Welcome to Cyberfocus. Today we're going to take a little bit of a different approach and format to our discussion to be able to respond to some breaking news. I'm joined today by Bob Kolasky, who's a senior vice president at Exiger, a supply chain risk and management company, and a former senior executive at the Department of Homeland Security and CISA. Frank, great to be with you. And joining us today is our producer,
Don Kaufman, to tee us up. Don, thank you. Yeah, no, thanks, Frank. We're talking
about the recent pager and communication device attack in Lebanon. It sounds like the Israeli government used a lot of planning to be able to go in and explode some of these devices. And so want to get your sense for kind of the scale and scope of this type of operation. What went into the planning to pull something like this off? And then. Have we ever seen anything like this before? You know,
I'll start and Bob, jump in. I mean, from a scale and scope perspective, I think it is unprecedented the tactics, techniques and procedures that were utilized. The in all likelihood, combination of human intelligence with technical means underscores not only how sophisticated an actor needed to be to be able to pull something at this scale off, but also just how significant our supply chains are today. And we always talk about
supply chain security. We've had many incidents on the cyber side, but we still tend to hit that snooze button. But when you start seeing something that has potential loss of life and physical consequences, I think maybe people will actually pay some attention to a significant set of issues facing our countries, our societies, and obviously our companies. Net net. I think this was an exquisite from a tradecraft standpoint, very sophisticated, and I
think underscores a set of issues we need to take seriously. Yeah, it's one of
those where the theoretical scenario becomes real. You and I participated. You couldn't have done
this in a Hollywood movie. Right. But we've also participated in a lot of exercises
and planning scenarios where people brief the. Some of this could happen. And whether you're sitting in government or you're sitting in corporate security office, you're like, I can't plan against that. I don't have the ability to plan against that. I got to deal with the stuff that's really going to happen. The Israeli government crossed the line into something we've talked about in Rubicon, crossed the line in terms of supply chain attack.
That again, we all assume probably, but I think I was surprised to see something of the scale of that. And when we talk about scale, it's not just the 2,700 or 3,000 exploding package pagers starting and then the similar walkie talkie carnage caused by that. But it's also the amount of planning to set up a company. We're all relying on the reporting by AP and the Times and other places like that, but apparently set up a company that was intended to sell pagers to Hezbollah. Right.
Or went into business with something like that as the intent. This was not just, as far as we know, in the reporting, it wasn't that they found the pagers that were heading to Hezbollah. It was like they set up a company to do this. And they set up a company not to sell pagers in the Middle east, but to sell them to Hezbollah. And that takes. Right, that's intelligence. And then the technical wherewithal to actually. Cause the devices to go off to. Get the device to
work pretty functionally. That's pretty impressive, I guess is the word. And the final area that we've talked about, Frank, is sort of the doctrinal shift that now supply chains are probably on the table as an attack vector as we get closer to war.
You know, and one thing that I think is significant is also the psychological impact that an initiative such as this can have on our adversaries. So they're looking over their shoulder, not plotting and executing attacks, but also the potential for boomerang. Right? Yeah.
So hope the Israeli Defense Forces came into this with the idea of trying to escalate to win a conflict so that we don't get to greater conflict. And part of that is the psychological factor that, hey, if you can do this, what else can you do? That. And maybe this will cause Hezbollah or Iran to pause before
they respond to this and hopefully not respond. And we can get to a point where Hezbollah has been weakened, which I think we all think is a good thing, but not that, you know, not in a way that's going to cause them to escalate, because I don't want to see that escalation. But, yeah, psychologically, like if you can't trust your community, you know, obviously part of the irony of this whole thing is the reason pagers were being used is because you couldn't trust Hezbollah, couldn't trust
their cell phones because they were worried about espionage concerns. And now you can't trust pagers or walkie talkies. You probably saw the same memes I did about pigeons flying around, and that's the new communication style that they're going to have to. Or the communications technique they're going to have to deploy. But, yeah, I mean, I think slows
down their planning. Yeah, yeah, we talked about some of them. But what other ripple
effects do you foresee coming out of this incident in terms of how other nation states respond, but also how companies that don't want to have their products be seen as suspect or vulnerable, what do they do to stay off concern? Yeah, I'll start
with that and then go to Frank. I mean, so if I'm sitting in the Defense Department and I'm sitting in a corporate security officer for a big critical infrastructure company today, I'm thinking about, do I have any similar vulnerabilities that could be exploited like this? I don't think it's a matter of like, just, do we carry pagers
