The Changing Face of Cyber Threats and Defenses in the Age of AI

August 7, 2024 | Podcast: Future-Ready Business



As we navigate through the complexities of how both defenders and attackers are leveraging AI, it is important to stay ahead in the cybersecurity game.

In this episode of Future Ready Business, Art Cavazos and William Nilson discuss with cybersecurity expert John Dickson the current state of cyber threats, from the automation of ransomware attacks to the emerging concerns around deep fakes and voice-based authentication.

Featured This Episode

Our Hosts:
Art Cavazos

Art Cavazos
Partner, San Antonio
Twitter “X”: @FinanceLawyer
Follow on LinkedIn »

William Nilson
Associate, Austin
Instagram: @Austin Bespoke Fits
Follow on LinkedIn »

Episode Guest:

John Dickson
Bytewhisper Security, CEO
Twitter “X”: @johnbdickson

Episode Transcription

Art Cavazos: Hi, I’m Art Cavazos, a corporate and finance lawyer with Jackson Walker, and this is Future-Ready Business. I’m joined today by my co-host, Will Nilson, and our special guest, John Dickson. As always, before we jump in, I’d like to remind our listeners that the opinions expressed today do not necessarily reflect the views of Jackson Walker, its clients, or any of their respective affiliates. This podcast is for informational and entertainment purposes only and does not constitute legal advice. All right. So, to get started, we like to go around and let everybody introduce themselves a little bit. So, John, you’re our special guest. Why don’t you start?

John Dickson: All right. Hey John Dickson, cybersecurity guy, San Antonio person and AI aficionado, and I’m happy to be here. Thank you for letting me in here. Art.

Art Cavazos: Thank you for joining us. Will.

Will Nilson: I’m Will Nilson. I’m a commercial real estate attorney here at Jackson Walker at the Austin office. And I’m happy to be here too. And I’d like that. That’s the first time I’ve heard Someone say AI aficionado and it’s actually true. I think this is the first time I’ve heard it.

John Dickson: Did I say that correctly? I was worried about the pronunciation.

Will Nilson: Oh, absolutely. It’s just a hundred percent true. I love that. I’m very excited.

John Dickson: I don’t know if aficionado is Latin. That’s, I think it’s Italian, which is derived from Latin. So. Yeah. Close enough.

Will Nilson: We’re already angered. People are Googling now.

Art Cavazos: So, John you’re here today to talk with us about AI and cybersecurity. First, why don’t you tell us a little bit about your background how you got involved in cyber security and now how you’re getting involved in AI.

John Dickson: All right. So, my background is I’m an ex-Air Force officer. I was in something called the Air Force Information Warfare Center which is now a part of what’s called the 16th Air Force Out at Joint, at the Joint Base Lackland. Based here in San Antonio. So, I came from that side of the house, which is intelligence and what used to be called information warfare. And, you know, electronic denial of electronic collection, all these fun things that that I can’t really talk about anymore and then morphed into the commercial sector in the nineties have been in cyber security. I call it just security because nobody mistakes me for a physical guard or anything like that.

So, I just say security, but I’ve been in security since 97-ish, and which was a cool time to come on board and was a KPMG person for a long time. And then was at a company called SecureLogix and then a principal or partner at Denim Group. One of the three partners there and was there for over a decade until a successful acquisition in June of 2021.

So, I was all prepared to retire. And then AI kind of became a bigger thing, and I jumped back into stuff because of it. On, on the AI side, in 2018, I actually put on my list of things to do, learn AI. It was like on my bucket list, which is ridiculous, you know, like, like, like, read more about AI. And I submitted a call for papers at a big conference called RSA and it was like, I really didn’t know much about it, but I was like, this sounds cool. And it got accepted. And it’s like, oh crap, I really got to learn this. And it was luckily not a, like a hour presentation. It was just a peer-to-peer discussion where you get in a room and it turned out well. And then I did another one that was really machine learning like 2018, 2019. So was doing that for a while and it had learned it probably more than the normal person. And that’s how I, again, not, not really as a career thing, but I just did it. And next thing you know, I know more than, you know, the average person, I guess. So, there you go.

