyber operations
• The US government policy and process for planning and approving offensive cyber operations
• The extreme challenge involved in defending big networks—and how the US government is getting better at helping private companies do just that

They also take a deeper dive into the history of US offensive cyber operations and how US policy has evolved since the early days of Cyber Command. Listen to the bonus episode here. 

Connect with TJ White: https://www.linkedin.com/in/tjwhite01networkconnection/

Learn more about US Cyber Command: https://www.cybercom.mil/

Thank you for listening to this episode of the IoT: The Internet of Threats podcast, powered by Finite State — the leading supply chain cyber-security solution provider for connected devices and embedded systems.

If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast.

To learn more about building a robust product security program, protecting your connected devices, and complying with emerging regulations and technical standards, visit https://finitestate.io/.

In this bonus track, our host, Eric Greenwald, and Vice Admiral TJ White, US Navy (Ret.), former commander of US Fleet Cyber Command/US TENTH Fleet, and Navy Space Command geeks out on the policy and process surrounding offensive cyber operations.

This week's episode of the IoT: The Internet of Threats podcast features host Eric Greenwald reviewing security news with Nick and Sam, the Vidovich brothers and discussing the future of the Software Bill of Materials (SBOM) Allan Friedman, Senior Advisor and Strategist at CISA.

News Roundup:

This week's Weekly News Roundup covers:

• Lessons that IT professionals can take away from the new Windows patch
• The importance of boardrooms bracing for supply chain cyberattacks
• The importance of the SBOM in addressing cybersecurity supply chain risk

Interview with Allan Friedman:

Allan is the former Director of Cybersecurity Initiatives at NTIA and has been one of the central figures in advancing the Software Bill of Materials (SBOM) as a key element of product and supply-chain cybersecurity. 

Allan and Eric discuss:

• The history of the SBOM
• Increasing adoption of the SBOM as a security practice
• How SBOMs may be mandated under federal rules 
• Misconceptions and myths around the SBOM

Connect with Allan Friedman: https://www.linkedin.com/in/allanafriedman

Learn more about CISA at: https://www.cisa.gov/

Thank you for listening to this episode of the IoT: The Internet of Threats podcast, powered by Finite State — the leading product security solution provider for connected devices and embedded systems.

If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast.

To learn more about building out a robust product security program, protecting your connected devices, and complying with emerging regulations and technical standards, visit https://finitestate.io/.