Max Havey Hello, and welcome to the Security Visionaries Podcast, a show where we invite cybersecurity leaders from across domains and industries to come and talk to us about interesting stuff. I'm your host, Max Havey, and today we're diving into the world of Zero Trust and national security with our guest, Chase Cunningham, better known as Dr. Zero Trust. I'll give a quick intro to Chase for those who don't already know him or perhaps didn't catch him parading around RSA dressed as Macho Man Randy Savage. Chase started his career as a Navy cryptologist and has 20 years' experience in cyber forensics and analytic operations. Over the years, he's held roles as a technology market analyst, a CISO, and a strategic advisor. He's also published numerous books and runs his own podcast, also called Dr. Zero Trust. Welcome, Chase.
Chase Cunningham Hey, thanks for having me on. I appreciate you bringing up the Macho Man thing too. [laughter]
Max Havey Absolutely. That was a highlight of my RSA experience, for sure.
Chase Cunningham I'm trying to get over the trauma of doing that, but hey, when you lose a bet, you lose a bet.
Max Havey There are much worse ways to go about that. And also joining us today is my co-host, Emily Wearmouth, who I can see is eagerly brandishing a very long list of things she wants to talk to Chase about.
Emily Wearmouth Hi, Max. Good to have you on, meet you. Who's on whose podcast here? I'm not quite sure. [laughter]
Max Havey So Emily, do you wanna jump in with some questions for Chase here to start off?
Emily Wearmouth I would love to, if I can start. Brilliant. Well, Chase, we had John Kindervag on the podcast a couple of weeks back, and I don't wanna start any fights, but he happily goes by the name of the Godfather of Zero Trust. And obviously you're Dr. Zero Trust. I wondered if you could give us your side of the origin story of Zero Trust. Where were you when it came into existence? What was your involvement? And what was the initial reaction from the world?
Chase Cunningham Yeah. So John definitely deserves the "Godfather" 'cause this was his conceptual approach to things. And if you're talking about a security visionary, John's the one. I'm just a, I guess, you'd call like a "stepchild" in that whole framework. But for me, when I got to Forrester, John actually recruited me to Forrester. When I got there, John kind of said, "Look, you're probably gonna take over the Zero Trust thing." And to be perfectly honest, I was pretty irritated about it because I was like, "Look, I wanna start my own approach to the market. I don't wanna follow up on anybody's coattails." And then the more I looked at it from the perspective of "because I'd been on the offensive side of cyber in the national intelligence community," I looked at it and said, "You know what? This actually is pretty dang solid. And it would make a heck of a difference from the perspective of 'If Zero Trust was in place, I would be unable to be operationally capable as a red team or as a bad guy.'" So that to me was where it was like, "Okay, cool. How do we take this to a different formalized approach?" Because I had not been too far removed from finishing my doctorate, so I was really into taking concepts and putting them into applied frameworks. So it just wasn't anything super amazing on my part. It was really more of like, "I just happened to be in the right place at the right time and saw an opportunity."
Emily Wearmouth Perfect. Who wouldn't embrace an opportunity like that? What I really want to get into with you today, though, we talked about an organizational implementation of Zero Trust with John. I would like to talk with you a little bit more about national government adoption of Zero Trust. And we have seen, particularly in the last six months or so, governments around the world really embrace the concept and put out advisory notices to organizations within their territory, but also start to look at how they use Zero Trust to inform the way they build their national cybersecurity defense strategies. I wondered if you had any initial thoughts about, what does that mean when you're running Zero Trust into a national situation rather than an organizational? Are there any major differences between those two scenarios?
