In this episode of the Redefining CyberSecurity Podcast, host Sean Martin and guest Sidney Pearl discuss the newly-formed AI-ISAC and the importance of information sharing in the cybersecurity community. They explore the challenges and opportunities presented by artificial intelligence and invite listeners to join the conversation to stay ahead of emerging threats.
Guest: Sidney Pearl, Executive Director at AI-ISAC
On Linkedin | https://www.linkedin.com/in/sidney-pearl/
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
____________________________
This Episode’s Sponsors
Imperva | https://itspm.ag/imperva277117988
Devo | https://itspm.ag/itspdvweb
___________________________
Episode Notes
Welcome to a new episode of Redefining CyberSecurity Podcast. In this episode, Sean Martin is joined by Sidney Pearl to discuss the AI-ISAC (Artificial Intelligence Information Sharing and Analysis Center). They talk about the importance of operationalizing security and how communities, such as CISOs and other business executives, play a vital role in information sharing.
Sidney Pearl, the newly appointed executive director of AI ISAC, shares his background and experience in cybersecurity. The pair explore the structure of ISAOs (Information Sharing and Analysis Organizations) and ISACs. They explain that ISACs were initially formed to develop public and private partnerships between the government and private industry to share information and identify threats to critical infrastructure. Over time, ISACs have evolved into ISAOs, which have members beyond just the government and focus on sharing information across various domains.
The conversation then shifts to the AI ISAC and its importance in sharing information about artificial intelligence-related threats. They emphasize that the AI-ISAC is neutral and aims to help all ISACs and ISAOs gain insight into the threat landscape associated with artificial intelligence. They discuss the challenges of navigating the rapidly evolving field of artificial intelligence, where bad actors can leverage AI tools for malicious purposes.
Sean and Sidney stress the necessity for organizations to proactively understand the trajectory of AI and make informed decisions. They highlight the importance of accessibility to good information for organizations to stay ahead of threats. Trust plays a crucial role in the success of ISACs, and Sidney invites the audience to engage with the AI-ISAC to foster trust and collaboration. Sidney also expresses the AI-ISAC's commitment to working together with the cybersecurity community to adapt to the changes brought by artificial intelligence. He encourages listeners to reach out and participate in the dialogue, emphasizing that we are all in this together.
Key Insights Provided:
___________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
ITSPmagazine YouTube Channel:
📺 https://www.youtube.com/@itspmagazine
Be sure to share and subscribe!
___________________________
Resources
New Artificial Intelligence Information Sharing Analysis Center (AI-ISAC) Launches at Kennedy Space Center: https://world.einnews.com/pr_news/674452892/new-artificial-intelligence-information-sharing-analysis-center-ai-isac-launches-at-kennedy-space-center
___________________________
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network
How the Newly-Formed AI-ISAC is Protecting Businesses from Emerging Cybersecurity Threats by Building Cross-Industry Trust and Collaborating with Other ISACs | A Conversation with Sidney Pearl | Redefining CyberSecurity Podcast with Sean Martin
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] Welcome everybody. You are very Welcome to a new episode of Redefining Cybersecurity here on the ITSP Magazine Podcast Network. This is Sean Martin, where I get to have some amazing chats about how we can operationalize security for the benefit of the business and one way that organizations kind of get themselves positioned to protect themselves is through communities, CISOs, band in communities, executives, band in communities.
A lot of information is shared. Um. Sometimes off the record, behind the scenes. And I believe that it's important that things happen a little more formally. And, uh, there are organizations that have helped to do some of that. And we're gonna talk about that. Uh, information sharing associations. I always get the acronyms wrong.
What are they? Uh, I'm gonna, you know what I'm gonna do? I'm gonna say, I'm gonna let my guest help because I'm not the expert. Uh, Sydney Pearl said Pearl, thanks for joining me today.
Sidney Pearl: Yes, thanks for [00:01:00] having
me, Sean.
Sean Martin: Uh, it's a pleasure to meet you and pleasure to have you on the show. Uh, I, I saw a post fly by my feed about, uh, the AI ISAC, and I was like, let's figure out what's going on there.
I know about a lot of ASACs, uh, but what's the AI ISAC going on, going on there? And, uh, newly appointed, uh, executive director. Congratulations on that.
Sidney Pearl: Thank you.
Sean Martin: And, uh, so we're gonna talk about what, what the AII SAC is about its role, uh, in, in the, the business world, and who should be a part of it and what they can expect from it, and just your view of what's going on there.
So before we start, a few words from you Sid, about, uh, some of the other things you've been involved with. You have, you have a nice history of, uh, of accolades there. Uh, so maybe a few things to help people understand where you, where you're coming from as you enter this role.
Sidney Pearl: Yeah. Thanks again, Sean, for having me.
