Cyber resiliency and national defense | Guest Georgianna "George" Shea
Today on Cyber Work, I’m introducing you to Dr. Georgianna, or “George” Shea, the chief technologist at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation. Shea finds new and developing technologies and develops pilot programs for implementation in a variety of locales, including DoD, the government sector and critical infrastructure. We talk about Shea's first taste of security, learn what it’s like to be knowledgeable in several dozen connected security spaces rather than being the all-knowing authority in one (and the knowledge that outside of the dozens you know, there are hundreds more to learn) and we answer the burning question: “Why don’t any of my interns know what NIST is?” All this, and some more talk about the security of the U.S. water supply (because you know I’m never going to stop asking about that), on today’s episode of Cyber Work!
0:00 - Cyber resilience
5:19 - George Shea's early cybersecurity interest
6:41 - How has cybersecurity changed in two decades?
8:53 - Learning cybersecurity in the early days
14:22 - Chief engineer at MITRE
21:00 - Work with the Foundation for Defense of Democracies
28:48 - Technology's pace versus policy
31:25 - Cyber-informed engineering
34:02 - Cybersecurity on old systems
35:29 - Cyber resilience and defense
41:41 - Working in cyber resiliency
44:01 - Why do so few know what NIST is?
48:36 - The current state of state security
54:33 - Best career advice
56:11 - Outro
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.
Transcript
Chris Sienko:
Cyber Work and Infosec would like to introduce you to our new Cybersecurity Beginner Immersive Boot Camps. They're designed to help you gain and enhance your expertise in the cybersecurity field. Join our live interactive virtual classes led by Infosec's highly skilled instructors, who will guide you through the material and provide real-time support. And, as part of Infosec's Immersives training, each student will have access to career coaching aimed at helping them start or switch to the cybersecurity field. You heard that right. We aren't here to just teach you the concept of what a security professional does. We want to prepare you to enter the job market with a competitive edge in six months' time. Now I've told you about Infosec certification boot camps, and if you're trying to hit your next career target and need a certification to do it, that's still your best bet. But if you're an entry-level cybersecurity professional or want to be, or you're switching your career and want to experience a career transformation, Infosec's immersive boot camps are designed to make you job ready in six months. To learn more, go to infosecinstitute.com/cyberwork, all one word, C-Y-B-E-R-W-O-R-K, and learn more about this exciting new way to immerse yourself in learning with Infosec. Now let's begin the show. Today on Cyber Work, I'm happy to introduce you to Dr. Georgianna, or George, Shea, the Chief Technologist at the Foundation for Defense of Democracies' Center on Cyber and Technology Innovation. George finds new and developing technologies and develops pilot programs for implementation in a variety of locales, including DOD, the government sector and critical infrastructure. We talk about George's first taste of security, learn what it's like to be knowledgeable in several dozen connected security spaces rather than being the all-knowing authority in one, and the knowledge that outside of the dozens you know there are hundreds more yet to learn.
And we answer George's most burning question of the moment why don't any of my interns know what NIST is? All this and some more talk about the security of the US water supply, because you know I'm never going to stop asking about that. All on today's episode of Cyber Work.
Chris Sienko:
Welcome to this week's episode of the Cyber Work podcast. My guests are a cross-section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends and how those trends affect the work of infosec professionals, as well as leave you with tips and advice for breaking in or moving up the ladder in the cybersecurity industry. My guest today is Dr. Georgianna, or George, Shea. She's a trailblazer in the realm of cybersecurity technology innovation and cyber resilience. Currently serving as the chief technologist at the Foundation for Defense of Democracies' Center on Cyber and Technology Innovation and Transformative Cyber Innovation Lab, George plays a pivotal role in identifying and implementing cutting-edge cybersecurity advancements applicable to the US government and the private sector. In her current capacity, she focuses on developing pilot projects that showcase viable technology and non-tech solutions.
Chris Sienko:
Dr. Shea brings a wealth of experience, having close to three decades spearheading cyber initiatives throughout the Department of Defense and other government organizations. Dr. Shea is a thought leader within her professional domain and actively contributes to industry and the community. She served on the Cyber Physical Systems Resilience Working Group under the President's Council of Advisors on Science and Technology, PCAST, and served as co-chair of the Project Governance Board on the OASIS Open DAD-CDM project, working toward establishing an international standard for a common data model for influence operations. Dr. Shea's reach also extends to the private sector, where she lends her invaluable insights as an advisory board member at American Binary, Cybeats and the CyberHero vCISO Network. Her strategic guidance and visionary thinking contribute to advancing cutting-edge cybersecurity solutions, enabling organizations to stay ahead of emerging threats. So today, George and I are going to be talking about cyber resiliency, a term that she sort of introduced me to here, in terms of how it is being used with the government and within our international defense capabilities. So thank you very much for joining me today, George, and welcome to Cyber Work.
George Shea:
Thank you for having me. It's good to be here.
Chris Sienko:
Thank you. So, George, to help our listeners get to know you better, boy, you have an incredible background there. So where did you first get interested in computers and technology, and later cybersecurity? What was the initial excitement, the initial spark?
George Shea:
I don't know if there was an initial spark or interest. I was going to college and majoring in math. I like math, and I saw that I could get a computer science degree quicker than the math degree because the math degree required a foreign language, which would then take four consecutive years of taking that language, whereas with computer science I was already taking a bunch of computer science under the math major and I could finish quicker.
George Shea:
So yeah, and this, of course, was, you know, decades ago, so it didn't have the, I guess, appeal and open knowledge that people currently have of it. So I just thought, oh well, computer science sounds interesting and sounds like it would apply to a lot of things, so I'll do that.
Chris Sienko:
Can you talk about that difference? You know, I think we talk about that all the time, in the way that a lot of people who have been in the industry for a couple of decades, you know, sort of saw this industry being built, kind of like a Wild West town or whatever, built from the ground up. You know, like it was started from nothing. What was cybersecurity like when you started, and how's it different now?
