Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and have the privilege this week to sit down with two luminaries in the Cyber Field. Dave DeWalt, who is the founder and CEO of NightDragon, has been a CEO of multiple cybersecurity companies in the past, including, as my kids would say, the OG McAfee, which ultimately was sold
to intel. And I can't count how many executives came out of that leadership team, as well as FireEye and is a noted wrestler. Hopefully we'll get to some insights that he learned on the mat that he can bring to the boardroom. And also Katherine Groenberg, who is a longtime friend. She runs Government affairs at NightDragon, has run government affairs for CrowdStrike, ForeScout, and if I'm not mistaken, Katherine, I think we first
met when you worked for Senator Judd Gregg on the appropriations. I guarantee it. Really excited about today's conversation. And Dave, Catherine, I thought we'd start. This is a little different. So we've gone deep in a lot of issues around Cyber. What I thought we could do is maybe go start going wide in terms of where we see some of the technical innovations coming. Obviously a little bit of your investment thesis in terms of what Night Dragon is. Is looking at and sort of roll from there.
So I thought we were going to arm wrestle first. You said about I don't
wrestle with wrestlers. So I, I learned that the. I'm smart enough to figure that one out. I'm not very smart, but that one I can figure out. So. Dave, thanks for joining us. Thank you so much for having us. Really appreciate it and
what a great venue you have here. Appreciate it. Great to have Kevin with me too. Awesome. Well, so tell me, what do you. What do you think? Some of
the. When we look at the tech landscape and lots of buzzwords, AI, ML, quantum, all of which matter. But what really matters from your perspective? I'll start. Catherine, Add
on. I've been talking Frank for, for the last 20 years. Literally. You mentioned McAfee, OG, but you know, for, for 20 years watching this market grow. And I called it the Perfect Cy storm 20 years ago, because you had these confluences coming together. And here we are 20 years later. These confluences are even bigger. And so you
think about technology inertia, right? I was like, the faster technology goes, the less we harden that technology, because the race for capitalism creates this opportunity, but yet we don't really secure by design much. So therefore there's a lot of vulnerabilities. The vulnerabilities then create a big attack surface. The big attack surface creates more and more attackers. And we've grown in every one of those areas. Then throw geopolitical tensions on top of
it. Anonymity on the Internet. Big storm. And we have a storm, right? And just over the last two decades, every one of those confluences got almost exponentially worse. And you have all these like, you know, revolutionary kind of tax. You know, the Internet comes along, mobile computing comes along, and now we have AI and quantum, you mentioned as well, and you put that all together. It's an interesting world. Last thing I would say is I talk about this, this fusion. And to your point of what's
interesting, we focus at Night Dragon investment advisory on these five domains, right? There's five battlegrounds really in the world. You know, space, air, oceans. I want to talk space and then cyber, right? So five domains. But what's happened is they're all fusing, right? So we now have cyber threats in space. We have threats in the air, oceans, land, and it's all kind of coming together. Whereas we used to have different, almost
bowling alleys, so to speak, of each of the domains. So it's crossing over, it's getting more and more difficult. And then of course, this year, 60 countries have elections. So that keeps it interesting too, with misinformation, disinformation. So a lot there. But may we live in interesting times, I always say. And boy, do we have interesting times.
And I'm glad they're interesting people doing interesting things to try to ameliorate the risk. I don't think we'll ever say game over, right? I mean, at the end of the day, it's a journey. Exactly. And I do want to pull the thread because I do think space and cyber are very applicable. They transcend all domains. Airland, sea,
space and cyber's respect and air, land, sea, cyber and spaces perspective. And I do think it's that convergence point where we're going to see greatest opportunities and also the greatest risk. And just curious, in terms of. And AI ML, those are enablers to all of those domains as well. Right. When you look at sort of an investment, what are you, Are you looking for the team? Are you looking for a technology? What differentiates Night Dragon from others in the space? Wow. I'll take the next 28
minutes for this one. Sorry. But we look for, you know, inherently we have a motto, secure our world for tomorrow. So, you know, it's a big mission statement, but. But the idea behind it is we look for the biggest threats, the biggest risks that we see on the planet across all five domains. And then we look for technology that can scale to meet that risk. I saw that when I was first looking at FireEye, for example, when I became CEO there. I never heard of FireEye.
