Welcome to CyberFocus from the McCrary Institute where we explore the people and ideas shaping and defending our digital world. I'm your host Frank Cilluffoand this week I have the privilege to sit down with Bob Kolasky. Bob is a senior vice president at Exiger, a company focused on supply chain related issues and supply chain risk. Prior to joining Exiger, Bob was a longtime and original plank holder at what is now cisa, previously
NPPD and prior to that the Preparedness Directorate at the Department of Homeland Security. Bob also stood up the National Risk Management center at cisa. And really excited to sit down with Bob today on supply chain, supply chain and supply chain. Bob, great to see you. Thanks for joining us today. So supply chain is finding its day in the sun in part because there's some breaking news at the time discussing here pagers
in Lebanon and, and the like. But I thought before we jump into, into that particular event and incident, we can maybe sit back and, and sort of paint a picture on where we are today from a supply chain perspective. I know Congress and, and notably through the committee focused on the Communist Party of China has passed 25 bills, passed the House on supply chain related issues. So I'd love to sort of get your thoughts on where we are and what we need to be thinking about
right now. Yeah, I think the events that recently happened in Lebanon and the attack
on Hezbollah terrorists is part of this conversation because I think part of what we're saying with supply chain is it is part of a hybrid threat environment, hybrid risk environment. And certainly when you get closer to instruments of war and whether we're going to call things war or close to war, terror attacks and everything, supply chain is increasingly become both an important element of how nations defend themselves, but also an area
of attack. This is a cyber podcast and supply chain supplies. Digital supplies are a key attack vector by which cyber attacks are deployed. But of course, the term supply chain existed before the term cyber did. Right. Because supply chains, logistics chains, that's how parts get delivered, that's how products get delivered. In the middle of a disaster response or in the middle of conflict, something gets from somewhere to somewhere else through a
supply chain, through having a supply base. And so when you talk about the issue now and why we care about supply chains, we care because we want to have safe and secure supply chains. We don't want them to be vectors of attack. Is certainly for those of us who are in the homeland security perspective, we want to minimize attacks via supply chain attacks and the like. But we Also want them to function, to get critical goods to where they need to get, to help with national
defense, to help with the delivery of national critical functions and the like. So supply chains are an important element, what we're going to talk about. Critical infrastructure, I'm sure.
Absolutely. Supply chains are an important element to enable critical infrastructure, but they also present
a risk factor to critical infrastructure and other instruments. And I guess a lot of
the attention early on was more in the exploit or espionage side of the house. So in addition to disruptive or destructive attacks, which there are some as well, largely we're talking, at least initially, you don't want intel inside, as the old intel commercial used to go. Yeah. So let's talk about SolarWinds, which I'm sure you've talked about
this podcast as a supply chain attack. And SolarWinds was a software supply chain attack where they exploited bad code that was knowingly exploitable by Russia in there. And they exploited that code to collect information that, as far as we understand, to collect information on U.S. government sources, U.S. government agencies, and any other sources that they could use related to this SolarWinds vulnerability. And so, you know, think about SolarWinds both as a
cyber attack and a supply chain attack. And of course, what that means by calling them two different things is you have to mitigate through multiple ways, or there's opportunity to mitigate through multiple ways. And before going. And we can go deep on solar
winds as well. But what about dji? This was a manufacturer of drones and unmanned vehicles. Lots of concern. You and I had discussions when you were in that role at cisa. What do we need to. Yeah, as you know, I was at CISA
through 2022. And going back, you know, when we stood up the National Risk management center in 2018, one of the first issues we were talking about was what to do with concerns about dji. DJI is a Chinese company that has cornered a significant portion of the US law enforcement drone market. Right. And we saw even going back to 2018, 2019, Tech and the Department of Defense has identified these technically exploitable vulnerabilities
associated with the use of DJI drones. And what that means is concerns about the company, the Chinese government, collecting information through the use of those drones. There's also the reality that since. So. So, I mean, I think that's the major concern there. Right. That not only do we know there's ties, that at least DJI is subject to the laws of China and can be influenced by the Chinese government. I think that's
the issue. Right but there are also technical vulnerabilities related to that. So this is
a risk that's staring us in the face, has been for a long time. One of the 25 bills you mentioned that from the Chinese, the CCP committee was to address DJI drones. But they're still out there, they're still the dominant drone being bought by law enforcement across the us which is kind. Of frustrating because I think I
wrote my first op ed about 10 years on this particular issue and I kind of feel like it's almost a whack a mole approach. ZPMC is now the concerns about cranes and ports, all of which is good that we're getting our arms around this. But do we have visibility across our supply chains? We don't have the visibility