George Shea:
Oh, so I started in 1999, I guess was my first job, and it was the stand-up of the CERTs. Under the US government, they started protection of critical infrastructure. There were a couple of things that had happened. They decided, oh, we need to start protecting our networks. So it was new to everyone, and they had stood up the different CERTs within the Department of Defense, the Computer Emergency Response Teams, and I was hired as a contractor out in PACOM as a part of their initial team.
George Shea:
We need 10 people to set up this organization, and we're looking for a computer scientist, we're looking for an engineer, we're looking for a mathematician, we're looking for people with military knowledge. And I had been enlisted in the Army, so that was a perk for me. I had a math minor and my major was in computer science. So I went in, I interviewed for the position, and it was pretty much, okay, here's our job. We need to protect the networks. And here's RealSecure, the intrusion detection system. Figure it out.
George Shea:
So there was no "Here's your SOP. Here's your onboarding training." Here's any type of experience, just figure it out. We're getting reports, we're getting logs, figure out what's normal, what's not normal, figure out what needs to be looked at, figure out what's going on. And it was so early in the day that I remember the chief of the PACOM CERT there had given me, you know, the company credit card or government credit card and said, go to the bookstore, back when they had bookstores, and buy all the books you can on, it wasn't even called cybersecurity, on computer security. And I went there and there was one book. It was Stephen Northcutt's analyst notebook on Snort. So that was the only book there. Now if you go to Amazon or any bookstore, you're going to find an entire section dedicated to cybersecurity. So that really kind of is where I started, where there's absolutely no reference, and now there's a lot of references.
Chris Sienko:
Well, in the last week, you're my second guest who said that very same thing. David Lee, who's big in identity and access management, said that he basically got into it because a previous boss dropped five books into his lap and said, all right, I'm leaving for two weeks. At the end of six months you need to have the IAM system set up, and I don't know how to do it, but you're going to learn now. So, yeah, I mean, can you talk about just that process of figuring it out? Like, what was the sort of learning curve, what were some of the setbacks, and do you remember anything about that particular experience?
George Shea:
I do. It was very exciting because, you know, the way my initial job worked, I would go in, I would look at the logs, and I don't think people understand how much data comes in in logs. So when they said, oh, you could just find it in your log book, no, there's a ton of data that you're looking at, and there was a triage process that we had set up. And then it's kind of you figuring out what are you going to look at, what are you going to focus on. And there's no CISA, there's no CISA alerts, there's nothing pointing you to what you need to be looking at. There wasn't the collaboration that exists today. So it was really like a big puzzle. So it was very exciting.
George Shea:
From the very beginning, you got to jump in and figure things out, and I would notice these different patterns within just network traffic. Like, oh, I saw this IP three weeks ago, also on Monday, doing the same weird thing, and it's just showing up one time, whereas, you know, on the logs maybe something else is showing up like a hundred times, so it looks like that's really happening a lot. But you have to understand, well, what is the traffic? What's going on? What's normal, what's not normal, right? So it was just really exciting from the beginning, and it was, maybe I shouldn't say this, but I'll tell you.
George Shea:
I was, you know, working on the Pacific Theater area, and so I would see things and intimately get to know what's going on. So I kind of knew this is somebody doing remote work someplace, because I would, you know, call and track down the system administrators: hey, I'm seeing this, what's going on? And every Tuesday I expect to see this. But then I got so familiar with some of the actual traffic that I could go through and figure out what I'm seeing, but I don't know why it's happening. And I would then write up the reports to send to the headquarters back in DC for the entire, this was under Army, the entire Army network, and I was expecting that they were digging into the details.
George Shea:
I later then moved to the DC area and I was the person that was now receiving the reports from those people, and I thought, oh, no, yeah, no, they're not looking at the details, because they're being swamped with other things and they also have only three people for the entire world, not just one theater. So the more you went up the chain of command, the less things got looked at, and it just got thrown into a database someplace. So I was kind of really expecting that. In the notes section of our incident reports, I would put in a lot of extra information and say, hey, this relates to this other incident or this relates to this thing, and there's some correlation here, they're happening on the same day. And then I was pretty disappointed when I got to the headquarters. I'm like, yeah, no one's looking at that.
Chris Sienko:
They're looking at, what's a category
George Shea:
one thing, and then they're looking at those.
Chris Sienko:
Yeah, we have our hands full with other things, and you're like, no, but really, this thing is happening every Tuesday at 11 o'clock. Yeah, no, I think that's such a really interesting, I mean, it seems like kind of a dream in terms of, you know, you just don't have any guardrails, but at the same time you have sort of, you know, nothing. But in terms of, like, there's not this immediate threat, but you're also, you know, looking at everything and free to sort of, like you know, follow each of these little sort of threads, like you said, a giant picture puzzle. So you're learning sort of bits and bits and bits.
George Shea:
It was a lot of fun. Not to, you know, stay too long on this one question, but, you know, later in my career I was then the person going out and reviewing these types of organizations, like, what are you doing for your defensive cyber operations? And, you know, I would go and talk to some of the folks sitting there at the console where I started. They're like, well, I wait for the red button to come on. I'm like, what?
George Shea:
Like, I wait for it to tell me what's going on. I'm like, what? It made no sense to me, because you have to have a natural curiosity and you really have to dig into it. So I think that I was very privileged, in fact, that I got to see the "you need to figure it out, and then technology is there to support you." But I still underline that: understand the underlying technology. You need to know what are the configurations, what are they picking up on, where is this coming from? And that's not necessarily what everyone understands. When they're put in that seat, they're told, all right, when this red light goes off, then you do this. Now it's time to go to work.
Chris Sienko:
Yeah, well, I'm glad you told that story, because it's a really good separation of the types of cybersecurity professionals that we're trying to create versus the way that sometimes they come through, which is: I've learned all the things in the book, I've learned the proper way to do it, and if the solution is not within this narrow confine, then clearly it's impossible. There's no sort of lateral thinking or whatever. There's no sort of thinking about why I do it. Similarly, if this thing happens, then I launch this tool, and if this happens, I launch this tool. But again, there's no sort of thinking behind it in between.
