Melanie Teplinsky fell in love with cryptography at an early age, which led her to landing her first job at the National Security Agency at 16. From there, she found her niche in cybersecurity at the intersection of technology and the law. As a senior fellow at American University in the Law Tech, Law, and Security Program, Melanie helps craft cybersecurity policies that scale and attempt to solve big, societal problems. First, she has to understand how cybersecurity technology and models, such as zero trust, are implemented at companies and organizations of all sizes. Then, she applies those principles to existing laws and government mandates to understand the pitfalls and gaps. Between her early start in cyber and national policy-making, Melanie has a unique perspective to share with the infosec community.
Listen to the episode to hear more about:
* How cybersecurity policy can transform small- and medium-size businesses’ approach to zero trust
* Why protecting innovation efforts at universities and small companies is paramount for the cybersecurity industry
* The positive outcomes from collaboration between the public and private sectors
Links:
* https://www.wcl.american.edu/impact/initiatives-programs/techlaw/our-team/melanie-teplinsky/
Jeremiah: Welcome to the show, Melanie. It's, it's so exciting to have you on. I know there's a lot of things that you've got going on right now. Um, there's a lot of things that you're working on. Uh, but first I'd like to just kinda talk about how you got started in cybersecurity. What brought you to the realm and, and, and what kinds of cool things you've been working on.
Melanie: Absolutely. Well, thank you for having me. I'm delighted to be here. Um, what kinds of things brought me to cybersecurity? Um, my dad did, when I was eight. He sat me down with the Washington Post and showed me my first cryptogram, and I fell in love with it. And that led me at the age of 14 to apply to the National Security Agency.
I wrote to the director, in a move that I still think was amazingly bold for a 14-year-old, and I asked if I could work for him. And he was nice enough to write me back and let me know I was way too young to do that. [00:13:00] But if I wrote back in a couple of years, they'd think about it. So when I was 16, I reapplied and I started my career as an analyst at the National Security Agency.
Um, after that, I went on to college and to law school, um, switched over from being a math major because I got very interested in the intersection of law and technology and policy, and started working, um, right out of school as a lawyer at Steptoe & Johnson. I worked there for many years. I loved my work there, um, and had a number of positions across the private sector, government and academia over a 30-year career in cyber law and policy. And now I serve as a senior fellow at the Technology, Law and Security Program at AU's Washington College of Law. Um, I've done some work for CrowdStrike, which your listeners may know is a leading cybersecurity company.
I served on their pre-IPO advisory board. Um, and now I'm doing a lot of work with, uh, AU's Tech, Law and Security Program, which is very.
Jeremiah: That's [00:14:00] really awesome. Um, so, so I, I want to circle back. So you knew when you were younger that you wanted to potentially work for the NSA. What, what kind of brought you there? That's, that's such an interesting, because I don't know if I was thinking about the NSA at a young age.
Melanie: I grew up in an interesting household. My dad was a PhD in computer science. My mom was a math educator, and my sister was really interested in, um, weather models. So she spent a lot of time trying to understand weather systems and eventually went on to be a PhD in computer science. And so when I was a little kid, very early on, I knew I loved math.
Um, I got interested in puzzles and I read everything I could read about, um, cryptography, but it turned out the literature stops at about 1945, because everything else is classified. And I decided I wanted to know more than was available in the public space. And the only way to do that was to work for the NSA.
Bella: I have to assume that [00:15:00] like, at 16 years old, uh, working at the NSA, you must be, probably working around a lot of folks that are older than you, uh, different backgrounds than, than you. I guess, being a 16-year-old, you don't have much of a, uh, background at that point yet. Uh, what was that like? Like, was it, was it weird?
Melanie: It was. I think I was the only one whose mommy dropped her off in the morning. Um, but I was very privileged; a lot of lovely and wonderful people took me under their wings. One gentleman in particular liked to say that he had raincoats that were older than I was. Um, but I had a lot of wonderful mentors and they taught me the basics of cryptanalysis. They taught me an enormous amount about computer science, massively parallel supercomputing. So I was privileged to get a strong technical background from some amazing folks.
Bella: Um, so today you're a senior fellow working in the Technology, Law and Security Program at American [00:17:00] University, as you mentioned earlier. Um, what, what does the day-to-day look like? Um, for a senior fellow?