that we. Need to have at the granular level. Right. You mentioned Exiger, my company. Right now, amongst the things we do is help add to visibility, illuminate supply chains. And that can be done by the collection of a lot of information that's available, open source and through other data sources to knit together how supply chains work, supplier relationships. But visibility can always get better. Companies need to invest in visibility in their
own supply chain. The US government needs to know, particularly around weapon systems and the like, visibility and supply chains. And then there's parts of the US government like my old agency cisa who are interested in visibility just because they want to know where risk may lie in the supply chain. Go into the DGI question. And I mean, I think this is an interesting conversation of like, okay, this is not a new issue, but yet it hasn't been addressed. Yes, and we are accepting the risk as
a country associated with DJI drones. State and local law enforcement offices around the country are accepting the risk known with DJI drones. The information's out there. So now we have to say they're accepting the risk. And the reason they're accepting the risk is DJI is the most cost effective and efficient solution that they can find. So even if you don't want to necessarily deploy DJI drones, they perform well for efficiency and
effectiveness reasons. The other half of mitigating supply chain risk is having an alternative supply base that is more trustworthy. So it's not just illuminating seeing visibility and supply chains. It's like, how are we going to, how are we as a country going to see the investments made in alternatives to DJI so that law enforcement can still get a cost effective solution to meet their mission needs? And isn't that exactly what we
were dealing with with rural broadband for example and Huawei and other sorts of issues.
We can go down the list of things we're dealing with. I mean, there were good and bad reasons that we are overly reliant on technology that comes from elsewhere. Elsewhere. This did not all happen from some intentionality that I think even on the Chinese side that there was a we're going to use, we're going to create technical dominance in certain industries because we want to use that for espionage or other reasons.
But that's sort of what happened. And we're not going to talk on this podcast about trade and going back to the most favored nation status and WTO rules and things like that. But we are going or we're going to talk about sort of in any depth the technical wherewithal you need to manufacture this stuff and create it.
But we have got to an uneasy place as a country. And I think both Democrats and Republicans, a lot of what Congress is trying to do is roll back and what both the Biden administration and the Trump administration before roll back some of that for national security and national economic competitive reasons. You know, I actually don't think
that issue is off piece or off grounds. The reality is, is when you look at cyber issues, it's not just the beep and squeak and the technological sets of issues and subject matter experts who need a seat at the table. It really is all instruments of statecraft and supply chain in particular gets confusing because it's both physical and cyber. And you can have a cyber attack that has a kinetic and physical outcome and you can have a physical attack on cyber infrastructure that leads to that
same sort of outcome. So I actually don't think that's off, off grounds because we do need to marshal and mobilize our community to address this. No, yeah, no, I
agree. And you and I have talked over the years about sort of economic security as part of homeland security, economic security. National security, they're all inextricably interwoven, aren't. They, processes to talk through those having the seat at the table. You know, I believe now at this point the term industrial policy is not no longer, you know, off
table to talk about here in Washington. And I think both, I think again, going back to the legislative action, I think there are aspects of industrial policy that are part of that to strengthen our nation's security, to strengthen our economic competitiveness, to make
us more cybersecure and ultimately for America's national interest. It's not just about bringing supplies back here, manufacturing, backshoring as much as you can, but there's Friend shoring and trust shoring and such and making sure that the instruments of power are used to stimulate the development of technologies and markets for technologies that are crucial and that critical supply chains, critical supplies, there's trust in critical supplies and critical supply chains. That's the end
state goal. We're going to layer cybersecurity on top of that. That amongst the trust factors is strong software, strong hardware, continuous monitoring against known exploitable vulnerabilities, not having backdoors entered into things, zero days and all that, which is all part of building up a strong supply chain. So let's go to. So we discussed briefly the Select Committee
on ccp, let's just call it the China Select Committee and they recently came out with a report that also included Mark Green at House Homeland and Transportation I believe as well looking at ports and looking in particular at zpmc. Thoughts around that? You
know there's, there's themes in all of these stories. ZPMC was a provider of communications technologies deployed is a provider deployed through cranes shipped to shore cranes at ports around the country that again had established dominant market position. And just for the lay audience,
what could that mean if you have majority of these cranes in sensitive US Ports?