Art Cavazos: And so, when you talk about using AI in cybersecurity what exactly, how does that work? Cause right now, a lot of what I think about when I think about AI is. Things like optical recognition, you know being able to see things and recognize what they are, or, you know, generative AI has been making waves the past year and a half or so and that’s all like text based, you know, generating text, but so how do you use AI in cybersecurity?

John Dickson: Wow. So, the cool thing is this is a like six-hour podcast here. No. Wow. That’s a broad question. Settle in. The, the real question is. Just how, how do the defenders use it and plan to use it? And how do the attackers use it, or are using it right now? So let me start with the attackers, because that’s always the part that gets everybody’s attention. The real fear right now is that the protagonists, and when I say protagonists, I mean mostly the criminal syndicates in Eastern Europe. And the nation state threats I would say Russia, China, Iran, North Korea are using it to do quicker and more sophisticated attacks. And what I mean by that is, you know, phishing attacks that used to be in halting English and with grammar problems look exactly like perfect English. Now the responses, the iterations are all faster, better. So, what we’re already seeing is in the phishing world, the phishing, phishes are getting faster, better, and harder to detect.

We’re worried about you know, the adaptations because again, the whole thing around cyber, cyber security, whatever is cat and mouse. You change and adapt and adapt. So, the adaptation cycles faster on the defense side. Which is the good guy side, you know, corporate America. It’s really about how do we understand where can this help us? How do we understand our vendors and how they’re using it and embedding it in their systems and what, what, what gains that provide us? What are the potential weaknesses? If you’re building software and like your developers start using chat, GPT to generate code, what does that look like?

All these things, which simply didn’t exist as a area of focus or area of study are now a thing. And I, I was at a conference in Denver two weeks ago and I was talking and I asked a, the audience, like, hey, when, when did, everyone talks about Microsoft copilot is like the example, right? I said, hey, when did copilot go general availability? When did it go GA? Does anybody know, roughly?

Art Cavazos: I mean, I’m assuming in the past 12 months.

John Dickson: It’s like February, like this year. Then people talk about it as if it were 365 or Excel or word. Oh, it’s just been exist, in existence for less than a year, you know? So, it’s, and that’s the thing that’s nutty and crazy about this is how fast it’s going and the arms race between all the different folks that are out there. Open AI versus anthropic versus, you know, meta versus Google. You know, whatever Sam Altman is doing to Elon Musk and vice versa, all those things, all that has happened and created this crazy cottage, cottage industry that didn’t exist. So, there you go. That was a long answer to a short question.

Art Cavazos: Will any thoughts or I, I can keep going.

Will Nilson: No, I’m just enjoying this. Art. Please ask your, this is, yeah, I’ve got too many thoughts to put it into a question.

Art Cavazos: So, you mentioned AI being utilized by, you know, malicious hackers, uh, state actors you know, what, what exactly are they doing as far as you know, you mentioned more sophisticated phishing that’s kind of like social engineering attacks, right? Where that relies on a person, you know, seeing that and, you know, clicking on the wrong link or giving the wrong piece of information. Are they also using it to kind of find weaknesses in the code and, you know, can they use AI to just kind of set an army of bots on companies?

John Dickson: You should use the term “Army of Bots”. Okay, that’s my next ska band that I create is army of bots. I saw one, by the way, there’s a, an exploit or a, a protagonist group that got named last week called Velvet Ant. And I don’t even know who named that, but that’s another band I want to start is Velvet Ant. I don’t know what.

Will Nilson: Is it A N T or A U N T?

John Dickson: Either one, that’s a good, that’s good. It’s A N T, it’s A N T, but you could go with either one quite candidly. I would say it’s, you know, I gave already the example of, fishing and the English language deal, that’s the obvious one that I think everyone has already seen right now. The ability to do deep fakes in real time are, are quite, well, what that means is that if I got three seconds of voice of you on the internet, not everybody does, but we now do, the four of us or was that five? Sorry. No, that’s four. So that didn’t count.