Melanie: So day-to-day, I do a lot of things for the program. I'm actually a recent joiner. So I joined last spring. And so first I was learning the ropes. But what I love about TLS is that they've been active at that intersection between, among technology, law and security. They look at how the law addresses technological challenges to privacy, security, free speech and democratic institutions.
And we look at all of those questions in the context of security. And when I say security, I mean national security, as well as the security of democratic systems and the international rules-based order. So it's a very active group of people who are phenomenal. It's run by Gary Corn, who's a retired Army colonel.
He was active for about 25 years in the U.S. military, the last five of which he spent as general counsel to U.S. Cyber Command. And this incredible group of talent is working on some of the hardest problems at the [00:18:00] intersection of law, technology and security. We have projects that focus on, um, national security and artificial intelligence. Privacy across borders is one of our projects, led by a scholar in residence named Alex Joel. They're taking a really deep dive into questions of transatlantic data flows post-Schrems II. Um, and we also have a project on harmful content, which looks at, um, the varying degrees to which, um, actors have the power to cover or deny key services to undesirable actors in the system. Um, we have a free speech project, so they're really engaged at these central questions, um, of, uh, uh, at the intersection of technology, law and security.
It's a fantastic under.
Bella: How do you determine, or, you know, what is the process, I guess, for determining what types of issues or projects, um, y'all focus on?
Melanie: So we try to look at things. Um, there are a lot of people that are working in this space, but we try and take a look at issues where a deeper dive is necessary. [00:19:00] What we've found is, well, there's a lot of writing about very hard topics; much of the writing admires the problem. And so our approach has been a little bit different.
We take key people who have expertise in a space, and those people make a deep dive and try to make substantive recommendations of value in the areas where they're working. Um, and we've had a lot of success by applying strong expertise to tough.
Bella: And do you, like, this is just, I'm just imagining these are such massive kind of projects or topics to be thinking about and working about, or working on. Um, how do you transition? How do you know when something is, like, done? Is there a done on a project of this?
Melanie: That's a great question. Sometimes there is a done. Sometimes the idea is to understand the problem space, but often the purpose of these projects is to understand what needs to happen next. Think [00:20:00] about problems like encryption or privacy across borders. These are issues that have been around for almost 20 years, and they have a tendency, the debates have a tendency, to repeat themselves. And so our effort really has been to bring together folks across industry, government, academia. It brings some of the best minds to bear and tries to come up with some creative solutions, things that we really haven't seen before in these.
Jeremiah: I'm sure when you throw in things like quantum computing and, um, sort of that next generation, I'm sure that is difficult to sort of figure out how it ties into, uh, being innovative today in solving tomorrow's problems.
Melanie: It is. But one of the great things about this field is that the values that underlie our decisions in this space don't change. So while the technologies shift quickly, our [00:21:00] values often don't. And so if you can understand the problems in a deep way, often you can translate that understanding to new technologies.
And it doesn't mean we know all the answers now, but it does mean you can find a framework that can be applied as you try and understand the next-generation technologies, whether it's quantum computing, uh, lattice encryption, or artificial intelligence.
Bella: Is there ever, has there ever been a time, or could you envision a time where some new technology just totally shifts, like, the types of solutions that you're coming up with? I know, I know you just mentioned, like, our values stay the same.
So as technology shifts, the approach that we're taking really doesn't, but like, what if there's some brand new technology that really does shift things? What would that look like?
Melanie: Absolutely. This is what I dream about at night. The thing I love about [00:22:00] this field is that the changes that are taking place can be transformational. They are not just, right. This is kind of like when we got the railroad, or whatever, the car, or when we got the telephone. These are not technologies that, exactly, right.
They change our lives. And so that's, I think, what folks in my field dream about at night. We love when we get something that is so transformational that we need to rethink how we deal with it. And it reminds me of a course I took in college about the history of technology, and we learned about the fact that when people learned how to spin cotton into thread, they had to change the way that it was done. Originally people did it by hand, and one motion worked. But when we started to use machines to do it, it turned out there was a better way to do it by machine. And if, instead of trying to copy the old methods of how it was done by hand, we came up with a new method that machines could do better, we got much more efficient and effective use of cotton, and that [00:23:00] allowed the textile industry to grow.