A lot traffic's through cranes a lot. So understanding through ports, not through cranes, pardon me, you know, what can it mean? Ports are critical infrastructure. Ports have, you know, you see lots of things that go out. So yes, starts with collecting different sources of collecting information about shipping patterns, what kind of goods are through ports, you know,
timing and what ships from that. And so it is a collection vehicle there, there are other ways of course that could be but it's in addition to digital espionage capabilities. And then always with these things there's also the possibility that there's availability issues, something goes wrong, systems don't work and we're in the middle of a bad day where we have to try to deploy overseas from stuff that's going to help us
get overseas from a port and we have operational issues there. And so I think to the report it identified that this is a risk factor that has continued to increase. Are we ready to go after doing it? You know, you see a lot of this in all these things where it's like it's time to, you know, we've elevated the risk but. But we don't have solutions yet. And the reports trying to put pressure on the port environment for solutions. Yeah, just to sort of pull a
thread you raised. So there is the collection concern, but there's also the, in the event of A crisis, it may not work as intended. And if you can accept, exploit, you can disrupt or attack, right? Arguably, yeah. And, you know, the last, certainly
the last several years of my career at DHS and then work I've done after was all about better understanding strategic vulnerabilities to critical functions. And, you know, I used to give a. And help our listeners understand that and viewers, because critical functions. Exactly. The idea of critical functions are the things that infrastructure produces that are important to national security, the economy, economic security. So the critical function that we all rely on
is getting, generating electricity, distributing electricity and transmitting electricity. So we have the lights on every day. It's the health and public health system. It's patient care. Critical functions include
the supply of water. It includes, you know, having a functioning wireless communications network. And so the idea of switching from communications that just from critical functions to just talking about critical infrastructure sectors is it's actually the thing that we want to make sure works is the function that the infrastructure produces. And so it's not just the actual piece of critical infrastructure, it's the critical. Function that could cut across all critical infrastructure
sectors. Right. Like all critical infrastructure sectors, lido rely on critical minerals. They rely on
the availability of chemicals and the ability to process chemicals. They rely on, of course, electricity there. And so going back to the question of the concern with ports and what I was saying about my time at dhs, we realized at a certain point that if our adversaries of concern are nation states who have time to invest in ways to try to go after weakening the homeland, weakening America's critical infrastructure or critical
functions, they're going to be studying the ways to do that. And we have to know our systems better than they know our systems, so we can make protection prioritization. And it really is a mindset shift. If ultimately the goal of homeland security is to maintain the continuity of critical functions, the continuity of government and the like, to
work toward that and protect and make resilient those critical functions. And, you know, think about the things that are most precious and how that works and make sure those are protection priorities. And can you help our viewers understand sort of, you've got critical
infrastructure sectors, you've got critical functions, you've got what are now referred to as sie systemically important entities. Help us stitch that together. Yeah, it's a messy. It doesn't have
to be sort of a messy bureaucratic effort. And it's kind of fun to talk about the messy bureaucratic elements of it because it's important to know that. But ultimately, the end state goal in my mind is maintaining functions, whether at the national level, at the community level, that are safe and secure, that work there. And to do that you have to work with critical infrastructure companies, critical infrastructure industries, through a sector
structure to strengthen critical infrastructure, to strengthen critical functions. And within that then there are important elements, data centers, which by the way. Transformers, risk ports, defined as a equivalent. Of a critical infrastructure center, financial parts of the financial instrument, telecom, hotels and the like, which are sort of systemically important to the overall functioning of how our infrastructure
