Live from Houston, Texas. It's theCUBE, covering the Grace Hopper Celebration of Women in Computing.

Welcome back to theCUBE's coverage of the Grace Hopper Conference here in Houston, Texas. I'm joined with, I'm Rebecca Knight, your host, and I'm joined by Tori Bedford, who is one of our tech reporting fellows. We're also joined by Andrea Limbago, the chief social scientist at Endgame, which is a cybersecurity company based in Washington, DC. Take it away, Tori.

So welcome, thank you so much for joining us. I'm really just so excited to hear what you have to say about cybersecurity, but let's start with your role at Endgame and some of the work that you're doing there.

Sure, right, we're a cybersecurity company, still probably at the start of this phase, and so we all wear a lot of different hats within the company. So part of my job is I run our technical blog, working a lot with our malware researchers, all-in-reality prevention researchers, data scientists, and so forth, and really trying to put out a lot of really good technical content that's useful for a variety of folks, and then at the same time, I also do a lot of research on the geopolitical aspect of cybersecurity, and so obviously there's a lot going on in that area right now, and that's a lot of where my research comes into play.

So that's what you're talking about at the conference. Can you talk a little bit about that? You're focusing on national cybersecurity, and you're kind of taking a more offensive approach. Well, not offensive, but you're on the offense, dealing with offense.

Right, well, I just more of a proactive approach, and so part of my talk is to basically highlight just how far policy has lagged behind technology, so while technology obviously has been going at an exponentially rapid pace for innovation and change, policy has not. And so a lot of the policy right now still guiding cybersecurity and a lot of security and privacy issues are from the Cold War.
So the framework from the Cold War and the policy itself is from about 30 years ago, and so we really need policy to leapfrog and advance to where we are today with the actual threat landscape, with a technological landscape, and to be more in tune with that, and so my talk is basically taking more of a proactive approach. I'll talk a little bit about the evolution of how we've been thinking about offense in the cyber realm, and then how we can use sort of the offensive mentality for strengthening our defenses, but then also helping inform deterrence, both in policy realm and through technology as well.

Okay, I feel like that word offense is kind of a, we're seeing it as kind of a dirty word. I mean, we're afraid that we're going to go to war with Russia, and it's going to be the next World War III. Right. Is that a concern?

There is a concern on that, absolutely, and so part of absent any government discussion and more government policy right now, or if there's a big discussion, largely something in a lot of private sector for more offensive capabilities, and so a lot of people are throwing out something like letters of marque, which basically documents the legalizing companies to actually go in and get their data back, and it's based on something from the 1300s. There's also our discussions of hacking back, which is basically going into another external network to either try and take back your data or to retaliate, and so I think that is very, very concerning that that's where some of the discourse is going, and so we need the government to step in a bit more and actually provide the parameters for what is acceptable and what is not, but it has to match both the current threat landscape and the current technological landscape, and so at the same time, we can be more proactive, and so there's going to be a fine line.
You don't want to go into the escalatory area because cyber does become linked with all the other aspects of geopolitics, but we can also just sit back and do nothing.

Just within the last few days, I think we've seen some really interesting developments. US officials are now saying that they believe that Russia is feeding information about the emails to WikiLeaks. Where are we now? Are they developing a plan? Are you seeing more progress with that?

Let's say, well, yeah, obviously, I'm not privy to some of those conversations about what I would love to be, but even just right before this, a Russian hacker was just arrested in the Czech Republic, and so I think that, along with the Julian Assange, what Ecuador is doing there, I think that's the start of the proportional response that President Obama talked about in response to attributing the Russian hacks to the election hacks to Russia, but there's only been, I think, three other times in recent times where the US has actually publicly attributed an attack, and so the other one, the five PLA officers a couple years ago, earlier this year, there were seven Iranian hackers that were indicted, and that was for some of the bank cook and crimeware that they did, and then after Sony, of course, with the North Korean sanctions, and so we're in the exploratory phase, I would say, as far as creating that deterrent policy, because deterrence can happen, basically deterrence is preventing someone from doing something that they otherwise might do, and that's more from the international relations aspect of it, and so it can happen by punishment or denial, and part of what I'll be talking about is that the punishment is where the policy aspect can come in, and that's really looking across the statecraft tools and the economic sanctions, indictments, freezing assets, information campaigns, those kind of things, but the technology needs to step it up as well and help deterrence by denial, and having better, denying those
hackers even the access into the networks as well, which will never 100% prevent that, but we need to do better than what we're doing right now.

