The Department of Know: AI "transformation paradox," Copy Fail chaos, hacked lawnmowers
39 min
May 8, 2026
Summary
This episode covers critical cybersecurity threats including Linux kernel vulnerabilities, IoT security failures in Yarbo lawnmowers, the Canvas ransomware attack affecting 8,800 schools, and emerging critical infrastructure attacks. Hosts discuss the shift from vulnerability management to exploitability management and the role of AI in accelerating vulnerability discovery and exploitation.
Insights
- Exploitability management is replacing traditional vulnerability management as the speed of threats outpaces patch cycles
- Threat actors are increasingly targeting concentrated vendor services to achieve asymmetric impact across entire sectors
- Security through obscurity is no longer viable; critical infrastructure relying on niche hardware or unknown protocols remains vulnerable
- Composable exploits combining multiple minor vulnerabilities create greater risk than individual CVEs suggest
- Responsible disclosure channels and customer-facing security training are critical gaps in vendor security posture
Trends
- AI-powered vulnerability scanning tools enabling faster identification and exploitation of security flaws at scale
- Ransomware groups timing attacks strategically to maximize victim pressure and disruption impact
- Supply chain and third-party vendor attacks targeting concentrated services for outsized sector-wide impact
- Critical infrastructure vulnerabilities persisting due to legacy systems with outdated encryption and unrefreshed security keys
- Threat actor competition and infighting creating secondary exploitation opportunities
- Shift toward defense-in-depth and micro-segmentation as primary mitigation strategies
- IoT and cyber-physical systems emerging as high-risk attack vectors with potential physical harm consequences
- Increased sophistication in multi-stage attacks combining initial access with strategic timing for maximum leverage
Topics
- Linux Kernel Vulnerabilities (CopyFail, Dirty Frag)
- Exploitability Management vs Vulnerability Management
- IoT Security and Cyber-Physical Systems
- Ransomware Attack Timing and Pressure Tactics
- Supply Chain Security and Vendor Concentration Risk
- Critical Infrastructure Protection (Rail, Water Treatment)
- AI-Powered Vulnerability Scanning
- Responsible Disclosure and Bug Bounty Programs
- Micro-Segmentation and Network Isolation
- HIPAA Security Rule Changes 2026
- Educational Technology Security (Canvas/Instructure)
- Software-Defined Radio (SDR) Threats
- Defense in Depth Strategy
- Patch Wave Preparation and Prioritization
- Threat Actor Attribution and Competition
Companies
Google
Chrome automatically installs 4GB Gemini Nano AI model without explicit consent; revamped Android/Chrome vulnerabilit...
Instructure
Canvas learning platform attacked by Shiny Hunters ransomware affecting 8,800 schools including Harvard, Columbia, Ru...
MultiCare Health System
Guest Jason Elrod serves as CISO; healthcare organization dealing with HIPAA rule changes and cyber-physical security...
Acoustic
Guest Jonathan Waldrop serves as CISO at this company
Yarbo
Lawnmower manufacturer with critical security flaw: all devices share same root password reset on firmware updates
Microsoft
Referenced for Windows 11 adding AI features without explicit user consent, similar to Google Chrome behavior
Sentinel Labs
Security researchers who identified PCP Jack malware framework stealing credentials from cloud infrastructure
Theore
Security research firm that discovered CopyFail Linux kernel vulnerability hidden since 2017
National Cyber Security Centre (UK)
CTO Ollie Whitehouse warned organizations to prepare for patch waves as AI tools increase vulnerability exploitation ...
Vanta
Sponsor providing AI-powered compliance, risk, and GRC platform for security automation
People
Jason Elrod
Guest discussing exploitability management, asymmetric attack vectors, and critical infrastructure security
Jonathan Waldrop
Guest providing perspective on threat actor competition, patch management, and critical infrastructure resilience
Rich Drafalino
Host of Department of Know segment, moderating discussion on weekly cybersecurity headlines
Alexander Hand
Reported on Google Chrome's automatic 4GB AI model installation and privacy law implications
Andreas Macris
Disclosed Yarbo lawnmower root password vulnerability and responsible disclosure challenges
Steve Prout
Commented on Canvas ransomware attack scope and compromised data including names, emails, student IDs
Ollie Whitehouse
Warned about AI tools accelerating vulnerability identification and exploitation at scale
Quotes
"We cannot rely on vulnerability management. We have to focus on exploitability management. And that's a little bit different of a thing."
Jason Elrod•Mid-episode
"The Internet runs on Linux, if you haven't heard. Turns out."
