Podcast

Frenemies With Benefits

Jul 17, 2025

Threat Vector | Frenemies With Benefits


Join Michael Sikorski and Michael Daniel on Threat Vector for a deep dive into cybersecurity collaboration. They discuss how competing companies and governments can work together. Learn about the Cyber Threat Alliance (CTA) and its role in sharing threat intelligence. The episode explores the challenges of trust and incentives. It covers topics from WannaCry to the impact of AI on defenses. Gain insights into responsible vulnerability disclosure. Understand public-private partnerships. Discover why collaboration is vital for global cybersecurity. This discussion offers key takeaways for security leaders.
Links: Palo Alto Networks blog archive for WannaCry

 





Transcript

 

Michael Daniel: Cybersecurity is not impossible. The truth is that you can actually materially reduce your cybersecurity risk, and there are things that we could do at the systemic level to reduce our cybersecurity risk as a society. We are not helpless in the face of this threat. There are a lot of opportunities out there for us to do that. There are things like CTA that help with that. There are policy changes we could make. There are things that companies can do. We are not defenseless or helpless in the face of this malicious activity.

 

Michael Sikorski: Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. Today, I'm speaking with Michael Daniel, president and CEO of the Cyber Threat Alliance and former White House Cybersecurity Coordinator. Today we're going to talk about the strange but vital world of cybersecurity collaboration in an episode we're calling frenemies with benefits, which I think is really fun. Michael brings more than two decades of public sector experience, including leadership at the Office of Management and Budget, and as the top cyber advisor to the President. Since 2017, he's been building bridges between cybersecurity competitors and government agencies through the Cyber Threat Alliance, an organization that promotes real-time threat intel sharing among security vendors. I'm also a member of the board of the Cyber Threat Alliance, so I actually get to see Michael and really work a lot with him on this topic of collaboration. And this episode is all about trust or the lack of it in cybersecurity. Is collaboration across companies and countries actually working, or is it more just something we're doing to be polite in a world of competing incentives, intellectual property battles, revenue goals, quarter-to-quarter life of public companies. And Michael's unique -- uniquely positioned to answer these questions, since he's had to navigate this for quite some time. So, Michael, welcome.

 

Michael Daniel: No. Thank you for having me.

 

Michael Sikorski: Yeah. We're here in the New York City office, Palo Alto Networks, looking at the great view. A little bit of a gray day, but we see the clock tower out the window. Before we dive into the hard questions, you've been leading the CTA, Cyber Threat Alliance, for over eight years now. Looking back, what -- what moment stands out to you as the first time you felt, okay, this is working?

 

Michael Daniel: Yeah. When I think about that, to me, one of the early signs of that was during the WannaCry incident, that we were able to get a lot of different member companies on a call simultaneously and have them talk about what they were seeing and what they were not seeing. And, at the beginning of WannaCry, everybody thought that that was being spread by an email vector. And, when we assembled the different CTA members on the call and everybody started saying what they were seeing, and nobody was finding an email vector for WannaCry, and it was one of those things that you could almost feel it around the room of like, wait a minute. If nobody among this set of people is seeing an email vector, maybe there's not an email vector. And so it really prompted everyone to go look in a different direction. And that was one of the first times that I realized that, like, this model could actually -- could actually work.

 

Michael Sikorski: Yeah. Sort of like coming together amongst minds of, like, something that's really breaking and hitting the world hard like WannaCry. I mean, that was spreading like wildfire throughout networks, right?

 

Michael Daniel: Yeah.

 

Michael Sikorski: And the way it was spreading with the worm aspect of it was pretty interesting. But, also, to see a ransomware attack spread like that, we -- I don't think we've seen one like that recently. We haven't -- I want to start with like a basic premise is, like, why is the collaboration so hard? Is it cultural? Is it technical? Like, what do you see on that front?

