Joe: Hey, thank you so much for joining. I'm Joe Peterson. I'm the vice president of cloud and security for Clarify 360 and also the chief analyst at Clear Tech Research, and I'm here today moderating Security Angle for you. Shelly is on a well-deserved vacation with her family, and I've got an amazing guest to chat with today. I've got Mr. Chuck Brooks of Brooks Consulting. Hi Chuck.

Chuck: How are you doing, Joe?

Joe: I'm doing great. Thank you so much for joining today.

Chuck: Great to be here.

Joe: Well, we're excited to have you. So in case you all don't know, Chuck is the president, obviously, of Brooks Consulting, and he has over 25 years of experience in cyber security, emerging technologies, marketing, business development and government relations. On the daily, Chuck helps Fortune 1000 clients, organizations, small businesses and startups achieve their strategic goals and grow their market share. In case you don't know, Chuck is also an adjunct professor at Georgetown University, and he teaches courses on risk management, homeland security and cyber security, and he also designed a certificate course on blockchain technologies. Chuck, did I get it all? What else do you do to keep busy during the day?

Chuck: Well, I do a lot of things. I travel a lot to conferences. I actually just came back from the UK, from speaking at the Space Comm show on cyber security in space, and I've got another one coming up in May in Rome, which I'm co-chairing, on global cyber security, and one I think in April at GISEC in Dubai. So I'm making the rounds there, and I'm also visiting editor at Homeland Security Today, and I write for Forbes. And I'm here with my dog now, who is appearing for this interview.

Joe: Great. Well, hello to the dog. What's the dog's name?

Chuck: Yeti. We rescued him from China. He was, unfortunately, going to be eaten. He was stolen from someone, I think, and he's been here now... it's his third year with us as of yesterday. And he's a great dog. He's an American now, I'd say.

Joe: Happy birthday, Yeti. His ears perked up. Isn't he cute? So we are going to chat about cyber security, cyber security regulations, and what's kind of going on in that space right now. So a little bit of a precursor: if we look back at 2023, we saw that Congress didn't pass a comprehensive privacy bill, but the White House pushed to implement a national strategy on cyber security, and at the state level we saw moves to tighten data protection, with lots of conversation around its implications. So if we take a look through a legal security lens into 2024, we'll see legislative developments in a few areas. We're going to see the regulation of privacy and data security, that's going to be big, more civil litigation around data privacy, and then trends that pertain to government data collection.

Let's go right out of the gate and talk about the EO on AI that came out in the US here in October 2023. The AI Act was also introduced in the EU in 2023, and there are huge differences between the two. The legal team at DLA Piper draws them out really nicely. So the EO draws on the powers of the presidency to require primary executive departments to formulate consensus industry standards and legislation for AI usage, which creates a risk of divergent standards, and in contrast, the AI Act aims to establish a regulatory framework across the entire EU as a single regulation, which will be directly applicable in member states. So the EO predominantly focuses on standards and guidelines, whilst the AI Act enforces binding regulations, violations of which will incur fines and other penalties, for further legislative action. So the question that I have for you, Chuck, is: does the EO do enough?

Chuck: Well, it depends on your perspective. I think first you have to clarify that there are a lot of cultural and historical reasons why they're different. I mean, Europe is already basing this off GDPR, which they enacted a few years ago for privacy, so they follow some of the same formulas, and they enacted it as one entity. Now, when you're dealing with the United States, we have a completely divergent political system, with lots of lobbyists and interests in industry that have different viewpoints on what constitutes privacy and what constitutes data. So you have no real collective agreement on what to enforce and what to fine. So the standards that are put forth from the US act, I think, sort of make sense, for two reasons. One is that most people just don't understand what artificial intelligence is. We're too early and too uneducated to really formulate strong policies in an act, and this is really, I think, almost a flyer to see what's going to happen. And creating standards is a really important area. There's been a lack of that in cyber security, as you know, a lack of that in the internet of things, and when you're dealing with manufacturers all over the world and you're dealing with a global digital ecosystem, it's very difficult to get on the same page with anything. So having some standards at least makes it a worthy goal. The second thing is that the act does draw attention to what artificial intelligence is and what it may do, and I think this kind of awareness is a really good thing for debate. There are all kinds of thoughts on what AI is, and of course there's a doom and gloom crowd that says it's going to destroy us and take us over relatively soon. A couple of people have predicted superintelligent AI by the end of the decade, so I think it's pretty interesting. But when you're looking at trying to do any kind of enactment, whether it be zero trust or secure by design, really the toughest part is always getting the buy-in from the private sector and for governments to do this. It's a little different, of course, again, as I said earlier, with Europe, where they have to follow GDPR, and they also put in stringent fines. We don't have that capability here yet. And so I think we're going to see what has to happen going forward and what the feedback is. If you look at things right now, we're still talking about CMMC in defense for cyber security, from several years ago, but we still don't have an enactment yet. So our process is much slower and much more difficult to enact as a unified entity. So it's good and bad. It's good that we're talking about it. It remains to be seen whether it's really good or bad in its directives.

