Resilient Cyber brings listeners discussions from a variety of Cybersecurity and Information Technology (IT) Subject Matter Experts (SME) across the Public and Private domains from a variety of industries. As we watch the increased digitalization of our society, striving for a secure and resilient ecosystem is paramount.
S5E3: Patrick Garrity - Vulnerability Research, Management and Visualizations
Nikki - I wanted to ask you first what got you so passionate about vulnerability management - what was it that first sparked your curiosity and interest in security research?
Nikki - You do a lot of awesome graphics and visualizations of vulnerability data from both CISA KEV and around types of CVEs - what kind of statistics do you think are most important for security practitioners to know - and on the other side, what is most important for executives to understand?
Chris - You've now begun to even start to submit known exploited vulnerabilities to CISA to be added to the KEV, can you tell us about that experience, how you're identifying them and how the process has been?
Chris - We talk a lot about the need for vulnerability context, going beyond CVSS and using things such as KEV and EPSS. In your work, how do you see organizations leveraging context to help vulnerability prioritization?
Nikki - We know that organizations could have a backlog of up to 10k vulnerabilities - based on some recent statistics. Where do organizations start? How do they get a handle on vulnerability management?
Chris - What are some other trends you see in Vulnerability Management that organizations can use to start to get a handle on things?
Chris - You've made the transition from marketing to vulnerability research, visualization and some would say industry leader. Can you speak about the journey and advice for others looking to follow a similar path?
Nikki - What's next for you - besides being the pre-eminent vulnerability researcher in this space?
S5E2: Scott Piper - Modern Cloud Security and Resilience
Chris: First off, you've been knee deep in CloudSec for several years now, watching trends, incidents and the industry evolve. Where do you think we've made the most headway, and where do you think we still have the largest gaps to close?
Nikki: I'm really interested in multi-cloud environments and security - because of the connectivity potential between separate cloud providers. What do you think organizations should be most concerned with when looking at using multiple cloud providers?
Chris: You recently contributed to a report with the Atlantic Council about the systemic risks of Cloud and Critical Infrastructure. Can you speak on that a bit? What are your thoughts about systemic risks as more and more of our critical infrastructure and national security systems become reliant on cloud?
Chris: While we know most cloud security incidents are due to customer misconfigurations, we've recently seen some major hyperscaler CSPs experience some very damaging incidents that impacted many. Do you think these incidents are causing some organizations and industries to second guess their plans for cloud adoption or lead to trust issues in Cloud?
Nikki: One of my biggest concerns in cloud environments is Identity and Access Management (IAM) - especially in complex development environments. What are some of the major configuration challenges around IAM in cloud?
Nikki: What is your favorite cloud security statistic?
Nikki: I have to bring in the people angle - do you think that current tech teams have the skills and tools they need to manage cloud environments? Do you have any references or skills you recommend as teams build bigger cloud environments?
Chris: On the people front, we know misconfigurations reign supreme for cloud security incidents. Do you think organizations are waking up to the reality that they have to invest in their workforce when it comes to adopting technologies such as Cloud?
Chris: We know you have your fwd:cloudsec event which has become an industry staple for learning and information sharing on cloud security. How did the event come about and what does the future look like for it?
S5E1: Amit Elazari - Convergence of Technology & Digital Policy
- For those who haven't met you yet or come across your work, can you tell us a bit about your background?
- First off, tell us a bit about OpenPolicy, what is the organization's mission and why did you found it?
- Why do you think it's important for there to be tight collaboration and open communication between businesses, startups and policy makers?
- Some often say that policy is written by those unfamiliar with the technology it governs or the impact of the regulation and it has unintended consequences. Do you think this occurs and how do we go about avoiding it?
- You were recently involved in the launch of the U.S. Cyber Trust Mark program launch for IoT labeling, can you tell us a bit about that?
- We're seeing increased calls and efforts for regulating technology and software, especially around software supply chain security, Secure-by-Design products and not leaving risk to the consumers. How do we balance the regulatory push without stifling innovation, which is often the concern?
- I recently saw you launch your own show and interview Jim Dempsey, who I've interviewed in the past. Among other topics, you all touched on the recent SEC rule changes and the increased push for cybersecurity to be a key consideration and activity for governing publicly traded companies. Why do you think we're seeing such a push?
- For those looking to learn more about Open Policy, and your efforts around digital policy and regulation, where can folks learn more and potentially even get involved?
S4E24: Michael McLaughlin & Bill Holstein - Battlefield Cyber
- First off, for those unfamiliar with this problem and situation, what exactly is the challenge here, and why should more people be paying attention to this?
- What do you say to those who may say this is just something occurring in the digital realm, and not a physical or real threat? Given the ubiquity of software, this seems short-sighted, no?
- In the book, you touch on malicious actors using U.S. based infrastructure to attack U.S. targets, a topic that was touched on in the NCS, can you expand on that and the challenges with addressing it, particularly in the cloud?
