Episode 142
Episode Transcript
Speaker 1 00:02
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:11
Welcome to CyberSound. You’re joined again by Steve and Michael, because this is part two of our 2026 predictions episodes. All right, so 2026, right? We already talked a good bit about, about one of the one, you know, one of the things that I one comment I did want to make about misinformation. I’m curious about your thoughts on this, because we talked about, you know, the social trust part in, you know, engineering and whatnot. Are we seeing campaigns at all from threat actors trying to maybe debunk or steer people in directions that aren’t security appropriate, right? So we’ve got, we do security awareness training, we talk about all the best practices. What’s the likelihood of intentional campaigns essentially, you’re advocating for things that are the opposite of best practice, hoping to get those people who are under-informed or uninformed to do the wrong thing?
Steven Maresca 01:12
Through deception or by basically,
Jason Pufahl 01:15
Almost like, you know, almost like marketing campaigns, right? You know, shorter passwords are better, you know, easier for your number, you know, things like that. Now, obviously, that’s an extreme example, but you know that kind of idea,
Steven Maresca 01:28
It’s possible. Yeah, I don’t think I’ve seen any examples of it. It’s been more of the subtle-deceit end of the spectrum. I could see that type of thing working. I mean, let’s be honest, a lot of the background for what we’re talking about in misinformation is that people are very easily convinced in acting against their own self-interest, and if they believe that they are, I don’t know, obtaining an advantage over others that they dislike, if they believe that they are manufacturing advantage for themselves, which are subtly different but not precisely the same, people certainly fall in line with a suggestion that resonates with their worldview. It’s more about amplifying what they already believe and then nudging them in a direction away from what others would have them do. We’re seeing it in all sorts of spheres. It’s easy to see it happening in security.
Jason Pufahl 02:28
I mean, again, it’s a long game potential thing. And I just, I don’t expect it to be mainstream, necessarily. But, you know, maybe, and maybe it’s because I focus a bit more nowadays on your marketing idea, you know, you just change people’s behaviors by using some of these capabilities. Now, new larger scale back, yeah, zero trust. Do we want to what’s the we I feel like it comes up a lot more in conversation. I feel like people are thinking about whether or not to implement it, but I hear, you know, but I feel like it’s more, you know, generally, more people thinking about, yeah, we need to move in that direction than last year. And I suspect we’ll see some active, you know, implementations of more zero trust type models going forward.
Steven Maresca 03:19
I think the term is updated.
Michael Grande 03:24
What would you what would you call it?
Steven Maresca 03:26
I don’t have an answer to it necessarily. It’s more that I see that certain pages are being taken out of the book to good end. But reality is far more complex than zero trust would have anyone believe. You know, if there are some orgs that are wholly remote, they have no one in an office, they only use SaaS platforms. They have been doing zero trust in some capacity for well over a decade before the term arose. And it’s not a new one, right? They didn’t call it that. It’s just they’re architected that way. Zero trust is usually marketed around the transformation of a more legacy, traditional organization with on-prem assets or cloud assets, across multiple clouds, you name it. And the truth is, those businesses have a tendency to retain pockets of that and still require some on-prem compute or on-prem services, you name it, they don’t deploy anything fully zero trust. They just get rid of their VPN at the perimeter firewall and turn it into something that is more like a WireGuard or a Tailscale or something like that. That’s a great move. I think that they generally don’t need to use a more, you know, single-point suite of zero trust solutions, because they can just use the reverse proxies, the cloud gateways provided by Amazon, the WAFs, there, all of the other things that are the underpinnings of zero trust as a constellation of technologies. You pick what matters for the organization. And I don’t think zero trust by itself will survive much longer as a complete term. That’s me from a no longer he’s prediction-oriented position.
Jason Pufahl 05:26
He prediction. He predict. He’s debunking my prediction already.
Michael Grande 05:30
No, well, it’s good. We’ve got, we’ve got counter predictions, right? So someone will be right.
Jason Pufahl 05:35
There you go. That’s the way we need to construct this. Then we’re batting 1000 coming out of it, like no matter what
Michael Grande 05:40
Exactly someone’s always going
Steven Maresca 05:43
to be right. Change definition to make us both right.
Jason Pufahl 05:46
That’s right. That’s our goal. All right. Mike, you’re up.
Michael Grande 05:49
Well, we talked. Steve used this description as sort of the arc earlier, and I think seeing it from a small business into mid-market, you know, sort of cyber education, even into security awareness training, for sure. Over the last several years, adoption has increased dramatically, right? It’s a component of insurers requiring it, in many cases, much more accessible from a management perspective. You know, it seems much more pervasive and widespread. I think internal adoption and enforcing rules and enforcing the education component at organizations is still, especially in the smaller orgs or less sophisticated, is still sort of a work in progress. But, you know, I like the idea that it will become much more experiential, much less potentially, I’m going to sit here and answer a couple questions after I just witness, or, you know, watch the video on something. I see it being, you know, much more sort of in line with what the expectations of those users in whatever segment, business segment they may be in, may be experiencing on a day-to-day basis, and I think that’s a positive thing. So I think the sort of evolution of security awareness, training and education over this year into next year, this may be another long-play type prediction, but I think that it’s going to change the way it has been done and be much more ubiquitous in what we’re doing. It’s got to evolve, right? So we need to understand more AI threats, and it’s less about what is phishing, and much more about how do you define reality versus not? Right?