 

Michael Daniel: Some of it is technical, but not very much. You know, you do -- in order to actually do sharing and -- and to do it at more than kind of one off, you know, I mean, it's fairly easy to, you know, one time have an analyst at the Acme Company send a spreadsheet of stuff over to, you know, his buddy at the XYZ Company, right? But, if you want to do it with regularity, if you want to do it at scale, if you want to keep it going over an extended period of time, then you've got to build some technical infrastructure to do that. And you need some -- for example, you need some technical standards, things like the structured threat intelligence exchange, right, a way to standardize the sharing of information. But that's really only one small part of it. A lot of the barriers are more cultural. They're more legal. They're both real and perceived barriers. There's, you know, concerns about, like, well, is this where my -- I'm actually making my money, right? Is this -- are there liability concerns that we might -- might we have some downsides to sharing.

 

Michael Sikorski: Customer exposure.

 

Michael Daniel: Customer exposure. Right. And, again, these things are not always, you know, myths or fake. I mean, some of them are legitimate concerns. And so you've got to build the right guardrails into the sharing in order to get everybody comfortable. So there's a lot of friction. And then I would say the other thing is that sharing is very rarely anybody's main job, right? It's usually their fifth or sixth priority in their job jar. And that makes it hard for people to prioritize it and to get to it. And so, when you see it work, it's usually because somebody has made it a priority. An executive somewhere has made it a priority for it to happen. Otherwise, too many other things just get in the way.

 

Michael Sikorski: I also was thinking of, like, how does the Cyber Threat Alliance and what we're doing and, specifically, our collective defense model, you know, how does that relate to some of these other sharing models that we've seen out there, the ISACs; JCDC, for which we're a member, you know, with Homeland Security, obviously. Like, how does their model differ from ours? And, you know -- you know, how does that look? And then, also, what is one misconception people have about the Cyber Threat Alliance's mission as it pertains to those?

 

Michael Daniel: Yeah. A lot of times I would say, well, CTA, if you think of us as an ISAC for the cybersecurity industry, that would not be too far off. The -- I always say that the Cyber Threat Alliance is aimed at entities that are providing cybersecurity services to others. So cybersecurity companies like Palo Alto Networks but also the cybersecurity arms of telecommunication companies or platform providers, those sorts of things. And, really, the reason for that is because that's a set of entities that really do need to be sharing lots of technical data with each other at very large volumes. And that's really some of the CTA's stock and trade, right, is focusing on that. We are not focused on a particular industry vertical, which a lot of ISACs -- well, we are. It's just the cybersecurity industry as opposed to, like, a critical infrastructure sector vertical like, you know, financial services or energy. So really, that's kind of our space in the -- in the -- in the ecosystem as we try to occupy that -- that space, which really nobody, no other entity was really occupying before CTA, before CTA came along. So that's really how I see, you know, what CTA is and what we -- you know, and what we do. We also try to work with, you know, how do you actually get that collaboration built with the government? One of the things that we made a decision very early on for CTA was that we wanted it to be focused on the private sector, for what the private sector could do, and that governments can't be direct members of CTA. And that was deliberately designed to give some space in there, to make it so that it wasn't -- so that it didn't seem like governments had captured CTA and that CTA was doing a government's bidding, right? But, obviously, we have a lot of partnerships and work with responsible governments around the world. And so that, I think, is an important part of the -- you know, important part of the equation.

 

Michael Sikorski: Yeah. No. I -- I think it's one of those things where -- you know, where -- that's how I describe it, too, is, like, we're sort of an ISAC focused with the cybersecurity companies. One thing I also think about with the ISACs is, yes, they are industry vertical aligned. But they're -- you know, now that I've been doing much more involved with collaboration since I've been in Unit 42 those last few years, I do start to realize that there's a lot of overlap between industries. Like, especially if you take out, like, okay. You're doing an OT environment, or you have a point of sale system. These things that are very unique to different industries. If you take that out of the equation, a lot of the attacks are somewhat similar.

 

Michael Daniel: Yeah.

 

Michael Sikorski: Because you look at these ransomware gangs. They're looking to encrypt everyone. They're looking to harass everyone. They're looking to extort anyone they can for money. It's not necessarily like, Oh, well, I'm going to extort the retail industry different than I'm going to extort the manufacturing industry, right?