Um, yes. Um, I, first of all, I'm, I'm a humble [00:02:00] person, so I kinda a big fan of talking about myself, but I will certainly do so. Uh, I, I will start with, I served 20 years in the United States Navy, a number of years, uh, supporting, uh, information technology. Uh. Information gathering and research. Um, probably the best way to describe it, uh, for this capacity of this call today.
And, uh, so I've been in and around, uh, in my military years on, in, out into the private sector. So I spent 12 years on active duty, uh, and eight years in the reserves. I finished up my time in 2007, uh, in 19 ninety-nine when I went, uh, into sector, I went into it. Finally known name today of cybersecurity.
And as in all things back in those days, uh, we were to be, uh, seen and not heard. And, uh, fast forward several years now, and after working in in this [00:03:00] industry, I've been fortunate to be in a number of companies, uh, where I've been serving in significant leadership roles in the areas of cybersecurity. So fortunately, I've been able to.
Work on a number of areas across government, military, law enforcement, private sector across multiple industries, financial services, et cetera. So it's that breadth and depth of understanding how the bad guys operate, the who, what, where, when, why, how, and then how do you connect the dots? Into business, help the business understand the importance of it, and then be able to evolve their organization in such a way where they can make better informed decisions.
So that's what I bring to the table in conversation when I work with my clients and, and other organizations around the world. So, uh, appreciate the opportunity in discussing the AI SAC in that context as.
Sean Martin: Probably saw and everybody else listening heard and saw me butcher [00:04:00] all the acronyms. Um, would you mind kind of walking us through the structure of these, the ISAOs and the ISACs and there's a standards organization. I don't know how much of that you want to cover, but if you can kind of paint a picture of the general, uh.
Information sharing realm, that would be fantastic.
Well, it's been a journey, uh, just like my career. Uh, it's been a long journey. It's, it started in the nineties and under President Clinton, he authorized the first ISAC, um, to be formed. And the ISAC stands for Information Sharing Analysis Center. Now, the difference between an ISAC and information Sharing Analysis center and an ISAL, an information sharing analysis organization is.
Under the center model, it was just that it was designed for public and private partnerships to be developed between government and private industry to share information That was the original intent, to identify threats, uh, to critical infrastructure and share [00:05:00] information amongst those organizations as it evolved since the nineties into today.
Evolving into an information sharing analysis organization in ISAL. Those organizations not only do that mission, but they now have members beyond just purely members coming from and from the government, etc. So now they're sharing out to other organizations which enabled them to be. Attach that name organization to how they describe themselves.
So it's been an evolution in that sense. And, uh, the ISAC reason why, for the artificial, artificial intelligence ISAC, is that we wanted, we knew that we're gonna need to be able to share with both government and private sector. And so going back to the traditional intent of what an ISAC was formed to do, we felt an ISAC was best placed for the AI to be able to operate.
Yeah, and it's interesting because, uh, I might be mistaken, but Financial Services was the [00:06:00] first one. Is that correct?
Or was it more critical one? Yes. Yeah. Uh, yeah. Financial services and National Health was one of the first ones. Yeah.
And so just those two alone and I. If you extrapolate that, you can kind of see it's sector oriented.
And what I find interesting here, ai, and then if we, we will, we'll include a link to the press release, uh, that, that where there's some quotes from some folks, it crosses all the sectors. So it's not just automotive, it's not financial services, not healthcare, all the others. This one crosses many. So how, how does that change how you look at this?
'cause you have people from. From all over the place now.
Well, you know what's interesting is that each ISAC and ISA is working toward the same goal and as the identification of threats that can be shared with their members and out to other parties and organizations within their specific domain.
Financial services, as an [00:07:00] example. Uh, credit unions, uh, mining and metals, etc. So all of them are working the. AI crosses all of these and each organization is gonna have some part to play in this. We're not stating that the AI SAC is going to be, uh, have all insight to everything that's going on with artificial intelligence.
Naturally, we're gonna have a role to play, but each ISAC and iso. Is still gonna have a mission in the context of artificial intelligence. They're gonna need to know what's going on. And we're here here to help the ISACs and ISALs themselves be able to gain insight to what's going on in the threat landscape associated with artificial intelligence.
And then help them be able to articulate to their own members within their own specific ISACs and ISALs. Be able to do that. So it's. It's challenging to take on a new domain like artificial intelligence as broad and as deep as it is, and change your operating model of what your current [00:08:00] mission is for your current ISAC or ISAL.
So that's one of the reasons why the AI-SAC was created is to be able to help those ISACs and ISALs as well as our own members, be able to gain insight to what's going on with artificial intelligence. And as you know, artificial intelligence is gonna be touching, uh, areas like robotics, for example. And how do you know, how are you gonna navigate those types of waters and be able to know how's it going to affect my operational environment and what does that mean for me in the future?