And I think that's what we're seeing, right? We have to figure out how not to just take our old processes and copy them. Instead, we need to figure out how to translate them for new technology and really be able to, um, to fire a change.
Bella: So, uh, clearly you, you have and do spend a lot of time thinking about, you know, technology, cybersecurity, um, and specifically cybersecurity policy, uh, how the government can compel businesses to do a better job both protecting consumers and also, you know, safeguarding their own systems. I know that you've talked recently about, um, [00:25:00] incentives like tax credits for businesses to build resilient, or more resilient, architectures.
Can you tell us a little bit more about this approach and why you think it could.
Melanie: Absolutely. Uh, let me start by telling you the problem that it's designed to solve. Um, there's a really long-standing problem in this space. The private sector is vulnerable to cyber intrusions, but particularly from well-resourced threat actors, think China, think Russia, and this problem has been brought into stark relief over the past year.
There's been a series of headline-grabbing cyber incidents. I'm sure you guys have spoken about them on this very podcast. Uh, we had the ransomware attack that shut down Colonial Pipeline, which folks know is one of the country's largest in the oil and gas sector. We have the Chinese state-sponsored hack of the Microsoft Exchange servers.
And that really served to intensify these repeated government warnings about China's rampant cyber espionage. Um, FBI Director Wray at one point was talking about, uh, China's efforts to [00:26:00] steal its way up the economic ladder. And of course we had SolarWinds, which was the supply chain hack that enabled the Russians to spend months inside a large number of U.S. government and private networks that impacted DOJ and Treasury, Commerce, Energy, hundreds of Fortune 500 companies, all the branches of the military. I could go on and on and on. That, you know, triggered an emergency meeting of the National Security Council. So we've seen all of these incidents just in the past year, and what they really do is bring into stark relief the fact that the private sector is extremely vulnerable. So the proposal that I've been talking about is designed to fundamentally change the cybersecurity landscape and provide the basis for a more resilient cyberspace. Most of the private sector companies that we have just aren't in a position to defend against these sorts of threats on their own.
And we can see this in particular with the defense industrial base. [00:27:00] Um, the DIB, the defense industrial base, really has continued to lose critical data as a result of nation-state cyber thefts, and thousands of DIB companies essentially have been tasked with providing their own security. So the vast majority of the DIB, about three quarters of it, is made up of small and medium-sized companies, and they just can't generate effective cybersecurity capabilities on their own.
They don't have the resources, they don't have the budget, they don't have the IT staff. Um, and there's a lack of integrated cybersecurity offerings. So companies are just left to patch together available cybersecurity solutions and try to create their own effective cybersecurity. So that was the problem that we were trying to solve.
Jeremiah: With that, uh, problem set, I'm wondering if there's a fundamental flaw in the structure of the way that they do business as well. [00:28:00] Just, uh, speaking out loud, of course. Um, it makes it difficult to innovate a lot. So my background is in, um, the DOD, uh, realm. And so, um, when I used to operate in that realm, uh, there's huge political boundaries, bureaucratic boundaries, and of course things that inhibit innovation, growth and streamlining processes.
And I'm wondering if that is also a contributing factor to some of the difficulties in the cybersecurity demands that we're seeing.
Melanie: So it is. There's been an incredible amount of innovation in the private sector on cybersecurity over the last decade. You can see this, um, in the development of the services that are available. I think on the private sector side, there's certainly been enormous innovation, but on the, on the customer side, right, the people who need the cybersecurity, they often just aren't in a [00:29:00] position to develop their own solutions, whether because of resource constraints or because their job is to build a great widget, and they don't want to put their resources towards cybersecurity; they want to put their resources towards building a better widget. Um, and so there are a lot of barriers, I think, to, um, ensuring the companies have a kind of resilience that.
Bella: And is this where this kind of approach of, of, you know, incentivizing businesses to focus on cybersecurity through tax credits, stuff like that, is that, is that what that approach is aiming to hit? Businesses don't have the resources and are incentivized to create the resources for this cybersecurity.