 

Michael Daniel: Yeah.

 

Michael Sikorski: And, again, once you -- once you account for the different -- differing technologies. One, I want to change topics a little bit to the -- you know, talking about incentives. You know, one thing that everybody always asks me when I talk about the CTA is, like, your competitors. You know, as the leader of the CTA, how do you convince, you know, new members to come on board and share that intel, you know, where they do have to be making sure there's no business risk, there's no liability and things like that but also the fact that we're just naturally competitors and we have that in our nature.

 

Michael Daniel: Sure. So there's a few answers to that. One is that virtually no one really makes their money off of providing threat indicators, right? Like, you don't go to customers and, like, say, Here's a bunch of indicators for you. Good luck with that. Right? Like, that's not really anybody's business model. The --

 

Michael Sikorski: There might be a few out there.

 

Michael Daniel: Maybe a few, but --

 

Michael Sikorski: Certainly nobody at the size of members of the CTA, right?

 

Michael Daniel: And so, instead, what you're really competing on is what you do with the threat intelligence, right? You are competing on the basis of my technology is better, my customer service is better, my understanding of your industry is better, right? And so, in that, when you look at it that way, if you have access to more knowledge, right, and you're using that knowledge to fuel your protections, to fuel your customer service, to fuel your knowledge of an industry, having more of that knowledge makes you more competitive. Yes. At the same time, it also helps the ecosystem and your competitor. But, at one level, what I say is we're actually raising the competition up off of what we know, which is kind of the base level, up higher in the value chain. So that's actually better off for companies because you're more competitive. It's better off for the ecosystem because that competition is happening at a higher level. And, oh. By the way, more of that protection is being spread, so everybody's protections are better off. So my argument is that, actually, the sharing, in fact, makes the entire ecosystem better off and more competitive at the same time. It's a little bit of a counterintuitive idea until you really understand how cybersecurity companies work and how they use information to do what it is that they do. And the other thing is that we built some very strong protections into CTA. So, for example, we have an antitrust compliance statement that we say at the beginning of every meeting, right, that, you know, one of the things we talk about is threats and what the bad guys are doing. One of the things that we do not talk about are products, prices, and anything related to a future roadmap for our members, right? So there's a whole set of things that are off limits to CTA members to talk about. If you're inside the bubble of what you can talk about, that's great. You've got all sorts of protections around that. And, by the way, members really like that because it helps, like -- you know, make it clear what's allowable and what's not.

 

Michael Sikorski: Right.

 

Michael Daniel: If it's outside of that, we don't talk about it. And that also gives our member companies a lot of comfort because the rules are very clear about what's in scope and what's out of scope.

 

Michael Sikorski: One thing we've introduced, I'd say, more on the recent side, obviously, we've been sharing indicators and signatures and all these kinds of things that we can do and then collaborate on big events, like you mentioned WannaCry. We've also been doing early sharing of our publishing.

 

Michael Daniel: Yeah.

 

Michael Sikorski: I particularly have found that very useful of getting access to know when my competitors are going to publish something in a few days. So we -- in the CTA, for those that aren't familiar, is that we share. Hey, we're going to be publishing this to the world, sometimes with more notice, sometimes with less notice, depending on the sensitivity of -- of the research. This could be a threat research article, a paper, a blog, whatever, a tweet. Could be anything. And one thing we -- we take a look at is it lets us get prepared.

 

Michael Daniel: Yep.

 

Michael Sikorski: I mean, one of the things that I often get bombarded with is, Hey. You know, Fortinet or Check Point or whoever it is just published this research. What does Unit 42 know about it?

 

Michael Daniel: Right.

 

Michael Sikorski: Do we have protections for our customers, and that's like the first question I get when somebody publishes research very often. But, by being in the CTA, I'm able to get advance notice of that, get my protections in place, and have an answer for that question when it comes. It's not, Wait. What did they publish? I didn't even -- I read --

 

Michael Daniel: Right.