Chase Cunningham Well, the biggest one is that you have the heft of a federal government that can come behind something and actually say, "You have to do this." And that's what you're seeing in the US federal government, where they've allocated a couple of billion dollars. There's laws that are in draft stages. It is a really big thing for the US DoD. Fast forward, and Australia used to have this thing... Well, they still have it. It was called the "Essential Eight," and myself and a really awesome lady at Forrester named Jinan Budge wrote up a paper about adapting the Australian Essential Eight to ZT. And then now they've come up with a whole of government move towards Zero Trust. I think the UK government is doing that to a degree as well. But the reality of it is when you have these large mega organizations with lots and lots of money behind it and they're saying, "This is how we're going to do it all the way up in the US to the president of the United States," it's substantial and it's... John talks about changing the incentive structure. That's really what we're seeing here. We're moving away from all time stick to sort of carrot-and-stick, which is better. And we'll continue to get there.
Chase Cunningham And at the national level, really, what I think that folks have to remember is, this is about if you accept that digital living, if you will, is kind of a human right now for most people on planet Earth, you have a right to also operate in a safe and secure manner as well. And how we do that is going to be via these strategic initiatives that will make the difference. So I think that it is a categorical shift in the approach overall. And it's really good to see that there are governments aligning on this as well. Because security is the only space that I've been able to find where industry follows government; usually it's the other way around, and we're seeing that in real time.
Emily Wearmouth On that point of who's following who and where you start, if you're looking at this from a national perspective, where do you start with Zero Trust? We talked about on an organizational level what you might select as your order in which you approach things. How do you order things on a national level? Where do you start?
Chase Cunningham Well, the first thing really at the national level is to have a directive that comes out from someone in the food chain that has teeth, right? That was the executive order from the president of the United States that said, "Thou shalt do ZT." I believe the US government has until September 30th of this year to show that they've actually formalized the process and put it in place. Doesn't mean they're done with Zero Trust. It just means they had 180 days to say, "This is what we're doing, how we're doing it, we have a plan and etc, etc." So that's the first thing that has to happen. The second thing that I really think has to happen is, you have to have some of these follow-on tactical capabilities to go off and actually ensure that what has been mandated is being done.
Chase Cunningham 'Cause that's been the biggest problem that we've had in cyber at the national level, is we've got lots of compliance initiatives and we got a lot of requirements, but they're not usually taken very seriously. It's a pencil whipping exercise. People figure out ways around it. Self-certification is one of the dumbest things I've ever heard of in the history of dumb. And, [chuckle] you know, we're just not pushing it forward enough. So that's where this is starting to go, is that it has to happen that way. You have strategy that's guided and led and required by leadership, and then you have tactical execution to do the things to make sure that that's actually in place.
Max Havey Do you have any thoughts on the evolving cyber attack or national cyber defense landscape? Are there any threats that are sort of a lead in that realm?
Chase Cunningham Well, we're... As a nation, the US is constantly... And the UK, too. We're like, we're constantly under attack from a variety of organizations. And I always think it's worth people understanding, too. There's no Geneva Convention in cyber. There is no agreement of terms. This is a space where every country on the planet is literally competing to get a leg up on the competition. So the US is doing things, the French are doing things, the Israelis. It doesn't really matter who you are. This is a space where you can gain competitive advantage. And the other interesting part of it, too, is cyber warfare has become the bridge between espionage and kinetic conflict. And that's what you're looking at, is you're seeing nation states that are trying to cause changes at the national level. And they don't have to do it anymore by putting boots on the ground. You can do this via social media, you can do it via electronic systems, you can take down critical infrastructure. That is the future of what it looks like to be a player in the digital space. And China and Russia and the US are the big dogs in the yard. However, there's lots of dangerous chihuahuas, if you will, in that yard as well, too.
Emily Wearmouth [laughter] I'm wondering how certain government, national leaders might feel about being called a dangerous chihuahua.
Chase Cunningham Hey, I mean, a chihuahua could always hit an artery in your ankle or something, you know? [laughter]
Max Havey Is a Geneva Convention for cyber a realistic prospect? It's something I've heard folks bandy about over the years as something theoretical. But looking at it as something that could exist, is it realistic to think about it that way?
