The cybersecurity industry is full of headlines, but are we paying attention to the right ones? In this episode of Threat Vector, host David Moulton, Director of Thought Leadership at Unit 42, sits down with Rob Wright, Security News Director at Informa TechTarget, to discuss the stories the industry overlooks, the overhyped AI security fears, and the real risks posed by certificate authorities.
They discuss the challenges of cybersecurity journalism, the role of deepfakes in modern attacks, and the ongoing issues with transparency in breach disclosures. This conversation sheds light on what security professionals really need to focus on and explains why some of the biggest threats don’t always make the news.
Transcript
Rob Wright: I think in -- if we turn around in a few months and find out that a major certificate authority has been breached and that a nation state threat actor has been sitting inside of that company the same way they've been sitting inside of telecommunications providers and doing God knows what with certificates and private keys and things like that, and what I fear is we're going to turn around when that happens and say, Oh, my God. How did this happen? It must have been AI, or it must have been quantum computing. It's not quantum computing. I can almost guarantee it's not going to be quantum computing. It's going to be some threat actor getting inside the mix at a low level and worming their way up and taking advantage of bad OpSec and obtaining private keys that, no, a super computer over in China did not crack. There's -- I don't think we're there yet.
David Moulton: Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. Today I'm speaking with Rob Wright, Security News Director at Informa TechTarget about covering the cybersecurity industry, underreported stories, and more. Today we're going to talk about the underrated and overrated in the cybersecurity media and Rob's take on a lot of things in between. Here's our conversation. Rob Wright, welcome to Threat Vector. Excited to have you here today.
Rob Wright: Thanks. Appreciate it.
David Moulton: Rob, talk to me a little bit of how you got into cyber journalism and how that's changed in the decade that you've been on this beat.
Rob Wright: Oh, geez. It has changed a lot. Went to college for journalism. All I ever wanted to do was be a reporter. I wanted to be a newspaper reporter. Got out of school. Tried working in newspapers, and it was like, this is awful. This is terrible. I was working cops in courts, just having to deal with truly awful stuff. Made the switch from newspaper reporting to magazine journalism and just happened to fall into tech journalism. After a few stops at some different places, I started getting into cybersecurity, working with another EBM publication, CRN. And then about 10 years ago, yeah. Got a -- got a job at TechTarget, now Informa TechTarget covering security. And, man, it has changed. It has changed a lot. We used to write stories about Anonymous and LulzSec and website defacement and pranks. And now we're dealing with, oh, the energy -- the energy grid might -- might get taken down in this country because of this new type of malware or what have you. So it's -- it's changed quite a bit.
David Moulton: Yeah. I've -- I've been in cyber just a bit less than you have, it sounds, but I find that it's a space where it's not a problem solved and, therefore, it's fascinating. It's irritating that it's not a problem solved. But I think it's one worth working on. And I think that's what draws a lot of folks to it, whether you're a practitioner, a developer, a reporter, or even -- even a humble podcast host. Rob, this may be a loaded question, given the current news media landscape. But how do you view your role as a cybersecurity journalist? And what drives your approach to covering this industry?
Rob Wright: Yeah. I do consider myself a cybersecurity news reporter. In terms of what drives my approach, it's changed a lot. The urgency around cybersecurity has increased what feels like, I don't know, at least tenfold over the last few years. So we try to -- I try to cover this stuff that I think has the biggest impact on the masses so not just enterprise security but also, you know, government and citizens at large, I guess, because it really has gone from -- the beat's gone from enterprise to just, I mean, this is something the whole world, I guess, has to deal with now so.
David Moulton: Who do you see as your main audience?
Rob Wright: We try to deliver our news with the hypothetical reader in mind. And that hypothetical reader is a practitioner, a technology practitioner, somebody that works in IT or IT security within an enterprise organization or a government organization. But we -- yeah. We try to deliver our content to the folks that are actually working with this stuff. You know, there's always room for some of the, you know, general consumer news out there and obviously some of the beginners that are just getting into this business. But, by and large, we try to focus on the people that are, like, really into this stuff, that are really working with it every day and that need to know about the types of technologies, the types of threats, the types of goings on that -- that are important to their jobs so.
David Moulton: So you kind of see it as something for the grunts in the trenches.