works. And that's what, you know, the systemically important entities are entities that operate things
that are the crucial nodes to keep functions up and running. And so what, what I would advocate the government do, and I did try to do a lot of this when I was in government, and it's a big government, they don't always listen to what I'm advocating for, but I would, what I would advocate for is knowing the most systemically important entities and working with those companies that operate that infrastructure as
close as possible. You know, we can say operational collaboration, we can say shoulder to shoulder, but as close as possible to strengthen those, to prioritize making sure that those entities have everything they need from the government and that there's constant communication so that risks are recognized and vulnerabilities are addressed because it's in the national interest and. Also
because many of these companies didn't go into business thinking they have to defend themselves against foreign militaries, foreign intelligence. Services and the like. I agree that that's true. But
you know, I had the honor of working with, you know, representatives of many of these companies at this point. I had honor to work with a bunch of people in government who I trust and respect a lot. And at some point, if you're systemically important, you know, you're systemically important. So, you know, there was one company who said, hey, we're trying to decide if we're systemically important, like it was up to
them. And it's like, well, no, you're systemically important because your business has been so successful that you do something that's so important to American communities and the like that, you know, you have the honor to be systemically important, but you have the obligation to be systemically important. Right? So you might not have entered because you thought you were going to one day be crucial to national security or national well being, but
through the success of your business, you are. Which brings up a question around, which
has probably come up in multiple podcasts, but Space Cloud thoughts on that should they be designated critical infrastructure sectors, clearly essential to our national security, economy and public health?
Yeah, right. So there's part of this, which is an academic discussion which is like, okay, cloud infrastructure, particularly hyperscale cloud infrastructure is part of our critical infrastructure. If you're one of the hyperscalers, Amazon, Microsoft, Google, that's not a controversial statement whatsoever. Other parts
of that ecosystem certainly are. So the question of should it be a separate critical infrastructure sector or how should the requirements be the security and resilience requirements to be
placed on them. That's the question we should be dealing with. The last question, which is do we need additional security resilience requirements or practices put in place to make sure that what is critical infrastructure in areas we do, we certainly need more, what I call stress testing of the use of cloud services, for example, preparedness, exercising, making sure that we know, as you know, we saw this with the impact of the
CrowdStrike, the failure of the software update in the CrowdStrike. We saw the degree to which, you know, the entire ecosystem depends on, you know, the real time upping of systems and CSPs are a big part of that. Yeah, yeah. So let's move to
sort of what US strategies are to respond. And again, I think we frame this different ways, but at the end of the day our cyber security and economic security are inextricably interwoven and our cyber security, national security, same sort of thing. But where do you think we stand right now on. On some of the, at least strategically thinking through strategies around supply chain and securing and more importantly doing. Yeah, securing a
supply chains. It can. We've made a lot of progress on the recognition side on
the putting this toward the top of agenda. So admiring problems we're there, but that
kind of progress. Let's think simply binary. Companies are taking their supply chain security, their
supply chain risk management more seriously than they used to. They're investing in resilience in their supply chains because there's good business there and they recognize the need to do that, would like to continue to elevate that conversation from the private sector side to make sure that private sector supply chain risk management, particularly for critical infrastructure companies, is an important part of how they execute their business. Every dollar invested security comes at