Jonathan Waldrop•Linux vulnerabilities discussion
"Security through obscurity is a lie. It's not security. It's smoke and mirrors."
Jason Elrod•Critical infrastructure discussion
"Start looking at where that concentrated risk is. Where are the key constraints that have the asymmetric impact?"
Jason Elrod•Closing advice
"The more time they've been fighting each other is the less time they've been fighting us."
Rich Drafalino•Threat actor competition discussion
Full Transcript
This is Rich Drafalino with the Department of Know, Jason Elrod, CISO at MultiCare Health System. I got to ask, what is your, what has been your priority this week? Wow. If it isn't dominated by the mythos drama, it is all about the upcoming HIPAA security rule changes in 2026. And my brand new favorite, which I think we're going to talk about today, the CI Fortify. Yes. Yes. Oh, so many wonderful things to fill the mind palace of your brain. It's truly glorious, truly glorious. I hope Jonathan Waldrop, the CISO over at Acoustic, has had a similar priority-laden week. Jonathan, where has your mind been at this week? Oh, man, definitely we're in the throes of the middle of the quarter, not nearly as interesting as what Jason's got going on, but we're not at the beginning of the quarter, so nobody's excited about it, but we're not at the end of the quarter yet, and nobody's rushing to finish all those projects, So we're right in that kind of dead zone in the middle, trying to keep things on track. It's not too late. You can jump on the Mythos hype train. Don't worry. That's true. That's true. And Mythos. Yes. Yeah. Of course, you have to say that. Dot, dot, dot. And Mythos for all CISOs for all time. All right, Producer Josh, we got everything. We got everything prioritized. Now let's run that open and get into the show. From the CISO series, it's Department of Know. Hey, everybody. Welcome to the Department of Know, your virtual Friday strategy meeting. And I'm going to even say a debrief here this week. We are super excited. We've got some fantastic guests. And we have a fantastic sponsor helping make the show possible. Vanta, thank you for supporting the show. We'll talk about them more later. Remember, if you want to get involved in our YouTube chat, you can if you're on YouTube and watching us live. We're broadcast every Friday at 4 p.m. Eastern. If you're watching us later, I guess you could leave a comment. 
I have no way of really seeing it or responding it now, and I'm not going to respond to ones from last week. It gets into a whole time is linear. I don't have time to get into it. But feedback at CISOseries.com for more of the async communication, if that is your bag. Before we get into the news, just a quick reminder that the opinions expressed by our guests are, in fact, their own, not necessarily those of their employer. So keep that disclaimer in mind at all times. You are legally now required. We've got about 30 minutes. So let's dive into our no or no segment. This is where there was so much news, so much going on. We need to jump through some stories quickly, find out if these are things you should be bringing to your security teams. First up here, I saw this one making a ton of waves. I was scratching my head a little bit, so I need some help unpacking this. Google Chrome installs 4-gigabyte AI model on devices. Computer scientist and lawyer Alexander Hand reports that recent versions of Google Chrome automatically download a roughly 4-gigabyte Gemini Nano AI model to user devices without explicit consent when default AI features are enabled. He says the file installs silently and can be redownloaded after deletion. Hamph argues the behavior may violate privacy laws, cause increased power usage, and calls for an opt-in prompt. Jason, I'm going to start with you here. Google updates Chrome all the time. We don't usually bat an eye when it downloads a thing and we don't necessarily get consent here. But do you think there's more about a local AI model install that we need to dig deeper into? Or is this a no thank you for you? I'm going to go with a nothing burger here. OK. So we do need to know more about it and should definitely have an opt-in here. But this really hasn't earned the airtime in my weekly stand-up. For instance, this is just Google updating something with its latest AI. 