Rob Wright: Oh, yeah.
David Moulton: Maybe as -- is that primary audience. Okay.
Rob Wright: Yeah, yeah.
David Moulton: Yeah. Talk more about that.
Rob Wright: So I -- I think it's a hard job. I think being in the trenches and having to do this stuff really, regardless of what type of organization you're in, whether it's financial services that has a huge, you know, $500 million cybersecurity budget or whether it's a smaller startup and the IT team is three or four people, it's a hard job. There's a lot to keep up with, just with patching alone. And it's easy to kind of get lost in what you should prioritize and what you should focus on. If we can do a little bit, just a little bit to help kind of direct people or give them some advice on where to go and what to pay attention to, I think hopefully we're doing a good thing because there's just so much noise, so much to keep track of.
David Moulton: Yeah. It's a really complex and dynamic space to work in, and each one of those could end up occupying your entire day, entire week. So, you know, having somebody that brings clarity to a topic, brings clarity to an idea, you know, that editorial mindset, it's really helpful to have, you know, somebody out there like yourself digging in and bringing to light some -- you know, some insights or some points of views. You know, on that, I'd be interested in your opinion. Are there underreported cybersecurity issues that you think deserve maybe more attention from the industry, from media?
Rob Wright: It's easy to overlook some of this stuff because I know some of it can be boring. The first example that comes to mind is just the -- I think the overlooked nature of internet security infrastructure. And I'm using kind of a broad term there, but certificate authorities as an example, I think certificate authorities are kind of boring to people.
David Moulton: Yeah.
Rob Wright: I find it fascinating. But I think that this is an area that just does not get enough attention for a variety of reasons. And I think there's huge ramifications for how that industry is run and how it's operated. And some of the things that have gone on recently with certificate authorities have just been absolutely wild, and I don't think there's enough coverage on it.
David Moulton: Can you give us an example of a story where a certificate authority had a major impact or got less coverage than you expected, given the nature of what happened?
Rob Wright: Yeah, yeah. A couple. The first is Symantec. And I'll try not to get too fired up about this story. But I think it was back in 2017 Symantec was informed by, I believe, Google and Mozilla and other members of the CA/Browser Forum, the major browser makers, that they had been caught misissuing, you know, tens of thousands of certificates, sort of recklessly and insecurely. And during the -- I think it was -- this was -- this went on for, like, over a year, many years, I think. During the process, the browser members found more misissued certificates, more sort of the questionable practices. And, I mean, I don't think people kind of appreciate it at the time that this was -- I mean, I know Symantec now is part of LifeLock, and they've kind of gone away like a lot of legacy cybersecurity vendors. But there was a time when they were the biggest. And Google, I mean, it's amazing to me. Google, Mozilla, they came out and they said, We're giving you two options. You're out of the club. You either have to destroy your PKI and rebuild it from scratch, or you need to sell your business. I mean, these are other private -- public companies, but you get the point.
David Moulton: Right.
Rob Wright: Companies coming to Symantec and saying, You need to -- you need to sell. You are so bad. This is like -- this is like a sports team. It's like a sports league going to like Donald Sterling and saying, You need to sell the Clippers. They said, You're so bad at this that you have to sell. You're such a danger to internet security, the foundational linchpin of internet security that you've got to sell. And I -- I think there -- there's a lot of things that Symantec was doing that other CAs are doing and just haven't been caught yet. And there was the case with TrustCor I think it was a couple years ago. Washington Post did a great story. Joseph Menn did a great story uncovering how this small CA was tied to government contractors that were doing spyware. And TrustCor came out and said, How dare you accuse us of this stuff. We haven't done anything wrong and denied it all. And, yet, there's business records. There's all this data. They find out that there's an SDK for this spyware company sitting inside the email program that TrustCor, their secure email -- I'm doing air quotes for the listeners -- secure email program that TrustCor does on the side, an SDK for a spyware program in their email product. And they're just turning around and saying, Well, we don't know how that got there. That was some contractor. That was some -- that was some contractor that we had to fire. We didn't know it was still there. I mean, you can't think of a better excuse? They are going to destroy your business. They're going to kick you out of the CA. Like, you're not going to be able to do certificates anymore. You're not going to be able to act as a CA. And the best that these people could come up with was, Oh, that was some rogue programmer that we hired. And we fired them, but we don't want to say who it was because we don't want to get into a labor dispute. I mean, it's just absolutely mind-blowing.