It was like, what's a virtual machine in the network kind of thing. But because we could detonate kind of executables in the network, we were able to see malicious attempts occurring. Nobody else could quite see it. It was solving a major threat or risk. So we look for that kind of technology as much as we can and then we apply it from an operational standpoint. So think very strategic threats and risks,
make investments and then be good operators, helping our partners grow their business. So we're very domain specific, we call it security tech. And we want to be a great operating partner to help with government activities, help with partnering, go to market activities, help with marketing, sales, research and development, all the areas because we're operators ourselves. And so the more we can help them be deep in our sector, the better success we're
going to have in what we're doing. So that's what we are strategic operating. Investors
and more mid to late stage. More mid to late. So growth and beyond 20
million of revenue is where we like to start as opposed to the early stage where the tech risk is still a little higher. And you kind of mentioned two of the three T's that I like to talk about, team tech and tam. So we look for a really big total addressable market where a big threat is occurring. We then look for technology that can scale to meet that opportunity. And then we really look for a team, especially a team that has mission in their mind. Right.
So that's why we love the DC area and you know, military backgrounds, intelligence backgrounds. And the more mission they are, the more we're able to partner with government, the more we're able to partner with global governments, the more we're able to really bring them into the mainstream. Dream and trust. And so that's our little mo. Get the team right, get the tech right, get the TAM right. It's a great three T's.
That's something even I can remember, which is good. Catherine. I mean, perfect segue to sort of talk a little bit about government sector in particular. And I mean, this may be a little Pollyannish, but cyber security is a team sport. It's one team, one fight. Public, private. So crucial, what are your thoughts along. Those lines, well, following
up a little bit on what Dave said, kind of my role at Night Dragon is very much on the operational side. It's to really help our companies do fulfill that mission of providing their, we think, awesome capabilities to the government. And really when you join the portfolio, if you're not already doing that, it's an expectation that we then would help you with. Many of the companies already are oriented towards government, but a few of them really haven't cracked the nut for a number of reasons. It
can be tricky, it's expensive. People don't know how to do it if they haven't come from government. So we could help some of our smaller companies that haven't yet sold to gov, but have a great technology that they should be. And so the way you could look at it is I love when Dave talks about the portfolio
as a whole because we especially are good at creating synergies between the companies. So for example, some of our companies might be more mature in gov, maybe they're in existing programs and there are learning learnings there that we can cross pollinate to other companies and even bring them in. And then from the perspective of thinking beyond just cybersecurity, because the world isn't really only anymore just about cyber threat intelligence, it's also
about real world threat intelligence. It's seeing even beyond the synergies that exist for network security. It's actually seeing how data can be fused. I mean really even kind of within the platform. We're creating these relationships where it's better together. You know, we're taking technologies that relate, for example, to like bot intelligence and then what would traditionally be
considered threat intelligence and trying to get them to integrate and to work together. And those are really interesting conversations to the government because as you know, they are also trying to figure out how to sort of uplevel the game in terms of thinking about how we use intelligence and get smarter about it. Especially when you have AI capabilities that let the government sort of be, you know, look at larger fields of
data to collect and sort of synthesize that intelligence. So that's another thing, another thing we bring, which I think is really cool because it allows me to marry up kind of different aspects of my career is the way we help our companies work with and integrate with systems integrators or larger, you know, defense contractors and then some of the really key distributors here. People don't really understand that there's this large ecosystem
that you really, you can't operate independently. You said it takes a village. It Takes it's a team sp we have to work with bigger companies. We help integrate smaller technologies. And that's really the fun of being at night Dragon. Our vision always goes just beyond the one company we're investing in at the time. It's how they fit into the bigger ecosystem. Kathryn's amazing at helping our companies on this, and I give
her a lot of credit for it. We've had this playbook, almost this operational playbook that partners with the government to partner with the industry. So we start with the government and thinking about what we can do to partner not just with policy, but also with programs and various types of playbooks with the government, but then ultimately the critical infrastructures that they govern as well. So if you can do that right as
an investor or advisor, it can create a very powerful multiplier in the effective. And as you know, that playbook is hard to do, but those who know it, like Kaufman, can really create a lot of value add for our customers. No, not to
steal our own thunder, but we're going to be coming out with a transition task force and priorities for the next administration. It will be a new administration one way or the other. And one of the items we're looking at is playbooks in terms of responding to particular actors and to know what their pain points are and to know how we would respond and respond in kind. So you're preaching to the choir here and easier said than done because you have to have the political will and
do the reps, right? It's like going to the gym. You can't just suddenly go into game day without all the blood, sweat and tears to get to that point.