Chris Sienko:
Yeah, your particular example and David's with IAM, like, you're both having to think not just why does this lead to this, but also sort of how does this whole ecosystem work? And I think that's such good advice for people getting into this: it's one thing to know your job, but there's another reason to know the why of your job, you know. So, yeah, I want to talk a little bit about one of your job roles that's on LinkedIn here. You know, I like to go through and deep dive people's careers because it's a great sort of conversational starting point, but I wanted to ask about your 12 years as chief engineer at MITRE. So can you talk about what you did there and how your decade plus of being immersed in these huge matrices of vulnerabilities and attack paths and exploitations informs your current work?
George Shea:
Sure. So I started with MITRE, and I think I was originally more of a systems engineer, so I was building systems. I had come from a computer operations intelligence background, defensive cyber background, and now I was building the system. So my initial job wasn't necessarily security; it was how do you build it, what are the requirements, what is the process, what is the systems engineering V and how does that work, the verification and validation. So I think that was great. But then when you're in a company like MITRE, or a defense contracting company where you have various sponsors, you then work on various projects. So I went from systems engineering to supporting some of the space programs. I supported US Marine Corps programs, I supported cybercrime with the Department of Justice, I did some stuff with the Department of Energy and compliance, and honestly, I was kind of torn during my career because I would move around to different areas, including cybersecurity, testing, evaluation, and you find that you get on a project and
George Shea:
I know absolutely nothing about this project. I worked on GPS for a couple of years, and I worked with people who'd been working GPS for their entire career, 15 years. They know GPS inside and out, and I'm just learning that GPS is a type of GNSS system and there's others out there. I'm like, oh okay, well, that's news to me. So it's all new and you have a lot of spin-up. So you find it to be, I guess, if you can stay with one project for a long time, you become the expert there.
George Shea:
But as you move around from project to project, there's some real uncomfortable ramp-up that you have to do. No idea what you're talking about, no idea what these acronyms are. Just, you know, talk to me like I'm a kindergartner. But then at the end of the year, I always tell myself, end of the year, I'm going to have this, I'll be an expert in it, I'll definitely know more than I did walking into it. So that's going to be great. So, you know, from a career standpoint within the organization, I don't know if that was good or bad, because I would say I was never on a project for 10 years at a time, like the long-time expert there.
George Shea:
I was always sort of the newer person, or I'd been there for a couple of years, but that actually worked out really well for me when I left MITRE, and now I'm at a think tank, because I really pull on that wide spectrum of experiences that I've had. And when I say wide spectrum, like I said, it's been supporting cybercrime, cyber intelligence, cyber engineering, test and evaluation, compliance, risk management, some information operations, electronic warfare, and all of these things work together. And it's difficult when you're on a learning path, "I want to learn cyber," to realize how all of these things fit together. And then they really do drive where you end up and who's going to hire you, because maybe you have no healthcare experience and you'd want to go work at a hospital. So, you know, while I was at MITRE, I got to work on a couple of, you know, VA projects as well, so I got exposed to a lot of things, which was wonderful.
Chris Sienko:
Well, yeah, what I was going to say with regards to that, I mean, I'm thinking specifically, I guess, of the MITRE ATT&CK matrix, but also MITRE as a whole. I just imagine that being in the situation where you're moving from, you know, place to place, like you said, it's always kind of your first day at work, always "explain it to me like I'm, you know, in kindergarten" or whatever. But, like, I imagine it's something like the security equivalent of a guitar player sitting down with a book of guitar chords and scales and just memorizing, because you're learning every conceivable type of vulnerability, every type of attack surface, every type of, and so, like, now that you're working for a think tank, I imagine that you don't have to sit there and call to mind or look up, well, what is this, what does this do, or whatever. Like, you have this sort of interconnected knowledge.
George Shea:
It's funny, because it's almost like speaking different languages, and when I talk to someone I have to figure out, okay, what language are you speaking? Because I can talk to someone and they'll say something about CNA and OT, and I'm like, wait, wait, are you saying C and A like certification and accreditation, or are you saying C and A like computer network attack? And when you say OT, are we talking operational test, or are we talking about operational technologies? And sometimes with these acronyms it sounds like you could be doing a certification and accreditation of operational technologies, but you're really talking about a computer network attack for an operational test. Totally different meanings.
Chris Sienko:
Yeah, that's interesting. Yeah, well, I was going to say too, again, I think your example of all the different teams that you've gone through while working at MITRE is also kind of like two different ways to look at a career. Like, the person that's been, you know, doing GPS for 15 years is an expert in GPS, for sure, but they also don't have the sort of, like you know, chain of experiences in all these different places that you have, where you have some experience in 20 things, whereas they're, like, a subject matter expert in one or two or three things. So, you know, I think those are things that beginners to the industry need to think about: which of those sounds more appealing to you?
George Shea:
And I'll point out, you know, since you said 20, I'll say, okay, I have expertise in 20 things and exposure there, where someone else might have one, but that's 20 out of 100 things. So this is specifically my support to the Department of Defense. So nowhere in the Department of Defense are we looking at PCI compliance. Nowhere in defense are we looking at NERC and FERC kinds of cyber requirements there either. So there's different sectors of critical infrastructure that have their own language and understanding, so it's a huge field.
Chris Sienko:
Huge field, yeah. Well, but again it's worth noting that even within a huge field you can still be a broad generalist and still only see, like, a small part of the field, and that to hyper-specialize means almost to sort of sequester yourself into, you know, one very, very tiny corner of the field. So, you know, again, choices to be made at the training or learning level, and of course you can always change later in life. So I guess I was going to ask you about teaching at the higher ed level, but I think, since you mentioned the Transformative Cyber Innovation Lab and sort of your current work, can you talk about your work with the Foundation for Defense of Democracies and what TCIL does?
