The Intersection of Political Science, Risk Management, and Cybersecurity

September 9, 2019 • Zane Pokorny

Our guest today is Matt Devost. He’s CEO and co-founder of OODA LLC, a company that helps clients identify, manage, and respond to global risks and uncertainties. Matt Devost has been at the intersection of public policy and cybersecurity since it became possible to align the two. He has expertise in counterterrorism, critical infrastructure protection, intelligence, risk management, and cybersecurity issues.

In addition to sharing the story of his career journey, we’ll get his insights on managing cyber risk in a complex world, as well as his thoughts on threat intelligence.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 124 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest today is Matt Devost. He’s CEO and co-founder of OODA LLC, a company that helps clients identify, manage, and respond to global risks and uncertainties. Matt has been at the intersection of public policy and cybersecurity since it became possible to align the two. He has expertise in counterterrorism, critical infrastructure protection, intelligence, risk management, and cybersecurity issues.

In addition to sharing the story of his career journey, we’ll get his insights on managing cyber risk in a complex world, as well as his thoughts on threat intelligence. Stay with us.

Matt Devost:

It was something that I discovered that I wanted to do once I got to school. I had an interesting mix of being a political scientist with a focus on national security issues and in particular, asymmetric threats like terrorism, that was also a computer scientist.

Early on, I befriended, through bulletin board systems and later through university networks, folks in the hacker community that were tinkering with systems and learning and exploring just like I was. A few of them were a little bit more reckless and were breaking into official corporate sites and government sites. I had an aha moment where I said, “Geez, there’s a real blending of the two fields that I’m interested in.” Our increasing dependency on communication technologies and information systems coupled with the inherent vulnerability in those systems that I’m seeing through these friends poking around, creates a new national security threat. I started writing on that topic in 1992 while still an undergrad and it turns out that that was the cusp of the cyberwar, information warfare, information operations field.

Dave Bittner:

Give us a sense for what the lay of the land was then, in the early ’90s, what were we looking at?

Matt Devost:

Yeah, there was not a lot going on. You didn’t see a lot of stories in the news about this issue. Unbeknownst to me, the U.S. Department of Defense in 1992 also issued a top secret directive on information warfare. I didn’t know that it existed until three years later when I was out of grad school and I actually got a clearance. There was just an emergence of a community around these topics. For example, I think 1994 was the first InfoWarCon, so Winn Schwartau and Mich Kabay and Robert Steele getting together and saying, “Hey, we think we know enough crazy people that are talking about this topic, let’s hold an event.” So it was really, really early days. If you had asked me is cybersecurity an optimal career field, the likely response would have been it’s hard to envision it.

I do know when I got to grad school, which was a year later in 1993, I proposed doing my thesis topic on information warfare or the threats to national security in the information age and it was actually denied. And a year later we had gained enough momentum and there was enough dialogue and interest in the research I was doing regardless that that was enough for the university to reverse their decision and actually allow me to do my thesis topic.

Dave Bittner:

And what was your thesis topic?

Matt Devost:

It was called National Security in the Information Age.

Dave Bittner:

And what were you covering there?

Matt Devost:

I was covering the full gamut of threats to national security, ranging from the erosion of individual citizen privacy and what that would mean to cyber terrorism, to economic espionage, to full state versus state conflict.

Dave Bittner:

And at that time, what were the specific threats that were on people’s radars?

Matt Devost:

The real specific ones were the evolution of the nation state piece. We didn’t have the designations of APT and stuff that would come almost 15 years later, but we recognized that we operated in a complex global environment and that nation states engage in conflict. So that was one of the primary threats. Also, a lot of discussion, at least I spearheaded a lot of discussion given my blended interests, in the emergence of cyber terrorism, would there be terrorist and other gray area groups that would engage in these methods of attack, versus conventional terrorism.

In those early days that was a lot of the focus. Of course we also covered the personal privacy issues. We also covered the corporate espionage elements because that was starting to emerge as well, with documented cases of companies trying to compromise each other’s systems or embed microphones in sensitive locations to try and get that corporate intel that would give them an advantage in the market.

Dave Bittner:

And how has it played out in terms of the predictions that were made back then when it comes to things like global terrorism related to cyber, has it tracked the timeline?

Matt Devost:

It hasn’t. In 1995, I wrote a paper with two colleagues, ’96 I apologize, ’96, called “Information Terrorism: Can You Trust Your Toaster?” And looking back on that after having written it so long ago, we said, “Hey, what did we get right? What did we get wrong?” And in the paper we predicted things like the emergence of the Internet of Things. The joke in the headline was that your toaster would be connected to the internet. We knew that networks were going to be propagated and they were going to be everywhere. We knew that this was going to be an increasingly important issue. We knew that the U.S. would organize around this and that there would be a military function associated with it. We even predicted the emergence of Cyber Command and some of those entities. We knew that terrorists would use this technology for reconnaissance and doing their casing of targets and for fundraising and to facilitate other types of acts.