Apparently, if this is a surprise to anybody, they don't run any kind of Microsoft operating system. Yes, I was gonna say, like, I mean, people were angry about Windows 11 adding all this stuff, but, like, no one was asking for, I guess, explicit consent for this. It was just, we're at the behest of Microsoft, we're at the behest of Google with Chrome. Jonathan, I'm curious, are you of the same vein, or does this, does this maybe rise a little higher in your book? Wait, are we saying that when you download things from the internet, there's fine print to read, and there's other fluff that you didn't know you were downloading that you should go look through to see if you're downloading it? I'm surprised that we're surprised, frankly. Right. Um, to me, I agree with Jason. This is kind of a, like, yeah, I probably guess, I probably just assumed that that was already happening anyway. Um, I don't mean to dismiss some of the privacy concerns, and there was an environmental aspect to it, if, you know, if everybody starts running these, these, uh, these models locally and we're gonna, you know, all that kind of stuff. So I think it's good to be aware of, but yeah, this is not taking up any cycles in my, in my week this week. I, I will say, as someone who runs their hard drive, because I'm too lazy to clean it out, pretty close to full up all the time, I am sympathetic to the fact that four gigabytes is a non-trivial amount and could all of a sudden be like, that is fair. What, what do I got on, it's, oh man, I gotta, that's probably the takeaway: empty trash can. Empty trash can. Oh, you know what, that's, that's the data retention policy, Rich, come on. No, I ZFS snapshot everything. I have, uh, years and years of snapshots on this thing. Don't worry, don't worry. All right, next up here, let's, let's, uh, this is one of the more interesting stories of the week here. New PCP Jack worm steals credentials and cleans Team PCP infections. This is the most I thought, I never thought I'd talk about PCP so much, uh, in my time here at the CISO Series. A new malware 
framework called PCP Jack is stealing credentials from exposed cloud infrastructure while actively removing Team PCP's access to the systems. It targets services like Docker, Kubernetes, Redis, MongoDB, RayML. You pick your enterprise deployment, you're probably using it. Sentinel Labs believes that PCP Jack may have been developed by a former Team PCP affiliate or member who started their own operation. Jonathan, this is now the second week in a row we've seen threat groups, I'm going to say, kind of getting pissy at each other. Do we need to know more about what's causing what seems to be increased competition among threat actors? Or if they want to fight each other, is this a great no thanks, don't need to know more situation for you? So first of all, I would just say that this is the ultimate insider threat turn disgruntled employee threat actor type of thing. So even the bad guys organizations have this problem that we still have in the corporate kind of enterprise side. Right. So I don't want to overlook that for one. How much do we care? I don't think most companies are in a position to, to try to figure out necessarily who, or, or, or from a retributional standpoint, like how, why do we need to attribute there's some, there's some, certainly some tactics and techniques that we can glean from that and knowing maybe how they, what they do next. Um, but I think the key here is that nobody's happy. even the bad guys are fighting each other. So is this a case of the enemy of my enemy is my friend? I don't think we're quite on that side of it yet, but no, this is very interesting to see. But again, to me, my big takeaway was like, wow, they have the same HR problems that we do. Yeah, Jason, threat actors, they're just like us? Question mark? Oh, yeah, question mark. Yeah, when I looked at this, I was like, let them eat themselves. That's the kind of competition that happens in the market, even if that market is a criminal one. 
So it's funny that people are getting surprised that people are going to have their own side hustle against the hustle and then go out there and then there's going to be competition. I do like the point that was just made, hey, maybe there is some tooling or some understanding about, hey, practices and procedures and technologies they're using to attack each other that we can watch. So part of me wants to land, like I say, you know, feed it a little bit. Oh no, I'd pay your rent somewhere if I wasn't already paying theirs. Wow, what's some advanced negotiation techniques. You know, you're the second person here. I've already, I've already bought Girl Scout cookies, you know, so, not to mean that to make the assumption that those are criminal organizations, but you know, but as the father of girls, I've already paid here. We're fine. Yeah. Off we go. So this is interesting. I love the idea of like more competition among threat actors might actually benefit end users. I can't dispute that logic. It's troubling, but yes. Okay. I think we solved it, guys. The more time they've been fighting each other is the less time they've been fighting us. I like that as a takeaway here. We're going to need it too, because it turns out Linux kernel flaws abound. Security researchers at Theore are informing admins of a newly discovered security flaw that's been hiding in the Linux operating system since at least 2017 named CopyFail. This uses an AI or they use an AI-powered scanning tool called Xint code or Zint code, whatever you got. It allows anyone with a basic account on an affected computer to seize full admin control. It also works as an escape route from cloud containers, which is, you know, bad. Theore said the flaw resulted from three separate individually unremarkable changes to the Linux kernel and no one recognized the danger created by their combination for nearly a decade. 