Will Nilson: If there was a, you should tell us if you heard a person.

John Dickson: TikTok, there’s a fifth person on there. You just don’t know it. No but, but the deep fake thing is interesting because it blows up voice-based authentication. It creates another avenue.  Fraud, again fraudsters not so much nation, state, state actors, but like these things that you didn’t envision a few months ago is suddenly an attack vector. That’s the part that I, I think the, the thing that I would say is that most broadly is that the cycle of you know, attack and defend of adaptation has just gotten even faster. And that’s, it was already fast to start, to start. And so, I, I think it’s really, really tough. And I mean, that’s part of, you know, our effort is to help clients understand this and better, faster to be on an equal setting with the adversaries, the whatever actor it is. And I don’t use the term hacker either. I use the term act, you know, like essentially, it’s what, what is the threat and what level. And, and the truth is, is that I think that with AI, the most unsophisticated attacker now can look more sophisticated.

And that’s an overused word. I apologize. But it makes a what we used to call script kiddies or amateurs look like the Russians. And now everybody looks like the Russians. Okay. That’s that used to be able to say you can discriminate and say, okay, if you’re this type of client, if you’re a commercial real estate client, to use an example, what’s your realistic threat? And you say, oh, it’s not the Russians. Okay, well then, then you can have a certain profile and posture that looks like this. Okay, but now if everybody looks really, really great, then it makes it tough. I used to say this too, where I’d say you’re either a target or you’re a target of opportunity. What I mean by that is if you’re a bank, if you’re the U. S. government, if you have a certain profile, you’re a target by nature of who you are and what you do, a critical infrastructure target. Then you become a target of opportunity because if you do something less than great. And I’ll give you an example.

Now with phishing, with ransomware and automation of attacks, I don’t have to go after just the banks and where the money is. I can go after everybody then. That’s what’s happening with ransomware is I can go after everybody and that means school districts. That means hospital districts. That means real estate firms. That means people that I could care less about five years ago suddenly between automation and ransomware, and the automation of ransomware I should say, and then business email compromise, which is the other side, doing that in scale. Suddenly I can get mom and pop shops, I can get everybody. And it is, I would say I don’t want to be too pessimistic here, but I think it’s safe to say it’s gotten murkier and with AI will get murkier even much more so. So it’s a lot out there, right? And that’s why folks like me, I don’t think really have the latitude or luxury to tap out and go play golf and I’m gonna hang out and, you know, whatever. It’s just too much stuff going on right now, and it’s trending not positively. Is that the way to put it?

Art Cavazos: So, yeah, well, it does really sound like an arms race, you know, where, I mean since there’s all these malicious actors out there able to use AI and these sophisticated attacks and at scale and really target, you know, everyone from a large corporation to a mom and pop. It seems like now everyone needs to kind of up their security just to participate in, you know, normal commerce.

John Dickson: I did a TED Talk in Vail several years back, and this was on the heels of an issue my parents had. I think the, I think it was WannaCry of all the different attacks, WannaCry happened several years back. And I remember having two or three days of fun with clients. Everybody’s okay after two or three days, everybody, you know, like, like they avoided it.

And then I called, and my parents asked if I could swing by the house, their house after work because they in fact had an issue. And my mom had clicked on something, and I think they had just backed up or had a new computer or something. So it wasn’t that big of a deal. Well, I did a TED talk about this because, like, what could we reasonably expect from our parents or from non-practitioners? And I threw out an idea. Around defensive driving of like, if you think about the natural risk of driving on, particularly in Texas or Houston specifically, sorry.

Will Nilson: No, I’m in Austin. I’m not in Houston, I’m in Austin.

John Dickson: No, I was going to say, well, you don’t have that problem in Austin. Cause it’s going five. Everyone’s driving five miles an hour on the highways. There you go. Yeah. No, but seriously, like, like that was like a nice jab on Austin.