George Shea:
Sure. So TCIL, the Transformative Cyber Innovation Lab, is a subset of the cyber department at FDD, and FDD is a think tank in the DC area that focuses on foreign policy and national security. So my job is to look at the technologies that are out there, technologies, processes, methods, that can enhance cybersecurity for the sake of national security. So maybe it's underutilized technology, or not so well understood, or an emerging technology, or even a process. It could be a process as well. So I will, you know, kind of find those things and then run a pilot project to demonstrate the utility of that, and then promote it and give recommendations on how it can be used at a broader spectrum. And one of my favorite examples is a pilot I did a couple of years ago with SBOM, the Software Bill of Materials.
George Shea:
I joined FDD right around SolarWinds. So, you know, I looked at the SolarWinds attack, and it was a supply chain issue. And to me this is always kind of strange, and again it goes back to who the audience is. You hear a lot about, well, now there's a supply chain issue and it's a big new deal. It's always been there. That's not a big deal.
Chris Sienko:
It's always been there.
George Shea:
But now it's getting actual attention. So I started a project focusing on SolarWinds and kind of getting into the broader spectrum of supply chain. And, having just come from OSD's test and evaluation under DOD and looking at supply chain and how you do test and evaluation, I was pretty familiar with, okay, how do you test and evaluate the supply chain for your critical components, your systems, and it wasn't really impressive, honestly. So I started digging into the SBOM, your software bill of materials, and thought, well, that would give some transparency, that would be fantastic. So I ran a pilot project identifying what it is, describing, you know, how you make it, what you can do with it, and then deriving the intelligence from it.
George Shea:
So not just a list of your software, not just a list of who those developers are on the software, but who was this developer? Oh, maybe this is a Chinese hacker in the PLA that wrote this piece of software and then put it in GitHub. So do you want that in your software? Yeah, right, because that's not something that the end user, and in this case I'll just say, you know, DOD, if they were getting it, would have looked at or seen. They're looking at software packages that they acquire from defense companies, and they slap their name on it, but 80% of all software is open source software. So where is that open source software coming from?
Chris Sienko:
And so if you can go through and just have that. Going back to your thing before about how you had these detailed reports about all these things that were happening at a low level, like, they don't have time to sit there and look at every little thing on GitHub, I imagine. So that's, yeah, I think that's a really good, I'm sorry, please continue, but it just reminded me of that. Yeah, yeah.
George Shea:
So it's exciting kind of building out that understanding of the risk you may be taking by incorporating these pieces. Not saying don't use it, not saying do use it, just saying know what it is you're using. That's the point. And so my pilot went through and demonstrated some of the issues, I guess the goodness of SBOMs, and then I included a bunch of recommendations in there, one being to update the cyber survivability KPPs within the acquisition process for DOD to include requesting an SBOM from their defense industrial base customers. And they did, so that was very exciting. It also ended up in the National Defense Authorization Act in its draft form a couple of years ago, and I've gotten very involved with the SBOM community under CISA. So it's an area that I've seen grow and take off, and now they're implementing it into various guidance, medical device pre-market guidance, where they've required the use of SBOMs.
George Shea:
NIST has gone through and published guidance on SBOMs and the secure software development framework. So I've been able to kind of see that grow, and I feel like I was able to contribute to it by promoting, like, here is a, maybe not a solution, but definitely a tool to help with the transparency of your supply chain. So that's my favorite example. I also work on multiple pilots, depending on, you know, where the interest is that I have and who I can find to partner with me, because it's usually a coalition of the willing, so I'll partner with a company or individuals, find experts. Right now I'm doing some stuff with quantum computing and what that looks like for cyber professionals. I'm not a quantum expert, so I've got to find those people, partner with them, and we develop these projects together.
Chris Sienko:
Now, just jumping back to the beginning of what you said there, in terms of you find these projects that are out there, you do pilot projects based on things that you like. What is your sort of discoverability path? Like, how are you finding these things? Are you reading the trades? Are you sort of scouring people who are innovating new things? Are you going to conferences? Like, what is the sort of pathway to something landing on George's desk and going, oh, this is interesting, we should try and work on this?
George Shea:
Yeah, well, there's a couple of different ways. I try to network with people as much as possible, and so, you know, especially practitioners. Like, it's great to talk to the CEO or the general or the congressman or whoever's the high level, but that really doesn't help me. I really want to talk to the guy turning the wrench, the guy that was me 30 years ago sitting at the console saying, I'm seeing this every Tuesday but nobody seems to care, and I'm putting this in the detailed notes section but nobody's reading it. So, you know, I want to talk to that person, the person who understands what's going on and where the gaps are and how things can be improved. Not the person who's beating the "this is the compliance drum that we have to meet," but the one that says, why are we doing it this way, or what about this other thing?
George Shea:
So I do a good bit of networking with people, and then I also follow the news, what's going on, the major attacks, and see how did this happen? And then how could it have been mitigated, and what could you have done to better prepare people? And then, of course, just following evolving technologies as well. So I guess there's not a set way. I'll take any path to a pilot, yeah.
Chris Sienko:
No matter the guest. You know, and we just have we keep hammering this home for people who want to get into cybersecurity is that you're always going to have to be reading and you're always going to have to be learning and you're going to be looking everywhere and you're going to be grabbing from everything, and that's just the way it is.
Chris Sienko:
So I this may have already been sort of answered by you, but I want to make sure that I have it right. But you know your CV, obviously. You said I find to nurture technologically feasible, testable pilot projects. You know, and our mission is to help shorten the lag between idea and piloting and between piloting and the adoption. Are there any particular reasons for lags between idea and piloting that you're able to sort of clear out the way? Like, is this the sort of thing where maybe these departments sort of know about it but oh, we don't have time or we're looking at other things right now and you're kind of expediting things for them, or is there a certain red tape that you're cutting through, or how does that work exactly?