Chase Cunningham You could have all your G7s and NATO's sign a piece of paper that said, "We will not do X and Y and Z in cyber." It should be written on toilet paper, to be perfectly frank, because that's about as good as it's gonna get. There's non-attribution. There's no accountability. This is a space that is perfect for getting away with things and not being caught. That's the real issue that we face. So would it be great and would it make everyone feel warm and fuzzy? Sure. Is it actually something that will execute and make a difference? No.
Max Havey It's happening with the best of intentions there, but it's ultimately kind of hollow.
Chase Cunningham Well, you know what they say about the road to hell, it's paved with good intentions. [laughter]
Emily Wearmouth On that note, are democratic nations, those that we would like to think of as highly accountable and embracing ethics guidelines, are they setting themselves up with more challenges and a disadvantage in facing the adversary if they're holding themselves perhaps to ethical standards and accountability in a way that perhaps the adversaries that they're facing aren't, and we don't have this mutual understanding of a Geneva Convention for cyber?
Chase Cunningham Yeah, that's part of the issue. And it's a really good point you make about the ethical side of this, because the US and Five Eyes nations really do kind of play by the rules. And I've sat in the chair; I've literally been in the room doing those sorts of things. And you do play by the rules, whereas when you look at our adversaries like North Korea and some of those, there is no rule, there is no law, it's whatever they can do to get the next leg up on the competition. And that puts us in an unfortunate position. Without getting myself into trouble, there's some ways that we do things that are slightly beyond what you would typically consider to be legally agreeable. But it's just the nature of what happens there that goes in. And that's the other problem that I think a lot of regular everyday folks that aren't in cyber don't understand, is no one plays by the rules but the people that play by the rules. And that's not a good place to be when you're in a digital conflict, combat scenario.
Emily Wearmouth Your background came through the military, and I wonder how much that informs the way you think about cybersecurity and whether it's inherently different to the way that someone who's perhaps come through the private sector thinks about cybersecurity and some of these nation state challenges. Do you think it changes the way you look on the challenges?
Chase Cunningham Absolutely. I've been privileged enough to be in the dark windowless rooms with the bad coffee where the people are doing ops that are literally in adversary nations and whatever else. And that really lets you know what's going on there. And then the other problem, too, is having said, I was lucky enough to do some work at FBI cyber a long time ago, seeing how the disconnect happens between authorities within our own national infrastructure. It makes you kind of sit there and go like, "Wow, this is a problem, it's very siloed, and we have all these requirements that we can't get past." But the bad guys don't play by those rules. So it puts the chessboard advantage for them, unfortunately, instead of for us. And for me, I'm not like a tinfoil hat weirdo, but I am more, I guess, you'd call it realistically aware of what's actually going on.
Emily Wearmouth I'm gonna ask you a question now that I feel I should say upfront. Don't go against any official secrets acts you may have signed. But I do want to know, what's the coolest SOC room you have been in? Which has the best flashing lights? Tell us about the SOCs. [chuckle]
Chase Cunningham Well, I would say that the SOCs in the military and the national security infrastructure are actually pretty boring. The ones that are cool are like if you've ever been to IBM's SOC up in Massachusetts or Dell's SOC down in Texas, those are really cool. They've got lots of monitors and nice blinky lights and all the other things. Those are the ones that look like they're something out of a movie. If you went to the ones for the military and NSA or whatever, you would be like, "Wow, this is really disappointing."
Emily Wearmouth [laughter] Okay. Chase, when we spoke a bit before this recording, you mentioned the concept of Contested Space. And I wondered if you could talk us through what is that, and how should security professionals think about that when they're designing for Zero Trust?
Chase Cunningham Sure. So "Contested Space" is a term that's typically used in warfare combat scenarios where you're thinking about where's the areas where you will never have ultimate control, right? If you're thinking about the stuff we did in Iraq or whatever, you never really had control of certain areas outside of Baghdad. Or if you're looking at World War II, the areas around like Stalingrad and whatever else where they couldn't gain total control, there's always conflict going on there. And in cyber, anything that is not directly under your control that you can apply an actual fix to, that's Contested Space. And part of the problem that we have with folks in this space, in my opinion, is they're thinking that there's a perfect model, right?