Melanie: Yes. Um, so this, uh, idea, which was the brainchild of a colleague of mine, Frank, who was the former assistant secretary of defense in the Clinton administration, and another colleague, Bob Butler, who also has worked, um, uh, in this [00:30:00] space for decades. Um, the idea was, how can we enable, uh, companies, particularly companies in the critical infrastructure sector, water companies, power companies, electric companies, how can we help these companies to develop the capabilities that they need? It's been about 20 years that we've been talking about this problem, and we haven't been able to solve it. And so the idea was, well, if we could spur the development of an integrated cybersecurity service offering, so that people that are in the critical infrastructure space could go out and buy what they need, that would be great. Now, of course, we all know when I say buy what we need, this is not a package. You don't go out and buy zero trust, right? So our thinking was, well, how do we put that together? Well, we would want to be sure that any cybersecurity [00:31:00] provider that was providing services would have certain expertise.
So for example, they need to be able to implement zero trust architecture. And for listeners, I'm not going to get technical here. I'll just say, think of zero trust as an alternative to the traditional perimeter security model of cyber. The perimeter security model focused on keeping the bad guys out. Um, perimeter security would basically post a guard at the entrance to the building.
Zero trust takes a different approach. It posts a guard at every door, every hallway, every elevator. The ZT model, the zero trust security model, assumes that bad guys have gotten into your network. And it takes a deny-by-default approach to protect critical. It says, if you don't know someone, don't let them in.
And then if you combine an architecture that's based on zero trust with threat hunting, right? Threat hunting, again, not technically, threat hunting is the equivalent of having a security guard patrolling the hallways. So it's used to detect attacks that might have been missed by other security controls.
[00:32:00] So when you combine an expert provider, zero trust architecture, with a threat hunting capability, you're essentially providing the equivalent of what the federal government has recently asked itself to do in terms of security in the cybersecurity executive orders that President Biden signed. Um, so we're saying let's bring that same level of cybersecurity to our critical infrastructure, private sector companies.
And to do that, we propose this new paradigm of establishing, uh, basically spurring the establishment of an industry of these expert cybersecurity providers. And then of course we had the question, well, how do we pay for this? Right. The age-old Washington question. So
Jeremiah: Funding.
Melanie: Funding, but that's really hard, right?
So, um, the thought was transferable cybersecurity investment tax credits. Okay, that's a mouthful, I understand. But the idea there is, uh, Congress would establish tax credits for companies that rely on these expert [00:33:00] providers. The credits basically reduce the taxes that a company pays on a dollar-for-dollar basis, so they effectively serve as monetary payment for the services that are provided. And the reason that we suggested making them transferable is simple. Some of the companies that need to purchase these services don't, they're not profitable or they're not making money, so they can't really take advantage of a tax credit.
So by making the tax credits transferable, the companies can basically pay their cybersecurity providers by transferring the tax credit to the provider, and it effectively allows for payment directly. So that's the.
Jeremiah: Um, so, so with all of the things currently going on in cybersecurity, it's a huge topic right now, right? I mean, you rattled off several of the instances. Uh, currently there's the war that's going on with Ukraine. Um, we've had Log4j, the Colonial Pipeline, the SolarWinds issue. Obviously, you know, cybersecurity is a huge topic.
Um, given that context, where, in your opinion, do you think the U.S. is most at risk right now?
Melanie: Right. [00:35:00] So certainly critical infrastructure would be where I'd want my shields up most. CISA obviously has a campaign, the Shields Up campaign, which is to ensure that American companies are ready, um, if there is some kind of a cyber attack that stems from this conflict. Uh, I think the surprising thing to a lot of cyber experts, right, is that we haven't seen more yet. Uh, the Russians are first rate at cyber attacks. They really have best-in-class, um, cyber operations. And what we've seen so far, while concerning, has been relatively mild given what we know that the Russians are capable of doing. We have seen the attack on Viasat, um, which, uh, disabled some modems that were used in the Viasat satellite communication system. Um, the malware that was used in the attack bricked the modems, and it had some unintended implications for, oddly, [00:36:00] wind turbines in Germany. Um, but, um, there's a thinking here that the Russians assumed they would win this con, you know, win this war, this conflict, quickly, and as a result didn't really bring all of their cyber tools to bear. That's one perspective. Um, others think that perhaps they're saving their A game to use against the West. So we'll have to see. I think for the moment the, um, the knowledge, the conventional knowledge, is shields up, increase your resilience, keep your eyes out, and if you see something, say something.