Joe: I'm glad you brought up CMMC, because as you were chatting about this being a good first step, at least that's what I was hearing, the government sort of pushed the envelope with CMMC as it relates to ZTNA and said, look, if you want to do business with us, you gotta have CMMC, you know, CMMC says you've got enough ZTNA in place. Are we going to see the government put a foot forward, in your opinion, to say, okay, well, if you're going to work with us on an AI project in any way, you've got to have this framework in place? Do you think we'll see that same sort of thing?

Chuck: Yeah, I think we'll see it, but again, even with CMMC it's not enacted yet, and there are a lot of issues, because a lot of the small businesses can't afford to have that expertise or pay for it. So I think there's a lot of divergence on what constitutes the requirement. So I think with artificial intelligence, we're just beginning to understand the implications itself. What generative AI is is quite unique in a lot of ways, and there are a lot of competing interests that use different LLMs and other things, so getting a grip on it is going to be difficult for the government. But I think the direction is exactly what you're saying. Eventually, whenever it sort of starts to go out of control, which it may do, there's going to be a call, a political call, for action, and I think there'll be a next couple of steps, probably, to try and regulate it more effectively, and that may include some stipulations similar to the SEC's, where if you don't do this in a certain amount of days, if you don't disclose it, or if you don't report to this entity that you have an issue, then you may have subjected yourself to some sort of fine or a penalty. So compliance is going to be a much tougher issue with AI than anything else, because it's not necessarily generated in the United States either. It can be from anywhere on the globe, just like cyber security. So it's difficult to get a foot on, and so we're still going as we go. And I think, if you're looking at Congress as the answer to things, over the last few years they've demonstrated their ignorance of technology and of what is happening generally. Years ago they voted to ban the Office of Technology Assessment because they thought they didn't need it. So I don't think we have the expertise legislatively. So again, I go back to our system. It's competing interests: the big companies, small companies, medium companies, various industries all have different perspectives, and to collectively get one together is too difficult. That's why it's interesting to watch what's happening with zero trust, because that was sort of enacted very strongly to get control of data and identity management, and it's really taken a foothold in all the various federal agencies by mandate, and now in the private sector. So I think that's maybe a good model to follow, but it'll take some time.

Joe: Yeah, and it's interesting, as I see AI bubble up into the mainstream media, the thing that they talk about, or that I hear them talk about at least, is that consumers are worried about their data, right? From that aspect, not so much some of the other things, but the consumer data portion of things. Are you hearing the same?

Chuck: I'm hearing the same. Again, it's sort of a dichotomy between Europe and here. They're very much concerned about privacy and data over there. Here, you have a strong privacy group element that wants to protect data at all costs, and even identity, even in cases of a national security interest. But I think most consumers are ignorant of this. They voluntarily post too much, or give whatever they want to give up without knowing it. I mean, their disclosure is of course on the data, but I think with social media algorithms now, the cat's already out of the bag. They know everything about us and what we do, where we shop, what we buy, and what our interests are, and I don't see any regulation coming to sit on that.

Joe: No, but it's interesting. As I was preparing to chat with you, I was doing some reading about the states that have adopted comprehensive data privacy legislation, and since 2018, 14 of them have done that. Five are currently effective, and the remaining nine are going to go into effect between '24 and '26. In your opinion, do we need national regulation on data privacy?