George Shea:
Well, I'm trying to give the topic exposure so that policy is super slow. Technology is way faster than policy. So you know we constantly have new advances in technology, new types of attacks, new threats to cybersecurity, the AI, you know, coming in. How is that affecting you know, cyber, cybersecurity, cybersecurity practices? And then the policy side usually comes in after there's, you know, lessons learned, observations, people bring it up. It's not immediate. So there's that, you know, gap there of you know feeling the pain and then someone doing something about it.
George Shea:
And when I say someone doing something about it, I mean like a legislative or policy or this is what everyone has to do. Because, um, it goes back, I guess, to the compliance piece. I think compliance is great, but it's it's not an end-all, be-all, it's a, it's a minimum standard of a baseline for what we've learned historically. But things are constantly changing, so you constantly have that and and new emerging stuff. So I try to shorten that time from the new emerging stuff to the decision maker and you go through and run these pilots and demonstrate. Ok, here are some recommendations.
Chris Sienko:
Yeah, oh, fantastic. Ok, yeah, that makes sense. It's more or less what I was hoping to hear. So obviously you have your feelers in a lot of different directions, but one of the things that we talked about in our pre-episode conversation one of your current projects is something that you called cyber-informed engineering. Is that something you can explain the concept in brief for our listeners? Because it sounds sort of like to me, like DevSecOps, but for engineering and ICS infrastructure. Is it kind of like that, where you're just sort of pre-baking the security into something that's not necessarily a security framework?
George Shea:
Yeah, absolutely. I don't think I've ever heard it phrased that way. But yeah, that's exactly, that's a great, that's a great comparison.
George Shea:
So, cyber-informed engineering is actually a project or a program that was developed under Idaho National Laboratory. There's a book on cyber-informed engineering by Andy Bochman and Sarah Freeman, but in general it gets to understanding the possible cyber impact, cyber attack impacts on a system before you build it, so before you actually develop the requirements. So in my experience with systems engineering and requirements, you get the requirements, you build the system and then there was a requirement and then make it cybersecurity, which means you go through and you add your NIST 800.
Chris Sienko:
You're throwing tinsel on the Christmas tree at that point? Yeah, you're still like okay.
George Shea:
But if you take a step back and you determine, okay, we're going to build this thing, how do we ensure its resilience, how do we ensure that it's going to function and meet its mission regardless of a cyber attack, then the engineers can actually go through and re-engineer it so that it can perform and it can withstand those types of cyber attacks, and that could be anything from building segmentation or redesigning it so that it's not as susceptible to certain type of attacks.
George Shea:
I'll give you a great example. In the water industry you might have a city's water that gets chemicals put in it, like fluoride, and so a hacker could break into the system and then dump that little reservoir of chemicals into the water so that it becomes a lethal dose and then poison or kill the entire town. But if you're the engineer building that system, you could say, well, what if the cup just held a non-lethal dosage of chemicals? So instead of dripping out some of the chemicals, you now change the processes and you dump the chemicals once a day versus once a week. And now, even if a hacker comes in, goes through your system and is able to dump that reservoir of chemicals into the water, no one's dead, no one's poisoned, because it's never a lethal dosage, it's never beyond a safe amount.
Chris Sienko:
Now, yeah, that's. I mean that, that lines up well. We had a previous guest, Robin Berthier, who was talking about specific things like that, where, you know, instead of looking at the sort of cyber incident things that are happening, you're looking at maybe different timings and the mechanics of the sort of what you know. Like you're, you're seeing the problems not in terms of like this packet is coming in or this thing is being breached, but, like you said, the cup containing the chemicals is being poured out too quickly. What's going on over there, kind of thing.
Chris Sienko:
So now you specifically said that this is, you know, in the sense of building the system with the security in mind. Is this something also that you can kind of retrofit to existing infrastructure? Because I know that's a big thing. Is a lot of these legacy systems 20, 30, 40 years old and really hard to sort of figure out how to secure? You know things that are still running on. You know decades old mainframes or you know just sort of actively resist that type of cyber tinkering. Does this work in that regard as well?
George Shea:
Well, every system is a special unicorn, that's what.
George Shea:
I've learned in cybersecurity. So that's why there's a lot of guidelines and not mandates, because, well, this is a special one, so you can't do that, or this is special, you can't do that, so there's guidelines for it. So, yes, you can retrofit some systems, some you can't. But then you can also be aware of the issues and build the securities around it. I like to harp on just ensuring the resilience of the systems. So you know, beyond the cybersecurity piece of it, but knowing what those critical components are, what the mission is, what the expected minimal viable output is or process is, and ensuring that you meet that and then determining that you have the protections, the processes, the reserves, whatever you may need, to always be able to meet that mission requirement.
Chris Sienko:
Yeah, you said the R word, resilience. I'm wondering, and that's come, that's, that's come up, you know, that's, that's, I guess, even more so than, you know, cyber-informed engineering, like cyber resilience seems to be your sort of reason for being, your umbrella, sort of like what you bring to the world. Can you talk about that? Cyber resilience as it relates to defense, to infrastructure, to state and local, all the different things that you use it for. What? What is? What does cyber resilience mean broadly?
George Shea:
It means being able to accomplish the mission regardless of a cyber attack or natural disaster or some adverse condition that may be affecting the system or the organization. So, in cybersecurity terms, you focus on the protect, protect, respond, restore. You focus on the controls, you focus on the compliance, and that starts to become sometimes a little separated from the actual mission. So you may be pushing like, OK, we need to put up this firewall or make sure no one can get through, but the sad inevitability is someone's going to get through. If a, you know, a sophisticated nation state is motivated enough to target you, or you just be, you're just unlucky enough to be in their range of IPs that they scanned and you look vulnerable, then you're going to be compromised. You know, it's almost, you will be compromised. So prepare for that. Don't, don't, don't keep putting all the effort into trying to not be compromised. You know, start putting effort into we're going to be compromised. How do we get through it? How do we continue business as usual?
