Advancing Cyber

Author: Cristin Flynn Goodwin
© Cristin Flynn Goodwin
Description
Advancing Cyber breaks down the leading issues in cybersecurity – incidents, law, public policy, and technology – from diverse expert perspectives to highlight what really matters.
Hosted by Cristin Flynn Goodwin, cyber law and policy expert for 25 years with the world’s largest technology companies, Advancing Cyber brings together experts in cybersecurity technology, law, and policy to explore current issues and trends impacting cyber.
13 Episodes
This is the exciting second half of the Advancing Cyber Origin Stories conversation with Katie Moussouris, hacker, founder and CEO of Luta Security, and cybersecurity pioneer. The technical and legal worlds collide here, with Katie and host Cristin Flynn Goodwin discussing the importance of cybersecurity standards, and the role of export control in cybersecurity and its restrictions on software. Katie and Cristin also discuss the impact of AI and AI-assisted coding on vulnerability research and vulnerability disclosure. It's a conversation you won't want to miss. If you haven't heard Part 1, Part 2 can be listened to as a standalone, but we recommend enjoying the whole conversation! #AdvancingCyber #OriginStories #hackers #hacking #vulnerabilities #vulnerabilityresearch #AI #AIAssistedCoding #VibeCoding #Standards #ExportControl #CyberLaw #PublicPolicy
In this episode of the Advancing Cyber Podcast, we talk with Katie Moussouris, hacker, founder and CEO of Luta Security, and pioneer in vulnerability disclosure and responsible security research. Katie shares her experiences from her early days of cybersecurity and unpacks the evolution of vulnerability disclosure and the pressures on the security research community, managing bug bounties and working with researchers, and the importance of security standards. Katie and host Cristin Flynn Goodwin also unpack the challenge of Coordinated Vulnerability Disclosure and what happens when industry quietly fixes an issue, and government doesn’t know about the interim risks. Katie highlights the challenges of governments assessing vulnerability equities and the tradeoffs of government exploitation and relative risk. Stay tuned for Part 2 where we dive into export control and restrictions on software, and the rise of AI in cybersecurity and coding. We’ll explore the risks of vulnerabilities developed by AI-assisted coding and what that will mean for vulnerability disclosure in the future.
Christopher Painter is a globally recognized leader on cyber policy, cyber diplomacy, cybersecurity, and combating cybercrime. Chris has been at the vanguard of cyber issues for over 30 years, first as a federal prosecutor handling some of the most high-profile cyber cases in the United States, including the prosecution of hacker Kevin Mitnick, then as a senior official at the U.S. Department of Justice, Computer Crime and Intellectual Property Section, in leadership roles at the FBI and at the National Security Council in the White House, and finally, as the world’s first cyber diplomat at the Department of State. Cybersecurity norms and diplomacy, cybercrime and hacking, inter-governmental tensions and policy development - it sounds like a TV script but it's Chris's origin story, and it's a great one.
The Government Policy Pioneer: Richard A. Clarke. Episode 1 of the Origin Stories begins with the founder of much of our modern cybersecurity policy, Richard Clarke. Dick served in the White House for ten years under three different presidents. He is responsible for so much of our early cyber policy, developed the first national strategy to defend cyberspace, and has been an influential voice in global cybersecurity discussions for decades. He now leverages that knowledge as a bestselling author and as the founder and CEO of Good Harbor Security Risk Management. As the AI and quantum eras begin to define the next generation of critical infrastructure and cybersecurity policy, we go back to the very beginning of critical infrastructure protection and cybersecurity policy, looking back to advance cyber forward. The conversation starts here. This episode is available on Spotify, Apple Podcasts, and Advancing Cyber's new YouTube channel. Subscribe to stay current with all the episodes in the series – you won’t want to miss them!