Bella: I find myself, whenever, whenever we talk about particularly Russia, uh, and the potential risk, I just find myself like my brain just can't slow down. I'm like, oh my goodness, there's, there's just so much going on. Slightly, slightly [00:37:00] switching gears a little bit. Uh, I know recently there was some legislation that was just passed, uh, regarding, uh, mandatory cybersecurity incident reporting. Um, which I think is really interesting. Uh, and I guess I just wanted to get your take on it. Are you in favor of this?
What do you think, uh, positively or negatively? What do you think this.
Melanie: Right. So this is really interesting. This has been working its way through Congress for a very long time. This is a, President Biden basically signed a bill that expanded cybersecurity reporting obligations and, um, in particular, uh, expanded them to critical infrastructure. On the one hand, this is not surprising, right?
The federal government has been interested in getting a better picture of what our cyber threat landscape looks like. And one way that they do that is by getting reporting from private sector companies, so they know when there has been an incident and what the incident looks like, and that helps them [00:38:00] to develop situational awareness.
So there's been an effort, um, for a long time now to improve reporting. These are great steps. The Biden administration has been very active in cyber. There have been a number of executive orders. There have been a number of pieces of legislation, and we are moving in the right direction. We now have Jen Easterly leading CISA. We have Chris Inglis leading the national cyber directorate.
So we, we have great people doing great work. We have Anne Neuberger on the NSC. All of these appointments, um, are showing the Biden administration's attention to this issue and willingness to try to improve our, um, our, uh, position in this space. But still, there's, there's more work to be done, as always is the case in cyber.
[00:40:00] And, um, at this point, I think one of the things, uh, things that we can do is, uh, figure out how to improve our resilience. And then when we do that, when we do have an issue, we'll be able to focus our resources on the small number of, smaller number of, serious issues that we have, rather than having to try to defend all of our assets.
Bella: I know that you mentioned, uh, you know, sort of in the beginning of, of talking about this new, new law, you mentioned that it's really important to get this data and that it's useful data, right? Finding out when cybersecurity incidents are happening. What, how is that data used?
What makes it useful? Like, what happens once we start getting more of this?
Melanie: Right. So the reason the government wants to understand this data is, once they know [00:41:00] that someone's been hit with an attack, they can push that information back out to other members, either of the private sector or, through the information sharing and analysis center structure, to private sector entities in various fields, uh, energy or electric or financial. So if there's an attack on one company, other companies know to be looking for it, right? And if we can understand better who's behind the attack, what's motivating the attack, how we can, then it helps us to stop that attack before it progresses. And I think that's the important point here, is that we are essentially crowdsourcing our knowledge.
So instead of just having one company that's hit and they try and deal with the, um, the implications of that incident, we actually are able to say, oh, there's been an attack. Are other people going to be hit? Did anyone else see anything? Do we know where it's coming from? Do we have the ability to stop this? How can we keep it from becoming a larger incident? And
Bella: So you envision this information, rather than just, [00:42:00] like, going to the government, being analyzed by the government, staying there and, and maybe informing some, some other laws or directives in general, you see this more being used by companies, like all companies. So do you think that, like, would this be information where, you know, uh, a company reports an incident and then immediately other companies find out about it?
Melanie: I think the eventual goal, yes, is to have a kind of operational hub that, when there's an incident, we can have real-time, immediate kind of reporting, and folks can use that kind of threat intelligence to stop future attacks. Yeah.
Bella: That sounds really cool. I love the idea of companies kind of, like, helping each other watch out and warning, warning one another about potential threats. Uh, but it, it, like, it almost sounds idealistic.
Melanie: So we
Bella: In some ways, almost.
Melanie: A lot of the, um, so for example, in the financial services, [00:43:00] there are companies that have banded together to work together, to try and provide early warning and share information. There's competitiveness in industries, right? Of course, the different companies within these industries compete for customers.
But when it comes to cyber, they're on the same side. None of them wants to be attacked by Iran or Russia or China. And so there is a real effort to work together, not to share competitive information, but to share information about threats that really go to the security of our homeland or go to our economic sector.
Bella: Yeah, that makes a lot of sense.
Jeremiah: So you mentioned, I want to go back to cyber resiliency. You, you kind of mentioned it would be an area of focus that you would be looking at today as well. Um, what in cyber resiliency would you be focusing on specifically, or would you recommend focusing on?