Jason Pufahl 07:34
Yes, there’s strategies to recognize it. Yeah,
Steven Maresca 07:37
And those orgs that have already pursued awareness training and socialization of these obligations have now started to layer on appropriately role based training for those that are outward attack targets and things like that. That has not been common, except in some industries that understand that risk. It’s now becoming more pervasive, even in those that you wouldn’t normally associate with that. So that’s a positive move. I think we’ll see more of that too.
Michael Grande 08:10
I know we’ve got a big buzzword out there that we’ve got to get to before we wrap.
Jason Pufahl 08:14
Well, I think, yeah, there is. And we’ll, we’ll, that’ll be a slightly fun one. But Steve, anything you have, the ones that you had thrown out, we could have touched on a whole bunch of things, anything you want to add to?
Steven Maresca 08:29
I mean, most of mine are dire, so I feel sort of reluctant
Jason Pufahl 08:33
to bring them. I don’t know. I’ll give you, I’ll give you a nudge. I mean, I do think your first one is pretty relevant.
Steven Maresca 08:40
So I’ll address that as a quick hit. I think that we will have large, disruptive outages, greater than 24 hours, multi-day outages of large service providers, ISPs, platforms like 365 or AWS. We’ve had a smattering of them over the last several years. They’ve been quick to resolve. They’ve been traditionally aligned with DNS or misconfiguration errors, right, easily explicable. I think we’re heading into the land of protracted issues that affect a lot of things that we now rely on as businesses with SaaS platforms and cloud properties. We had, just from a topical nature, Verizon had a fairly substantial regional outage that affected some folks where we are. I was not affected personally. A lot of my family was. It affected the care of some of my relatives in a medical capacity, like it had real impactful impact. So anticipate something large there. I think, though it’s easy to make that kind of prediction, realistically, I’d like to shift to one more related to business continuity in general, and that’s power oriented. I’m not going to spend time on the growth of AI data centers and things of that nature. If we ignore that entirely, the annualized growth of electrical load demand, even in regions that don’t have a lot of that new load, you know, it’s four to six percent year-over-year growth. The doubling time there for electrical load is what, 11 to 14 years? That’s crazy. And there is an article out yesterday related to the electrical generation folks that were between like Kentucky and New Jersey, where they expect rolling outages to be a relatively common outcome by 2030. The truth is that that’s not so much a prediction as it is reality, because there’s no new generation being put into place. So the prediction that I have is actually that businesses will start to have on-prem UPS that far exceed what they used to have. They will have cogen pursuit as part of their actual business sustainment strategy.
It’s a weird situation to be in, but I can’t see that as anything other than an expected outcome, given the low growth in the energy sector for that particular area and the dependence that we have on this sort of thing.
Michael Grande 11:22
So it would be, it’s probably an unpopular opinion, but, you know, I think I’ve been harping on it for several years now when it comes to power and generation. But obviously there’s the NIMBY, not in my backyard, perspective. But you know the fact that as a society, we have abandoned nuclear energy and invest nothing into new development of it at any scale, is very telling. And then at the same time these private companies are taking reactors back online. In Connecticut, we had Millstone get a new lease on life to continue to power. So, you know, potentially, and again, long term, probably not a ’26 issue, but if there are rolling blackouts and people start to feel pain, potentially that leads to a sort of reframing of, okay, where else can we get power from, and what are other ways to do it? You know, I think obviously, solar, wind, a lot of different ways to generate, but that’s a thought that I’ve had for a long time,
Steven Maresca 12:28
Yeah, and I think it will, the NIMBY aspect of it will subside when it becomes simply down to dollars, where it is absolutely reasonable to put some panels on the roof that nobody’s on anyway or looking at, and reducing costs by 10% or something like that. Anything that shaves off the peaks and raises the troughs from costs are going to be pursued, and that’s one of them. Battery storage is having a resurgence overall, and some people know that I have a dabbling interest in that in a very non-related-to-cybersecurity way. It’s probable that that type of thing will have large grid-scale deployments in even small towns. So we’ll see. But bottom line is, I know that we will talk about that type of thing in a disaster recovery, business continuity context in a very, very attentive manner going forward. So I think
Jason Pufahl 13:34
it’s fair to say that you have more than a dabbling interest. You’re, you’re, you’re a passionate battery fan over well,
Michael Grande 13:44
his nickname. His nickname is Duracell. If the public actually
Steven Maresca 13:49
knew I don’t represent myself as an expert, is what I’m trying to say.
Jason Pufahl 13:53
You’re certainly well versed, but your prediction, just for clarity, your prediction is much less about intentional disruption of power, agreed, etc. It’s more power generation and over-utilization and under-generation.