a cost, but it also hopefully reduces risk and contributes to the bottom line. From the government side, the government has created more certainly the executive branch has created more institutional strength governance structures to address these issues. We haven't quite seen the full benefit of that. So there needs to be a little bit of continuity in solutions there. But then the legislative push, the Chips and Science act, the Infrastructure Investment and the
Inflation Reduction act, that's given us more money to strengthen our supply base. I think the Biden administration's eo, America's supply chain eo, which was probably the first security EO coming out of the administration, has identified critical supply areas and we're starting to see strengthening of the energy supply chain, the healthcare supply chain, the mineral supply chain and investments in that. But that's almost a generational problem. And again, I still think we
have a challenge with visibility when you get to second, third, fourth order kind of effective supply chain. So. And well, let's start with. And this happens all the time,
right? More visibility, more demands for visibility to require critical infrastructure, companies, government agencies, to not put their head in the sand and to avoid the visibility. So get the visibility because it's good for you to manage your supply chain risks. And so I
think, and some of that's not government. It's going to be clearly industry. Right. And
there are solutions that will help companies better understand the supply chain. And as you have that visibility, start to use that visibility to make decisions to take less risk, to find alternative suppliers, to not have concentration risk, and to then go advocate where you know where. Again, go back to the DJI drone, if you really rely on drones and the only place you seem to be able to find drones from is
dji. Let's have a national conversation about how we create alternative sources of drones. No,
that's spot on. And I do think there are a number of different areas. Again, I always feel like we're reacting rather than trying to get out in front of all that. And what are your thoughts on that? So it's never the list of
the companies to not do business with or the list of companies to do business with. It's having the process to create those lists and update those lists. But there
should be a unifying list, should there not? For depending on the purpose. There should
be. There should certainly be. There may not be one list to rule them all for everything, but there should certainly be. If all the lists are trying to do kind of similar things, why not do that? At least grow up the same way? And certainly from my industry perspective, I get frustrated when there's seven different ways the government's trying to accomplish the same different thing that I have to comply with. Give me one way that I comply with what you're trying to accomplish because it's going
to be much more cost effective. So it's more Than just harmonizing. It's actually getting
on the same sheet of music. Yeah. And so from. So we can roll out
like, don't do business with Huawei, don't do business with zte, don't do business with Kaspersky. That's good. And there are legitimate reasons not to do business with them and not to have that hardware and software and parts in your supply chain. But that process has to be dynamic because these companies, the Chinese government, the Russian government, this
is a ongoing game. So, okay, if we pass a law to don't do business with A and B, and we think one reason don't do business with A and B is they're influenced China or Russia, guess what, there's gonna be an alternative to A and B that the Chinese government is subsidizing or the Russian government subsidizing, which.
Is a bit of a whack a mole. Yeah. Which is why the process has
to be dynamic and there needs to be continuous monitoring of supply chain risk. So
one particular entity that gets a whole lot of attention. You and I have probably had discussions about this over the years, but let's talk TikTok, ByteDance and what the implications are there. Yeah. I continue to think that the legislative path that we're on
and the restrictions placed on ByteDance ability to operate TikTok in the US is a good path. I think it is clear that TikTok gives the Chinese government avenue for propaganda. In the US we can have a conversation about free speech for in propaganda, but when a country that's been designated an adversary nation has that much influence over a media platform, I think it's in our interest to. For that not to occur.