What's really interesting about the process that you're talking about and trying to inform a new administration, but also looking at all. I mean, this administration has been prolific in terms of many of the things that they've been EOs and is helping companies that may not be huge with a ton of people to look at these things, understand how they impact their mission and how they sell to the government and how they
can meet some of the missions created by those very policy directives. That's something that's really missing and that goes not just for governments consuming technologies, but it's also, for example, how a bank would take a technology in and leverage it per a directive or a recommendation out of nist. There's a lot of space that's created for organizations
like yours that are, that are synthesizing and explaining what these things mean. You know, there's examples all the time Of, I mean the executive order with section 4 and a number of software provisions had the effect of spurring innovation in that exact area. And that of course I believe was by design. But we can then see companies coming up into the market that might be ready at some point to scale to gov. And we can sort of flag those early because we have the bird's eye
view into what's how industry is responding, sometimes not even really directly knowing. And you can say to government friends like those technologies are on the way, here's what they look like today. And so that's a really cool thing that we can do in our partnerships with government. And we had Chris Inglis on in our very first episode
when the strategy came out in terms of burden sharing and not. The reality is ransomware has democratized the cyber threat and cyber risk. Everyone is a target, from the biggest companies down to the smallest companies. And the reality is, is not everyone has the resources, the wherewithal, nor the time and effort. They didn't go into business thinking they had to defend themselves against the Russian intelligence service or the Chinese military or
North Korean government hackers. But, but that is the world we live in. And it's this, this need to bring some of the, some of the different actors together that I think is important. But, but the reality is we don't fully have visibility, do we? And maybe that is the starting point because it's not just the zeros and ones in the traditional sense. It's physical. Cyber is converging pretty fast, isn't it? Yeah,
I mean, I believe so. I mean I see and have been speaking about cyber physical convergence for a couple of years now and we started to see signs of that with not Petya and wannacry and like, wow, we suddenly had a cyber vulnerability bring down the world's supply chain and operational technologies in a way that we just
didn't realize what a connected world we have. You fast forward now we're seeing, I mean it could be a hurricane, it could be an active shooter, it could be a physical event that ultimately has an effect on a data center or has an effect on some operations. So if we don't map our physical assets to our cyber assets, we're not doing a playbook for resiliency. And that's really the word now we need is resiliency. And that's well said. And yet not many companies have converged their
ITOT in a combined SOC to get a that visibility and more strategically to really look at it holistically. But that's kind of where we need to go, isn't it?
I believe so. I look at. We've had a number of companies in the OT space for years and when I was Even back as CEO of McAfee bought a company that helped at OT security I could see this coming. Then when I was at Mandate and FireEye we did a lot of OT incident response. I mean this threat's coming and the threat to the OT ICS world is much greater with kinetic
ramifications and potentially the cyberspace even. But you start to put ransomware together, accidents that can occur and then you put all this lack of air gapping we, we, we have a problem with. We were vulnerable and Americans, we've seen. That play out in
Ukraine. Well placed bombs can have kinetic attacks on cyber infrastructure. Vice versa can have significant effect. Catherine in Q Tel, what are your thoughts there? Because truth is I was a huge proponent when Ruth David stood it up and big fan of what they've done. Is that a model that's working in your eyes? I mean I think
so. I mean I don't have the academic study on it, but we have real world experience experience working with companies that come out of in Q Tel and I just. In general I think it's a great concept. The government should absolutely be in early stage technology because that's maybe a little bit less so than when it was started. There is much more private capital available for these sort of newer, younger defense tech ideas. But I think when it started it wasn't the case. So now it's
more of a nice combo. But it absolutely still has a role to play. And you know we, we enjoy seeing. That's our pipeline, seeing companies come out of an incitel. Yeah them and others. There's a few other defense type incubators that are either not for profits or actually sort of DOD sort of sponsored some of the services