On this episode of the Advancing Cyber podcast, host Cristin Flynn Goodwin, former CISA Executive Assistant Director Jeff Greene, and current Snohomish County, Washington Chief Information Security Officer (CISO) Doug Cavit unpack the recent cybersecurity responsibilities shifting from federal to state and local authorities. Jeff and Doug explore the implications of this shift, including resource allocation, the role of federal agencies, and challenges faced by smaller municipalities. Doug shares the practical realities of managing cybersecurity at the county level, and the difficulties faced by smaller entities with limited resources. Jeff, with his extensive background in national security and cybersecurity, provides insights into the federal perspective and the critical role of federal agencies in supporting state and local efforts. Cristin, Jeff, and Doug also talk about what happens if the CISA Act is not reauthorized, and the impact that will have, including a request for the cybersecurity community to call members of Congress and voice their support. This episode is a must-listen for anyone interested in the future of cybersecurity and the evolving roles of federal, state, and local governments. #AdvancingCyber #cybersecurity #CISA #CISAAct #publicpolicy #cyberlaw #cybersecuritylawyer #threatintelligence #informationsharing #publicprivatepartnership #stateandlocalcyber
The drumbeat for “hacking back” resurfaces in public policy circles every few years, usually coinciding with a rise in cyber attacks. It’s a logical, emotional response. An attacker has stolen sensitive data, and frustrated victims ask, “How can we fight back?” Emotionally, it feels justified. Technically, it’s a minefield. From a policy standpoint, it’s an issue that bogs down in liability, unintended consequences, and geopolitics. On the Advancing Cyber Podcast, cybersecurity experts Nathan Case and Stacy O'Mara join host Cristin Flynn Goodwin to debate the pros and cons of hacking back, and the very real risk that collateral damages are greater than the original harm itself.
In this episode of Advancing Cyber, Cristin Flynn Goodwin unpacks the growing concerns surrounding DeepSeek, a Chinese AI provider driving headlines for its powerful AI model built with cheaper and lower-power chips than its Western counterparts. While this breakthrough raises questions about AI efficiency and affordability, it sparks serious privacy concerns, and many have been quick to point out that DeepSeek’s Terms of Service clearly show compliance with laws and government requests in the People’s Republic of China. What hasn’t yet been explored are the impacts of Chinese cybersecurity laws on DeepSeek, particularly the Chinese regulation on vulnerability reporting. Cristin explores the implications of a DeepSeek “test bed” - vulnerabilities reported to the Chinese government, combined with US user data flowing into DeepSeek servers, accessible by the Chinese government. Cristin unpacks the potential that this is, indeed, a Sputnik moment. She challenges that even if DeepSeek isn’t “good enough” from a security perspective, industry and government must create better technical options and put policy protections in place for US users. Join the Advancing Cyber conversation on Spotify, Apple Podcasts, and now on YouTube!
The EU has taken the lead in cybersecurity regulation, and the business impacts are already being felt worldwide. On this episode of Advancing Cyber, Cristin Flynn Goodwin is joined by Chris Hale, Senior Director for Cyber and National Security Law at Cisco, and Emily Lemaire, Financial Services Regulatory Lawyer at Covington & Burling, to unpack Europe’s leading cybersecurity regulations – the Digital Operational Resilience Act (DORA), Network Information Systems Directive (NIS) 2.0, and the Cyber Resilience Act (CRA), all of which have passed milestone dates in the past 4 months. Together, they explore how these landmark regulations are reshaping the global security landscape and causing companies—especially those in the U.S.—to think about their approach to compliance and resilience. DORA’s 4-hour incident reporting rule, NIS 2.0’s expanded scope, and CRA’s product-focused requirements impact how organizations manage cybersecurity and operational risk. Cristin, Chris, and Emily delve into the profound implications of these laws: whether short reporting timeframes increase risk, whether disclosures of newly detected exploitation of vulnerabilities amplify risks, and whether the potential for billion-dollar penalties drives more effective compliance. The discussion doesn’t just stop at the rules. They tackle the deeper questions: Can the U.S. maintain its best-practice approach in a world where compliance is increasingly driven by law? How will companies balance compliance obligations and business needs now that regulations include model contractual clauses? This episode is essential listening for cybersecurity, legal, and policy experts navigating a world where the EU is rewriting the playbook—and daring the rest of the world to follow.