Chase Cunningham Even if you have a Zero Trust on steroids instantiation, it doesn't really mean that you will never have a breach, and it doesn't mean that you don't have Contested Space. And what that actually is is valuable, because you don't spend a lot of time and a lot of resources trying to fix what can't be fixed. You control it, you understand it, you observe it, but you don't sit there trying to go, "How do I keep putting water back in the bucket when there's holes in the bottom?" And that's what people get wrong in cyber. And that's also where a lot of non-cyber people are misled, is they think that there's a way that this can be done and never have a risk or an issue or perfection. That just doesn't exist. The very nature of technology means one person can build it, someone else can reverse-engineer it.
Emily Wearmouth When you first mentioned it to me, my mind automatically went to cloud applications, perhaps being a good example. Is that a good example? Are there other examples where you see it very clearly as Contested Space, but perhaps you see security professionals thinking they're safer than they are?
Chase Cunningham Yeah, I think cloud's a great one. I think all the stuff we do now with kind of burst-able infrastructure, Kubernetes and those types of things is also part of that equation. And I would argue that the Internet writ large is Contested Space, and people should think about how they operate in that threatening environment all day, every day. That's also part of the problem, too, is we see a lot of folks that are trying to apply very human concepts to a very technical problem. And that is not a smart application of resources.
Max Havey Reflecting on broad learnings that you've had from your time in the military and time, working with cybersecurity as it relates to national defense, are there any learnings you've taken from there that have been particularly useful when talking to organizations about concepts like Zero Trust?
Chase Cunningham Yeah, the biggest one that I've seen that's gotten some acceptance really is to just ask people, "Do you think that you're better than any of the hundreds of other organizations that have spent billions of dollars that have been breached?" And the answer, if they're intelligent, is no. And then the question becomes, "Okay, well, doesn't it make sense logically to say, 'Well, what did those organizations do? Where were their gaps? And can we do something different?'" It doesn't mean that you drag them over the coals 'cause they failed. That's just not the nature of the space. It's really more of, "If everybody out there had this particular thing happen to them, you're not different. Let's figure out how to be more secure in that particular problem and then we'll get better." And then the other concept, too, is that unfortunately in cyber, much like in warfare or regular operations and military and national infrastructure, a rising tide does not lift all ships. This is about survivability. And if my org does better than yours, and you get breached and I don't, sucks for you, but Chase is fine.
Emily Wearmouth [laughter] Chase is fine. [laughter]
Chase Cunningham I mean, it just is the reality, you know? That's why people put... I say this a lot during workshops, is like, "Do you think everybody in the US that has those ADT signs in front of their house actually has ADT?" No. They buy a sign and put it in the front of the house. Why? Because that makes criminals think twice, and they'll go to the house without an ADT sign.
Emily Wearmouth Yeah.
Max Havey I believe folks call that "security theater." I've heard that described before as the idea of making it seem like you have security in place without necessarily having set security in place.
Chase Cunningham It's deterrence, is what it is. You know what I mean? There may not be any actual capability there, but at the very least, the people that are targeting you will go, "There might be some increased risk for me. I should find an easier target."
Emily Wearmouth You've come from the public sector into working with a lot of private organizations while still keeping your hand in public sector, so you've seen both. And I wondered if you had any thoughts around skills, individuals and careers transferring between one and another. Is it easier to go from one side to the other? Are organizations in public and private sector looking for very different skill sets? What is your take, if we've got listeners obviously across both, if we've got listeners in the public or the private thinking about making that move, what sort of things should they keep in mind?