have their own houses that are working on early stage software technologies. So it's a little bit more of an ecosystem than just in Q Tel but they are really pioneers I would say we like to think of ourselves as sort of filling in the really important gap that comes after because companies that come out of Inkitel, they then have to, if they're successful, which you know, they have the support of Inkitel and I really think that's invaluable. It should be said if it's, if I didn't
say that directly, it's very invaluable. We can catch them and see them through their growth phase. And why is that? Important. I think that's important because people very often talk about the difficulty of scaling that technology to actual production, especially a DoD like
they're a sort of. That's a common topic of conversation is the valley of death and how we actually take these technologies that just have had pilots or sbirs, those are small business contracts into like, you know, ideally everybody would want enterprise level deployment. That's why they're investing their dollars is to get to that level. And so we have a special place in that chain too. So we see all those early stage efforts as being very interesting and valuable and we try to stake. Can I do
a quick shout out? I mean I watched Ink U Tell under Chris Darby and Steve Boucher for years. They were an investor in the FireEye very early on and to watch the progress they've made, to watch the impact that they've had, it's real shout out and you can see it now. I go to the In Q Tel conferences in Palm Springs. You know, the number of companies, the community they've created, the collaboration with the community they've created, it's come a long way now having said that,
we still have a long way to go. You know this isn't an ink util thing but when you look at diu, you look at darpa, you look at Red Cell and some of the others and Data Tribes, we have a few of these EIR like programs, entrepreneur and residence programs and ways to build but we need more of that. And for an investor who's going to Israel for 25 years and I watch the ecosystem in Israel, the education system, the innovation system, the connection from higher
education to innovation, the entrepreneur model, the early stage capital. I mean this is a well oiled machine there that we aren't quite well oiled yet and we have more work to do. And I'm definitely going to pull the thread on on Israel and
other small countries that punch well above their weight. I put Estonia there, I put Singapore. They all live in tough neighborhoods. There's there might be a reason they don't have a choice but to do it. Well, another one is India coming as well.
There's now not so small, but not so small, but another country. They've developed 300 cyber companies in the last four years, several unicorns. A lot of reverse immigrations occurred during COVID and you're now starting to watch an India ecosystem rise up because they have the institutions and education and the experience too. So it's interesting to watch. This
is worthy of a full conversation around India because why Is it an emerging massive market hasn't done but if you look at the executives in the United States, a huge percentage comes from India and are educated in India and I think in time it's going to be homegrown as well. But before we sort of jump into that because I do want to sort of talk the global market as much as we can and some of the challenges for doing business with US government given cfius and
and some significant supply chain related issues. But on the public, private anything when starting now you guys are mid stage so it's maybe a little different but when you start a company very different than if you're going to serve government and industry. Right. And I'd be curious what you think some of those telltale playbook. What are the first three things And I'm not gonna make you list. We have a really long
checklist. She does. It's like. Well we have to really assess because as we've grown especially we're adding companies all the time. Some are cyber, some are data, some are real world sort of intelligence. But we do have a really long checklist to assess maturity. We call it sort of it's a maturity assessment to know how our companies are ready to go to gov and to try to make sure that we are helping them in areas where they're not and a big area you would have to.
I think it's where people start because it makes them most nervous is all of the requirements right. If you're a cloud company you have to comply with FedRAMP. If you're any defense company you have to comply with 800-171 and soon CMMC. Beyond that there's now the new requirements for software code validation and determining whether you're providing
a something that's deemed critical software. There's a patchwork quilt of those things and I think the key thing is not to be afraid of them but also to see that requirements like that can be your friend. There's a bunch of other areas. Sometimes it's just finding a team that knows how to sell to gov because the same people that are selling to your commercial companies are probably not going to do that. Well when they're pitching Department of Energy maybe they can't even get in the building.