Information sharing used to be about trusted exchanges with those who had data to trade. Today, that information comes from the multi-billion-dollar threat intelligence industry and the experts who hunt threat actors and cyber criminals. On this episode of Advancing Cyber, Cyber Threat Alliance President and CEO Michael Daniel and Professor and cyber threat intelligence expert Sergio Caltagirone explore how threat intelligence has matured into one of the fastest growing segments of our industry with customer expectations for timely and actionable data. They unpack how that reality contrasts with the post-9/11 paradigm of information sharing and the insatiable demand for information from government, critical infrastructure, and organizations around the world. Cristin, Michael, and Sergio wrestle with the reality that not every critical infrastructure owner or operator may need the same level of threat intelligence or priority treatment, particularly in times of crisis. The actual exchange of information, or giving information to those who can action it, requires a much smaller community of responders. Cristin, Michael, and Sergio also debate what a new executive order for information sharing and threat intelligence should include – regulation, threat intelligence marketplaces, tactical and strategic scoping requirements, clear articulations of legal and privacy obligations, and other important priorities - highlighting that information sharing is still a hard problem to solve, but there are options and solutions that can help.
Natural disasters have been hitting the United States hard in 2024, and programs designed to help ensure telecommunications resiliency have been working well in the background to keep people connected and facilitate response. In this episode of Advancing Cyber, host Cristin Flynn Goodwin, joined by telecommunications policy expert Kathryn Condello and telecommunications and cybersecurity veteran Marcus Sachs, addresses a critical problem: what happens when cloud services are taken offline at such a scale that customers and sectors compete to decide who gets restored first? As cloud infrastructure increasingly underpins vital sectors—finance, healthcare, utilities, and government—the question isn’t whether disruptions will happen but how devastating the impacts will be when they do. The discussion dives into the structural and regulatory vulnerabilities in current cloud frameworks that sit at the intersection of cybersecurity and telecommunications, evaluating whether an approach like the telecom sector’s Telecommunications Service Priority (TSP) regime can be adapted for rapid cloud restoration in times of crisis. As data centers carry multiple tenants with differing priorities, the panel explores the impact of the lack of regulation on cloud services in times of crisis, in the US and internationally. This episode challenges cybersecurity policy and tech leaders to reassess how regulation, prioritization, and strategic partnerships must evolve as we recognize the cloud’s role in national security, emergency response, and national resilience.
At the heart of the debate on this episode of Advancing Cyber is a fundamental question: Is “artificial intelligence” itself a critical infrastructure? Join host Cristin Flynn Goodwin, legal expert David Simon, policy leader Jason Healey, and technical expert Jesper Johanssen as they talk through a hypothetical nation state attack against AI to unpack how government and industry would respond. The experts weigh the risks and benefits of regulation, increased sector coordination and collaboration, and the need for an AI-ISAC to prepare for future attacks. Given the diversity of uses for AI, the panel clashes over the notion that AI is critical infrastructure. The panel considers whether the issue rests with the now 25-year-old definition of “critical infrastructure” and whether it may need to be reconsidered for the new AI era. This episode pushes boundaries, challenging the public and private sectors to prepare for the growing role AI is taking in our world. It’s clear from the debate that this is a question that needs to be answered – before the attackers answer it for us.
The CrowdStrike aftermath, the rise of AI regulations that can’t keep pace with technical change, and nation state actors testing and using AI in cyberattacks. In this premiere episode of Advancing Cyber, host Cristin Flynn Goodwin is joined by Jason Kikta, CISO at Automox, Jen Ellis, Founder of NextJen Security, and Jessica Herrera-Flanigan, Partner at Monument Advocacy, to dive deep and dissect recent cyber events. With differing points of view, they explore the implications of the CrowdStrike incident on software liability, the evolution of cybersecurity and AI technology and regulation, and the role of AI in threat intelligence and its use by nation states in attacks - including disinformation operations at the Paris Olympics. Tune in to this must-listen discussion—subscribe now on Apple Podcasts or Spotify! #AdvancingCyber #cybersecurity #AI #incidentresponse