Chuck: I think we do. You know, Vint Cerf, of course, the chief internet evangelist for Google, said there's just nothing private anymore. But I think it's still the main platform for fraud, and it particularly victimizes the elderly and less informed people that use the internet. So it's going to grow, and they're now saying that the younger generations don't even care. They'll give anything. So unless it's federal, I don't think it's going to really be enforced. I think states are going to have a lot of challenges, because again, this is the internet. Where is it? Where's the jurisdiction? And who's going to enforce that, who's going to give it... how much law enforcement activity are they going to really direct towards that, with all the other issues going on? So I think it's good that states are considering it, and they're all varying too, not a lot. So I think what is really needed is a federal-level law that is consistent, but maybe not necessarily strident in requiring every privacy, because there are circumstances that may negate a need for that, and again, looking for law enforcement and other issues. But I think it's a necessary goal at least to go for, because we're in a world now that is almost entirely digital, and it's just starting. It's bad already, and that's going to get much worse.

Joe: Yeah, and I was reading about this concept of data minimization, and that some states are looking to impose obligations on the data controllers, like the organizations that maintain the data. Can you explain to us, in case folks aren't familiar, what is data minimization, and what should CISOs be thinking about as it relates to data minimization?

Chuck: Yeah, it's really a policy, in a sense, about what data is available to share. If you look at what you're looking at in terms of when you deal with transactions, and a lot of the vendors and stuff like that, they often have disclaimers, or they will say that your data will not be shared outside of this. So it's basically a post where you can't do anything that's not stipulated upfront. So I think the minimizing of where it can be shared is really what it's about. But again, the enforcement part of that is very difficult. I mean, how do you track where everything's gone? There are a lot of services and stuff like that, but again, most people aren't aware of it, and I'm sure all of us have experienced the fact that once we've watched something with a vendor, all of a sudden we'll get 50 different advertisements from someone else our data was sold to. And selling the data is a big issue too, and data aggregators are a big business, and as long as it's a profit for these companies, and they're making huge profits on it, they're going to do all they can to try and dismiss any efforts to really lock down that data, because that's a valuable commodity for them. And data is valuable, and for vendors and retailers particularly, knowing the buyer's habits and behaviors is like gold for them too. I mean, they need that to basically streamline their industries in that end. So I think again, all this is really interesting, and it's just like law itself. I mean, there are always gray areas, and you have to really get a handle on the global digital ecosystems before you can even try to enact a lot of this legislation, and then there are so many different components to prosecuting it, enforcing it, and also disclosing. And you're seeing it's much easier in Europe, I think, to do that than it is here, because we just don't have the mindset for it.

Joe: Yeah, you're right. It is partly mindset. But I've been thinking this whole time that data is bacon, but no, you've told me that data is oil. I want to talk a minute about health care data. There are states that are really being forward about what they're going to allow and what they won't allow, and in April '23, Washington State's governor, Jay Inslee, signed the My Health My Data Act into law, and it modified the legal landscape with respect to health-related data for certain Washington entities. The MHMDA creates this privacy regime focused on personal health data. Do you think we're going to see more states follow suit here? And if yes, what does that mean for health care CISOs that need to adhere to these new laws?

Chuck: Well, they still have the HIPAA laws already in place. The data itself is valuable, and it's a privacy issue. There are two things. It's less valuable than it was. I think the bigger problem right now with the health care industry is the ransomware, because they're being forced to pay, and patients... But going back to your question, I think there'll be some moves to that. Washington's not really an example of a typical state. They're smaller, and they tend to be more consumer-oriented than other states. So I'm not sure if it's going to be sort of replicated in other states, but I think it's a good idea. I mean, if you really want to get futuristic, we're going to look at our DNA and everything now being shared. So it's not just our health data, it's our very cells that are at risk, and I think we have to implement those kinds of privacy legislation for the future, because it is going to be a big brother kind of situation if we don't. And also, obviously, I still think the cyber security risk is still a big problem that doesn't necessarily pertain to data privacy; it pertains to data security. But I think there's a long way to go. Again, the HIPAA stuff has been around for a long time, and there are compliance issues, enforcement issues, but you hear every day of data being leaked, private data, and the consequences have not been that severe.