And we also predicted at the time that we would see some sort of cyber terrorism attack in the next 20 years that would target critical infrastructure in a sustained way. That was the piece that we got wrong. We thought over those 20 years that we would see some sort of significant attack that would manifest itself. And in reality we just didn’t see that. If terrorists adopted this as a method, it was very, very low key. It was more focused on fundraising and even nation states, we haven’t seen a sustained attack on a critical infrastructure that’s been notable. You have instances in the Ukraine and elsewhere that are definitely blips on the radar screen, but nothing like we predicted.

And the other thing that we failed to predict at the time was what we later defined as this targeting of trust. So looking at what institutions are trusted in a society and trying to erode those. And of course that’s the manifestation of what we’re seeing now with some of the influence campaigns and the targeting of election systems. That was another key thing that we missed. We didn’t realize that the institutions themselves and the trust that democracies have in those institutions would actually be a target of attack.

Dave Bittner:

Do you have any explanations for why terrorist attacks haven’t happened the way you predicted them?

Matt Devost:

Yeah, there’s a couple of reasons. One is that to have a sustained impact on a critical infrastructure requires a significant amount of technical expertise. It’s not something that you just luck into. It’s something that takes an understanding of how those systems work, and then extensive reconnaissance and compromise and then the ability to exploit them. So there’s a protective membrane of technical sophistication that the terrorists just lacked or didn’t develop over those years. That was one of the key reasons when we look back on it 20 years ago, is that it’s much more attractive, much more impactful to continue to resort to traditional terrorism, conventional terrorism.

Dave Bittner:

Well, what is your take when it comes to deterrence in the cyber realm? Are there nations who have a cyber equivalent to nuclear weapons for example?

Matt Devost:

I think we’ve emerged into that type of landscape where there are actors out there that are nation states that have the technical ability to launch a sustained attack against our critical infrastructure. What we like to describe is that if you think about intent on one end of the spectrum and capability on the other end, and you take for example a terrorist group, they might have the intent but they don’t have the capabilities. So those aren’t aligned for that attack on critical infrastructure. Then you look at the nation states and they might have the capability, but they lack the intent. So if you think about economic interdependence, fear of global condemnation, fear of escalation, to conventional conflict, these all serve as a traditional deterrence in waging a full-scale cyberwar, or at least something that would be significant enough to possibly provoke the other party into using conventional weapons as a response.

Dave Bittner:

And do we see any cases where nation states are making demonstrations of their capabilities to show the rivals that, “You better not mess with us because here’s what we can do.”

Matt Devost:

I think you see that, right? I mean there’s several attacks depending on which side of the spectrum you’re looking at, you could view Stuxnet as a demonstration of capability. You could look at some of the Russian attacks against the Ukraine power grid and other infrastructure as a test of capability. You can look at the emergence of some of this malware that is highly destructive, again, as a test to capability, maybe a test that went a little bit awry and ended up impacting unintended targets as part of the testing.

Certainly there are those demonstrations and then you see now for 20 years, a lot of nations have been incorporating a cyberattack aspect in their traditional war games. So we often engage in war games as a demonstration of our military power and might. We also use it as a way to test our interoperability and ability to communicate and coordinate with our coalition partners. And we’ve included cyber as an element of that for many, many years. So you see that demonstration of capability in the military context as well.

Dave Bittner:

So I want to get back to your career journey. You got out of grad school and where did you go from there?

Matt Devost:

I got out of grad school and I realized that most of the dialogue around this issue was taking place in Washington D.C. I actually bought a one-way train ticket to Washington D.C. with no job and no place to live. And the beauty of AOL message boards: I found a couple that had overlapping leases who, in exchange for the hard labor of helping them move from their old place to their new place, let me stay for three weeks in the old apartment and left me a futon and an iron and an ironing board. And I just went and started knocking on the doors of all of the people who had expressed interest in my work. At this point I had attracted quite a bit of attention to myself. I had about 300 people that had requested my thesis when it was completed. Those ranged from generals and admirals to bestselling authors to the CIO of the Department of Defense.

I knew I had an audience here and I just felt like I needed to get to D.C. in order for people to take me seriously. By the time those three weeks were over, I had a job working for SAIC, the big defense contractor, in their newly minted information assurance division. It was myself and a retired colonel from the Army and a retired lieutenant colonel. They knew DOD and the military and I knew the technology. From there we built what was an incredibly robust practice over the coming years.