And then we also saw the Dirty Frag privilege escalation Linux kernel bug that allows users to escalate to, escalate to root on all major distros. Embargo on that was actually broken early. So there's actually no patches or CVEs even assigned to it yet, but a mitigation has been published for that. So not all hope is lost there. But, you know, Jason, we're gonna be talking about the kind of the patch wave coming at us a little bit later in our wider discussion here. But you know, a nine year old potential Linux kernel bug, do you want to know a little bit more about this? Or is this more academic than a critical concern for you? No, this one lands specifically in the no item. We want to, we want to know more about this one, because this is something that's not only a vulnerability, but an exploitability across systems. I think there's a distinction there between things that are vulnerable and things that are exploitable. And given the mythos effect that has dominated the news cycle, I think we're going to be seeing more automation of these types of composable exploits being taken advantage of by threat actors. And our ability to pivot to rapid mitigation will be critical. I mean, if you think about the CopyFail, that's three small things to create one big issue. So our evaluation of the impact of the CVE now needs to contemplate that composable nature of it. It needs to contemplate that type of chaining. So we cannot rely on vulnerability management. We have to focus on exploitability management. And that's a little bit different of a thing. Ooh, I like that. I like that. Jonathan, where are you at with these Linux kernel flaws? Yeah, I love the thought behind exploitability management. And I think that is a train that more of us should be on. You know, we focus a lot because there's tons of vulnerabilities, like you're talking about, Rich, that are purely academic, that they happened in a very clean lab environment where, you know, these conditions are set type of thing. 
But you wouldn't actually find it in the real world. This one feels a little more dangerous. The Internet runs on Linux, if you haven't heard. Turns out. Yeah, as it were. So this one really is going to be one to watch and to know more about, particularly if you're running in a cloud environment, something that's available over the Internet. You know, all those kind of typical things we would look for in that exploitability. What's the risk level to us? Yeah, this has taken up some cycles where some of the other articles haven't. Yeah, we got this in our discussion, so we'll be digging into that in a little bit, just a second. But we have to talk about possibly the greatest story of the year. I'm not going to lie here. It turns out every Yarbo lawnmower is essentially hacked instantly. No problem. Don't worry about it. Security researcher Andreas Macris disclosed that every Yarbo lawnmower is essentially a Linux computer whose root password is reset to a known stock value with each firmware update. And they're all the same. Like it's the same root password. Macris was able to vibe code a map of all mower locations, remotely control them, and get passwords for the networks they were on. and directly disregard user commands to like shut down, not run over somebody like that. Those would be the things that it could override. The company had no bug bounty or channel to report bugs. And when trying to go through customer service to report the bug was told that this was by design. So Yarbo could diagnose issues. Jonathan, we all know secure IoT security is a disaster. But do you want to know more about what's going on with Yarbo? because there's blades attached to the IoT? Or is this a so sensational, it's a no thanks for you? No, I think we should really care about this because anybody who lives in suburbia and has lawnmowers, I mean, this is a very real risk now. All of a sudden, now we have machines with blades. 
No, I think if there's something to take away from here, it is that we've got a company who had a responsible disclosure attempt and they said, no, no, no, that's how it's supposed to work. I mean, and who knows? I don't know. I wasn't there. I wasn't disclosing it and I wasn't taking the call, right? But I think that is really where we need to train some external facing customer service folks to, even if you think it's so far-fetched, take the call, send it to your security team, let them have a look at it. This also does remind me of, it was about 10 years ago, Um, Wired had an article about a, uh, hacking a Jeep Cherokee on the road. It was like people they knew were in it and this kind of thing, but the same type of thing taking over it. And it just, I think it really just shows you how, how precarious things are. Um, you know, have we, have we talked about mythos yet, but I gotta, gotta drink again. All right. Yeah. Yeah. It's definitely some of the underlying aspects. Once we get past the, the murder blades on the lawnmowers, murdering lawn lawnmowers, It is really kind of an interesting thing to think about. Potentially murderous lawnmowers. Yes, allegedly. Let's not impugn the integrity of our Linux running lawnmowers who have kernel vulnerabilities too on top of everything. Jason, what about you? Is this too – how are you contextualizing this story? Sensational, terrifying, where are you at? All of the above. This is definitely sensational. It's terrifying. And not just because I have a kill bot in my garden shed. It's really about the backdoor controls built in, right? By creating a backdoor by design into your infrastructure, remember, it's a feature, not a bug. You're having this pathway from your IoT CPS, cyber physical security. It's a pathway to the rest of your IT infrastructure. And this particular attack vector is advancing rapidly. So it's a matter in personal life as well as much as the enterprise life. 