Mike Gallagher used to call it digital fentanyl, which it kind of is. Yeah. And
so, you know, there are then intelligence conversations about what else can be collected via TikTok, whether it's geolocation, geolocation, information geolocation, and some of that. You know, I think it's fair to criticize the government for not being exactly clear about how far they're concerned about the collection possibilities related to TikTok. Some of that's because those conversations are
happening in, maybe not in rooms like this, but I think, you know, giving. Creating an ecosystem where there are alternatives to TikTok to accomplish what a lot of people like out of TikTok, so that we're not so reliant on a social media platform that is digital media platform that's so reliant, that's so connected to the Chinese government is a Worthwhile goal. And again, you brought this up earlier, but it's. Even if
the company doesn't have malicious intent, it is bound by law to share information with the, with the security services. Yeah, I think that's an important element of this whole
supply chain conversation. Like there are first order realities. If you do business trust and Verify and Verify Incorporated company in China or in Russia, both of them have laws that say if we as a government say we want a piece of information about your business, your client base, your clients, you legally have to comply with that. Imagine if that was the debate here in the US and if American companies had to operate basically the fear at any one day that they were working on behalf of
the government without control there. And you know, that's not a policy you or I would advocate here in the US it's bad policy, but it's a sign of what an authoritarian government is doing. And the reality is that puts anything that those companies are doing, even if they're not directly subsidized or run by the government, that puts a degree of influence and potentially control of their business practices. And a lot of what we're trying to roll back in the supply chain is not being reliant on
places that are the first order serving the needs of our adversaries. And I would
argue financial transparency. So with 10k file, none of that exists. And to know where the funding originated and what other intentions may be are pretty difficult to discern. Yeah.
And so there are places where, you know, it's relatively clear that these companies are complying with the law of the CCP or the Russian government. And there are other places where there's startup culture and things like that, but there's risk there. So you
got 25 bills passed in the House. Obviously it needs to pass the Senate to move forward. Anything lacking that you feel like major gaps still exist that you would have liked to have seen A. And if you have, and I'm not asking you to be a betting man, but which ones do you think actually make it over the goal line? I mean, you never lose money betting against Congress passing bills. Right.
So the fact that the TikTok bill got done was a big deal. There's not much time in this Congress for things. It's hard to see the DJI bill getting done. But maybe I'm wrong in the Senate. But you know, they're things like. But
these are. These have largely bipartisan support. I mean, we haven't talked about the. Biosecure act, and that's a big deal. We haven't talked about the Biosecure act, which is
one of those 25 that does have, you know, has been passed. Right. And the biosecure act is protecting the bioeconomy, biohealth, you know, sensitive health information that is being collected in companies that are doing business there. So, you know, again, I don't get
paid as a prognosticator for particular ones. I think things that are moving toward protecting the most critical information, I think there is recognition that amongst sensitive information that particularly overlaps with Americans losing their own sensitive information, such as what we're talking about with the biosecure act, you can talk to your constituents about what you're trying to
do there. And I think those ones where, you know, it's like anything with Congress, it's like if it's going to serve the needs of constituents, it's got more of a chance of passing. And if you look back just to the pandemic and responses
to COVID19 and we talked ports, we talked medical supply chains and the like, we were in part dependent. And honestly, China was not acting in our best interest throughout that which I'm sure if the shoes were flipped. Yeah, I mean there was again,
there were some realities. Things that shipped out of Wuhan and things that just were not available. And you know, that's just because we weren't shipping things from there. And we saw from a, like an ICT functioning that we were. The ICT companies were able to continue operations despite not getting parts that they were relying on, but that there were times it got teetered in terms of the actual ppe. Protective, medical personnel,
protective equipment. Yes. That, you know, we did not have the capacity that we needed. And other medical early days there. And even when capacity started to come back online, you also saw a lot of counterfeit goods being shipped from different places. You saw a lot of fraud in the system as well. So it wasn't just a matter of, you know, could we get these things. But could we get the real thing. Counterfeit ppe, counterfeit medicine means it doesn't work. Right. It means it's not performing its
critical function of keeping people safe. Yeah, yeah. And then we haven't even talked about, you know, the dangerous in the fentanyl supply chain. And that is a big deal.