Chris Sienko:
Right, yeah, and again I think that goes, goes well as a, as a piece with the cyber informed engineering of you know, if something happens, if, uh, you know if the, the, the, the, the trip, trip, wire trips, and you know the chemicals fall out, like what, what is? What are the sort of like physical backups, and so you're basically sort of like talking like a series of you know fail safes or or you know blast door. I don't know. I'm using weird movie metaphors because I don't know. I don't know what we're talking about, but is that kind of what I'm what I'm hearing Like as long as you know? So you know, because it sounds like it connects to everything from like endpoint security to you know it does.
George Shea:
Yeah, it really does.
Chris Sienko:
It's like the big picture of all that.
George Shea:
It is, and I'll, I'll mention a report I was able to work on last year that was published this year and you mentioned it in my bio. It's the PCAST, the President's Council of Advisors on Science and Technology, recommendations on cyber-physical systems resilience. That was given to the president earlier this year and we focused on how do we ensure cyber-physical systems stay resilient, and when it's cyber-physical systems, before we were talking about DOD, that's usually a lot of it cybersecurity. So is my network working or my office systems working? Is the data good? But when I say cyber-physical systems, I'm, I'm talking more of those, those operational technologies that are, you know, running a factory, that are, you know, running the energy sector, that are running the water sector, that are, you know, producing some type of physical output. So when those things stop, our, you know, our life as we know it completely changes. The Colonial Pipeline, cyber-physical systems. We no longer get gas. You know, a hospital? OK, we no longer get, well, I mean a hospital, and there's these OT systems within a hospital.
Chris Sienko:
They do their own water stuff but it could be as bad as an emergency room or as little as you know. The other day I had to, you know, take my paper prescription to the because that you know, my, my, my hospital system got ransomwared and their, their online prescription system is not working. So it's Right, all kinds of different ways that can hit, yeah.
George Shea:
So on the OT side, that operational side, where there's a sort of kinetic output, some machine that's doing something, it's important to have the resilience there, like I said, the cyber-informed engineering. So you built those systems from the beginning to withstand these types of attacks. Establishing the public-private partnership, because it's really interesting when you get into the governance side of this and the recovery side of this and you start to think, well, what if there was some type of major cyber disruption? And you go again. I know your audience might be predominantly DOD, so outside of DOD a lot of critical infrastructure is privately owned. So you don't have a commander someplace under the direction of a general someplace and do this for everyone. You have an energy sector that's comprised of privately owned companies with their own CEOs that have their own level of, uh, prioritization on what they're going to do and how they're going to do it. And, um, they, they need a good relationship with the government. So in the time of, OK, there's no more energy in the United States, there's a massive blackout, so how does the government work with those companies to ensure we can bring that back up and we have that coalition?
George Shea:
There's also other aspects of resilience besides the public private partnerships, the cyber informed engineering, the identifying within critical infrastructure in your systems. You know what are those critical components, what is the supply chain of those. I use the example of a flux capacitor because I think people understand what that means. If your flux capacitor goes out, that's going to be a lot different than blowing a tire. It's going to be easier to replace the tire or fix the tire. Then, oh no, it's a flux capacitor.
George Shea:
So do you have a stockpile of those? Who are you getting those from? What does that look? How long is it going to take to replace the flux capacitor? So you know, once you start to incorporate that into your system, then you can start to have that ensured resilience for your mission. And you really only get that by identifying that, that critical path of um. You know what is that minimal, viable piece of what you have to do, that minimal, viable um, um, um, uh, object, uh, uh. What is the word? Uh, um? Your objective, you know. So, yeah, ensuring that you you're putting out the what you need to in an emergency for service or product.
Chris Sienko:
Okay. So I guess, pulling back a layer again, because, you know, our listeners are sort of window shopping some of their, their future careers and so forth, and obviously you've had, you know, I think, a fairly interesting and idiosyncratic sort of way to get where you were. But like thinking in terms of like cyber resiliency as something that you, you work on and think about and do and implement with, you know, the government, DoD, defense, whatever, military, what would be a career path to that? Now, like, where, where would you see someone who is doing this job in 25 years? Where, where are they starting right now? What are the sort of like building blocks of knowledge? I mean, do you think it does require that sort of circuit rider mentality of like, you know, a couple of months at each of these different places and being, coming in a generalist and different things? Or, or, or, but what? What do you think?
George Shea:
Well, yes, no, I mean, it depends on where they want to be, what they're going to have to pull from for that, but they definitely have to have an understanding of the current landscape. So what is out there? What are the systems? How are things done from a policy standpoint? What is being enforced to be done from a practitioner standpoint? How are they doing it? And then you know identifying those, those gaps, and and then you know looking for those solutions that can then ensure the resilience piece of it. So it's, it's. It's really just understanding the ecosystem of the system.
Chris Sienko:
Right, okay, so, but and to do that, I assume you're going to have to really kind of go deep in terms of how all these systems work and the sort of nuts and bolts of it, and it's, it's, it's not just a policy thing. You really need to understand why these machines are doing what they're doing and so forth.
George Shea:
Yeah, I mean, it would be great if there was a just basic 101. This is how you can do it. But yeah, like I said, every system is a unicorn, so so this system is dependent on these three systems, and then this other system is dependent on this system, and then you have to have these you know, people's processes and technologies to make all these things happen. So it becomes a very delicate balancing act of ensuring all these things continue. And then what if something doesn't happen? Right then how do you overcome that? So it's, uh, yeah, yeah, just just really getting to know, like whatever system you're working on okay, that's good.