Will Nilson: Yeah. I wish it were that.

John Dickson: I would say, think about this though, seriously, like how fast and how crazy, I mean, they, well, you just look out here to downtown San Antonio and people are trucking along at 60 miles an hour in a metal device. And like, I mean, that is inherently dangerous, but because of, you know, certain things, safety components within the car, but the real deal is if you get in a wreck. Regardless of airbags and seatbelts and all that, you’re going to get banged up real hard at 60 miles an hour. So, what you do is you do, you know, you implement defensive driving. You don’t, you make sure the car doesn’t have problems before you, you know, jump in it. You stay away from big trucks. You do all these different things. That metaphor, if we could take that to the online world, I think would be very helpful for non-practitioners because I have a perception that people still do mindless clicking, clicking on links as if it’s like, okay, why would you do that? People like me don’t do that. And I, I think it’s, It’s particularly difficult with certain types of folks, including elderly people, because you know, they didn’t grow up in this, but also they’re susceptible to it. So I think from a corporate standpoint, there’s a lot of, you know, there’s an arm race and they’re trying to keep up with the attackers on the, on the private or the residential or the, you know, the home front.

It’s, it’s kind of converged in a weird way. Cause I mean, obviously a ransomware at home that didn’t exist. Five or 10 years ago. I mean so yeah, there’s fraudsters now that are targeting you know, people on the stupid Amazon credit card or Amazon cards or the Apple cards are going after individuals, you know? And so, you know, some of this stuff is fraudster slash you know, cyber-attacks, but I mean, candidly, it’s only gotten worse. So, I don’t know.

Will Nilson: Do you see, sorry, I didn’t mean to.

John Dickson: No, go ahead, Will, please.

Will Nilson: Do you see a cross section and I mean, I’m sure there is a cross section, but how do you see the cross section between U. S. kind of regulatory regimes around internet and open internet and, or not open internet you know, ISPs and, and attacks like this, like you’re describing, the security of just general internet infrastructure. Do you think this is headed the right way, the way we’re regulating or not regulating? How would you think?

John Dickson: I mean, honestly, it’s not a planning consideration. Or not even a thought from somebody like me I’ll give you an example, like the, I might be naive here, but I think the, the, the telcos might be able to manage a little bit better how, Robocalls go, right? Are the fraudster a component of that? You know, fraudsters are essentially using the telephone system, the telephone network, to inject these massive calls, right? That, to me, strikes me as an infinitely solvable problem. It might be at the carrier level. But I think our reluctance to, to do that means that you’ve got vishing, voice vishing, you’ve got all these different things you can do.

The fact that you can spoof caller ID, and is ridiculous, right? And I’ll give you an example that it is tolerated. And this is one that drives me nuts. This is a great story. Hi, my name is John Dickson, D I C K S O N. There is a, another John Dickson in the security world who is the CISO or Chief Information Security Officer at Colonial Pipeline. And if Colonial Pipeline is a name that jumps out at you, they were the ones that had the big ransomware attack a year and a half ago, two years ago. And John Dickson, the other John Dickson, came in afterwards and he’s doing a great job. He and I know each other. We don’t, we’ve never met, but here’s what happened about a year ago. Some sales person in some security vendor company put my mobile number into the other John Dickson’s record in a database called zoom info, which is this universal sales.

So, I get every call now. From every salesperson on the planet. And it’s funny, I had to, you know, switch it off so that I only get calls that are in my contacts. But I get all these calls and I’m coaching them up on their sales pitch. And tell them, here’s a book to read, you really need to work on your art. But one thing I noticed in this whole process is I was getting these phone calls from the 210 area codes. Like, from San Antonio, and because I have kids, like, I don’t know, maybe it could be the school nurse, and I don’t know that number, I pick up the number. That is a strategy from certain vendors that are doing that, because they know people will pick up more frequently from the local, and that’s something that I think is egregious that phone companies probably could fix technically. I just don’t know. I don’t think we have the appetite to fix those type of things. So, where I look at is for guidance.