- There's fears that these adversaries are looking to persist in U.S. based systems and infrastructure in advance of future conflicts. What could be some of the ramifications of this in the future, and how do we go about rooting out these threats in the here and now?
- The Defense Industrial Base (DIB) is often called the "soft underbelly" of the DoD. We've seen increased targeting of the DIB by malicious actors and nation states and the emergence of efforts such as NIST 800-171 and now CMMC. How do we go about ensuring improved security posture of the DIB while balancing the cost and burden on SMBs and further constraining the diversity and resiliency of a DIB supplier base?
- On the flip side, we see the DoD, IC and Federal Government with deep dependencies on a small handful of technology companies, some, even despite continued exploitation and vulnerabilities impacting these agencies. How do we go about addressing this elephant in the room and demand stronger security outcomes and performance from these critical suppliers, especially with their massive financial and political clout?
- Much of these activities occur below the threshold of traditional "declarations or acts of war". How do we get our leadership to realize we're already at war, but in a new paradigm?
- You guys talk about how everyone with an internet connection is essentially on the battlefield. How do we address that reality while balancing aspects of our society that are unique, such as freedom and privacy? Citizens continue to use software and applications that expose their data, that of their employers, and in some cases, even that of the DoD and national security. How do we go about better informing and engaging the citizenry on this front?
- Another aspect you touch on is that this isn't just a technical issue, but there are efforts such as misinformation to degrade trust in our institutions, sow resentment and stoke the flames of divisiveness in our society. These threats are likely even more concerning, as we tear ourselves apart internally. What are your thoughts on this front?
S4E23: Michael Klipstein - Cybersecurity from Sea to Space
Nikki - In addition to your Senior Policy Advisor role, you are also part of several academic institutions, including one we have in common - Capitol Technology University. Can you talk a little bit about why you wanted to be involved in the technical and academic side? Have there been any benefits you've seen in academia that you've brought to the military space, or vice versa?
Nikki - We're seeing a ton in the news about software supply chain security, zero trust, AI/ML - but not necessarily how they relate to warfare or protecting our critical assets (critical infrastructure). Why do you think we haven't seen as much in this space and what are some of the major risks you're concerned with at the moment?
Chris - We know you've contributed to the National Maritime Cybersecurity Plan - why is it so critical to protect maritime activities from a cybersecurity and national security perspective and how do you see this going so far, since the plan was originally published in 2020?
Chris - Switching from sea, we know you've contributed to some analysis and reporting from FDD on how space systems should be designated as critical infrastructure. Can you explain why that is, and where we have gaps currently?
Nikki - We recently were talking about the US Cyberspace Solarium Commission and you mentioned you contributed to their report on the designation of space systems as critical infrastructure. Do you think we're missing a cyber space command or more legislation/guidance around this area?
Nikki - On the topic of space and cyber, when it comes to critical infrastructure I think we're still lacking in a number of areas for detection/response for critical infrastructure. What are some IR considerations or potentially research we need in this space?
Chris - In a previous role you served as the Director of International Cybersecurity Policy. International cyber activities and policies were also emphasized in the recent National Cyber Strategy. Can you tell us a bit about that experience and why international collaboration is key in the cybersecurity realm?
Nikki - Since you went to UMD - I have to ask. Are you getting some MD crabs this summer?
What does cyber resiliency mean to you?
S4E22: Omkhar Arasaratnam - OSS and OpenSSF
You are now at the Open Source Security Foundation - but you have a ton of experience (even as a former IBMer) from Google, to JPMorgan, and financial institutions through architecture, management, and engineering. Can you talk a little bit about your leadership journey?
Let's dig into OpenSSF a bit more - we're only seeing an increase in software supply chain attacks - what is driving the OpenSSF and any particular threats you're concerned with at the moment?
We know the OpenSSF has focused heavily on securing OSS and the ecosystem and even launched the OSS Security Mobilization Plan. Are you able to talk a bit about that plan and what it hopes to accomplish?
OpenSSF is obviously one of several organizations such as OWASP and others helping to provide valuable resources to the industry to tackle these challenges. Are you able to speak about any active collaborations with other organizations or institutions, academia etc. or how organizations can look to collaborate with the OpenSSF?
You are also a Fellow at the Center for Cybersecurity at the NYU Tandon school. Both Chris and I are also Fellows (at different organizations) - can you talk a little bit about what a Fellow does and how you got involved?
Where can organizations really start though? With so many vulnerabilities, libraries, dependencies, and managing software and infrastructure, it is incredibly cumbersome for organizations to get a handle on what to work on first. Where do software teams start?
Coming off of Father's Day, I noticed your LinkedIn tagline leads with Dad and Husband. How have you found success in balancing those critical roles and responsibilities while still pursuing your professional endeavors and aspirations?
What does cyber resiliency mean to you?
A must listen!!
If you’re doing cybersecurity for the USA—you HAVE to add this podcast.