Melanie: Right. And I think that takes us back to this proposal that we were talking about. There are some critical [00:44:00] areas in our country that need protection. Um, so we've written a report, uh, with the Atlantic Council recently about how to protect innovative small, medium, small and medium-sized enterprises and academia.
Right. We have some small companies in this country that are doing incredibly cutting-edge work, innovative work. If you look at some of the key technologies in the last 25 years, they've come out of either small and medium-sized companies or academia. The technology for the N95 masks came out of an academic project.
The technology for the cochlear implant, right? The technology for the cell phone, for the iPhone, some of the touch techniques. Many of these technologies are coming from very small businesses or academia, but they are the most vulnerable to attack. They don't have the time, the [00:45:00] resources, the expertise to batten down the hatches.
And so the concept is we have to come up with ways to bring resilience to these entities, particularly when these entities are doing work at the edge of technology. When they're working on innovative technologies, they're working on artificial intelligence, biotech, um, uh, computer technology, battery technology, all of the technologies that are critical to our national security, because those are the technologies, right, that folks who are interested in attacking us are most interested in getting their hands on. And so one of the thoughts here is identify your critical spaces and try and batten down those hatches.
Bella: Uh, [00:46:00] earlier you, you mentioned a lot of amazing folks doing great work, uh, in Washington right now, you know, people that are, that are, that are getting good stuff done.
I think potentially including this law that we talked about earlier. Um, what things do you think, maybe in addition to this law or beyond this law, uh, what things are people working on in Washington that are, that are good, like that they're getting right in terms of cybersecurity?
Melanie: So one thing we're getting right is we're learning to work with each other better, faster. And that's really important. Um, we've also, we are working through Jen Easterly, for example, at CISA. She's really working to develop a trust between the government and the private sector. It's more than just partnerships, but the partnerships are extremely important, because trust is really at the heart of all of this. Um, other work that needs to be done: there are some really hard, big questions in this space. I would say, looking long-term down the road, what is our identity infrastructure?
What is our identity structure going to look like? Right. If, as we move toward, um, concepts like zero trust, if you're [00:48:00] going to try to, um, limit access based on someone's credentials, we need to understand the underlying infrastructure, the credentialing infrastructure, and the identity infrastructure. And as you develop that infrastructure, that raises issues, um, that are very difficult, questions of civil liberties and identity. And so we have to be very careful that we structure our infrastructure properly, so that we protect the core values that are most important in our society while still satisfying our cybersecurity.
Jeremiah: So I think that's really interesting, right? Like, that's kind of a technical thing for how we can do better. Um, and I think Bella brought up a great point, you know, what are we getting right? But what are we getting, maybe, not so right on the policy side? What are the things that we could do better on the policy side?
Melanie: We need to be fast. I would say there, they're really two things. Number one, we need to be fast. And right now we're slow. [00:49:00] So it is 2022 and we're getting some reporting legislation. We need to do that faster and better. We have an enemy that does not need to get lawyers in the room to get things done, right?
When they want to come in and do a cyber attack, they do not ask their lawyers if it's okay under the constitution. And we are, um, both emboldened and saddled by our rules and restrictions. So we need to figure out how to make our democratic ideals work for us, rather than feeling hindered by those, um, by those restrictions, right?
They are very important. We absolutely need to make sure that we uphold our values as we work in this space. But at the same time, we cannot let that become, um, a restriction on our ability to act. We have to figure out how to move at the speed of.
Jeremiah: So on the technology side that you just sort of mentioned, you brought in the concept of zero trust. Um, I'm sure you're also familiar with the concept [00:50:00] of principle of least privilege, um, which is, which has been around for a while. Right. So what's kind of the difference between the two
Melanie: Nothing. One of the elements of zero trust is the principle of least privilege. So zero trust really has a set of elements that are essential to its adoption. And one of them is least privilege. It also would involve, um, uh, identity management. Right. You need to understand who someone is so that you can decide whether or not they have access to things. You need the least, least, um, uh, least privilege, meaning,
Um, someone only gets access to the smallest number of things that they need to have access to in order to do their job. Right. Um, you need, uh, monitoring, right? You need to be walking the hallways of your network to make sure the bad guy didn't slip in. So there are a series of things that go into building a zero trust system and least trust as well.