 

Michael Sikorski: I read it after my -- you know, my leadership. No. Instead, oh. We already know about it. We've already accounted for it, and we're right there in play. So I found that to be, you know, one of the big value adds that we've had in the last -- I don't know. When did we roll that out? Like, a year and a half ago?

 

Michael Daniel: No. Two years.

 

Michael Sikorski: Two years, three years ago.

 

Michael Daniel: Yeah. Four years. Yeah.

 

Michael Sikorski: Four years. So even predated me.

 

Michael Daniel: Yeah. Definitely. But it's gotten -- you know.

 

Michael Sikorski: It's ratcheted up as far as the amount.

 

Michael Daniel: Yes. As the volume -- and we've been steadily trying to increase it over the last few years because our members find it valuable in exactly the way that you just described. And, again, it doesn't actually detract from -- you know, part of it is, you know, we were talking about what makes CTA work and some of that. And some of it is that we've built this trust space, right, and that we have been very -- you know, from the CTA staff side, we're very ruthless in our sort of approach to being fair among our members, right, that we treat all of our members equally. But we are also -- you know, people respect the embargo, right, that comes with those early shares. And everybody knows that, like, if you violate that embargo, like, that's toast. And everybody finds that -- that having that access, that early heads up, the ability to prepare, very valuable. And, again, it doesn't detract from anybody's ability to get press, to get coverage. But it enables the whole ecosystem to prepare better, which, again, is -- only makes everybody better off.

 

Michael Sikorski: Right. And what do we see attackers do, right? Yes, there's the nation state threats who often have the zero days early, who often have them hour early and all that. But then once -- once the -- either the POC comes out or a publishing comes out and it gets all attention on it, then we see everybody else latch onto that style of attack, right? Very quickly too. We often talk about it; it's within hours when we talk about it. We say 42 to 72 -- or 48 to 72 hours is what we say in Unit 42 when something's published before other attackers start jumping on the bandwagon. So getting early access is almost needed to have those defenses in place in time --

 

Michael Daniel: Right.

 

Michael Sikorski: -- which I think is -- is really cool. And I think we've also, you know, gamified the situation. A lot of people say, How do you make sure people are sharing? Well, we gamified it, right, to say you get points for doing certain things. And then you get to stay in the club, essentially, is the way I look at it to -- by sharing more and more. One thing I wanted to mention and talk about is sort of this concept of the CTA is like a family in a way. I mean, sounds a little cheesy to say that, but I do feel that way, in that we do look out for each other. We do want things to be done in a right way. And, when I say that, I mean from an ethical standpoint. I think people, you know, can weaponize things that are happening at different vendors in a way that is not appropriate. And, you know, we have a way of sort of looking out for each other. I found that, you know, when I've seen something in somebody's research and I -- and I don't, you know, see something that maybe doesn't look right, everybody in the CTA seems very welcome to, like, feedback and then quickly changing things. I don't know. You know, one thing we've -- we've recently formed is sort of, I don't know. What are we calling it? Was it like an ethical pact of some sort?

 

Michael Daniel: Yeah.

 

Michael Sikorski: Where we -- we've all sort of agreed to be a part of thinking about things in this way. Do you want to just describe that briefly --

 

Michael Daniel: Yeah.

 

Michael Sikorski: -- because I really was a fan of it.

 

Michael Daniel: Sure. So, you know, there's a long-standing sort of tradition and methodology for disclosing vulnerabilities has emerged, right? So there's the responsible vulnerability disclosure process that most places have. So, you know, if you're a researcher and you find a vulnerability, there's a process that you're supposed to go through before you just flop that vulnerability out there for everybody to see, right.

 

Michael Sikorski: Yes. Right.

 

Michael Daniel: Because the bad guys take it and use it, right? You're supposed to -- you know, the ethical way to do it is you contact the vendor, and you give them some time to fix it and other things. Now, if they totally blow you off, then eventually you -- you know you're within your rights to go publish, right? But there's this whole body of sort of ethical behavior that's built up around the disclosure of --

 

Michael Sikorski: Which not everybody follows.