Dave Bittner:

And what were the challenges that you were addressing in that era?

Matt Devost:

In that era, we were doing a lot on doctrine and strategy, because this was a new issue, so it didn’t really exist in DOD doctrine or strategy or how we’re going to deal with it. These tended to be at the service level or at the joint level. As you probably know, the Department of Defense really didn’t adopt a formal strategy for cyber until 2010. But back then we were working on a lot of these sub-doctrines. I worked on the President’s Commission on Critical Infrastructure Protection. So the thing that resulted in the issuance of PDD 63, which created our information sharing and analysis centers. I worked with the Defense Science Board on their first report on information warfare defense. So that was at the strategic level.

Then at the tactical level, I helped build and operate the first ever DOD-wide red team. I had the legal authority to travel around the world and target systems classified and unclassified that the Department of Defense was operating. For a small town guy from Vermont who hadn’t traveled a lot, it was great because it turns out that DOD is everywhere. In fact, I found a letter just a few weeks ago visiting my dad where I had detailed my upcoming travel plans for the rest of the year. It was quite extensive and-

Dave Bittner:

You feel a little bit like James Bond?

Matt Devost:

Yeah, I definitely did. It was early days. For the most part we were met with a lot of cooperation. Every once in a while we encountered some resistance. We were able to use what we did in the United States as the basis for creating a coalition red team that we called the CVAT, the Coalition Vulnerability Assessment Team. That was a Five Eyes-type initiative where I actually built and led it for the first two years. I brought in players from Canada, Australia and New Zealand, and the U.K., and when these coalition partners got together to test the interoperability of their command and control systems and engaged in these war games, we would operate as the red forces.

Through that process I developed quite a bit of notoriety because the team was very, very successful in what we did. So that attracted a lot of attention, woke a lot of people up with regards to the impact that a sophisticated cyber attacker could have on actual military operations.

Dave Bittner:

Now, I mean you were really at the leading edge of a lot of this and really blazing a trail. What were some of the lessons that you learned? What to do and what not to do?

Matt Devost:

Yeah, there were a lot of great lessons. We learned early on the importance of just fundamentals today. Patch management, and auditing, and having controls, a great identity and access management, et cetera, having strong passwords. I have a famous story I like to tell about the head of a command who actually had a one character password. These were really early days and we were encountering a lot of lessons.

We also encountered some lessons around red teaming. We learned that we really needed to think outside the box to not introduce artificial constraints in the red team. We would encounter that a lot where they would say, “Well, you’re only allowed to do this and you’re only allowed to do that.” We would have to argue and say, “Well, you don’t impose any constraints on the red team that you can’t actually impose on the adversary.” There was a lot happening there.

And then also a lot about the importance of expertise. I still remember a famous briefing slide coming out in one of those red teams that basically said, tools are not talent. I had access to some of the best tools available in that context, but it was really the people and the ability to build a robust team that was an enabler for us to be successful. I found the exact right guy in the Canadian military who had the skills and the computer science background, on the U.S. side actually, recruited out of the National Guard. I had a member of my red team who actually worked for one of the big technology companies by day and then in the summer I could snag him for six weeks to go and engage in red team operations. So we also learned a lot about how you build teams, how you structure teams, and the fact that you really need that human operator, that human capability, that tools can only get you so far.

Dave Bittner:

And so what led you then along the journey to where you are now as a co-founder of OODA?

Matt Devost:

Yeah, there’s quite a few steps in between. After PDD 63 and this recognition that information sharing was a big issue, I left SAIC to actually be one of the founding employees at a company called iDefense, which I’m sure you’re familiar with. It’s still around today, owned by Accenture, and it was basically the first commercial cyber threat intelligence company. I helped to build the first cyber threat intel report and sell to the first customers. This was a new market, emerging days, and I had lots of fun.

Then I left to spend a little bit of time with a small group of hackers that was doing red teaming against commercial infrastructure. These were guys that I had known for almost a decade at that point. We started going out and offering what was an early version of the commercial red teams that are popular now.

The market’s fairly saturated with capability and companies out there. But back then that was an early novelty. That company was actually acquired by Cylink, the link encryption company, which later became SafeNet.

And then I spent a decade building my own company. I mentioned the information terrorism paper that we had written; at the time, to protect ourselves from liability for putting that content out in the internet domain, we created a company, a legal entity, and operated a website, terrorism.com, and started publishing and writing and doing collaborative research. We didn’t have Skype and all of these great tools back then, so we had to create a secure extranet and let people from foreign countries connect in and collaborate with us and share information.