Chris Sienko:
Yeah, no, I just wanted to do that, as you know, to sort of distinguish it from things like, uh, you know, GRC or privacy, where you don't necessarily need to know the guts of the machine to do, you know, policy and compliance things, or threat, threat modeling or what have you. So but this is definitely something where, like, like OT and like ICS, like you really need to like know every single piece of why the machine that goes beep goes beep and so forth. So I wanted to, I wanted to talk about advice for students and young professionals, because one of the things you said in our pre-show conversation that stuck with me enough to quote it was, why don't any of my interns know what NIST is? So tell our listeners why you don't want your internship supervisor to express incredulity that you, quote, don't know NIST, and why knowing about the languages of the industries you choose to work in is so crucial at the novice level.
George Shea:
Yeah. So, uh, having, you know, taught at a couple of different colleges myself, I've, I think NIST might've been like an in-passing word in the approved curriculum that you, that you're given to teach the students, and I, you know, I, I would harp on this because I know it's the practitioner's, um, you know, desktop reference to everything, uh, cybersecurity, and a lot of these, of these things aren't necessarily, you don't have to recreate the wheel every single time. And so when you discover NIST, you realize, oh, there's an entire catalog of guidance out there for you name it, and they have a guidance catalog there and they regularly update it. So, whatever books you're getting in schools, those are sometimes a little outdated and they don't necessarily come from the practitioner standpoint. For when you get out and you get a job, they're going to expect that you meet a national standard, and that's what NIST is, the national standard for what you're supposed to be doing. So, you know, I think some people, even in just basic terminology, you'll say something like, well, what are your security controls that you're adding here? Or critical infrastructure, and they may not realize, no, there's an entire catalog of controls. Like that's not a word I'm using, like not in general, like you can pick up the catalog and go through, here's hundreds of controls, and specifically identify AC-1, AC-2, AC-3. These are the controls I was talking about, where they might think it was just a general term. So if you know that's the origin of the language, then just go to the origin and start educating yourself there.
George Shea:
If you have a question about software development, go to the secure software development framework document. If you have questions about controls, go to the controls document. If you have questions about, well, how do you do test and evaluation assessments? Great, go to the 800-53A, you know, go to the assessment document. Risk management, go to the 800-37. So, so these are the, the current national standards of how things should be done. My, my, my college years were, you know, decades ago. I took C++, assembly. Some, you know, things I don't even use anymore. I still have some of the books on my shelf. They're all outdated. I mean, they're good to have, it's good to know, but it's not current and it's not the standard. So just, you know, go right to the source of where the standards are coming from.
Chris Sienko:
Yeah, yeah, absolutely. Do you have any advice on, on kind of getting quickly up to speed? If you're, you know, realizing that someone above you is, is expressing incredulity that you don't know the list of controls or whatever, like, like, how do you sort of make sure that you're, you know, that you know by the next day you're like, okay, now I know what you're talking about. I'm not a dumb dumb anymore here. But do you have any advice for getting up to speed in the sort of like the language of whatever industry you're working in in that regard, whether it's GDPR, HIPAA, NIST, DoD framework?
George Shea:
Yeah, I would say, you know, identify where you are, what sector are you in, what area of critical infrastructure. And again, when I say sector, there's 16 identified sectors of critical infrastructure. It's not just a general word I'm using. And then each of those sectors has a sector risk management agency that then, you know, puts out guidance on this is how you should be doing stuff, or this is the, you know, risk management for that sector. So definitely understand the policies, the guidance, what the sector is being told to do, what the existing direction is, and then from there it'll point you to, you know, like HIPAA is going to point you to areas in NIST and NIST goes through and gives you information on that. So understand the governance side of where you are so then you can meet that governance requirement.
Chris Sienko:
Perfect. So I guess I want to, as we start to wrap up for the day here, I want to get some of your insights from working with PCAST and having the ear of the White House and other governmental entities. What are your thoughts on the current pace and state of security and cybersecurity directives being handed down to achieve things like, say, universal asset management from non-military government agencies or full zero trust system for DOD or whatever the current state of CMMC is? Do you think these directives and timelines and sort of accelerated things are useful or feasible? And if you had the magic gavel, is there anything you would do differently in this area in terms of getting cyber resilience sort of going faster?
George Shea:
Yeah, that's a big question. So I will point you to the PCAST report that I was able to work on, because we had four high-level recommendations for resilience there, things like better public-private partnership, identifying those minimal, viable objectives of your organization, your system, incorporating cyber-informed engineering, having the supply chain piece, knowing what those critical components are. So I guess I would recommend enforcing the recommendations that we came up with, because I think they were great recommendations. One recommendation I'll highlight was the development of a national cyber observatory so that the government can have an understanding of, like a digital twin of what critical infrastructure looks like in terms of the security posture. Because, you know, in my time with DOD testing, evaluation, it's always interesting. You, you have the requirements, you know, meet these requirements for cybersecurity, your, your RMF, your controls, your vulnerability assessments, your software development. So you go through and you meet all of those, but you still have, you know, gaps in areas that the adversary can take advantage of. So, so, collectively, looking at that and seeing, okay, this is how we look from the adversary. Each of these different sectors and programs and systems might be, you know, they focus a lot on ensuring the cybersecurity, but there's not a lot of effort put into following the attack surface area of the system or the sector, and what a sophisticated adversary, let's just say China, who's been looking at the system for the past three years and following it, what they may know. They know who the contractors are, they know what the requirements are, they know what systems you're using, and it's really not one person's position to pull all that stuff together. So the National Cyber Observatory is, you know, a recommendation to go through and, you know, identify those, just sort of a representation of how we look.
George Shea:
And when I say how we look, it's also important to understand that there's an uneven distribution of talent and resources towards cybersecurity within each of the different 16 sectors of critical infrastructure. So the Department of Defense, it's, it's, it's fantastic. I mean, you can, you could point out a lot of, you know, I guess, you know, bad sides of it, or it's not perfect, but I would say it's definitely leading the way because they're a well-funded organization and if they, you know, want to do something, they're funded to do that. However, when you get to things like, you know, the water industry, the energy, that, that, that is not funded necessarily by the government, and again it's the CEO who's looking at day. What are my, what are my priorities? We're making money based off of customers, so why am I going to spend an exorbitant amount of money on cybersecurity when the risk is low? So it may not get the attention that it may need or they may not have the talent that they may need, because you're not recruiting people in from, let's just say, an army base of training where you know absolutely nothing and they train you. It's, no, you need to come here with experience, so it's a little harder to find the talent.