 

Michael Daniel: Which not everybody follows, but it has become widely accepted across the industry, right? So what we did within CTA was we said, okay. Once that's out there, though, we also need to have a responsible way of talking about those vulnerabilities because the truth is that every software, every piece of software out there has vulnerabilities. Every cybersecurity company product has vulnerabilities that have been discovered at one time or another and so that we should -- as an industry, we should not try to immediately use the fact that one vendor has had a vulnerability disclosed about their product to point fingers and say, ha-ha. They had a vulnerability. And now you should come get our stuff because we're better, right? Because the truth is, the next day, it'll be your turn, right?

 

Michael Sikorski: That's right.

 

Michael Daniel: And so what we -- what we did within the CTA was we said, okay. We're going to -- we're going to have a policy that our members are going to sign up to that says this is how you -- this is how you talk about vulnerabilities in a competitor's product in a responsible manner. And notice it doesn't mean that you don't talk about it because it is entirely legitimate for a researcher to say, Hey. I have seen the adversaries use the vulnerability in the Acme firewall in this way, right? But there's a way to do that kind of research and publish that research in a responsible way where, A, you give Acme Company heads up that you're going to -- you know, you tell them that you're doing this. They don't get a veto over it, but you just tell them that you're -- you're doing this. And there's a way to talk about it in a manner that's not sensationalist, that focuses on how the adversaries are actually using the vulnerability. And so what we've tried to do is say we're going to have a process. We're going to have a policy for how you talk about these disclosed vulnerabilities in a responsible way that, again, improves the security of the overall ecosystem because we need the research on those vulnerabilities. We need companies to fix them. We need to know how the bad guys are using them. But we need to not, like, catch each other and, you know, the friendly crossfire.

 

Michael Sikorski: That's right.

 

Michael Daniel: Like, keep the -- keep the -- keep the -- keep the weapons pointed at the bad guys.

 

Michael Sikorski: I wanted to kind of pivot a little bit. I know we've been talking about the CTA and sharing and what we do there. Kind of want to talk about some of your experience as well. So, when we talk about public-private collaboration, going back to your White House days and beyond, is like, you know, I feel -- and I'd love to hear your opinion is that the government has gotten better at trusting the industry, at trusting the private. Do you agree with that thought?

 

Michael Daniel: Yeah. No. I think the -- I think very much so. The government, the US government, in particular, has matured a lot over the last, you know, 15 to 20 years. I think some of that is because the private sector has also matured, right, that there's been growth in -- you know, on both sides. And my own view is that some of what we've been seeing is the development of an understanding of where does the private sector bring comparative advantage versus where does the federal government bring comparative advantage? And they're in different places, and that's what opens up the opportunity, I think, in particular for public-private collaboration is because different elements bring different things to the table. Now, there are also some cultural issues that make it often challenging to execute on these kinds of collaborations, but I think there's a greater capacity on both sides to do that.

 

Michael Sikorski: What do you think is the thing -- I don't want to say it's -- that's broken. Or I would say more like what do you see is like the best way we could improve the US government's approach to cyber partnerships? Like, what is the thing, like, if you had a magic wand and you were in charge of all, all partnerships with the government of private across the US government, what would be, like, you know, either one or two things that you would -- you would quickly think about either changing or enacting?

 

Michael Daniel: Yeah. I mean, I think one of the things that I would say is one of the struggles that the federal government has is that we have worked very hard over decades to make sure that there are a lot of rules inside the federal government for how it treats the private sector and to treat the private sector equitably. And what this has translated to is that, if you are working with one entity in the private sector, you've got to work with all of them equally. And the truth is that, in cybersecurity, not all companies are created equal. And some parts, some entities in the ecosystem are more important in certain situations than others. And so --

 

Michael Sikorski: Based on the technology deployed worldwide, based on their visibility, based on their expertise.

 

Michael Daniel: Absolutely. Yes. These are based on very what I would almost say are objective factors, right? This is not about preference, you know, based on who's friends with who but it's based on the technology, the infrastructure, the capabilities, right? And the federal government needs to be able to have a better ability to say, look. I'm going to collaborate with this set of entities in this case for this reason. And, no, we're not going to have to let everybody and their cousin into this collaboration because they don't bring enough to the table, right? And that's really hard on the federal government side right now.