Joe: Yeah, well, that's true. Well, my last question has got a little bit of spice to it, because it's an opinion question. So the earliest part of it is: the SEC adopted new cyber security disclosure rules for public companies, and it changed the game a little bit, right, as it related to risk management, strategy, governance, sort of impactful for some organizations. Can you break that down for us? And then can you tell us how the CISOs that you talk to are feeling about it?

Chuck: Yeah, it's a mixed bag from what I'm hearing. But the way it breaks down is that they have four days to disclose a material breach. And that in itself is not a bad thing, because there's been, obviously, legislation and court activity around that which has put the CISO at risk, from several cases actually recently. And I think from the CISO's perspective, most don't like the idea, because it puts more liability on their shoulders, and it puts more responsibility, and there are some that say that they shouldn't be responsible. So it's the C-suite's role to protect the corporate activities; the CISO shouldn't go to jail or be fined because of that. So that's a separate issue. But the SEC value, I think, is that too many companies have been very lenient on cyber security awareness. Part of this legislation calls for cyber security awareness, but they have to get the fundamentals down. The breach is just one part of it, but they have to have expertise. What they got rid of was that requirement on the C-suite and the board that you have a cyber security expert, and that was originally in the legislation, which I think was a bad thing, because I don't think most C-suites have a clue, and nor should they necessarily have it, because the cyber security landscape is pretty complicated, with all the different technologies and all the different levels of security required and compliance. And it can't all be on the C-suite's shoulders, and you need people on the board who understand the implications and liabilities, and that missing ingredient, I think, needs to be reenacted. So I think the SEC is again just like everything else. It's the first step. And what happens with disclosures... I know several companies that were reluctant to disclose, particularly for public awareness, because it affects their stock price. And everything is always about the bottom line with these corporations, and security has always been a second thought. It is a cost item. But now I think what it does is it puts security up front, and anytime you have security up front, it's a good thing. So I think what we need to do is go back to this and look at how do we make this more functional, and how do we really make it more fair? And it should be really looked at also to protect consumers and protect the small and medium businesses too, that don't have an understanding of what cyber security is, or the resources or the expertise, to really adhere to this. But public companies have no excuse anymore, right? They need to know.

Joe: Yeah, they need to know. What I'm hearing on the fairness aspect is, and maybe even a rethinking on the part of some of the CISOs that I talk to, some of them feel as if, hey, look, if I'm reporting to the CIO and I ask for budget for this stuff and I don't get budget, how can I be held responsible? Right, and it's a fair question. And the second thing that I'm hearing and talk about is, okay, maybe let's give myself a different title here.

Chuck: Yes.

Joe: So yeah. And then all of a sudden, and I forget whose feed it was today, but now there's insurance coming out, personal insurance coming out for CISOs for liability. Had you seen anything around that?

Chuck: I've heard about it. Now, that's a good thing, in my opinion. But they need it. I think, just like anywhere else in the C-suite, they need insurance. But you put a really good point there, because most CISOs don't have budget authority. Half of them don't even have procurement authority. So if they want something, it's not like they get it, and they're forced to sit there and deal with a lot of compliance and a lot of issues half the time. So having a CISO's responsibility for a breach, that may have been a system that was there before they came on, which often is the case... There's always lateral movement in these things, and you're going against state actors too, as a company. Most of these are instituted by state actors or are supported by state actors as groups, particularly the ransomware groups. So how do you hold an individual that doesn't have the resources or capabilities responsible for fines? That part is wrong. I think it's wrong. Disclosing a breach is a different thing. Obviously, the awareness is another thing. But holding liability to a CISO, I think, is the wrong way to go.

Joe: Yeah, I do too. Well, thank you for taking some time with me today. Thank you for sharing your thoughts on some of these upcoming and/or existing legislations that we're seeing happen. It feels like we're at the start of some of this stuff for AI, we're just sort of peeling back the onion a little bit. So it'll be interesting to see what happens in the next few months, and we'd love to have you back and have you visit with us again.

Chuck: Yeah, I've seen a lot now with the chief digital officer now being chief digital and artificial intelligence officer. So it's interesting. They're starting, but they're starting at the very beginning, not the finish. The finish line is a long way off.

Joe: Oh, for sure. We're just all learning about it. So thank you again for taking time. Thanks, everybody, for joining.

Chuck: Yeah. All right. Bye.

Joe: Bye.