So there's all these considerations. There's also, and this is kind of a favorite of mine is how you market. I mean you think you can take your decks and your sort of your pitches that are for private sector buyers and they have to be changed. And the other thing is In Gov you really have to create especially because usually there's specific requirements that are lacking. Right. The government has to do hardware
asset management and software asset management. All the basics that were in cdm, they have to do edr. Now they have to do certain things per various OMB requirements, but within that there's not a lot of specificity as to how they should achieve it. And so you're really trying to sort of sell them on the attributes of your product. Right. And that's really tricky because buyers in government, as you know, they may not be motivated to buy the most secure the product that can bring them the
most security. They may be going for the lowest cost. Right. Lpta. So there's considerations that exist in government that you know and not to mention acronyms that you can't even wrap your head around. And so you know, that's why we think we provide such great value to the portfolio because they as they come. Yeah, this sort of basics alone, I'm sure I've missed a bunch but those are the ones, those are the big ones that I would help our companies with. We've had a couple of
in depth discussions around Chevron deference and what those implications can be from a regulatory standard perspective. I think it's fair to say that from a government perspective those will still all be in place. And one thing I just want to foot stomp around in Q Tel and this is what I thought, I believe is most successful. It's not the companies themselves, it's the fact that culturally they've been able to build trust.
CIA in particular, where its DNA is from, not invented here is a big issue even within that tribe. If you're not part of that exact tribe, you're not necessarily going to get residents. So I think to me that was one of the biggest things to come out of in qtel's success is that it has nurtured some trust. And to me that takes a long time to build and pretty quick to lose.
Well, not to preach for a second, but when you look at what happened during COVID and that window where so much of our massive talent base disseminated back to countries around the world or was unable to come to the country as part of the the changes in travel that occurred, we now have a world that is innovating at a very fast pace outside of America. America needs to become a hub. This isn't just for America born and raised tech companies. This needs to be a world
born and raised. Coming to America in a way that enables us to control and manage as much of that security infrastructure as we can. And I say control, you know, careful work. But you know, my company FireEye was founded in Pakistan. Not a lot of people know that. I did not know the team. 80 engineers sitting in Lahore, Pakistan. You know that technology immigrated to America. The team immigrated to America and
it became a great success story in a lot of ways. You look at Apollo Alto Networks, in a lot of ways was in Israeli, near Zuk and the team there. There is so much goodness around the world that we need gateways to come to America, not just through Inky Toe, but through a lot of programs. The better we are at that, the safer we'll all be. Let's segue into that discussion. Looking
at the marketplace outside of the United States and I am worried that at some point we get to the point that there's autocratic regimes and democratic regimes. I think that is the ultimate firewall. We still need to keep up. But I'd be curious what some of your thoughts are. Why is Israel. And we've had the Israelis on board, including the former head of 8200 and the National Cyber Director and others. But I'd be curious what you think some of the success there. Systemic culture I'll start
with. And education early military service. Clearly, you know, 18 citizens are part of IDF for a three year service. This is a, a capability that they leverage in an incredible way. It doesn't have to be exactly that model for America to be great at that, but we can be great at it. When you look at America's cyber education system, we don't have a much or want. Right. And I always compare what Israel's doing with education early and China's now doing with education early. And then I
look at America, we're very sporadic 440 higher education kind of universities in America. How many really have a cyber program with job and innovation as part of that program? You know, a couple of fingers. So if we don't systematize our education into innovation, into job, job creation, we're going to miss what's an important thing. Now you see pockets and I'm watching CISA and others looking at this as a big problem. But
cyber education, cyber education, defense has to happen, right? And it has to happen early and often to get it to a cultural impact. You know, you're going to make
me do my little infomercial here. So the state of Alabama has the first magnet school I'm a trustee for Trans Transparency. It's the Alabama School for Cyber Technology and Engineering. First Magnet school at the high school level focused on engineering and cyber security. Love it. And I got to tell you, these kids are rock stars. They're going everywhere and some are going straight into the marketplace out of, out of high school.