Another example of that frontline being everywhere. In healthcare, I'm already sort of in that space where there is a cyber to physical impact. Like you come in and you impact like an infusion pump or something. There's a potential to have a physical human impact. I just didn't think I'd have an episode of BattleBots in my neighborhood. Well, I'm also thinking, I just realized, like, because this is not patched yet. Like, you could just drop a bunch of ransomware also and lock up a bunch of people's, like, don't do that also, please. Don't do that. Good disclaimer. No, yeah, yeah. Asking for a friend, Rich? Yeah. I'm not saying that, but what's my Bitcoin wallet? You want to mow your lawn? It's my category of it's so awful that it's looped all the way back around to awesome. I refer to these as awesome. Well, something that is an unmitigated awesome is our sponsor for today. So let's spend a few moments and thank our sponsor for today. And that is indeed Vanta. Risk and regulation ramping up, and customers expect proof of security just to do business. Vanta's automation brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure and keeps your deals moving. Learn more at vanta.com slash cso. I have to warn, we have CCL in the chat. If you're rolling on the floor, make sure there's no lawnmowers around. Okay, just make sure you're good. The floor is no longer safe. I guess the floor is it's the lawn rolling on the lawn laughing would be the danger here. All right, let's dive into our first story. This one making news the last 48 hours really here. It turns out school's out for Canvas. 
As my children's rising apathy might indicate, the end of the school year is indeed upon us, which means it wasn't a great time for Instructure's digital learning platform, Canvas, to go into maintenance mode for free for teacher accounts yesterday, following a ransomware attack by the Shiny Hunters group. Canvas had been listed on their leak site since May 1st, and this outage and defacing of Canvas' site seems to be a second wave of attacks to ramp up pressure to pay a ransom. The full scope is unclear. I still think at this point in terms of how many institutions were impacted, but Shiny Hunters claimed 8,800 schools. We saw confirmations from Harvard, Columbia, Rutgers, and Georgetown sending alerts to students about the outage. And Instructure CISO Steve Prout said impacted information includes names, emails, student ID numbers, and messages on the platform there. This exploited a flaw in the free for teacher accounts and Canvas seemed quick to want the situation to seem resolved pretty quickly there. And then seeing that second stage attack, we've seen long term impacts from the power school breach from last year. This is a big kind of ed tech thing I can I can kind of wrap my head around here to compare it to. Right now, everything is back up as of this recording. It seems like things are back to normal. But this was a big kerfuffle, especially given the time of year. I'm sure we'll get some more details on this. I'm curious, Jason, let me start with you. What lessons are you learning from this that you might bring to your teams or what kind of takeaways are you seeing from this? Well, I think there's a couple of things. From one, and we talked a little bit about before we got on the show here, it's about the asymmetric attack vector. And what I mean there is you're seeing that threat actors like, you know, shiny, happy attacker, whoever we call them today. They don't go after the individual schools. They go after vendor concentrated areas. 
It's like, where can I attack? Where can I have that impact? Where it's going to have the most outsized, again, impact compared to where I do, I have to hack one spot and it's going to impact, like they're saying here, 8 different people on it. So I think there's two aspects to it. We have to be really aware just from a supply chain standpoint, if nothing else, or a third parties where are not just me and my close cohorts using, but where's the entire sector, what is an entire sector, whether it's healthcare or, in this case, education? Where is it concentrated? And we're going to see an increase in these type of attacks. I'm starting to see an increase in these type of attacks where it's a concentrated service. And then, to your point right here, they're now looking at how do I even pour gasoline on that fire? Well, then it's a concentrated, outsized, asymmetric timing. So I'm in there. I get it done. But then I hold it. Or maybe I just time that so, hey, you know, not only that, it's going to cause the most disruption for the most drama, the most leverage I'm going to have against those victims. Jonathan, where are you at in terms of trying to wrap your head around everything that we've seen this week regarding Canvas? Yeah, I think honestly for this one, if you're not directly impacted, it's probably not going to take up much of your time. 
But again, there's always something to learn. Learn things the easy way when other people have a bad day, unfortunately, and we're not wishing anybody ill. But at the same time, I think there's, there's always lessons to be learned about breach response and, and the public nature of that. And anytime somebody says, oh yeah, we're good, oh, we're not good anymore, like that, that never ages well. Um, but it's also, it's also indicative of the, the pressure and the stress that these teams are under. And, you know, one of the things that we have discussed as well was, you know, this is to Jason's point, this is the exact most critical time of the academic year for most people. And, you know, we've seen threat actor behavior change over the years from, you know, lie and wait, live off the land for a little while until, until everything's just right, and then it escalated, sorry, accelerated from there to, hey, we saw, you know, the, the initial, initial attack and gain a foothold here and then minutes later people saw, you know, we're seeing a ransomware screen. Maybe this is, is kind of getting back to, hey, let's, let's wait until we can really make it hurt and, and really make it from a, from an attacker standpoint, that is make it potentially the, the, the, sorry, victim here is, is more willing to meet some demand or, you know, whatever the case is. I think maybe, maybe they can talk to the, the PCP attackers from the previous story and see, can we, can we negotiate down the ransomware payment? If you know, we'll be nice and I'll pay this, but I won't pay that, you know, all that kind of stuff. So I think jokes aside, I mean, this is very obviously a very serious issue for the Canvas team. So we wish them well. But yeah, I think definitely things to learn from a from a public response perspective. Yeah. And to give them to give them full credit. I mean, we like the fact they're coming out with the information that was lost. Oh, yeah. 