And if there are companies like that doing this stuff, big and small, you've got to wonder what's going on with some of these, like, really foundational companies that do things like certificates, digital certificates, cross signing certificates, all this stuff. It's just terrifying.
David Moulton: So moving on from what you called a boring story, although I've got to tell you I'm fascinated. Right. You know, and things that are really undercover to, you know, something that we might decide has been a touch overcovered, AI.
Rob Wright: Yeah.
David Moulton: You know, earlier you said that being the security practitioner is a hard job. And I agree. Do you see AI making that job harder or easier?
Rob Wright: The thing that I worry about with this stuff is it feels like we're getting a little bit ahead of ourselves, a little bit over our skis with how much this stuff can do. I was at an event not too long ago. I spoke with somebody at a very large company, very important person in a very large company. I don't want to air this person out and make too much of their comments. But I said, you know, AI, I think people think it's more intelligent than it really is. And he said, Well, yeah. All AI is just machine learning. It's not cognitive computing. It isn't HAL 9000. It's not doing all this stuff for you. It's not really intelligent. And I said, by calling this stuff AI, are we leading too many people to think that it is intelligent? I mean, it's in the term. It's artificial intelligence.
David Moulton: Right.
Rob Wright: So I think that there's a lot of really interesting applications for this stuff, again, in cybersecurity and a lot of places. But the problem is, I think we're -- I don't want to say we're in a bubble. I definitely don't want to say we're in a bubble. I'm in cybersecurity. I work in tech, in media. I don't want this to be a bubble. I want this to be a real thing. I just want to say, you know, there's a difference between being a skeptic and an outright hater and thinking this is all going to explode in some bubble. I don't want that to happen. But I do think we're kind of getting a little too -- we're overcovering some of this stuff and getting a little too ahead of ourselves in terms of what it means for the industry at large, for the tech industry at large. You know, it wasn't that long ago that there were companies like -- not to pick on Cylance, but, I mean, Cylance was -- in 2017-ish, they were, like, the hottest startup. And they were bringing AI to cybersecurity, and they were seen as this huge pioneer that you couldn't get hotter than this company. You cut to a couple years later. They're acquired by BlackBerry for 1.5 billion, I think. And now, just a few weeks ago, they're sold -- BlackBerry sells them to Arctic Wolf for pennies on the dollar, pennies on the dollar. So I think there's a longer way to go with some of this stuff than we are leading people to believe. And I think that we're overcovering it a little bit to a degree that is I think hyping it a little too much. That said, I think there are a lot of things that are positive about -- about AI and cybersecurity that are -- that just blow my mind, like really blow my mind.
David Moulton: I kind of see using AI and, you know, how it works as, in some ways, like talking to another person. If I ask you describe your dinner from last night and then 10 minutes later ask you to describe it to me again, and if you use the exact same story to tell me about what you had, who was there, the overall vibe of dinner in a robotic fashion and a classic compute model, I would be freaked out by you. But, if a computer does that, says the exact same thing over and over, I'm like, yeah. That's what I expect. It's a programming problem. I got some inputs; I get an output. It's always the same. And AI breaks that relationship with the machine in a way that causes us to step back and go, oh, no. And sometimes you can't tell if it's just doing the analysis, you know, of what word next a little different. Or if it's just BSing you, right? And you don't know, has it -- has it decided to hallucinate? That's a fun term.
Rob Wright: Yeah.
David Moulton: Or is it just telling you the story in a new way? And I think that's the part that causes me pause in an industry like security where you're going, is it telling me that this is a false positive and I move on? Is it telling me that this is an incident and I need to go after it, and it doesn't really know it's mathematically assigned a rating. And that can be -- that's problematic.
Rob Wright: Yeah.
David Moulton: So solving for that is -- I think that's going to be key.
Rob Wright: Great.
David Moulton: Rob, what strategies can cybersecurity professionals and journalists use to verify some of the claims about AI-related security incidents to separate the hype that we're seeing from the reality, especially before reporting on them?