I hate to say it and I’m not a regulatory person per se, but this is one that’s a little bit where it’s a close to a market failure. I would argue is, candidly, is EU or California or New York because they have an appetite for regulation and because California has such a big buying authority and New York controls, you know, a lot of our markets, financial markets, same thing with EU from a buying standpoint, they use that as, It’s essentially leverage to make the rest of the world do what they want. And it really doesn’t pertain to Texas if you’re doing work in Texas, and you’ve got Texas clients. It’s not a big deal, but as soon as you go to Europe, you have to think about their AI regulations, their privacy initiatives, their, the way they operate, which is entirely different. So anyhow, that’s, I think those are harbingers of what we’ll see, but right now it’s going to take, unfortunately, I think some spectacular failures before there is any of that, I guess. Sorry.

Will Nilson: Maybe some broken bones. No, that was, that was really informative. And it brought to mind, you know especially earlier, we’re talking about defensive driving and kind of the mom-and-pop examples. And, you know, what are my parents, what are they going to click on that I would never? I would look; I would never be fooled by. And then what do I click on that you know, a, a Gen Alpha would never be fooled by, which will definitely happen. I, I start, I always kind of start thinking about closed networks and how useful closed networks might be in certain environments. And does that ever come into your, to your practice?

John Dickson: Well, I mean, I think that way. I mean, there is a concept in the security world, cyber security world, called zero trust, zero trust networks. And that concept is, is, well, I mean, a thing that one thinks about, you don’t trust anything. Or I think it’s zero trust ideas where you don’t trust any input, you don’t trust any link. That’s from a system or architecture standpoint. Like if you’re building a network, the other one is defense in depth. You assume things like it’s gonna happen, like you’re going to get dinged or breached or whatever. How quickly can you identify that and how quickly can you respond and mitigate that?

I mean, so it’s not a, an if it’s a when and then how do you respond? I think those are ways, different ways of thinking that the larger, more sophisticated, sophisticated companies. Think that way. And I’ll give you another example. Is we did work for one of the big cloud providers at, at Denim Group, my previous company. And these guys were fantastic. I mean, they were, you’ll be happy to hear they were really, really sophisticated. And we went and met with them. I won’t tell you where, cause you can figure out who that was because there’s three. But it was in the West coast. I’ll leave it at that. And we’re meeting with these guys and we’re completing each other’s sentences. And it was like, like, Security like Nirvana. I was like, okay, that was a cool point. But they did testing within the software development teams. So, they did security testing, not, not like regular tests. They would do testing, not QA testing, not regression testing, actual like security, trying to break the code within the software development process.

Then they had external testers within the group. Then they had us people like us that came in, then they would publish it. And they had a bug bounty. And I mean, there’s like six or seven levels of, of scrutiny and constant scrutiny and a feedback level because they know that this stuff can never be perfect. Its technology is flawed, and we have human beings building, which is also flawed. So, think of it that way, but they had multiple levels. They could never say it’s secure. Anybody, by the way, if you ever hear that, Oh, it’s secure then you know, say, wait a second. And I, I talked to this guy named John Dickson so, so absolutes are, are so, comprehensive statements about security are big flags, red flags. You can say, a sophisticated answer would be like, here’s the things that we’ve done to mitigate that. Here’s how we respond. But the truth is, it’s going to happen, and you got to think that way, so defense in depth is an idea, zero trust. All these are key concepts that practitioners know, and they view that world that way.

So, and it’s tough to on the human level because I’ll give you a personal story. My wife is like the nicest person in the world and trust people and I’m the opposite where I’m yeah I’m looking at everybody’s a fraudster, right and it’s like how do I as a as a security person and human being, how do I reconcile that? And we had somebody that rented a rental home from us a few years back. And you know, we all friendly and all this, and then they gave us the deposit the first month’s rent in cash. And I’m like, oh, I mean like, let’s, you know, like a variety of things. And, you know, my wife’s like, oh no, that’s not that big of a deal. And then I was like, yeah, they were fraudsters. And, and it was, it was from that point on a nosedive, and we ended up having to evict him and all this stuff, but like, but there are bad people out there and there, I, a lot of them. And, and, and particularly in this realm, they’re, they’re, you know, they’re targeting old people because old people can click through to things and old people are.