And I do want to get to that, maybe in a different kind of way. But when you look at convergence, physical, cyber, supply chain, cyber, but biotech. And you brought up sort of the Biosafety act and cyber, they're coming together pretty darn fast, aren't they, oh yeah. You know, how is all this. Right. One of the reasons
we're having this conversation is the digitalization of how supply chains operate in the automated way and the that things are being produced and the fact that we're more reliant on artificial intelligence and robotics and the computing power necessary for all that. So innovation, Right. That even in things that you think are the most classic physical manufacturer things,
there's still a digital element of innovation. Advanced manufacturing is huge. Yeah, right. So we're seeing order magnitudes, improvements in manufacturing techniques that are being enabled by digital and what is. Whenever you say the word digital, you can say the word cyber because a digital supply chain is a potentially cyber vulnerable supply chain. That means cybersecurity's got to
go to those areas. And we're merging all these concepts together. The physical implications of the supply chain not functioning because of a digital failure has real world consequences, whether on your business bottom line or the availability of the good that my city is dependent on. Let's go to breaking news today, which will not be necessarily when our
viewers touch on this but significant supply chain issue that brings to real life the potential consequences. And let's talk about what we saw are seeing play out in Lebanon.
So by all accounts, the Israeli intelligence operation launched an exquisite attack on the members of Hezbollah using supply chains. And it's, you know, there are three elements that I think are worth talking about just right now. Intelligence and the degree to which this was a, from everything I can tell, was a well planned intelligence operation where, you know, suppliers, companies who were providing pagers were set up for the intent of providing
pagers that could be used in this manner. And so this took time to build up a supply base and companies that were essentially front companies or the like to then, you know, has blood procured from these companies. Right. And you know, a good, a bad of the attack is these pages were set up to be in the hands of terrorists or people who support terrorists and not just send out into the wild in Lebanon. So that, so this was a, this was an exquisite intelligence operation.
The second side is the technological side, which we've been talking about throughout this, which is it's pretty, I would imagine it's pretty hard to get all the specifics right for the degree of technological attacks where there's explosives and ways to charge and a way to generate the explosives to cause this level of harm. And then the third
area is what I think you and I would call doctrine. Right. We've now seen Rubicon in a near state of war, supply chain attack, be part of the Israeli government's doctrine for something that's a way that you can go about attacking the adversary. I'm not aware of a lot of examples like that. We'll see if anything changes long term about that as an instrument. But it's all part of every conflict between modern states or modern states. Modern states is going to be a hybrid conflict. Now,
that's what Russia, Ukraine has been. That's what certainly even the Hamas attack on Israel was a hybrid technologically enabled attack, even though we would assume Hamas is behind, is not as far advanced in some of the exquisite intelligence capabilities we're talking about. But still it was a highly technical, highly sophisticated hybrid attack. So in terms of scale
and scope, arguably unprecedented in terms of the tradecraft, the tactics, techniques and procedures I think you're seeing. And again, there's a lot we don't know, but in all likelihood, a combination of sophisticated human intelligence combined with technical means. Yes. And creative planning and
very creative and unique planning that had significant consequence. The question, I think, that all of us have sort of struggled with in the past is we've always had sophisticated cyber capabilities, but there's always the potential that once you unleash something, it can boomerang and come back. Do you think this is potentially going to lead to that or is the tradecraft at such an exquisite and sophisticated means that probably not so much.
I mean, there's the sort of somewhat flippant part of it, like, should I be worried about carrying my cell phone today? Should me and you be worried about our cell phone or if we have a pager? I haven't had a pager for a little while. Luckily, I don't spend time in skiffs anymore, but haven't had a. So there's a little bit of that. You know, is this exact. I mean, there are reasons why people shouldn't wake up and be scared about their personal communication device today.