 

Michael Sikorski: Because it could feel like you're picking favorites? Is that why?

 

Michael Daniel: That's right. And seen as picking favorites. And it's like, no. We're not picking favorites. We're picking the entities that can actually do something to, you know, make a meaningful difference. And if you've ever been in any sort of collaborative exercise, then you know that, as you get bigger, it gets harder and harder to do the collaboration. And you reach a certain point, and it becomes almost impossible. And so that, to me, is really one of the, you know, key sort of factors that we have to take into account and that the government needs to have a better ability to process. I think, on the private sector side, there needs to be a better understanding of the fact that the government operates under certain constraints that a private sector company will never operate under and that not all of this is just about bureaucracy, that it's about very real reasons for why we want the government to not be picking favorites in most situations, right?

 

Michael Sikorski: Right.

 

Michael Daniel: And that we want the government to operate in certain ways, and so that imposes some constraints on how the government operates that private sector companies don't have to follow. And it means that it's not because the government is stupid or because they're incompetent or lazy. It's because they operate under a different set of rules. And so we need to bring a lot more of that understanding to the collaborations and have respect for the constraints. And, again, and that also works -- the government also needs to understand that, in many of these cases, the -- when a private sector company is collaborating and working with them, every minute that they're spending working on this thing with the government, they're not making money.

 

Michael Sikorski: I want to flip the question a little bit on collaboration and think about, you know, when does collaboration not make sense? When, right, are there situations where the risk of sharing outweighs the benefits that you see as being correct?

 

Michael Daniel: I think there's more situations where collaboration, where it really is very rare that collaboration can't come along at some point in the process, right? There are definitely times when there is a need for secrecy, right? There are certain operations that the government -- on the government side. You know, for example, if they're going to, ultimately, the end of the day, for example, if the government is going to, you know, execute a, you know, operation against a -- you know, a foreign country or law enforcement is going to execute an operation, then at a certain point there's limited collaboration that can occur because there's just some constraints. There's a need for secrecy. There's other things like that. Similarly, there are times when companies need to protect their intellectual property. They need to protect customer data, right? It's inappropriate to ask a company to share something, for example, where to share it would inevitably reveal the customer, right, unless the customer is, you know, comfortable with that. So there are definitely constraints on it in that sense.

 

Michael Sikorski: I wanted to ask you, you know, one of the things that happened back at RSA, there was a talk given, US government side about there would be -- sort of I think a lot of people were wondering if some of the -- how the sharing in public-private would be going under the new administration. I think there was an announcement -- you could correct me if I'm wrong -- about the fact that the liabilities and protections for companies for the sharing is still in place into the future. Is that -- is that a true statement?

 

Michael Daniel: So, yes. However, the legislative authority that underpins that is called the Cybersecurity Information Sharing Act of 2015, and it is up for renewal this year. It needs to be reauthorized. And so one of the big pushes that we're working on is to get Congress to reauthorize that statute. It expires on September 30 of 2025, and we need Congress to reauthorize that statute. Yes, there are probably some improvements that could be made to it. But, right now, we just need them to reauthorize that statute so that we don't go back to a pre-2015 sharing world.

 

Michael Sikorski: Right because then companies won't have the protections in place that -- if they were to share. And, particularly, I think some of the real value we've had is people talking about the attacks that they're dealing with.

 

Michael Daniel: Yes.

 

Michael Sikorski: I think there's been tremendous value, that. I think saying that you're dealing with an incident response in your environment is something nobody talked about 20 years ago, ever. You swept it under the rug. You talk to your -- maybe your lawyer. If you will, talk to your lawyer to be like, can we sweep this under the rug versus now you might even have an obligation to report to the market and publish something.

 

Michael Daniel: Right.

 

Michael Sikorski: I think -- want to get your take on -- on the SEC policy. You know, I've been doing incident response for upwards of 20 years now. I personally think it's very hard to get a handle on what you're dealing with quickly sometimes. I think the SEC is -- how many days is it?