Steven Maresca 14:12
And to put a finer point on it, I’m thinking about it from the adjacency of business continuity to cybersecurity. I can never escape that subject as a required side trip down the overall preparedness path, because it’s part of the hypothetical exercises we put into place to say, hey, how much outage can you tolerate? What is the restoration timeline? Well, everyone says asterisk: we presume the power is up and the ISP is functional, okay? Well, we actually have fundamental proof outward from us, not from non-experts, that others are concerned about it. Let’s plan around it.
Jason Pufahl 14:52
That’s all fair enough. So we’ll end with our sensationalized question. Hey. Right? I threw it on there only because it feels like I’ve done a variety of presentations this year, and the question about quantum computing comes up everywhere, and not every time, but more than it did before. I feel like where people are now raising their hand and saying, hey, all the things you just told us, what impact is quantum going to have, and so it’s clearly more on the forefront of people’s minds. I’m not suggesting 2026 is the year of quantum, but it is interesting to see that all of a sudden. I don’t know if it’s the news that’s generating the questions. If it is, you know what the reality is, but they’re coming, and they’re coming more than they used to. So I’m curious if anybody had thoughts on that.
Michael Grande 15:48
My only thoughts is, from a security perspective, is how long until some legacy systems, if quantum becomes much more prevalent, you know, are we worried about sort of encryption standards and things like that, from sort of legacy things. And, you know, does it lead to more refresh schedules and other types of issues?
Jason Pufahl 16:08
It blows it all up if, you know, 2026 was the year of quantum, but I think that we’re just not, we’re not there. I don’t think we’re really that close. And maybe that’s the question for Steve, is, you know, what’s your prediction in terms of, you know, are we five years away? 25 years away?
Steven Maresca 16:26
I will say this is a lot like fusion, which is always 50 years away, but it feels a lot closer today than it ever did. I’ve had a personal interest in quantum entanglement and things like that for a very long time, and I’ve even done development work to generate really high-quality entropy from quantum sources for contract work 20 years ago. The risk of ciphers and encryption standards and things of that nature actually falling, it’s there. Every year passes with news and accolades around increasingly stable quantum qubits and quantum proof-of-concept compute clusters, where they’ve lengthened decoherence times into the milliseconds or minutes, or, you know, some other variation thereof. In the last year, candidly, I forget the entity that asserted it. There’s someone, some company, that’s achieved, some research team that’s achieved, sort of a refreshing cycle where they pump new material into an entangled state to replace something that has, you know, fallen out of coherence. That is certainly the sort of innovation that might lead to broad construction of infrastructure that in the future achieves what we’re talking about today. I don’t think it’s an immediate risk. I think this is largely still the domain of research and nation-state level effort, from an engineering perspective, to get anywhere for risk. A lot of the discussion around quantum preparedness from the certificate authorities and so forth, I think it’s appropriate to think about. I think that there is a profit motive that they possess, and they are also compensating for weakness in existing standards to protect certificate authorities that have issued certificates that they shouldn’t have. There are a lot of other reasons that they’ve pursued the shortening timeframes for that type of thing. I don’t think anybody needs to worry about it right now. I don’t think anyone will need to worry about it by 2030, time will
Jason Pufahl 18:58
tell it is really
Steven Maresca 19:01
in an academic way, I’d be thrilled to have a truly stable quantum compute infrastructure that isn’t a toy that needs to be kept at ludicrously low temperatures. Yeah, that will unlock so many different interesting things from a research and computation perspective, forget encryption. Encryption is an afterthought. We’ll solve that in other ways; quantum, frankly, intrinsically makes that viable.
Jason Pufahl 19:32
I think some of the comments stem both from potential security risk, but I also suspect as AI gets more prevalent, this concept of the rise of machines and just quantum, you know, have an impact on I mean, I think, honestly, I think people are coming at it from that perspective,
Steven Maresca 19:52
a little bit. I think they’re coming at it because those are words they hear adjacent to each other, not because they’re connected yet.
Michael Grande 19:59
Um. In it, Ex Machina.
Steven Maresca 20:03
I want people to walk away with this: quantum computing, quantum entanglement, things of that nature, in a very interesting way, solves the problems that it intrinsically creates. Quantum entanglement schemes are the mechanism by which the fall of encryption can be compensated for and made a non-issue. Yeah, it’s a paradigm shift in communication and things of that nature. I am less worried than I think we hear in the press. So, so maybe
Jason Pufahl 20:42
the risk lies in between. Let’s say that you the day that quantum becomes reality to the time that quantum
Steven Maresca 20:50
the lag between will be, yes, absolutely. There will be a period where huge infrastructure changes need to take place, and there will be a supply chain issue to get, you know, stable quantum entanglement sources distributed to all the entities that need them. There will be a has and has-not kind of a stratification. But when we get there, I think we’re a really substantial distance away from that kind of threshold,
Jason Pufahl 21:21
as always. Thanks for joining, guys. I think actually, this was good. This was fun. It’s great. So thanks for listening.
Michael Grande 21:27
Exactly. We hope they enjoy.
Speaker 1 21:28
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant, stay resilient. This has been CyberSound.