We started to get a lot of momentum. I had grants that were getting funded, I had an intelligence center that we were running. I started to get clients coming to us and saying, “Hey, we really liked the research you did on this topic. Could we pay you to do research on topic Y?” It reached enough momentum that I actually left my full-time job and put the company in my basement as the official headquarters and built it out. Obviously, we got a couple of years into it with some great momentum, some great programs, and then September 11th happened. Because we had these programs that predated September 11th and we had the credibility in the market and were not seen as exploiting circumstances, that allowed for tremendous growth momentum.

Sold that company in 2006 and then stuck around for a couple of years helping the acquirer and then left to do cyber threat intelligence again. For a while I helped John Watters and the iSight Partners team. I was the COO there. And then decided that I wanted to be an entrepreneur and run my own company again and created a company called FusionX. FusionX focused really on advancing red teaming in the commercial market. I had seen where the red teaming that I had done in the prior years had become a little commoditized, it had become a little too focused on the tooling. It hadn’t been focused on the threat or real threat models.

So what we did is, we said we’re going to create a red teaming company where it’s all senior security engineers with 10-plus years of experience. All guys that know how the adversary thinks. We’re going to use real threat models so that when we target your organization, we’re acting with the same interest that the bad guy would act in, and we’re going to operationalize these attacks. We’re going to actually steal money from the bank, we’re going to replicate stealing intellectual property. We’re going to replicate going after physical infrastructure. And we built a very successful red teaming and incident response business, because we’d often get pulled in: there’s an incident that’s happening, who’s the best team that we know about at thinking like an attacker? They would bring us in to help with that predictive analysis.

In 2015 we sold that company to Accenture. At that point I became Accenture’s global cyber defense practice lead. I inherited a lot more employees and a much larger portfolio and did that for a few years, left and spent a year in the investment world. Then back in January we started OODA. So that’s the full almost 25 year spectrum.

Dave Bittner:

Wow. So I want to touch on threat intelligence. I mean another thing that you were on the leading edge of, what is your position when it comes to organizations and how they can best implement threat intelligence?

Matt Devost:

Yeah, I think threat intelligence is multifaceted. It’s a key component of a security program that anyone would put in place, for a couple of reasons. One is, I’m a risk management purist, so when I think about what measures you should be implementing to mitigate threats in your environment, it means that I want to have as much information about the variables as possible. The threat component of that is critical. A lot of times we see where people are operating with very poor threat models, or they’re operating with threat models that aren’t applicable to their industry, or they’ve overemphasized one threat actor and de-emphasized another. What threat intelligence does is it provides you with that accurate real-world picture of the threat environment.

You might get direct indicators with regards to who’s interested in targeting you. You certainly see indicators and get intelligence with regards to how folks in your sector are being targeted. So peers and competitors, you are getting intelligence around the evolution of the tool set. So you start to understand, maybe I feel like I have a great vulnerability mitigation strategy right now, but then I see the emergence of an evolution of how attackers are operating or the tools that they’re using, and I need to be able to incorporate that and guide my future security strategy.

Security, like threats, is very dynamic. So if you don’t have that threat picture coming in or that threat intelligence coming in, then you are not going to be able to have a dynamic program. If you’re not dynamic and adapting and monitoring the threat, you’re going to get caught flat footed, which means you’re likely going to have a significant incident that you have to mitigate.

Dave Bittner:

Have you found that there are misconceptions that people have or missteps that they take when they start to spin up their use of threat intelligence?

Matt Devost:

Yeah. A lot of times they might be overly comprehensive or they say that they’re engaging in threat intelligence and all they’re doing is subscribing to a vulnerability feed or an IP blacklist. It really takes some effort to sit down and say, “How are we going to consume this threat intelligence?” And then the key piece of it is how is it going to inform our actions. If you consume threat intelligence and you don’t have a plan for how you’re going to use that to engage in behavior change, how you protect against the threat within your organization, it’s going to be useful, it’s going to be informative, but you’re not going to be getting the maximum value of it.

I think most of the organizations that I’ve worked with that have problems in setting up their threat intelligence capability is that they haven’t thought through the entirety of the process and the process is that a decision is made or some action is taken based on what’s coming in. And then you evaluate that and incorporate the feedback from it back into your future decision process. It’s no surprise that I have a company named OODA, which is after the OODA loop, coined by Colonel John Boyd that stands for observe, orient, decide, act. That’s almost a mirror to some extent of the intel cycle, it has a couple more steps depending on who you talk to, but that’s the process that you need to be going in and it is a circle. It is iterative and the threat intelligence needs to be consistently informing those actions.