Rob Wright: This is hard because I think there's a lot of AI washing. And I think there's a tendency for people to kind of get carried away with applications for AI that are really neat and interesting but, like, don't -- it's not a one to one. It's not -- just because you can do something over here doesn't mean you can take that same technology and apply it over there. So, for example, just because Deep Blue can beat the world's chess champs and you can build an application that is very, very specifically tailored to do one thing really well, same with Google and AlphaGo, the Chinese game Go. It created this game and, Oh, my God. And it beats the world's best Go players. Just because that is -- is out there and you know that that works doesn't mean you can just take that technology and bolt it onto a cybersecurity application and have it do wondrous things. I think the thing that people should be aware of, the practitioners out there, is that a lot of the stuff is kept in a black box. But, if you can get to the vendors and the providers out there that are using this technology and really touting it, just run some simple tests. Just run -- run simple tests and just see. Start small. Start innocuous. Don't ask it to, like, run your SOC. Don't ask it to run -- you know, don't ask Copilot or whatever to just do these complex things. Just start small. I start small with AI. I ask Google AI very simple questions. I asked it a couple weeks ago, what are the great -- what are the best-selling American rock bands in the history of modern music? And it comes back with the Rolling Stones, Pink Floyd, AC/DC, Led Zeppelin. If you can't get that right, if you can't get that right, stop. Stop and -- you know, I'm not saying throw the vendor out, but just reevaluate. Just say, come back to us in a few months when you have that cleaned up, and we'll take another look. So I would start small with tasks like, okay.
Is it picking up these -- you know, these login attempts from this IP address or the -- we're -- we've got 100 attempts on this account in this amount of time from this region. Is it flagging it? Simple, simple stuff. And, if it can't get that right, then just move on.
David Moulton: Rob, what are some of the red flags or indicators that really make you skeptical about claims of AI's involvement in reported attacks?
Rob Wright: So when we see stories out there, and we see them all the time about deep fakes being used, you know, so and so unnamed organization just made a $50 million transaction, fraudulent transaction because they -- they were duped by deep fakes. I want to know -- I want to know specifically who that victim organization is. What did they see? Did they see anything, or was it just audio? And, if it's audio, look. The Scattered Spider guys are very good at social engineering. Okay. I don't know what they do specifically. I don't know if they use voice disguising or if they're just good at imitating accents or what. We don't know. I want to know what they actually saw, what happened in detail before I'm ready to say like this was a deep fake attack. And I know that the FBI and a lot of other law enforcement organizations out there have said deep fake attacks are on the rise, so on and so forth. I just -- I want to see it. I want to see it before because these types of attacks, these tech scam -- tech support scams, these attacks have been happening for years. And they never needed AI to trick people on Teams or trick people on Zooms. So is it -- is that really happening right now? Are these guys really using these tools? Did they invest, did they buy this super expensive software to create live video? Or are they just doing what they've always done?
David Moulton: So, Rob, wait a minute. You're saying that we should have credible evidence before we -- we fly off? You know, that's a real hot take, man.
Rob Wright: Yeah. I'd like to have some credible evidence. But there's been a lot of it, and --
David Moulton: Sure.
Rob Wright: Just pump the brakes, and let's see the evidence. Let's see what they're using.
David Moulton: How do we strike a balance between raising awareness about those potential AI threats and then avoiding this unnecessary panic and hype?
Rob Wright: Yeah. I mean, that's a good question. I think probably what needs to -- what we need to start with is let's just look at what -- let's keep looking at what ChatGPT and generative AI can do in terms of coding, right? Let's look at the safeguards. I know there was a -- there was a lot of coverage early on about the safeguards and how you can basically -- you know, you can't ask ChatGPT to, say, write me a new variant of LockBit ransomware. It's not going to do that. But you can word it in a way or you could word it in a way that would get it to spread out a script that could do something similar to that.
David Moulton: Right.