So you're essentially saying we give an ultimatum, we say, if you do this, we will do this.

I think we need to make that clear, so that's a declaratory policy that needs to be done, and on the one hand, you need more of the flexibility, and that's the key thing, honestly, for geopolitics that was having some flexibility in there, and so you need to make clear what the range of options are that are available. If we see our critical infrastructure attacked, here are the range of options to how we're going to consider responding, and so we need to have some of that, it's not necessarily a red line, as we've seen, red lines haven't been working over the last few years, because especially if you don't follow up on them, but we need to make it much more clear that we're not going to sit back and do nothing, and if that more or less has been what's been going on for decades, and that the first time the US government attributed a major breach was back in 96, and so nothing has changed.

You mentioned our infrastructure, I understand we have kind of a complicated protection of our infrastructure, certain things are pretty well protected, other things are very weak, I want to talk about our electoral system, that's a huge concern, that's what's coming up now, how susceptible are we to an attack of our voting machines or our electoral process?
Right, I think some of the fear-mongering is worse than what the actual risk is, because thanks to federalism, all the different electoral systems that are using different technologies and run in very different ways, and we also have, more on the policy side, there are a lot of people actually standing guard on watching over those, so I think it's rightful to be concerned, and we need to be aware of it, and we absolutely need to strengthen our defenses around the electoral process and then the system itself, but at the same time, a lot of the discussion that's going on right now is really overblowing it so far as far as voter fraud and those kind of things, I mean that's a pretty well, not necessarily secure, but it's followed closely to make sure everything is working the way it's supposed to. If you look at the data, voter fraud really is not very common, then you hear it being talked about, like it's happening every day, and it's just it's not that terribly common, and so I think we should be concerned about it as we should be about every part of the critical infrastructure, but I think that might be one of our, not necessarily the least of the worries, but not necessarily as worrisome as another aspect.

So you shouldn't freak out that Russian hackers are going to take the election.

I think we need to be worried about it, but I also think that we're on top of it.

Okay, I wanted to talk to you about hackers. You've written about hackers and kind of the bad rap that they get. I wanted to talk to you about what you think we should do to improve the relationship between our cybersecurity companies and our governmental efforts and hackers in general.

Right, no I absolutely, I actually wish that the term hacker could go back to its original connotation, which actually was quite positive. It's basically exploring new ways to do things, breaking things and fixing them. That was really part of the original aspect of what being a hacker was.
And then getting you throughout really in the 80s, they started to change a little bit towards more of a negative connotation. And that was still when people were exploring things, you're looking to almost find ways to get in and then actually a lot of that helping build that defense. But it does have a terrible connotation, especially people in the media and Hollywood. Mr. Robot, it's a great show, but I don't work with anyone that's like Mr. Robot. People I work with are really smart and they range from some self-taught experts to PhDs in a variety of disciplines, but they're all working together. And I think that's the great thing about security. And that in regard is that the disciplinary backgrounds can come together and educational backgrounds and those kind of things can work really, really well together in security, but that's never portrayed. And I think if media and in Hollywood and so forth could actually show a little bit of the diversity and granted, security is by no means a diverse field. It's like eight to 10% women. So obviously there's a problem, but we need to get other industries on board for actually how they portray hackers. And assuming if we continue the perspective of all hackers as socially inept, men living in a basement or the 400 pound hacker, that does nothing to progress our field at all. We have a lot of really innovative, smart people who are working out to try and find that balance between security and privacy for everyone.