or not? Right. That's not what you should plan against, but it has to be part of the planning scenarios for having good asset management of equipment that key personnel carry, doing the testing of that equipment to the extent you can test and see whether there's been integrity concerns there. And then the provenance of knowing who you're doing business with and where you're buying things from, in particular, where you're buying critical supplies
from. And so if this is a call for doubling down on the defensive side, for making sure you're getting supplies from, you know, the US has the luxury of we can know your suppliers. Hezbollah might not have had that same luxury, but the US Certainly could put in practices to know your suppliers. And so if this doubles down on a commitment to know your suppliers for critical supplies, I think that's a good, good after effect from a defense perspective. You just finished a broader discussion that
will come out in a couple of weeks about this topic. But can you talk a little bit more before we hear from Frank about the idea of either on shoring or friend shoring? Yeah, I mean, the idea of onshoring and friend shoring we
were talking about in the context of things like DJI drones and having alternatives to DJI drones. The idea of this is that the technologies that are important for national
security missions, national defense missions, come from trusted suppliers. And the best way to get to trusted suppliers is suppliers that are subject to the rules of the US Marketplace or friendly marketplace, so that you have the business information about key management personnel and suppliers that aren't subject to the laws of the Chinese government and the Russian government
or other adversarial nations, and the influence is there. And so the more that for anything that we consider a critical supply in the US that there are trustworthy sources of companies creating Those supplies that are subject to Western or OECD like transparency regime in reporting information and have personnel that are not subject to being exploited by foreign governments, I think is an important element. So, couple of quick thoughts on this. Firstly,
I mean, history is filled with examples of where technological superiority isn't always noticed. It's how that technology is applied. So I think here you had a very innovative means of utilizing a tactic and technique. I do suggest some really creative thinking with the
technology that I think a lot of people didn't realize was still in use, frankly.
You know, I also think though, we've got to be very careful in terms of what lessons we fully learn here. My gut tells me in the intelligence world it's exquisite. It's a source or a method that is very unique. My gut tells me this does require a level of sophistication that the average bear won't have. But. But I do think it will likely lead to some new applications and tactics, techniques and
procedures we may see in the battlefield or even in a civilian battlefield. So I think it's a little early to figure out what all those consequences are, but clearly we'll be taking some note. Yeah, I agree with you. And the last thing I'd
say is wake up and ask the question of do you have practices into. In place to have confidence in your supply chain? But you're absolutely right. The last thing we always want to do is just treat an attack like this is that's the next thing that's going to happen and you have to plan for that. It's not specific, but it is the general. And then the broader conversation is we're likely to see an enhancement in hybrid techniques, including cyber attacks in conflicts like this. And, and
maybe even in this conflict. You know, in the banking sector, know your customer and,
and all the issues that are very prevalent in, in that sector, know your, know your supply chain is really, I think the, the big takeaway here and hopefully we'll have companies being able to provide not only not only ask the right questions but, but actually start doing more to ensure that their supply chains are secure. I couldn't
have said it better and. Resilient to drill down a little bit more on the
supply chain. This attack evolved a physical device, but there could be other, more software, just purely digital components that could be exploited as well in future attacks. Yeah, I
mean, that's why I keep coming to the phrase hybrid because I don't want to call this a physical or cyber. It's an element of both things. And you needed to right. There's a digital aspect of how the physical attack was done. And so we're going to get lost if we spend our time debating whether something's cyber or not. Cyber enabled, physical enabled. It's all blended together there impact and outcome that matters.
We've seen there are other devices where you don't need explosives in the device to cause the device to to have a kinetic event. The software type things you're saying. And so that's the reality. And that's one reason that cybersecurity for important devices. We call it ot. We call it Internet of Things or industrial Internet of Things. That's an important element of cybersecurity because it's those kinds of things that probably lead
more to physical consequences than cybersecurity for it. And our attack surface continues to grow
exponentially. And I think it is becoming an artificial distinction between itot physical, cyber, industrial, operational technology, IIoT. Truth is, it's happening fast. We just need to think through the consequences before something significant happens. And in battlefields, let's all be blended together. Battlefields are normally where innovations start. Thank you for taking a couple of minutes to help
us unpack this event. We appreciate your time. Thank you. Thanks. Thank you for joining
us for this episode of Cyberfocus. If you liked what you heard, please consider subscribing your ratings and reviews. Help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you'd like for us to host. Until next time, stay safe, stay informed and stay curious.