Rob Wright: Now, the safeguards have gotten a lot better. I do think there -- we need to keep focusing on how these tools, these -- especially ones that are free are being abused. Right now, a lot of the abuse seems to be just shady stuff, like nonconsensual pornography and sexualized material, like taking the images of people, taking images of your classmates and just, you know, declothing them and things like that. But I do think there's a world in which threat actors are going to say, Oh, these tools are available. I can think of a really interesting way to start building malware, you know, not just phishing emails but, like, I can -- I can construct actual tools to commit attacks and find vulnerabilities. I mean, there's a couple of companies right now that use -- we don't have a great look at how this all works but use AI to find vulnerabilities. Well, maybe they'll start doing the same thing. So it's definitely something to keep an eye on. It's overcovered, overreported, I think a little bit sensationalized in terms of what the real threat is. But I can't argue with keeping a close eye on it because I do think they're going to start to -- the threat actors, if they haven't already started to try to move up the chain here, they're going to so.
David Moulton: You could really look to those tools to help you move to being a more effective, you know, call it phishing, phishing writer. And those things make sense that you would see those already. Finding evidence that somebody did or didn't use them, I find that a little dubious where you're going, like, unless you're sitting there with a threat actor or the team that's writing those phishing emails, you don't know if they did or they didn't or how much they used. So, you know, that's a -- that's where I agree with you. I think when you go up to, like, the malware level, we've talked to some of our researchers here; and they are able to coax some of the AI tools to ignore their own rules and guidelines and really build some nasty bits. But it took them quite a bit of time. But, once they got going, they said that it was surprisingly effective to have that as a tool but that it was actually just cheaper to go out on the -- you know, out on the -- out on the market and just buy it done rather than spend months figuring out how to make the tool right for them. Looking ahead, what emerging trends or technologies in the cybersecurity landscape do you think will shape the industry's focus in the coming years?
Rob Wright: Technologies. That's an interesting one. I would have said -- I would have answered this question a couple of years ago with zero trust. I thought zero trust was a way to really get away from credential theft and account breaches and things like that, that seem to be tied to a lot of the major attacks that we see today. For whatever reason, we're just not there yet. I don't know why. I don't know if it's because zero trust architecture is something that's very complex and takes a lot of work. I think we need to take a hard look at how we do that, though, because we just -- we are so bad at protecting credentials, protecting accounts, securing them. I know a lot of people make a big deal of, you know, Google with its phishing resistant security practices. They basically use, you know, security keys, account production, BeyondCorp zero trust network to prevent their accounts from being -- from being hacked, to secure them. We can't even get people to do MFA. I mean, we can't even get, like, organizations to implement MFA across the board. I still think there is a future in which zero trust is made easier. It's simplified. It is easier to apply for organizations big and small. And to require more than just one password login and even an IP address, there needs to be more criteria to grant access to, especially the mission critical stuff. And that's a big one for me. I really think that needs to be pushed forward. I don't know why it's not there yet.
David Moulton: You know, we're here in January when we're recording. And I -- you know, I'm still looking at what resolutions I want to go for. And certainly I've looked at my pantry and said, I should put the chips at the top shelf where they're really tough to get to and maybe the healthy foods a little closer to where I can easily grab them when I'm, you know, running in for some snacks. And I wonder about MFA and passwords in the way that we've got things set up. You know, this almost strikes me -- for full disclosure, I spent 20 years as a designer -- as a UX issue as much as a security issue. If we make passwords the default, if we make that pattern that you're very used to, username and password; and you've got to remember the passwords that you kind of fudge it or you use the same one, man, that's easy. I know it. I'm comfortable. I'm resistant to change. I think that, if you were to make the MFA model simpler and the password model harder to use, it was -- you know, some level of friction, some level of resistance from the organization and start to think about what's the -- what's the better security model but make that a little simpler, make that a little easier to do, that we might see that change. But you're right. We don't protect -- we don't protect our identities. And it ends up being, you know, this -- this downfall across a lot of stories where you're like, oh, yeah. They lost --
Rob Wright: Yeah.
David Moulton: They lost a login. They -- they got a social engineer or they had somebody acting as an insider who had lost their credentials one way or another. And that becomes the breaking point.
Rob Wright: Yeah. And we turn around, and I feel like we blame the person that lost -- that had their account compromised. Like, we've just got to take it out of the hands of the individual. We really do. There's just too -- there's too many lures. There's too many clicks to make. There's too many potential mistakes for your average IT employee or average developer to make that you just can't. You can't -- you can't put it all on the individual.