I should say old people, bad term. Seniors, our seniors, our loved ones. But they also like when they get phone calls. Hey, I got a call from this person who’s very nice on the phone. Asked me to send him my credentials. I did it, it was easy. It’s the only phone call I got that day. You know, like that’s, that’s just purely evil stuff, man. You know, somebody thinks about this on a whiteboard and like, hey, let’s do this. Let’s start calling down all the retirement centers.

Art Cavazos: Yeah. And sometimes I wonder if cause you know, you, you made the metaphor or analogy of the highways and driving in vehicles, but you know, we typically don’t have like these roving bands of like highway robbers, you know, like breaking into vehicles, like as they’re, you know, driving down the highway,

John Dickson: Not in this country.

Art Cavazos: But I feel like that’s kind of how the internet is where you do have just, you know, roving bands of bad actors you know, seeking to you know, do malicious acts and steal money. And so, it almost seems like a more danger, like even more dangerous than.

John Dickson: I mean, you can lose all your money. Yeah. I mean, like, in a, in a way, I mean, they can’t kill you, so the roving bands of of folks on the highway can kill you, right?

Art Cavazos: Yeah.

John Dickson: It’s harder to do that, you know, virtually, but yeah, you can lose all your money.

Art Cavazos: But the risk seems higher. Like, it, there, there’s the likelihood, the likelihood.

John Dickson: Likelihood, right. You know, if you’re out there doing dumb things and clicking on stuff and you’re, yeah. I mean, like, if you, you know, become a target, you know, you’re not gonna be. a target, but you become a target, then yeah, maybe, I mean.

Will Nilson: I mean, everyone here has seen, I robot, probably everyone listening has seen that or what, or read the book. I mean, ask them. And so, when we think about automated technology and as that increases and enters the home more, we already have some of it. It’s just not as physical.

John Dickson: And you know, we’re talking about security, we’re talking about AI, they’re not the same thing, there’s an overlap. But I’ll give you an example, one that I think of that I’m like, okay, the Christmas lights, do I really need to have a network connection and connect them to the internet? Do I really need that? Cause you know, they have all the ones that have the timers. I know what the time zone is, and I know that I need them about 6:30 p.m. to about like 2 in the morning. I don’t really need to worry about that. Because with that IOT device and there’s certain things like, do I need to have an IOT toaster? Do I really need to worry about that? Is that one more thing that is an avenue, potential avenue into my house? I don’t know. So, yeah. And by the way, where are most of those devices made? Not here.

Will Nilson: Not here. I like that answer. And I think you bring up a really good point and to kind of hone in on some of the complexity of the point you’re raising is not just that folks could use their attack from that vector to create a difference in the lights being on or off. It’s that they could use that attack vector potentially with the wrong vulnerabilities. To infiltrate completely different parts of the interconnected network.

John Dickson: It depends on what the device does technically. But like, you know, worst case is it does a lot. And they could essentially use that as a leverage point and look at other traffic on the network. But some of those are single purpose devices that do very little, but there’s others that do more. And the point is, is that most consumer grade stuff that you put in your house doesn’t take that into consideration. I would, I have a bit of confidence in Ring and Blink. Just because I know who they’re owned by, and I know those organizations do rigorous testing. I have a degree by brand, not by, and I’ve never done that. My company has done that for certain other organizations where like I can say unequivocally that app is in great shape because these are the guys that did it, you know. But, but I can infer some stuff by brand, you know, connection that, but like the stuff, again, the Christmas light example, that’s from stuff that you grab at Walmart for like 20 bucks a pop, you know, that you can connect to that, that is a different, different beast. I would say so.