Chase Cunningham I think anybody... Honestly, I think that we don't have a lack of human talent in cyberspace. I think that's a market-created initiative. Really what we have is people keep looking for the unicorns to do stuff: The ex-intel, ex-military, ex-crazy-cyber-hacker person or whatever. And they say, "Oh, well, those are the people we got to have for the job." They're already hired, and they're very few and far between. We need to be hiring and training and educating people that just have the, I guess, you'd call it wherewithal to do the work. I've staffed up people that have come from working in restaurants. I've staffed up people that have come from banking, from sales. To me, it's always been about their desire to do the work, and can they solve problems, and can they figure things out. That's what we're actually looking for. The transition between military or private and public and et cetera, the biggest thing you'll have there is gonna be the culture shock that occurs. If you're one or the other, it's going to be an entirely different scenario for you when you transfer in. And I did not have an easy transition out of the military. It was very uncomfortable for me, and it took years to get to a space where I felt like I was actually a valuable civilian employee. So I think that that's something that people should be aware of as well.
Emily Wearmouth Are there any specific learnings that you came away from that uncomfortable transition, advice that you would give to someone who might be in that particular situation right now?
Chase Cunningham If you're coming out of the military and moving into the civilian space, the biggest thing I think is patience. The op tempo is not what you expected in the military, and for me the biggest thing was always, you would have a task and it's like in the military, if it's a task, we're on it, we're gonna go through, and we're gonna get done as soon as humanly possible, "Katy, bar the door," just do the thing. In the civilian world, it's more like, "Yeah, we know we got to get to that," and it's part of the plan, and you're sitting there going, "Well, when?" "Well, we'll have a meeting about that." So I think the biggest thing is to understand that there's a lot more patience required and a lot more collaborative execution. I would still argue in the civilian space, a lot of times what I see from people too much is they're always looking for total consensus, whereas that's kind of not a good way to execute. With my groups I work with, I like to... I get what I call "violent agreement." If we have enough agreement in the space that we're not willing to punch each other in the face, okay, well, let's go.
Emily Wearmouth [laughter] "Disagreeing agreeably," I think another podcast calls that. [laughter]
Chase Cunningham Yeah.
Max Havey Well, I can see our producer is waving at me that we're coming up to the end of our recording here. But Chase, before you sign off and let you go here, I know you do a lot of work for charity. And while I usually ask our guests to plug at a minimum, I wanted to give you an opportunity to talk about the charities that you support, and let people know how they can support those as well.
Chase Cunningham Yeah, so the biggest one is, there's a group called "Veterans Exploring Treatment Solutions," VETS. It's in the US. And what they do is they help people with post-traumatic stress disorder and other issues, anxiety. They do alternative treatments. They're funded by the federal government. And a lot of my friends are folks that have dealt with that issue. And it's been very beneficial for them. I've seen them change lives. I've seen them save lives. My own actual brother, my flesh and blood brother, went through a treatment similar to what they offer, and it changed his life. So that's the one that I try and support most directly. And it's honestly because I know the guy running the org, and I can text him and make sure that I know the money is going where it's supposed to go.
Emily Wearmouth That's accountability. [laughter]
Max Havey Absolutely. Well, and we'll be sure to have a link to that in the show notes for the episode here. But overall, Chase, thank you so much for taking the time here today to chat with us. This was a fascinating conversation around Zero Trust and national security. We really appreciate you taking the time.
Chase Cunningham Hey, thank you very much. It's great talking to you all.
Max Havey Absolutely. And Emily, thank you for joining as well. Always great to have you on doing co-hosting episodes like this.
Emily Wearmouth Always my pleasure. [laughter] Thanks, Max.
Max Havey You've been listening to the Security Visionaries Podcast, and I've been your host, Max Havey. Please subscribe to the podcast if you haven't already. And if you liked this episode, please be sure to share it with a friend or anybody else you think would enjoy the show. Between myself and my co-host, the great Emily Wearmouth, we air fresh episodes every two weeks covering many interesting topics, so there's definitely plenty more you'll wanna dig through in our back catalog. If you like this one, I particularly recommend you pop back and listen to the Zero Trust and Identity episode with Neil Thacker and John Kindervag. And with that, we will catch you on the next one.