Bella: I have a [00:51:00] question that is, is just like me thinking about zero trust. I'm thinking a little bit about the analogy that you made now, but also earlier this idea of like zero trust is not just having a secure. At the front door, it's having one at every single door and having one patrolling the halls.
And while you were like, while we've been talking about this, I'm thinking about how far, like in a, in a physical security standpoint, that's pricey, right? That goes from one security guard to like, what 5, 10 20 is zero trust. Like, is this specifically more feasible because we're talking about digital.
Melanie: So absolutely it would be very pricey and it wouldn't scale very well if you were in the physical world. Fortunately we scale better in the digital world. So yes, the answer, the simple answer is yes, but you're also right to call this out. It's not an inexpensive or easy thing to do things like zero trust and threat hunting.
It [00:52:00] requires an investment of time and energy to implement a zero trust system. You need to understand what on your system. You need to understand how to protect it, and you need to build it up in layers, but you can start doing those things. Now, even if you're not a sophisticated company, there are small measures you can take, right.
Two factor authentication, simple things that will start moving you in the direction of having the kind of security that you need. With regard to the person patrolling the halls. That's really an analogy for threat hunting, threat hunting. Um, the thing that makes threat hunting hard is that there's a human element.
There are people who look and see if there's anomalous behavior in your network, but we've figured out how to use artificial intelligence to supplement this human work. What's happening with the most sophisticated threat hunting programs is, um, we automate the portions of the threat hunting that are repetitive.
And then we use the humans have human intervention only in those places where we [00:53:00] really need a judgment call. And by having a feedback loop, the more we figure out things that can be automated, the more we can develop our AI system. To really efficiently threat hunt. And then we can develop a pretty sophisticated threat hunting system that does scale pretty well.
You still need threat hunters at the end of the day, we still have that big problem in cyber. The workforce problem, right there just are not enough people to fill the jobs. And that I think as a nation is a place where we can invest. Congress has started to do that. I certainly at American am hoping to be part of solving that problem by helping train the next generation.
Of cyber policy leaders. Um, but that is a national problem of resources. We have to do a better job of getting kids interested in STEM early. And here I put my money where my mouth is. My eight year old is learning to do Python coding. And yeah, I mean, I, I'm a big supporter of, um, teaching your kids early.
So she's [00:54:00] eight. That's when I was sparked to get interested in encryption. So my view is, you know, expose them early and see if it takes. My 15 year old, not interested in the least in coding. Um, fantastic at English, singing, history, but doesn't want a computer. Um, I will say I was challenged to get the word trampoline on this podcast.
I'm going to tell you, they both love to jump on the trampoline. Um,
Jeremiah: that's fair. That's fair. I've got
Bella: who doesn't also.
Jeremiah: about Python. Funny enough. I was recently reading somewhere, uh, that. And I think it was a coworker, uh, who, who is also doing something very similar with, with their children. They're explaining, uh, about coding, what coding is and sort of talking about a coding language Python and, and all of this to which, uh, their young child responded.
Uh, so your boss speaks to you in a Python language. And so which immediately makes me think of, of Harry Potter and Parseltongue [00:55:00] and all that fun
Melanie: Absolutely. Or as I like to say to my kids, coding is involved every time you get in the shower. If you ever read a shampoo bottle, right, it says lather, rinse, repeat. The computer scientists can never get out of the tub.
Jeremiah: I've done that. I've done that. And I've said, this is a flaw in logic. Okay. This is a logic flaw, and this is, this is they need to rewrite
Melanie: Absolutely. Infinite loops.
Jeremiah: with,
Bella: uh, that's what I like to call job security. Right? That's when we need the human intervention. Huh?
Melanie: Absolutely.
Jeremiah: Um, just quickly circling back around to zero trust again, because it's such an interesting and fascinating topic for me, especially when we get into a compliance and policy and technical implementations and figuring out the right way to do this because everybody's got an opinion. And so from an actionable strategy perspective, um, with regards to small and medium sized businesses, um, how can they begin to implement zero trust?
Not [00:56:00] just for these sort of one-off things, but say they want to go all in on zero trust. What sort of an actionable strategy they can take.
Melanie: Well, so that's why we think there should be these cybersecurity investment tax credits. Right? The whole idea there is that they don't have to do it. Right. They, the idea is that we would spur an industry. That would be able to help these small businesses do these things. Because I think at the end of the day, trying to rely on each individual business to become a cybersecurity expert service provider is a flawed concept.