I mean, you know, we have seen I will say compared to the power school, we know so much more now. And admittedly, obviously, completely different situation. So I'm not saying anyone's better than anybody else. But if I was impacted by this, I would feel at least a little better. And hey, maybe I'll get some free credit monitoring out of this too. Yeah, but we're not going to change your grades for you. Yeah, gentlemen. Dang it. And I think there's a couple of things there. What is good about what's happening there? To Jonathan's point, like, hey, it's the measured transparency, right? They're coming out and they are giving those updates as soon as they can. And so at least the impact individuals beyond, you know, Instructure, which is the company for Canvas, beyond their impact because they're a victim. Okay, so they've been attacked and they're sub victims kind of down the road, you know, re-victimization that goes along with it. So doing your best to help those folks who are also impacted by a second, third sort of order is key. But, you know, that's a hard needle to thread for any organization. like when do I release this information what do I say because unfortunately I think it's a sad state of affairs but the re-victimization of organizations is a real thing so every word you put out becomes a potential legal or regulatory follow-on attack and I do consider them attacks an attack vector for organizations so again hard needle to thread I think they're doing a good job and I wish them all the best on it all right next up here everyone is trying to ride the patchwave. The chief technology officer at the National Cyber Security Center in the UK, Ollie Whitehouse, fantastic British name, said in a blog post, the use of AI tools by sufficiently skilled and knowledgeable individuals is increasing the likelihood that vulnerabilities will be identified and exploited at scale. He encouraged all organizations to prepare now when a patchwave arrives. 
Talk to Linux kernel admins. They're right there with you. And we're already seeing the economics of this patchwave play out, though. Google revamped its vulnerability reward program for Android and Chrome. Android Secure Enclave exploits are getting a bump in bounties up to 50% for the top prize, 1.5 million, I think now. But Chrome exploits are getting a cut of up to a 10th of their former payouts. They have a really weird weighing scale for a lot of that. So it's tough to kind of know exactly. But Jonathan, I'll come to you first here. I said, we're going to talk about the patch wave. Here we are. As AI vulnerability scans are getting more sophisticated, we're likely going to see ever more complex chains of exploits, both from our internal scans. Hey, we found the thing, yay. And from bad guys, boo. We know it's coming, but I'm curious. We kind of talked about no longer looking for vulnerability scanning, but exploit scanning. I guess when we see something like this as an industry, how are we responding here? I think there's a couple of things to think about. Exploitability is definitely one that's top of mind and what the actual risk to your organization is. There's so many, particularly in software vulnerabilities, there are so many different configurations and layers and possibilities that if this switch is flipped, it is vulnerable. If this one isn't, even though other conditions are true, it may not be vulnerable. So it really comes down to what's your risk tolerance? What's your risk profile? I do think there are a lot of us, and I put myself in this boat, trying to figure out if we can automate the identification of vulnerabilities, we should be able to automate the resolution of those issues. And so, you know, I think we're seeing a lot of times we see tools come out and there's a good guy use of that tool, if you will, like what security teams would be using a tool for. And then we see the misuse and the perversion of that tool by attackers. 
Maybe this is the case where attackers came out with the tool first to identify these vulnerabilities, but we need to turn that around and really work and put our heads together to come up with some ways to automate some of this resolution. Also, it's, it's of note that we don't have to patch something to, to prevent an exploit, right? There's lots of layers. There's web app firewalls, there's all different kinds of technologies that are out there, too many to list right now, where we need to have those layers of security. It's called defense in depth for a reason. The other side of this coin that I will say is that, you know, we, zero day exploits in any form get a lot of press, and not unreasonably so, especially when you have, um, potentially murderous lawnmowers. I mean, that's, again, I can't stress that enough. Yeah. But I think, I think here that the key, though, is, is we, you have to have your whole house in order. Like, if you've got all the other stuff from, from last year or three or four years ago that's patched up, great, think about this too. But there's some basics that I think we, we should all be sure we have set first before we spin out of control on the latest XYZ. Again, some of those things really might float to the top of the list. Some of these Linux vulnerabilities that are coming out very well may hit that point. But there's a lot of these that are like, okay, maybe we can take a little risk there to go upgrade that OS that's seven years old. Jason, where are you at with this? Legacy vulnerability management is dead, and that model actually was never achievable. There was never achievable. It's Sisyphean. So you're never going to make everything that's vulnerable invulnerable. And that's, I'll even posit that right now everybody listening, seeing this podcast right now is vulnerable. You just don't know it yet, because that's that idea of zero day. 