Art Cavazos: Have you seen that actually used as a vector, like a, like retail items like that, that are just, you know, sold.

John Dickson: Not my area of, of practice, so to speak. I haven’t, but there’s others that I would just say I haven’t seen that. But anything with a capability provides some little modicum of attachment potentially. And again, that’s why I’m saying if it’s a single purpose device, it doesn’t do a lot, maybe so, but these think of Ring and Blink and aggregators around that, that are non-brand, you know, that do a lot, but you really don’t know much about it. I don’t know. I mean, I think in, the problem is again, who’s going to run a, vulnerability scanner on their network components at home or it’s that’s back to the defense in depth. I’ll give you an example okay, so back to defense in depth I don’t store any passwords and browsers like that drives me nuts that like Chrome and Safari or whatever the, the, the Microsoft browser is called now. It, I can store those. Like that’s the first thing that they do. If they get control of your device is to harvest passwords to other things. So, there’s a defense in depth thing is to have less, you know, I, I authenticate to all my banking apps all the time. So it’s not like they, if you got my machine, you can do some pretty serious damage, but you couldn’t get into my bank.

So. So there’s an example of, you know, defense in depth at the personal level is, is it a pain in the rear when I’m doing my financials? Oh, heck yeah. You know, like the first five minutes of going into it is I got to authenticate to everything. It drives my wife nuts. But I’m, if I, if worst case somebody, myself or somebody in my family clicks on that device and is owned by somebody, it, it, it limits the damage potential and that’s, you know, what you can do. I also don’t, you know, passwords, like little passwords, you know, I don’t use English language stuff. I don’t use easily guessable. passwords. They’re not all about the Spurs or the Aggies or the Longhorns or Cowboys, you know. True story, back 20 years ago we ran a password cracker against a password file for a major institution in our region. I’ll leave it at that. And like two thirds of the passwords were sports related, evenly between Spurs, Cowboys, Aggies, Longhorns. It was like the first, first like, hey, you know and oh, by the way, the bad guys have Spanish language dictionaries that they pull into their crackers. So, like, if it’s a word in most languages assume that it’ll get there.

And oh, by the way, AI, the, the, there is, I’m, I’m, I’ve not followed personally how AI has enhanced the password cracking function. But basically, because compute power is so cheap now, and hackers have a lot of time, if they get access to what’s called a password file, it’s just a matter of time when they can brute force a password. And they’re not actually cracking the password per se, they’re matching the cryptographic algorithms to look the same, or the cryptographic not keys, I’m trying to think of the word. But, what’s that?

Will Nilson: Hash.

John Dickson: The hash. Thank you. It was on the tip of my tongue. So, they’re just matching the hashes is what they’re doing. And I think that may get trickier too. So, who knows? It’s not going away.

Will Nilson: How often do you advise? I mean, I think that the hash question already raises, you know, cryptocurrency concerns are pretty huge on that too. But how often do you advise folks let’s say midsize to larger companies on using physical, independent physical devices as a second factor of authentication?

John Dickson: I like, I mean, like, I mean, like using 2FA across everything. For starters, right? Unless you live in countries where an authoritarian nation controls the telephone system. You know, that’s less of a worry. Although, remember the, those, those are third party systems that put out those. So, there’s a risk there. You’re right. So, I find myself using those third party auth apps from Google and others more frequently. Those are probably the State of the Union, the best ones. Also, recovery codes, keeping those offline. But, but, you know, I’d rather have everybody use 2FA on everything for starters and then get fancy from there. Using key fobs, I guess. Less in style now because of the stuff that I think using, I like the Google off app. The Salesforce has one. I think everybody has one now. So, they’re pretty slick.

Art Cavazos: So, we’re unfortunately going to run out of time here pretty soon, but I did want to ask one more question about AI and cyber security. So, when developing you know, systems that use AI capabilities in cyber security. Are those being built, like, from the ground up? Or are they utilizing things like ChatGPT, Copilot? Anthropic?