David Moulton: No. I -- you know, months ago, I talked to Mike Spisak here about this idea of a personal security agent that follows you from device to device in, you know, different environments. And I see this as one that certainly makes sense in a highly sensitive environment like your -- like your business but also would be awesome to have at your personal level, right, so that the cross-contamination doesn't happen or you don't become, you know, compromised or blackmail. These things can happen. And to have something that's just kind of sitting on your shoulder going, you know, yeah; that's okay or, man, don't click that. Or, you know, throws up the blocker because it's reading it and, you know, using the wisdom of the crowds to alert others that, hey, we've caught this. This looks like a beast. But I think we're getting close to that where you could have that, that security agent, that AI agent just tagging along with you, helping with that hygiene. But, to your point, it takes it out of your -- your hands alone and puts some level of help at those critical mistake points, you know, so that you're not seeing this level of compromise, not seeing the loss of credentials. And this is a tough one, you know, because I think that -- a few years ago there was this -- this saying that every company is a software company. I think that everyone needs to be cyber aware now is -- you know, if everything's software, then you need to be on your toes all the time.
Rob Wright: One hundred percent.
David Moulton: Are there any trends that you're seeing now that you think have the potential to be overhyped in the medium to near term, and maybe why?
Rob Wright: I think we're getting -- again, I understand why this is happening. I think we're getting a little carried away with the nation state threats. And what I mean by this is, obviously, the nation state threats are -- they're bad right now. They've increased exponentially. The types of attacks, the types of intrusions, the types of activity that just China, People's Republic of China has been accused of that have -- the attacks that have been attributed to PRC-connected threat groups is really, really bad. You know, we've had government agencies come out and say we think that they're infiltrating critical infrastructure targets, whether it's, you know, telecom providers or energy providers and setting themselves up in case there is a global conflict presumably with -- you know, involving Taiwan. And they want to be able to, like, basically disrupt, switch it off, cause a disruptive attack to disrupt communications, critical infrastructure, what have you. And I get all that. That is bad. There's -- there are Russian cyberattacks. There are all sorts of cyberattacks tied to nation state groups that are really bad and that we need to be aware of. But I think we're getting a little carried away with this stuff because it seems like I get pitches, and I see blog posts and vendor reports and really long vendor reports that are about a subset of some nation state group that is, you know, attacking a small island nation that's doing something in -- no disrespect to the people and the government agencies of Vietnam. But, like, I don't know why a lot of this stuff really is that important to you, certainly our readership in the US but just big picture-wise. If they're not using novel techniques, if they're not doing anything that's especially, like, interesting that tips their hand about what they may be doing in the future that shows, oh, they've really advanced -- you know, North Korea has really advanced beyond just stealing cryptocurrency. 
They did something to this small country in Europe that really shows that their skill level has -- has risen dramatically and that their technique, they have new techniques. If we're just kind of churning out these reports and saying, Look at this. Look at this hack. Look. Oh, my God. They stole millions. Or they did X, Y, or Z to this small country. I don't really understand why that gets so much attention. I don't really understand why it needs to be broadcast at the level that it is right now. And it seems like there's so many reports out there, so much blogs and, you know, white papers and PDFs that end up in my inbox that are just about nation state hacks that are kind of mid-level, kind of -- kind of meh. And, again, I understand what the big picture is. I understand that there's a lot of threats. But it feels like, from a media perspective, that we're getting -- we're focusing a little too much on this stuff, focusing a little too much on hacks that are not very consequential, in my opinion, and don't really, like, illustrate what -- where this may be going and why it's applicable to the US and bigger picture, I guess so.
David Moulton: Yes. Rob, I'm going to switch gears to a couple of questions that I think will interest -- well, these will interest our listeners. So, in case you're not familiar, Joe Sullivan, the former security officer at Uber, was involved in a really significant legal case related to a data breach that occurred at that company in 2016. He was accused of covering up the breach, which compromised the personal information of 57 million users and drivers. And, instead of disclosing the breach to authorities, Sullivan allegedly arranged to pay the hackers $100,000 under the guise of the bug bounty program there at Uber, requiring them to sign a nondisclosure agreement. This incident led to his indictment and subsequent trial where he faced charges of obstruction of justice and misprision of a felony. And the case has highlighted the importance of transparency and proper disclosure practices in handling data breaches. I'm curious, what are your thoughts on the media's handling of Joe Sullivan's incident, and what lessons can the industry learn from it?