They're all the five star recruits. All universities are trying to get to them. There is a model, it's just, it needs to be replicated, scaled. We need to scale it on steroids, not slowly because that is what we're up against. And here's what's
amazing too is it's no longer a technology problem. We invested into a company was called Thrive dx. Not for a minute infomercial on this, but this came from Israel. They trained the IDF 8200 personnel on it. It's basically creating all kinds of gamification to learning cyber with boot camps and things. And in a 16 week boot camp we can take a relatively uneducated person into a sock analyst or a pen tester so that the tech is there. And with AI now we can train and teach
in a virtual way. Yep. How do we make this part of all of our education infrastructure or stuff like it if we do that, wow, can we fix. And
I love the gamifying. The reality is is there are so many young, incredibly talented women and men in America that are on the sidelines because they may be neurodiverse. You give them a gamified approach to be able to play ball and they're. They're
on the D1 and reskilling veterans like the tech for vets and wounded warrior programs where now we have education we can bring back to them because they had a mission focus early on experience. Exactly. And want and desire to help. So we just need the programs put in place to do it and we have all the pieces. We probably need a leader to drive all this tops down. But it's. I think
we know what your next, your next gig is Dave. So please, seriously, for cyber
education. Yeah, yeah, yeah, no, absolutely. Let's. So let's go to a current massive incident
that occurred not so long ago. Oh, I didn't notice. And we'll call it the CrowdStrike incident. Even though it's more broadly impactful. But that should have probably brought up some memories. Right? You had your own CrowdStrike moment at McAfee. 59. 58. So I'd be curious what some of your thoughts are there. And, and quite honestly you came out of it stronger. So curious what our thinking is there because I'm going to
tell our audience now like we've said every time, patch, patch, patch. But that doesn't mean it's always going to be the right answer or won't have downstream unintended consequences. But please. Well, it brought back a lot of memories. I wouldn't say all Good.
A little PTSD is that day unfolded. So July 18th at about, about 10:00 at night, west coast time, I started to have my phone lit up and a lot of activities occurred. Reminded me of April 21, 2010 at 6am that morning, which was the 5958 issue. So I was CEO of McAfee. We had a faulty DAT release. We called them dads back then. These are content updates with all the virus protections, similar to the C591 that crack CrowdStrike sent out erroneously. And so, you know, what
are you dealing with here? You're dealing with an incredibly complex environment with these operating systems and things. So 14 years ago, when McAfee had its issue, we were able to roll back the content within about 16 minutes. We affected 1692 companies. So I got 5, 9, 8 and then 5, 9, 5, 8 and then I have 1600, 172. And that's how many companies got injured that day by McAfee. And some are
big, right? Some are very big. One of them was Intel Corporation who later bought
McAfee. But we, we did our best to recover. Fast forward to July 18, 2024. You know, Crossro did everything in their powers to, to recover everybody. This is not for lack of efforts. These accidents will happen. The speed of threats, the speed of risk that's occurring, the complexity of kernel level access to a Microsoft platform is intense. And you know, accidents will occur. Now, having said that, there was a lot of
learnings out of this one. I mean, this one affected 30,000 customers directly in minutes. So instead of rolling it out in stages and rings, it was a big bang kind of model. And you know, what did we learn from that? Massive ripple of
effect. It had a massive ripple effect. 694,000 companies ended up being affected by this
outage. This was supply chain along with the 30,000 directed. She had a very big global impact that occurred. But I always say, you know, what doesn't kill you, it makes you stronger. Right? So we need as a team, public and private, to work together on change because we don't have a sector regulatory agency governing cyber. Right. We,
what do we do to learn from staging, testing, rollback, resiliency for cyber vendors? What do we learn about segmentation of networks so we can roll it into networks easier. All things that just weren't in place even after 14 years from the McAfee event. So we need to learn from this. We never let it happen again. And so like rollback should be mandatory for every cyber vendor, every patch vendor rings of staging should be a part of this. So there's inherent like NIST control, like things that
need to be in place for cyber vendors and frankly IT vendors overall. And I don't want more regulation. But if we don't put this in place, I call it like security by design. Not just secure by design, but we need cyber security. Security by design. So passionate topic for me and but I give a lot of kudos to the teams for what they did best efforts. But having said that on accident of that proportion cost billions of dollars. Unfortunately it was the case and if. You
think about it, if it were intentional at a time that it could be the first volley or first phase of something more significant, it does show our dependence and it begs for greater resilience as you. Absolutely. As you double tap. We think about
almost every company has patch management processes risk quantification around patches, with the exception of the cyber vendors because we all been taught that these threats are dynamic. So if they need to update every minute or every hour, every day or whatever it is, let them update because I'm safer by being a little able to update. So they obviate the patch management processes and directly update production systems, servers and workstations all over
the architecture. And we've allowed that to occur. So what safety and you know, security do we do to that going forward? Not that we don't want the speed of response for a threat, but we need safe speed and resiliency to that threat. Absolutely.