John Dickson: Yes. All of it. Well, I mean, the nature of software now is nobody just starts at the top. And it’s like starting writing lines of code. They first of all import what are called libraries. They have components. So, nobody goes out and writes their own TCP IP stack, you know, right there, you know, like HTTP stack, they just go grab either open source or license components. And the key is everyone’s trying to go so bloody fast. So. The business imperative is driving all of that and, you know, software development through agile methodology and what are called sprints, like they’re going real, real fast trying to do stuff and put it out there and pull it back. If it doesn’t work is only getting more. Faster. Faster with AI. And so, code assisted QA, code assisted everything.

I think the area that I like as promised is code assisted documentation. Because software developers hate to document stuff. So, if they can do all the undocumented stuff, software development tasks by a non-human being, even better. But just the imperative is to go fast. You know, from the moment that a businessperson thinks of it, it’s, you know, why, it’s capability that’s out on the web. That, that’s, those iterations, those cycles have gotten faster and shorter. And so, I think, I also think it’s about AI and security is knowing the components and knowing how AI interacts with the software is an absolute imperative and not everybody does anymore. So, like, I think it’s, it’s only going to get more interesting going forward.

Art Cavazos: Well, I think that’s a good place to wrap up. And we’ll, you know, on that note, we’ll have to have you back sometime.

John Dickson: When Skynet’s aware.

Will Nilson: As soon as that happens.

John Dickson: I hope you keep in touch. I enjoy this guys. And I mean, there’s a lot going, and it would be fun just to like revisit in a year because like, who the heck knows in a year.

Will Nilson: Right?

Art Cavazos: Yeah, absolutely. All right. Well, thank you everyone for joining us on this episode of Future-Ready Business. We touched on a lot of things today regarding AI and the future of cybersecurity. John, again, I hope you’ll join us again soon. In the meantime, where can folks find you if they’re interested in learning more about your new company, I don’t think you’ve even mentioned but I know you’ve got some new stuff going on.

John Dickson: You know what? That’s a really great point. I should have thought of that in the intro. Both of us should have thought of it. Okay. We’ll get it in now. So, CEO of Bytewhisper. So, I’m John at bytewhispersecurity.com. It’s ByteWhisperSecurity. And I’m also on Twitter @johnbdickson. So, if you want to get ahold of me either way, and again I appreciate being here. Thank you.

Art Cavazos: Yeah. Thank you. Will.

John Dickson: Thank you, Will.

Will Nilson: Thank you, John. Oh, my socials I’ve just relaunched some socials for my custom clothing company. It’s at the, @Austin Bespoke Fits, at Austin Bespoke Fits. Check it out. But you can find me in my most professional legal form on LinkedIn. And I’m William Nilson, Esquire.

John Dickson: Esquire, I like that.

Will Nilson: I’m one of the only that use it. It makes me feel a little weird. I was just thinking about taking it off.

John Dickson: No, I mean, you can be in a Dickens novel with that, sir.

Will Nilson: Yeah, it feels very Dickinsonian, is that the word? Dickinsonian?

Art Cavazos: All right. If you like the show, please rate and review us wherever you listen to your favorite podcasts and share FRB with your friends and colleagues. You can find me on LinkedIn and also Twitter and TikTok @FinanceLawyer. As mentioned at the top of the show, the opinions expressed today do not necessarily reflect the views of Jackson Walker, its clients, or any of their respective affiliates. This podcast is for informational and entertainment purposes only and does not constitute legal advice. We hope you enjoyed it. Thanks for listening.

Visit JW.com/future-ready-business-podcast for more episodes. Follow Jackson Walker LLP on LinkedIn, Twitter “X”, Facebook, and Instagram.

This podcast is made available by Jackson Walker for informational purposes only, does not constitute legal advice, and is not a substitute for legal advice from qualified counsel. Your use of this podcast does not create an attorney-client relationship between you and Jackson Walker. The facts and results of each case will vary, and no particular result can be guaranteed.