On The Cyber Jack Podcast, we sat down with Jennifer Tisdale, Senior Principal, Cyber Physical Systems, GRIMM, to talk about cyber war, critical infrastructure security, and the culture of data breaches.
[automated transcript for accessibility and your reading leisure]
Today, Jennifer Tisdale, Senior Principal, Cyber Physical Systems at GRIMM, joins us to talk about critical infrastructure security, cyber war, and the culture of data breaches. All this and more on the show. Jennifer, thanks so much for joining us today. As always, we'd like to start things off with a bit about your background and what you've been focused on in your current role.
Jennifer Tisdale 00:38
Absolutely. My name is Jennifer Tisdale. I'm the Senior Principal of Cyber Physical Systems at GRIMM, a cyber research firm. I'm solely dedicated to cyber physical systems security and my vertical and leading the way for embedded systems security, research, testing and product development. My background is a little unique compared to the others in my company. I am not a security engineer. I have an economics background, coupled with public administration and strategic communications. And I was introduced into the world of cybersecurity through the Department of Defense and work that I had done for both the federal government and my local state. So I'm located in the state of Michigan, and I was brought on to the government side to help create an economic strategy that hinged on cybersecurity, with the industries that are most relevant to Michigan, which was automotive, aerospace and the defense industrial base. Through that, that was in 2014/2013, I believe. And at the time, they wanted to recreate an economic strategy for cyber that looked very similar to what we see in the Bay Area or in Texas or in the Beltway. And it was my research and my perspective at the time, and it is still today, that there was no need to recreate what was already done very well. Instead, we focused our efforts on embedded systems and creating a cybersecurity economy hinged on hardware, software and firmware integration. And the rest is history. We've grown that program to attract new businesses and grow new businesses, not just in the state of Michigan, but in the country. And I'm proud to say that that is how I met GRIMM. So full circle, I have brought me to GRIMM to help lead their efforts in this realm.
Well, we're very excited to talk to you today about critical infrastructure and cyber war. To jump into it -- mainstream media has brought up the notion of a cyber war many times before. Are we thinking about that term in the right way? And what is the United States doing to prepare for the future?
Jennifer Tisdale 02:43
My very first reaction to that is we need to be very specific in how we're defining cyber war. I think the term means a lot of things to a lot of different people. But in the purest sense, I'm going to interpret it as offensive and defensive tactics initiated by nation-states or government entities against the US. And my very first inclination, and one of the things that has been top of mind for me as of late, is that other countries, other governments seem to focus more wholly on offensive tactics and cybersecurity, not to say that the US does not, but we don't tend to promote it, talk about it, or train for it in quite the same way as other countries and other governments do. To only have a one-sided game plan, if you will, is not the way you win a game. It's certainly not a winning strategy for more national security type endeavors. So it has to be more focused on not just defensive tactics, but offensive tactics as well.
Of course, and as a country, what does the United States need to change in order to improve its cybersecurity posture? What do we need to prioritize?
Jennifer Tisdale 03:52
Well, we could go on forever, I'm sure, on this very topic. And we can approach it in a couple of different ways. I would love to see more attention given to critical infrastructure. Critical infrastructure is also a large term. It's an umbrella term that covers a lot of things. But I think that priorities should be focused on public entities are utilities. First and foremost, we've seen some of the ransomware attacks from earlier this year. They are not exclusive to that one incident and there'll be many globally, that's not going away. But we need to invest in the workforce, we need to invest in education, we need to invest in our children and their awareness of cybersecurity from a holistic perspective. So from a tactical National Security, Homeland Security perspective, critical infrastructure, but second to that, and maybe more important, is the education of the people in the citizens so that they understand, you know, the prevalence of security and what they can do to protect themselves.
And diving a bit deeper into the education portion. How does the consumer culture in the United States contribute to our culture of security? We have no problem giving Facebook or third-party mobile apps, our data, and we've really become desensitized to data breaches. What kind of impact has this had?
Jennifer Tisdale 05:16
I think that is the number one issue that we have to contend with in the US society today and probably around the globe. As consumers, we love convenience. I'm equally guilty of that. I love the advantages that technology can bring into our personal lives and our professional lives, the efficiency that it can bring to us, some of the safety features that it provides to us as people and passengers and vehicles, etc. But we do wholly give away our personal data pretty freely, with social media, third-party applications, things of that nature. And it certainly is a cultural shift. I have to say that most people that I talk to don't understand that they are, you know, collecting and transmitting data about themselves in an everyday way, from some of the surveys that people complete, as games on Facebook, to applications that they download onto their phones, the technology they introduce into their homes. As consumers, we love technology. And we should, there are definite advantages to the technology that we integrate into our lives. But we need to have a more security-forward mindset. And that's something that's lacking. You know, the way it impacts our culture is pervasive. But, you know, consumer education is something that we need to do better at in terms of cybersecurity. And what happens after a while, it becomes white noise. If you work for a company that has any type of cybersecurity training, teaches you to click or not click on certain links. After a while it becomes inconvenient, and people find a way to pass around it, you know, how do I make this easier for me, so I don't have to go through all these steps. And that is a cultural shift that we need to make in our society: security is not meant to be convenient or easy for us. We need to do it for our own good, whether it's the protection of our company data or personal data. And we need to provide the educational mechanisms, put them in place so that people understand the consequence, and not just the how-to.
And cyber education is one of the most important tools we have. After all, humans are the weakest endpoint. And final question, and arguably the most difficult one to answer. We've seen a huge surge in advanced and potentially nation-state-backed adversaries over the past few years. They're executing very high-profile attacks, some that we may not even know about yet. Do we have a way to slow them down or even stop some of them in their tracks?
Jennifer Tisdale 07:54
If we had the answer to that, you and I would be very rich. I don't know that there is a way to make this thing stop -- adversaries are adversaries, they have varying motivations, could be something simple to something complex, something that's a cyber crime to something that's an act of war. There really is not, unfortunately, that silver bullet solution that we all wish for to make this stop. I think we need to understand that it is not going away. We need to put tactics in place, even if they never get deployed. And we have to understand that cybersecurity is not a one-and-done situation. It's ongoing. It's an action. And it has to be layered in many different approaches, from incident response to, you know, innovative new technologies that we can integrate into our systems and products. We have to be mindful that this is an ongoing activity, and one solution is not going to fix the problem is that it's not going away. And so we have to be at the ready, prepared, and knowledgeable of what the risks are and at least have a plan in place for how we'd like to respond to them.
Jennifer, thank you so much for discussing these important topics with us. We'll keep advocating for more cyber education. To all of our listeners, we'll see you next time.