And again, whether it's solar, wind, just having visibility is sometimes very difficult. Catherine, anything you want to add? Yeah. And I think we're going to see some changes in government. I think you probably are. We may have been a little weaker, for example
on the guidance we had coming out relating to updates. Right. We so much focused on software integrity and assurance which is. Right. Because that's what we Learned out of SolarWinds and supply chain. But I think there's going to be more focus on the updating process. I do think what's interesting if you. Lift and just before I think
I'm correct in saying most DoD systems were not impacted. Right. Because of some of their testing. Is that fair? Well, I don't know if it was because of testing,
but it also may have been the ubiquity with which some of those products were deployed at DoD maybe in that case. I also think that the DoD and US civilian agencies are better at knowing where their software is and what's running. And so they're might be a little. More optimistic than I. Some of them, some of them
are, they've deployed technologies that should have let them know that anyway. But I think if you lift the conversation up a level and what's great is I guess that we have conversations like this with our, you know, sort of these higher order conversations with our government partners. I think that there's, and Dave and I are part of
these conversations. There's more ask on industry and the asks are, hey, could you guys do a better job integrating your products beforehand so that we don't struggle with it when we're putting them together in these programs in DoD and civilian. And so that's
kind of an ongoing conversation. But in light of everything that has happened this summer, they will also ask and should ask, well, when you're updating those products, are you going to test them together and do those testing environments even come close to approximating what my tech stack looks like? And so this is a conversation that I think the government is sort of looking at industry and saying like what responsibilities do you
have out there before we're installing stuff out here? So I think that these conversations are going to have higher order ramifications for us. You said something that I don't
want to get lost together. The reality is when we look at public private partnerships, I've long said long on nouns, short on verbs. The reality is it has to be operational collaboration. If you're not practicing together, you ain't gonna be a team when it matters. I think that there are, there's been a lot done in unifying threat
intelligence and even in ir. I think we could say that. And that's, you know, it's been coming, but it's been recent. But I also think this is my opinion that there probably isn't adequate testing facilities and that maybe there's more of a thought of there needs to be sort of more robust joint testing capabilities that comes to mind and make the. Mistakes when it doesn't matter. And by the way, if I
could, this is again not a technology problem. We have cyber ranges, we have the ability to test, we have the ability to test together, but we haven't implemented it right. So we don't have like if you think of vendors on one side, customers and critical infrastructure another, what's in the middle? Testing everything on the vendor side to
prepare it for customers on the other side. We haven't put the middle thing together and we've done it from some thread sharing and from some incident response frameworks with the work we've done with JCDC and some of the CSRB efforts that have occurred. But how do we now test better together? I think it's the future because customers are getting thousands of patches a week. We're going to have more of those problems.
Very well said. And we're close to the end of our time, but I wanted to ask sort of the unfair question and Yogi Berra once said the future ain't what it used to be. Where do you see things going right now in terms of not today, but five, ten years out? Where would. And the best way to predict it, I guess is to shape it right and put the, put the time in to get it done. What does that look like? Because I spend my life
thinking about bad people doing bad things and bad country. It's nice that every once in a while flip it. Even if, if, even if I still have to hit my snooze button and wake up with the same headache one day. The quick answer
is on the ominous side for a minute. But now go to the positive side. It's been scary to watch the last couple of years because a number of threat actors has really risen almost 3,4x like when you have a 3 or 4 times multiplier. When I left FireEye and mandated 2018 we tracked 880 bad actor groups. There are 3500 known groups today with 3500 TDPs with unique fingerprints to what they're doing and attacking. So now you have even apt those that are even at the highest
level sophisticated. So you have very, you have virtual groups now, you have nation state
groups, you have proxies, proxy groups. And it's amazing how the actor group has grown. You put money in economics on that ransomware as a service and you suddenly have this out of control with very little adjudication of people and retribution of what they're doing. So bad things can happen. And then you put all that motivation of these bad countries with bad leadership. You end up use all source, not just cyber means.
