Advancing Cyber

We live in a world of vibe-coding and AI security, but how we got here is a longer story. With over 50 years in software and security, Steve Lipner lived through and drove many of the origins of our industry’s early efforts in software security and he is our featured guest on Advancing Cyber’s Origin Stories series with our host, Cristin Flynn Goodwin.Steve is the former head of the Microsoft Security Response Center, co-author of the Security Development Lifecycle, and current Executive Director of SAFECode and Chair of NIST'sInternet Security and Privacy Advisory Board. He was elected to the Information Systems Security Hall of Fame in 2010, the National Cybersecurity Hall of Fame in 2015, and a Fellow of (ISC)2 and the National Academy of Engineering in 2017. Steve holds an appointment as adjunct professor of computer science at the Institute for Software Research, School of Computer Science of Carnegie Mellon University, and is named as an inventor on twelve US patents. This Origin Story conversation spans some of the highlights of Steve’s career that parallel the evolution of software security in our industry. This is essential listening to understand how our security models evolved – from MIT in the early 70s to the US Government’s Orange Book, to Common Criteria turning 25 – and reflect early decisions about software and security that impacted decades of computing. We dive into Steve’spivotal role in the Trustworthy Computing initiative at Microsoft and hear his perspectives on 50 years of software development on the future of vibe-coding and the threat of quantum computing to encryption in the software ecosystem. It’s the ultimate origin story on software development and security, and Advancing Cyber is grateful that Steve Lipner is here to share it with us. #AdvancingCyber #OriginStories #software #security #softwaresecurity #engineering #softwarehistory #cybersecurity #AdvancedCyberLaw

With the Cybersecurity and Information Sharing Act of 2015 in suspension, threat intelligence and incident response teams are playing with a new set of rules. Advancing Cyber host and ACL Managing Partner Cristin Flynn Goodwin breaks down the top 7 things that cyber responders should do today until a new bill is passed.

On this episode of the Advancing Cyber podcast, host Cristin Flynn Goodwin, former CISA Executive Assistant DirectorJeff Greene, and current Snohomish County, Washington Chief Information Security Officer (CISO) Doug Cavit unpack the recent cybersecurity responsibilities shifting from federal to state and local authorities. Jeff and Doug explore the implications of this shift, including resource allocation, the role of federal agencies, and challenges faced by smaller municipalities. Doug shares the practical realities of managing cybersecurity at the county level, and the difficulties faced by smaller entities with limited resources. Jeff, with his extensive background in national security and cybersecurity, provides insights into the federal perspective and the critical role of federal agencies in supporting state and local efforts. Cristin, Jeff, and Doug also talk about what happens if the CISA Act is not reauthorized, and the impact that will have, including a request for the cybersecurity community to call members of Congress and voice their support. This episode is a must-listen for anyone interested in the future of cybersecurity and the evolving roles of federal, state, and local governments. #AdvancingCyber #cybersecurity #CISA #CISAAct #publicpolicy #cyberlaw #cybersecuritylawyer #threatintelligence #informationsharing #publicprivatepartnership #stateandlocalcyber

This is the exciting second half of the Advancing Cyber Origin Stories conversation with Katie Moussouris, hacker, founder and CEO of Luta Security, and cybersecurity pioneer. The technical and legal worlds collide here, with Katie and host Cristin Flynn Goodwin discussing the importance of cybersecurity standards, and the role of export control incybersecurity and its restrictions on software. Katie and Cristin also discuss the impact of AI and AI-assisted coding on vulnerability research and vulnerability disclosure. It's a conversation you won't want to miss. If you haven't heard Part 1, Part 2 can be listened to as a standalone, but we recommend enjoying the wholeconversation! #AdvancingCyber #OriginStories #hackers #hacking #vulnerabilities #vulnerabilityresearch #AI #AIAssistedCoding #VibeCoding #Standards #ExportControl #CyberLaw #PublicPolicy