So if you're concentrating on like, I'm going to be able to react fast enough at the speed of threat, the speed of vulnerability, nobody's ever been able to do that ever, because you're like, oh, patch comes out. I got to fix it. And I got to do a patch cycle and it's Patch Tuesday or whatever it is. And the SLA between there, we used to kind of have a little bit of a time flexibility, a little bit of a time gap to do that. You don't have it anymore. You just, you just don't. And so like, as I lean heavily into the exploitability management of it. And so find out what's the accessibility window look like to the things that are exploitable. And then you really concentrate your vulnerability management and your mitigation is there as much as you can to break that kill chain, to make sure that you've handled it. And at that point, it doesn't necessarily need to be a patch. It can be a mitigation. And so exploitability can be handled through mitigation, often is things like, internally, you should be looking at micro-segmentation. I like, okay, CI Fortify is going to tell you, you have to do this in critical infrastructure. If the security will going to have to do it, no longer addressable, what required. So when you think about, say, micro-segmentation, it's really just about limiting that blast radius. You limit the impact of that vulnerability being exploited. So the idea here is to understand where your crown jewels are, what are your primary assets, what are your critical functions, and isolate the potential damage should one of those get impacted, or the things that are around it that could impact it adversely. All right, I don't need to breathe into a paper bag. Like, sometimes I read some of these stories, and I'm like, okay, all right, that all sounds tough, but manageable, and that makes me excited for the opportunity as opposed to dreading the inevitable, which may be the same thing, but I still feel better. So thank you for that, Jason. 
Our last story of the day, a tale of two critical infrastructure attacks. Taiwanese authorities arrested a 23-year-old student for interfering with the TETRA communication system used by the country's high-speed rail network. The suspect allegedly used a software-defined radio to send a general alarm signal that triggered emergency braking on nearby trains. This resulted in four trains being halted for a little under an hour on April 5th. The system's verification keys hadn't been refreshed in 19 years, which was the age of the system, and used known broken encryption. Then Poland's domestic intelligence service said attackers breached water treatment facilities in five towns in 2025, in some cases getting access to industrial control systems that could have disrupted water supplies. The country's internal security ABW said this posed a direct risk to the continuity of water supply operations, to which I would reply, neither of these sound great. Obviously, water facilities like that is some very critical, critical infrastructure and a familiar target for APTs these days. But the train one, I think, sticks out to me. You know, SDRs are old tech, like this is nothing new here. But it seems like we're still encountering critical infrastructure, which is secured by the idea that, hey, if the hardware that needed to exploit it is expensive or it's niche, that's kind of a security through obscurity there. I don't feel like that's the case anymore. I'm curious for you, Jason, which one of these stands out? Well, they both stand out for different reasons. And security through obscurity is a lie. It's not security. It's smoke and mirrors. Security, air quotes, through obscurity. I think we have two things here. 
When we have a tick tock tragedy, okay, not to make it last, but I think the more dramatic there is the train, right? Because that would be something that would get an immediate news attention. You know, it's literally a train wreck, right? So it's going to be more acute invisible impact on people, even if it only affects, only affects, you know, a few hundred people. The bigger problem here, though, the one that's really problematic, is the water treatment facility, because again, back to that asymmetric impact. I take out one train of horrible and dramatic and tragic in that aspect. But if I take out a water treatment facility, that could fracture a non-trivial part of an area's ecosystem. Instead of a few hundred people being impacted, tens of thousands could be. And then I look at it this way. So if I take out the water treatment facility, I'm also taking out the hospitals. I'm also taking out all the things that would rely on that too. So it's that example of a hyper-concentrated thing that you don't necessarily think about that butterfly effect. What is the downstream effect? It is way more impactful. So I think we need a lot more intention, intentionable action on what I would call invisible threats, because it's definitely the worst of the two. Jonathan, do you feel the, I mean, same way there? I mean, yeah, I mean, it's tough to argue against water, right? Yeah, for sure. As something that one, obviously, we all rely on every day. We rely on safe drinking sources for all of our water. And hopefully, everybody has access to that. And that one definitely for sure is the one to watch closely. I will say on the train article, I don't want to overlook that the system failed closed, and that the result was there were four trains halted for 48 minutes, 48 minutes for people to be inconvenienced rather than the train thought it was slowing down, but it actually was accelerating or, I mean, any other catastrophic kind of thing could have happened there. 