Dave Bittner:

As you look ahead, as you look towards the horizon and particularly thinking about the expertise you have when it comes to policy, where do you suppose we’re headed? What does the future hold for us?

Matt Devost:

The policy front is typically hard to predict. You have the erratic aspect of changing a large body of elected officials every two years. But I would say some general trends that we can probably count on, one is that I think we’re going to see an increase in the regulatory environment. We’re going to see an increase in the regulatory environment, particularly as it relates to privacy. I think we will see the emergence of maybe GDPR-like laws that get enacted at a federal level. I think we will see the emergence of some federal breach disclosure laws. Right now the breach disclosure laws tend to be state by state and not consistent. I think we’ll see the emergence of policy at the national level.

But most importantly, I think we’ll see a continued focus on how do we continue to create an open and relatively secure internet from which these societies that want to benefit from it can benefit from it. Where it becomes an asset, not a liability as we’re moving forward. And how do we expand the scope of connected peoples in countries that exist out there. I think we’ll see activity there, as well as some … I’m hoping with the emergence of an AI strategy, some real thoughtful consideration on what new technologies are coming, and how do we make the use of those technologies in the most secure manner?

One thing that I evangelize on a lot right now is on AI security. And when I say AI security, I’m not talking about let’s use AI in the cybersecurity industry. I’m talking about, let’s apply the principles that we’ve learned over the past 25 years, as we’ve built technologies like the commercial Internet and Internet of Things and other platforms, to make sure that we have a framework for building these AI and machine learning systems in the most secure way possible.

My fear is that, as with most technologies, there will be an incredible rush to market. The benefits are so comprehensive that the technology will be deployed and what we will be doing is bringing inherent and increased risk into these systems. Unfortunately if I build a camera and it has a default password in the firmware and I ship it out, it only ever is a camera. It might get hijacked for some purpose of being involved in a large scale botnet, but the risk associated with that device is fairly constrained.

If we’re building stuff in the machine learning space, some of these machine learning technologies iterate in ways in which the human data scientists are no longer able to map to what they’re doing. They create their own variables and they draw their own conclusions and move forward, and we become addicted to the results. A 10 percent increase in efficiency or in sales or whatever it may be. The problem is that if an adversary is able to manipulate that, if they’re able to violate the integrity of the training data that’s used, that bad data, those bad decisions are like compounding interest in a bank. It just gets worse and worse and iterates over time. So what might be a small mistake, small discrepancies, small compromise, compounds to one that can be much larger over time. And given the complexities of these, it’s not as if I can say, just restore to yesterday and we’ll start over. In a lot of these systems that is a restore to zero, and then you lose the benefit of that iterative machine learning over those multiple years that you’ve been running it.

Dave Bittner:

Yeah. And I guess the fear we joke about is that one day you wake up and Skynet has gone self-aware.

Matt Devost:

Yeah. I’m not as worried about the Skynet as I am that we just program some of our dumb intuitive mistakes into the machine learning. I’m not as concerned with the sentient aspect of it as I am in the … We’re programming these narrow AIs to basically be decision machines for us. We’re automating the decision making process and if we don’t build them to be secure and robust and resilient, then we’re going to be in a phase where maybe they are making decisions that are counterintuitive or are economically or financially, or even from an information perspective, destructive. I worry about that. I’ll leave for the next generation to worry about the sentient Skynet type activities.

Dave Bittner:

But I mean, there’s a “who watches the watchmen” thing too. Who’s deciding how the decisions within the AIs are made? I guess one of the points you’re making is that you could have unintended consequences.

Matt Devost:

Absolutely. Yep. Yeah. I write about this a little bit on my blog over at OODA Loop. What are the frameworks? What are the things we need to be thinking through? One of them is, you have to have AI governance. We have to make sure that you have algorithms that are performing as intended, that you have data that is of high integrity, that we understand our external data dependencies. I get this with a lot of entities where they say, “Well, I’ve got an algorithmic trading platform that uses sentiment analysis off Twitter.”

Those systems are very good at finding the guy who decides to create 500 Twitter accounts tomorrow and say that Apple stock sucks. That noise is pretty easy to discern and filter out. How would they perform against a sophisticated influence operation like we saw against the election, where the people, the accounts are not created in one day. The thematic is not that strong that it’s interwoven. Would you be able to have an influence on a platform like that with a sophisticated adversary based in influence operation? Those are the types of things that we need to be thinking about as we rush to deploy this technology in the market.

Dave Bittner:

Our thanks to Matt Devost from OODA LLC for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Zane Pokorny, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