 

Michael Daniel: 96 hours. It's four days.

 

Michael Sikorski: Four days you have if you have a, quote, material cyber event.

 

Michael Daniel: Event. Right.

 

Michael Sikorski: So I think, personally, I feel that that's a great policy at heart. And the reason I say at heart, I mean, people are going to talk about the attacks they dealt with, which means people are probably dealing with similar attacks, which means they could better prepare themselves. And also it makes it not such a everyone gets hacked, period. That is what I've seen time and again doing incident response for 20 years. And many people get hacked many more than -- than one time.

 

Michael Daniel: Yeah.

 

Michael Sikorski: So we're all dealing with it. So let's, like, not make it such a negative thing. Instead, let's bring it to light. So I love that that's at the heart of the policy. The part where I have a little bit of an issue with it is the time.

 

Michael Daniel: Yeah.

 

Michael Sikorski: And the time is very quick because, in four days, you need to not only know what you're dealing with, but you need a story for the market to say we're dealing with it. We've triaged it. We've hired someone to come in and help us, so on and so forth. What are your feelings about the policy? Do you -- do you see it the same way I do? Do you think there's ways to make that policy even better?

 

Michael Daniel: So, I mean, I definitely think that, for publicly traded companies, they should have an obligation to report if they have had material cyber incidents on their regular disclosures, right? So, if you look at a lot of -- prior to some of the SEC actions, you know, you would get the -- you know, the 10-K or whatever would say, like, in a footnote someplace, if you had a cyber incident. Or we have cyber protections in place. Okay. Probably not enough disclosure for investors to actually make a, you know, informed choice. I feel like the public, the requirement to report publicly within such a short period of time is actually counterproductive --

 

Michael Sikorski: Right.

 

Michael Daniel: -- because it makes companies overly lawyered, overly cautious.

 

Michael Sikorski: There's probably a lot of lawyers who got jobs just to define what a material cyber event is, right?

 

Michael Daniel: Yes. And, instead, what we really want is -- like, and you don't know enough within four days. And particularly if it's actually material. You don't actually know enough in four days to actually say what the real impact is. And so, to my mind, it was the -- it was an idea that I agree, that, like, the intent of it is right. And so I think actually having regular disclosure requirements, that's totally appropriate. I just feel like the timeline is way too short. And it should be much more tied to, like, the quarterly and annual reporting that publicly traded companies have to do. And that's entirely appropriate to say, if you've had a material cyber incident, then you should really be telling your investors, you know, and the -- and the public that you've -- you've had that incident, and this is how you've addressed it. And this is how our cyber defenses are laid out. If you're a publicly traded company, that's part of your responsibility. But I do think, again, we were talking about responsible vulnerability, you know, communication. There's responsible incident communication, as well, because there's no point in panicking people if you don't actually know what's really happening. And my own experience with incident management is, like, I remember working incidents in the government where it'd be like, well, this agency has been affected. Well, actually, this agency. No, not that one; this one over here. No. Actually, you know. And two weeks into it we're still trying to figure out, like, so was it 40,000 people? 50,000, you know, 100, we don't know. You know, and it's -- it took like a month or two to, like, get to where we actually had a handle on what was happening. So I have a lot of sympathy for entities that are going through an incident.

 

Michael Sikorski: I will also say I'm filling in for the regular host, David Moulton, of Threat Vector. And he's a huge fan of cybersecurity dad jokes. Do you have a favorite cybersecurity dad joke that you could share?

 

Michael Daniel: Oh, gosh. You know, so -- well, I guess there's one that's at least vaguely cybersecurity related. So why did the farmer take his router to the barn?

 

Michael Sikorski: Why?

 

Michael Daniel: Because he wanted to get stable Wi-Fi.

 

Michael Sikorski: David's going to love that one. That's it for today. If you like what you heard, please subscribe wherever you listen; and leave us a review on Apple Podcasts or Spotify. Your reviews and feedback help us understand what you want to hear about. I want to thank our executive producer, Michael Heller; our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure. Stay vigilant. Goodbye for now.