So I think there may have been, I mean, I'm speculating here, obviously, but there may have been some sort of control. You know, the last ditch effort is stop the train maybe, and that's the deny all at the end of the rule set, right? But at the same time, again, the water source, anytime you've got, to Jason's point, that concentration of impact, it's not even concentration of impact, it's the reach of a potential impact from one concentrated source, is really, that's where we should be focusing. So these kind of attacks unfortunately aren't new, but hopefully we're learning from each one to figure out how to close some of those vulnerabilities, because not all of them might be exploitable. But in the case of water supply, anything that's vulnerable, we've got to have eyes on it. All right. Well, we're just about out of time here on the Department of Know. But before we get out of here, is there any piece of advice that based on our conversation today that you could share with our audience? Jason, I'm going to start with you. Anything that's kind of stuck out here as a good takeaway for the audience? Outside of Kill Bots? Yeah. I mean, it could just be Kill Bots. Don't go buy lawnmowers. No, no, no. I think it's the big takeaway here is start looking at where that concentrated risk is. Where are the key constraints that have the asymmetric impact? That happens in your organization, but also happens in your own personal life too. So start thinking about the things that impact not just you, but could have that outsized impact in your programs, in your life, in society, in your friends and family. I would say, hey, that's where you need to focus. And then you need to focus the second order on that is how do you mitigate it? Because you're not going to stop it from being, you know, it's not going to make it invulnerable, but know where to focus your resources. And that's probably where you should focus them. 
Interesting. I like that idea of finding a way to, I don't know, disaggregate that bundle of, make that asymmetric, you know, not as big of a target. I like that. I'm thinking about how do I apply that in my personal life? That will be my challenge this weekend. Jonathan, what about you? Any piece of advice for the audience and for me? I'll take it, too. I'll take the non-cybersecurity path and check on somebody that you know, that you care about this weekend. This weekend is Mother's Day in the U.S. And unfortunately, not everybody has a great relationship with their mother. So check on somebody. If you do and you have a mother-like figure in your life, please go tell them how much you appreciate them. I couldn't think of a better way to close out the show. I hope everybody enjoyed this fascinating discussion. I mean, just a lot of interesting threads in this show today. So thank you both for being on the show for your time. I know you are busy, folks. I know a Friday, lots of stuff going on. So thank you so much for being on the show. Before we get out of here, Jason Elrod, CISO over at Multicare Health System. I hear you. If people like you on this podcast, they might be able to hear you somewhere else, right? There is an opportunity there. So if you want to connect with me, go on LinkedIn and connect with me. I'm the Jason Elrod. Jason Elrod's taken. I'm the Jason Elrod over on LinkedIn. Go ahead and follow me up there. But you'll know it's my site because it'll link to my podcast, which is Drink Coffee, Do Cool Stuff. Less kill bots, more entertainment. More entertaining than kill bots? I don't know. Wow. I'm trying. I'm working on the tagline still. That's the podcast guarantee. Podcast guarantee. What would you do if you didn't have to do anything? You didn't have the constraints. The answer would be drink coffee and do cool stuff with people of purpose. Come on over and listen. Thank you, Jason. 
And thank you also, Jonathan Waldrop, the CISO over at Acoustic. We will have links to both of your LinkedIn in the show notes as well and have you back on the show before too long. Two of my favorite guests to have on the show. And a big thank you also to our sponsor for today, Vanta. Thanks for helping make the show possible. Remember to send us feedback anytime, feedback at CISOseries.com. Remember to join us next Friday for 4 p.m. Eastern for another edition of the Department of Know. And make sure you're going to events, the events page at CISOseries.com, to see everything that we have going on, all of our Super Cyber Friday events. Make sure you're registering for those. We have live events coming up. We have all sorts of fun stuff there. So if you're a fan of the CISO Series, make sure you're seeing how to stay engaged. Thanks for coming to our Friday stand-up here. Have a great week. Stay secure out there. For myself, for our wonderful producer, Josh, for the big boss man, David Spark, and the rest of the CISO Series team, here's wishing you and yours to have a super sparkly day. Cybersecurity headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.