In terms of progressing the field, I mean, we're here at Grace Hopper with all these incredible women. I understand that Endgame has done a lot to make it a more inviting environment for women, make the workplace, retain women, advance women. Can you talk a little bit about that?

Sure, and I'll say if somewhere to, I think was talked about the keynotes earlier, we by no means have solved it, but there's a lot that can be done and that's the end of tons of social science research.
Actually, you can help every single organization, they only implemented some of it. So it's anything from giving out swag that is in women's sizing, we didn't used to do that. And so I had a bunch of really big t-shirts, very little things like that have a big role in in-group, out-group dynamics. And so the more we can make women feel like they're part of the team and integrate them, the better. And so doing things like that, our social activities, ensuring that those are more inclusive both across gender, but throughout demographics as well. And so anything, we would do book discussions, play soccer.

Recruiting changed as well.

Recruiting as well. And so a lot of the studies show that the way that you actually write up your job recommendations, do you list 50 requirements? A lot of women that are going to get turned off by that because for women, they'll go through the list, if they can't do 100% of them, they're not going to apply. For men, it's like, I can do two. And so I'm only in women need to change that mindset, but until we get there, we need to make the job descriptions much more approachable. And so still keeping the bar high, but just not listing 100 different languages that you may or may not need to know for that specific position. And then also using language that isn't, you target at an 18-year-old boy. And I've seen a lot of that stuff out there as far as are you a coding ninja or are you a cyber warrior? And those kinds of terms are off-putting to women.

I think there could be female ninjas and warriors too.

There can, no, absolutely. And that's, but if you want to make it more inclusive, and then a lot of guys will say that they're not a ninja, right? And so it's just making sure you're using terminology that will appeal to as broad a segment as possible. And that's why, even with the social activities, like, well, people maybe don't like sports, so they're not gonna play soccer, and that's fine.
And so it's very hard to appeal to everybody, but if you have enough to cross, to cut the cross, so there are aspects of the company and the team building and those kind of things that appeal to the various groups, I think that's the key goal.

What do you think that women are looking for in a workplace?

That's a good question. Flexibility, and that's actually what's supposed to highlight today for the top business, flexibility is key, and that's not just, that always gets associated with working moms, and it's not just working moms. You know, women just out of college, they want flexibility. Women, perhaps at the stage of raising a family, they want flexibility. Women further along in their career need flexibility. And so do men. I mean, we just had, I think, over a dozen, we're about 130 people, we had about a dozen babies this year at Endgame, and most of the words that were dads, that they want that flexibility. It's not just a women's issue. So I think the flexibility aspect, I think being able to master their skills, professional development, and that's another aspect I should add to anything that we're doing as far as professional development. We help, I get to speak here, partly through our program that we have that encourages us to submit abstracts, get out there on the circuit, and so forth. So professional development absolutely is a key aspect, and there's a Harvard Business Review study of why women leave engineering, and one of the big reasons was it wasn't family, it wasn't kids, it was because there was no career advancement. So ensuring there's that career advancement, there's the opportunities to advance professionally, I think that has a lot to say. And then just autonomy is another big aspect. Being able to work, obviously with the team, but also being able to work on your own as well, and getting, which leads back to the mastery and so forth.
So I think, be it those, but then obviously, there are some workplaces that are more toxic than others, and so obviously you want to be avoiding some of those, but inclusion, I would say.

Yeah. Well thank you so much for joining us. We really appreciate it, thanks for taking the time.

No, thank you.

That was a great interview where you weighed in on everything from what women want in the workplace, to voter fraud, to Russia, to finding the balance between security and privacy. That's great, great. Thank you so much, Tori, for that great report. And thank you for joining us too. This has been the coverage of theCUBE's coverage of Grace Hopper Conference here in Houston, Texas. We'll be back soon, just after the break.