So that scares you. On the other hand, I'm also really encouraged by what I'm seeing in AI. Like really encouraging. And I'm sure you hear this all the time. But automating, like for example automated pen testing. What a concept we had for years. Pen testing was like a bunch of humans coming in to Attack a network to kind of see what vulnerability. People did it once a year. Okay. Then we do it once a quarter. We have autonomy platforms to do constant pen testing of a
system to rid of every vulnerability and self healing as part of that now. So automation using AI, what's called, you know, these autonomy platforms are really encouraging to watch because what we had to do with a hundred cyber professionals inside a big company
can be done with none. Yeah. And we can automate this still higher. Well, we need both right at the end of the day, but watching AI and the ability to automate and create faster responses and better intelligence, machine learn, open source intelligence to get everybody helping faster. There's some real promise to what the defense can do here too. So it's going to be a battle. Can'T lose the AI. And, and Quantum
can change the whole game. Right. But, but AI, we can't be followers. We have
to have to be leaders. Absolutely. And in the area of Quantum too, and the next technology that coming, I mean watching what happened with chat, GPT 3 to 4 coming to 5 and the speed of this is incredible. And so many other technologies
that are incredible. Catherine, anything to add to that? And by the way, we had Phil Venables on not too long ago who was a huge proponent. I've always thought that the initiative remains with the attacker, but he is all in on blue and the defense. Yeah, I guess I would offer an insight which is that at night
Dragon, we get to sit with these technologies as they're maturing and getting ready to really offer themselves at scale to either companies or the government. And it's pretty cool when you sit there and you're like, wow, okay. And you're starting to understand how it's changing. Technologies like Dave is mentioning are going to just totally shift the landscape for all the existing tools that are already in the environments and make them better
maybe, or make them obsolete. And obsolete's an important. We have to learn when to
let go of technologies. And this is sort of the unfair question. But endpoint, do you see that playing as prominent a role 10 years from now? I do. You do? I mean, I think it's going to diminish a little bit with virtual machines
and the way in which we can carry our virtual image around without a computing device in a way and just plug it in, anything. But having said that, I mean we're going to have a lot of endpoints, IoT endpoints. We're going to have SCADA. Right. There's just too many connections to IP networks today. To not have that and get close. To the data too, though. Correct. So we'll start with you, Katherine.
Last question. What questions didn't I ask that I should ask? Man, you covered so
much, Frank, you know, I don't, I don't know. Like we could have talked more about PQE. We're going to be working on a project on NStack with Post Quantum. And I try to remind people it's not only about encryption. Right. We're talking about how quantum technology is just going to. Quantum compute is going to change the whole technology landscape. We forget that because we're so focused on how quantum computing is going
to bust encryption algorithms. Very important. Well, I think for me, I guess your question to us could have been and maybe for next time is what? But I'm so blessed I get to be around all the people in government who are doing the coolest things or contemplating the coolest projects from fusing intelligence to Post Quantum. So I'll say to Dave, let me go do that. That's a great learning opportunity. And so always, if I was on the outside, I would say, what is Night Dragon trying
to learn about? And so that can be for your next episode. Let you close
it out, Dave, sort of what questions didn't I ask him? I love the way that Katherine teed that up in terms of Night Dragon. I'd like to just say
thank you. Thank for hosting us and thank you for the content you provide here. It's incredible. And I just say what an honor. I've had a Chance to serve four administrations now, been involved with this community for 20 years and to watch the village that's getting created, people working together. This is a team sports cyber. It's a team sport, you know, across the world. And the more we work together, the better.
A big shout out to our leadership and government. The cyber leadership's been amazing. Watching the work Jen Easterly does and Anne Neuberger does, and I think you have David Lubin coming. You've got, you know, like everybody's energy and effort to partner with private sector and private to partner with public sector is here. So we need to keep it up through the next administrations. And if we do, it's going to be a
better world. Dave, Catherine, thank you for your time. Thank you for your service. And
it's always great to see the good guys have some of the best talent fighting all of this. And is this a bad time to say go blue for defender
versus red for auburn? Orange. Orange. You can say red. We don't care about that.
So that's fine. Thank you. Thank you. Appreciate you. Thanks. Awesome. Thank you both. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing your ratings and reviews. Help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you'd like for us to host. Until next time, stay safe, stay informed, and stay curious.