That being said, over time, is it a attack vector that can be put in place? We've now seen that it is. Are others going to try to copycat and pursue it? You know, that's the doctrinal piece. Maybe it's not off limits to try to do that. And so, you know, I do think from a homeland security security perspective, we've been talking about supply chain risk management, but let's also talk about supply
chain security. And it's going to be important for things that are potential weapons that, you know, the provenance of the things that are potential weapons that you're maintaining checks on the integrity there that, you know, if you're in the U.S. defense Department or somewhere, you're, you're making sure who you're doing business with and where you're buying these things with is you're continuously monitoring all the things we were talking about earlier there.
I don't know that Hezbollah has the ability to know that who they're buying pages from is secure. But the U.S. defense Department probably has the bill pretty good practices in there. And so too we're going to have to see this in the corporate security side. And so yeah, I mean, as an escalation technique for something that has to be now part of your planning. I think unfortunately we always have to learn from these and plan for whether that's a scenario where it's going to lead for
Hezbollah's response. And did Israel escalate to de escalate or did Israel escalate to escalate? This is running two weeks before we're talking two weeks before this is going to run. But the technique from a collection standpoint, I don't think any of us would
be overly surprised that it could be exploited. But, but yeah, also to ensure how it was detonated and heated up and what have you there. There was some pretty sophisticated. Yeah. And one amongst the things that you and I don't know is how
easy would it be for us to evaluate a piece of technology if we were looking for a scenario like this. You know, presumably it's probably worth assuming that it
was not easy to spot, but if you were explicitly looking for explosives. And so there will be questions, unfortunately, going back to DHS and the DHS mission, there are going to be questions about bombing detection, explosive detection technology to improve explosive detection areas that DHS has invested in great R and D over the last 20 years, but will continue to be something that, you know, we're going to have to see investments
in. Hey, Bob, we're near the, unfortunately the end of our time. What questions didn't
I ask that I should have? I think you pretty much hit them for, for
what we're trying to do here with supply chain security. Let me ask it a
different way. Unfinished business, long and terrific career in federal service. Any anything in particular you'd love to. To see in five years acted upon. Stability of institutions I think
is important and stability of priorities. And so, you know, I always come at this and we're talking a little bit, you know, we're doing some work, Frank, on, you know, cyber priorities for the next administration, whether it's the Harris administration or the Trump administration. And one of the things I think we both agree on is, you know, let's not keep changing institutional directions. Let's empower the institutions that Congress has created, the
executive branch has created to continue to do this work. Administrations may have different priorities, but the more we sort of jump around with three letter agencies who have different authorities and all that, the more we keep creating something new, the more we sort of get drawn away from the end state goal, which is more security and resilience. Pithy thing I will say is every dollar you're spending on change or compliance rather
than security, resilience is, you know, those things come out of trail opportunity costs. Right. And so I want to see, you know, we didn't spend as much time as we probably could have. It's sort of how the government better empowers the private sector to provide capabilities around some of these things. That's certainly an area of passion for
me. You need government reform, you need procurement reform, you need some of those areas to continue to allow the private sector to be the source of innovation on these issues. And I think many want to. Right. I mean, they're just chomping at the
bit, actually. Yeah, yeah. I mean, we were talking before. Sorry, you just Talked to
Dave DeWalt and Kathryn Grunberg and you know, the work they're doing at Night Dragon, I mean, they're investing in companies who want to be part of the national security solution. Certainly that's. We as a company, you know, think we can help get us stay ahead of some of these challenges, and that's how we're going to win this. But they have to be come with trusted suppliers. Bob, thank you for all your
time today. Thank you for your many years of public service and thank you for continuing to serve. And I dare say, as a senior fellow, we're thrilled to have you on board at the McCrary Institute to be here. And luckily, we're gonna have
lots of issues to talk about coming forward. Awesome. Well, thank you, Bob. Thank you
for joining us for this episode of Cyberfocus. If you liked what you heard, please consider subscribing your ratings and reviews. Help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you'd like for us to host. Until next time, stay safe, stay informed, and stay curious.