In this episode of the Advancing Cyber Podcast, we talk with Katie Moussouris, hacker, founder and CEO of Luta Security,and pioneer in vulnerability disclosure and responsible security research. Katie shares her experiences from her early days of cybersecurity and unpacks the evolution of vulnerability disclosure and the pressures on the security research community, managing bug bounties and working with researchers, and the importance of security standards. Katie and host Cristin Flynn Goodwin also unpack the challenge of Coordinated Vulnerability Disclosure and what happens when industry quietly fixes an issue, and government doesn’t know about the interim risks. Katie highlights the challenges of governments assessing vulnerability equities and the tradeoffs of government exploitation and relative risk. Stay tuned for Part 2 where we dive into export control and restrictions on software, and the rise of AI in cybersecurityand coding. We’ll explore the risks of vulnerabilities developed by AI-assisted coding and what that will mean for vulnerability disclosure in the future.

The drumbeat for “hacking back” resurfaces in public policy circles every few years, usually coinciding with a rise in cyber attacks. It’s a logical, emotional response. An attacker has stolen sensitive data, and frustrated victims ask, “How can we fight back?”Emotionally, it feels justified. Technically, it’s a minefield. From a policy standpoint, it’s an issue that bogs down in liability, unintended consequences, and geopolitics. On the Advancing Cyber Podcast, cybersecurity experts Nathan Case and Stacy O'Mara join host Cristin Flynn Goodwin to debate the pros and cons of hacking back, and the very real risk that collateral damages are greater than the original harm itself.

Christopher Painter is a globally recognized leader on cyber policy, cyber diplomacy, cybersecurity, and combating cybercrime. Chris been at the vanguard of cyber issues for over 30 years, first as a federal prosecutor handling some of the most high-profile cyber cases in the United States, including the prosecution of hacker Kevin Mitnik, as a senior official at the U.S. Department of Justice, Computer Crime and Intellectual Property Section, held leadership roles at the FBI, and at the National Security Council in the White House, and finally, as the world’s first cyber diplomat at the Department of State. Cybersecurity norms and diplomacy, cybercrime and hacking, inter-governmental tensions and policy development - it sounds like a TV script but it's Chris's origin story, and it's a great one.

The Government Policy Pioneer: Richard A. ClarkeEpisode 1 of the Origin Stories begins with the founder ofmuch of our modern cybersecurity policy, Richard Clarke. Dick served in the White House for ten years under three different presidents. He is responsible for so much of our early cyber policy, developed the first national strategy to defend cyberspace, and has been an influential voice in global cybersecurity discussions for decades. He now leverages that knowledge as a bestselling author and as the founder and CEO of Good Harbor Security Risk Management. As the AI and quantum eras begin to define the next generation of critical infrastructure and cybersecurity policy, we go back to the very beginning of critical infrastructure protection and cybersecurity policy, looking back to advancecyber forward. The conversation starts here.This episode is available on Spotify, Apple Podcasts, and Advancing Cyber's new YouTube channel. Subscribe to stay current with all the episodes in the series – you won’t wantto miss them!

Cristin Flynn Goodwin dives into the world of DeepSeek, a Chinese AI company stirring up controversy with its cost-effective, powerful AI built on lower-power chips. Concerns about efficiency, privacy, and compliance with Chinese laws dominate the discussion. The podcast raises alarm about vulnerabilities reported to the Chinese government and how they could affect U.S. user data. Cristin posits that even if DeepSeek isn't a security powerhouse, it underscores the urgency for improved tech and policy safeguards for users.

Chris Hale, Senior Director for Cyber and National Security Law at Cisco, and Emily Lemaire, a Financial Services Regulatory Lawyer at Covington & Burling, delve into the implications of the EU's new cybersecurity regulations. They discuss the Digital Operational Resilience Act's stringent reporting timelines and how compliance is reshaping U.S. approaches. The duo examines whether short reporting requirements might amplify risks and consider how potential billion-dollar penalties influence organizational behavior. A thought-provoking conversation on navigating compliance in a rapidly evolving regulatory landscape!