Rob Wright: We covered this pretty extensively as it was happening, and we wrote a number of articles at TechTarget at Search Security. We talked about it at length on our own podcast, the Risk and Repeat podcast. My feelings on it are pretty simple. I know that there are a lot of folks out there who feel like Joe Sullivan was railroaded, was -- was unfairly targeted. And I definitely think there's something to the questions. I mean, the judge in this case himself, I think, said at one point, I don't know why the Uber CEO, former Uber CEO isn't up here with Joe Sullivan. So there may be something to that. But what I've seen a lot of, especially after the conviction, was that, well, this sort of thing happens all the time. And I kind of just -- I roll my eyes at that because, well, number one, I don't think you can make the argument that Joe Sullivan didn't know any better.
Joe Sullivan is a former federal prosecutor. Yeah.
Rob Wright: He presumably knew the law. And I don't think you can sit there and say not with his track record and not with his experience that he didn't know you couldn't do that. He was -- he knew the company was under FTC order to disclose all this stuff. And, look. They didn't. And whose decision it was originally, who knows? It's not totally clear. But he played a role, and he made the decision. And he was convicted. And so, for the people out there who say that this sort of thing is done all the time, that's not an excuse to me. I -- just because there are a lot of -- and I have talked with people out there who have said off the record, yeah. I know for a fact that these companies did something similar. And so I absolutely believe that it does happen where companies turn around and just use their bug bounty to pay off a hacker in a breach that was definitely not a white hat hacker, definitely not an ethical hacker, definitely not a security researcher and did something that had nothing to do with the stuff that was in the scope of the bug bounty. Now, do I think the Joe Sullivan's conviction is going to have any effect on how people behave? Not one iota. Not one shred. There's -- there is no evidence that I've seen in talking with people that that has done anything to scare people straight. I think this sort of thing keeps going on. I think it -- there's all sorts of horrible disclosure practices out there. I mean, for crying out loud. Like, there was a news this summer that somebody paid $75 million to the DarkAngels ransomware group. Okay. I know Bloomberg came out. They had a report that said it was this pharmaceutical firm, Cencora. All we know is that is a top Fortune 50 company and that, you know, they paid $75 million. And we -- no one's disclosed the payment. No one's disclosed that they stole -- that DarkAngels stole 100 terabytes of data. We have no visibility into this. We have none. 
And the fact that an organization out there, a top 50, according to Zscaler, which found the payment, a Fortune 50 company, a public company with presumably billions in revenue can just turn around and pay 75 million to a ransomware, the biggest record-breaking known ransom payment and just not disclose it, not disclose the full scope of the attack, not say that they stole 100 terabytes of data, 100 terabytes of data. How long were these guys in this organization, and what type of data? Like, it's --
David Moulton: Yeah. Presumably, quite a while.
Rob Wright: It's amazing. We are just -- we are so bad at disclosure. We are so bad at transparency in this country. And I get it. There's tons of lawsuits. The minute a breach comes out, you have so many folks out there, class action lawsuits, all these law firms. So I get it. I get the trepidation that an organization is going to have about disclosing an attack of that nature. But, my God. You've got to do something. You can't just -- $75 million. And then, when the Joe Sullivan case, again, it doesn't feel like it's had any effect at all.
David Moulton: Yeah.
Rob Wright: Like, Apple --
David Moulton: No push to change bug bounty programs at all, either.
Rob Wright: No, no, no. And I've talked with the bug bounty guys that do these services. And it's like, hey. We try to tell them to do the right thing, and you can't do this. And, like, I know what they're telling them. But they know what's happening too. They know. I'm not saying they're complicit in the payoffs and the secrecy and all that stuff. They have no control over that, but it's bad. It's bad.
David Moulton: Rob, thanks for an awesome conversation today. I really, really appreciate you sharing your candid takes on the cybersecurity industry.
Rob Wright: Appreciate it. Thanks.
David Moulton: That's it for today. If you like what you heard, please subscribe wherever you listen. And leave us a review on Apple podcast or Spotify. Your reviews and feedback really do help us understand what you want to hear about. If you want to reach out to me directly about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller; our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure. Stay vigilant. Goodbye for now.