We're not going to be able to do that. That's like asking me to become proficient in Chinese and asking my husband to do so too and asking my kids right. It doesn't scale well, and it doesn't make a lot of sense. So it makes a lot more. Just like we did. If you think about the energy sector, right. When we wanted renewables to take off, we had investment tax credits for businesses that invested in renewable energy.
And somebody spent a lot of resources to develop [00:57:00] smart renewables, and then everybody else bought them. We should do that. Right. You invest in an industry, you get the development of an overall industry of expert providers. You tell them that those expert providers need to be certified to a certain standard.
I'm not saying a technical standard, not a prescriptive standard, but a standard of, um, capability you're capable of providing zero trust services to your clients. And then you encourage those small businesses who can't afford to get this. Right. Without some help you say to them, not a problem. We've got you covered the government's going to invest here in the way we're going to invest is through these tax credits.
Jeremiah: no, I think that's really important. Um, it's also helpful because as we mentioned, you know, the principle of least privilege has been around for a while. Um, and people have known about this stuff for a while, but I think some of the problems that have been holding people back have been, have been these very monetary [00:58:00] challenges, uh, you know, that you just mentioned.
Bella: So I know we talked a little bit, uh, moments ago about, um, talking to our kids, our families about cybersecurity. I know you mentioned that you talked to your kids about cybersecurity, I guess, about tech in [00:59:00] general. Um, Beyond that I know that you have a sister, Phyllis, Phyllis Schneck.
Melanie: I do.
Bella: that correctly.
Um, who is the former top ranking cyber official at DHS, uh, and now working at the Aspen Cybersecurity Group, which is so
Melanie: now she does work at Aspen, but she is the CSO for Northrop Grumman.
Bella: Wow. Okay. Even more credentials to add to the list. So my, my question is I have to imagine that family gatherings must have at least some moments of just, you know, big nerding out about NIST frameworks, APTs. What does that look like when, when y'all get together? Is it just like all cybersecurity?
Melanie: We are a family of geeks. I will say this. I feel for my mom, who is one of the smartest people on the planet, but does not do cybersecurity. Um, but it, it is, it is a family of
Melanie: I will tell you, you know, my sister and I talk a lot about these things. And in fact, when I worked on this paper, I sent it to her and I said, tell [01:00:00] me, what do you think of this?
Give me some feedback, you know, is this something that you think would be valuable? And similarly, you know, she will ask me, certainly not about company proprietary, but generally about, um, responses in this space. Um, For many years, I worked on data privacy issues. So we've had a lot of talks about the intersection between data privacy and cybersecurity, how those two spaces interact.
Um, there, there was not a deep understanding of that certainly in the early days. And even sometimes, um, now there's not as much communication as there needs to be among, um, professionals in those fields. Um, so absolutely we have a lot of interesting dinner conversation, but I will say I'm always.
Jeremiah: uh, just kinda wrapping up here. I know we're getting close to time and, um, I've certainly enjoyed this conversation, shifting gears to a little bit of a lighter tone. Um, I was wondering if you could tell us, which is something we ask of all of our guests. Um, if you could tell us something that we wouldn't know, uh, about you just from reading your LinkedIn profile, um,
Melanie: So this is really where the word trampoline should've come in, I'm thinking.
Jeremiah: [01:02:00] keyword trampoline.
Bella: it in
Melanie: Exactly.
Melanie: Um, something you would not know. Um, let's see. So I played the violin,
Melanie: so there are many things I could tell you. Um, I love to play the violin. Um, I am an avid tennis player. Um, and let's see, what else can I tell you? And, um, I'm extraordinarily competitive. Like to a fault,
Bella: in that.
Melanie: a fault. So when my
Melanie: My, my, I just, I just coached this Cyber 9/12 team.
And I will tell you my favorite thing that happened in the whole competition right after they won one of my students, right. Three of the four students were celebrating, but the fourth student looked up and she said, when do we get the score sheet? I want to see how we did. And I think. Okay. Right.
[01:03:00] Competitive like
Bella: Yes.
Jeremiah: Uh, thank you so much for your time, Melanie. We've enjoyed having you on the show. Uh, definitely. It's been a pleasure.
Melanie: A pleasure to be here. Thank you so much for taking the time to do this.