George Shea:
So there's definitely an uneven distribution of talent throughout the entire, you know, critical infrastructure paradigm. So it's, you know, good to sort of identify what that looks like and even it up where, where possible, so that it meets the threats. Because when I mean, do you want to go without water, or do you want to go without transportation, or do you want to go without defense? Like, like you pick, like where do you want your, your, your resources to be? And then at the end of the day, you're like, well, I like having water, I mean, and I need water for energy, and I like having, like, the lights on. So at the end of the day, I really want all of those sectors to work. But again, varying levels of susceptibility to cyber attack.
Chris Sienko:
Yeah, and I mean you said something at the beginning of the program about how they're always saying, oh, this is a new development, or this is the newest threat, or whatever, and you're like, this has been, GPS has known, this has been going on for 15 years or whatever.
George Shea:
And.
Chris Sienko:
I feel like infrastructure is going to be the next one, especially water and power is going to be the next one that we're going to hear on the news like a brand new threat of you know, security compromises at water plants is happening. It's like I've been talking to people for five years and it's been going on at least twice that that people are like sweating and, you know, drinking and the things trying to figure out like what's next here. You know, because you know, when you read, you know press releases from EPA, that you know they're getting a huge $7.5 billion, like you know, to help rural water programs. It's like that's pocket change. You know, like I mean, these are, like you said, very tight margins and for very, very important things. So I don't know, I think that's good advice, but do you have any like final thoughts on sort of evening up these different funding of these different agencies?
George Shea:
Well, in our PCAST report we included in there a recommendation to go through that ensure that all sector risk management agencies are properly resourced and funded and they have the resources to ensure we have the critical infrastructure that we need.
Chris Sienko:
Yeah, absolutely. All right. Well, I'm going to let you go in here a bit here, but before we go, George, I just wanted to ask you something I ask all our guests. What is the best piece of career advice you've ever received?
George Shea:
You know, I, I thought about this. I, I don't really know. I would say network, but I, I would say when I was told to network, I didn't network. You know, I worked within a company. I would talk to my boss, I worked on a project, so I would say my, you know, my world was very small. You know, I worked, and MITRE is a big company, so it was there.
George Shea:
But, you know, now that I'm, you know, with a think tank, it's, I don't have a MITRE organization where I have cyber experts. I, I literally have to network with other people and reach out to other companies. So, and there's nothing, you know, I look back and like there's nothing that prevented me from doing that in the past. I just, I just didn't.
George Shea:
So I would highly recommend people start, you know, start doing that. I used to, um, you know, see, see an issue or a problem and have an idea and then you bring it to your boss or your manager. They're like, well, that's not in scope, we're not here to solve world hunger. Like that's great, but not on our dime. Like this is what we're doing today, this is what the sponsor wants. So there's no again. That's, there's no reason why you can't continue the exploration of those ideas, or write them down or, you know, get together with people online LinkedIn is great to you know continue that exploration and development of your ideas and thoughts. So I would say, don't be hindered or don't be, you know, bounded by where you are.
Chris Sienko:
Yeah, and by what the sort of scope of your current work is, I suppose. Yeah, that's real, that's great advice. So we're just out of time here, but before we go, George, you're involved with an astonishing range of boards, panels, advisory groups, freelance writer, educator. If there's anything about yourself or your work that you'd like to tell our listeners about, now's the time to do so.
George Shea:
OK, well, I'm fortunate to work for FDD, the Foundation for Defense of Democracies. You know, as a think tank we're, we're funded through U.S. philanthropy. So because of that, I don't have the, the sponsor looking over my shoulder saying, no, I want you to work on this. I get to work on those emerging technologies issues, and so I guess I would say it's, it's, it's, it's a fantastic freedom that I have, and if anyone wanted to contribute to FDD, that would be fantastic, whether through philanthropy or a pilot project working with me, that's also fantastic. So I guess that's it.
Chris Sienko:
Great. Well, one last question for all the marbles here. If our listeners want to learn more about you, George Shea, beyond what they've learned on today's episode, maybe you'd have some writing online or whatever. Where should, where should they look for you?
George Shea:
You can look me up on LinkedIn, and also FDD has a website, fdd.org, and then you can go to people, look me up there, and I think all of my FDD publications are posted there. If, if people reach out to me on LinkedIn, I try to. I don't always get around to it, but I'll usually ask if we can meet in person, just so I can understand, what are you working on? This is what I'm working on. How can we possibly collaborate? Are you a real person, you know? Just to-.
Chris Sienko:
Oh, yeah, exactly. Are you going to waste my time, or are you not? Yeah?
George Shea:
Or are you just a fake person? Sometimes there's fake profiles, so that's true, yeah. From this actual, real-life person.
Chris Sienko:
Astonishing number of those, unfortunately. Well, thank you so much, George. I really enjoyed getting to know you and learning about your work.
George Shea:
Well, thank you for having me.
Chris Sienko:
All right, and thank you to everyone who is watching and listening and writing into Cyber Work with feedback every week. If you have any topics you'd like us to cover or guests you'd like to see on the show, feel free to drop them in the comments. Don't forget infosecinstitute.com/free, where you can get a whole bunch of free and exclusive stuff for Cyber Work listeners, including our free cybersecurity talent development ebook. You'll find in-depth training plans and strategies for the 12 most common security roles, including SOC analyst, pen tester, cloud security engineer, integration risk analyst, privacy manager, secure coder, ICS professional and more. That's infosecinstitute.com/free and the link is in the description below. One last time, thank you to George Shea and thank you all for watching and listening. This is Chris Sienko signing off. Until next time, happy learning.