So those are all various reasons why we felt the AI sector need to be established and stood up.
Yeah, I love it and might be a step back here, but yeah. For folks who may not be completely familiar with. The process of what it does. Uh, can you describe what an ISAC does? It sounds like now you have members of your ISAC and then also this ISAC extension, this web of ISACs that, that you have to work with as well.
So can you describe the process of who's sharing [00:09:00] what and, and how that's used?
Well, the, the foundational goal of any ISAC and ISAL is to share threat-related information. By and large related specifically to cyber and cyber related threats. And then when you take it from that level up to say, mapping it into critical infrastructure, gathering the threats across those different types of domains for their specific area, financial service, for example, health care, etc.
They gather, they gather the specific. Cyber-related threats and then share that out to their various members. And so what we've created, and I'll give you an example, the our current AI ISAC is associated with the International Association of Certified ISALs Outta Kennedy Space Center. And there are others coming outta Washington that come under a different, um, umbrella, if you will, as to how they're structured.
But the goal is still the same and I is to gather [00:10:00] cyber threat-related information and share it out to their members for purposes of knowing what's going on and what actions can they take. And, and that also, that is all part of their membership, uh, that they get when they are part of this.
So can, can you describe the, the gathering process and the analysis process?
Um, I, I would imagine there, there has to be some tooling and, and some infrastructure and, and some people. Um, what can you share, share with us there?
Well, you know, I can't go into too much detail. Yeah, of course. Yeah. And don't wanna get into methods, uh, too much here. Yeah. Uh, 'cause I do need to protect those that are working on this.
So, uh, there's a combination as, I dunno, it's a cliche within our industry, people, process and technology, but it is exactly what it is. Uh, we. Tools, and I'll say we have a portfolio of tools and capabilities included within our portfolio is [00:11:00] artificial intelligence to be able to extract information from different sources and information, uh, and bring that in.
We have human analysts, uh, that gather information and through their sources, gather that information and then validate and.
Gather this information, roll it up into a, in a standard report on a daily to weekly basis, and just deliver it out that way. So there's a thorough vetting of the information that is coming in before it's released. So it is a combination of people, process, and technology of how it's aggregated, correlated, and then ultimately.
Actioned and operationalized for our various members.
And I don't know if you can say, but do the members contribute to the information as well?
They do actually. In fact, [00:12:00] we encourage it. Um, so in essence, what we're also expecting here with this AI SAC, and, excuse me, you can imagine. That, uh, in a topic like this, in a topic in particular that is so, I would say, uh, interesting is probably, uh, uh, not the word I'm looking for, but it gets a lot of interest. From various parties for different reasons, right? So, uh, we have some organizations that are the large technology companies that are interested in driving AI to the point to improve efficiencies within businesses. And that's a sincere intent to good things for organizations and their clients.
On the other hand, we know that AI is gonna be used in highly malicious ways by bad actors to target organizations. So what is the balance between those two? How do you tell someone on one hand that, uh, everything's [00:13:00] rainbows and butterflies and there's nothing to worry about? And to strike the balance between bad actors that are seeing the opportunity to take those same tools and apply them and put them into their own toolkit and be able to use them maliciously against organizations and yet still maintain a balance in saying there's nothing to worry about here.
Live long and prosper, right? So I think it's that balance that we want to bring to this conversation. And I think one unique aspect to this is we're neutral in this conversation. Uh, and that I think if you were to approach this in, in somewhat of a, a research oriented, lab based, think type, think tank type, expert related situation, and I think we'll be able to bring some knowledge and expertise to.
We hear this side of the conversation. We also hear this side of the conversation. Here's a fair and balanced approach in net neutrality based on facts embedded information, which is why it's important [00:14:00] to you, and bring that so going beyond purely the information sharing and threat analysis. I feel the AI SAC has a responsibility not only to its members, but more broadly than that globally, to help people understand what's really happening and can I truly take what it is that I'm being, that's being shared with me and have confidence that it's being done in the right way for me to make informed decisions.
I think that's a critical value, uh, outcome that I think will be important as the AI SAC continues to evolve.
Yeah. Yeah, definitely. And in terms of, of membership, um, don't need, uh, whatever details you can share, but I'm wondering what, what's required to become a member. I'm sure there's some filters. Is it organizational level, is it individual level representing an organization, or what, what's that look like?
Well, I mean the membership opportunity is there for government and [00:15:00] private sector organizations to be part of this. Uh, naturally we welcome opportunities for individuals that wanna come and be part of this as volunteers. Um, we welcome that if they want to participate. So feel free to reach out to us.
We'd be glad to discuss role.
It's government members and also, uh, private sector members that, that really are primary customer base for how we'll deliver the threat sharing information out to those organizations.
And perhaps even looking back at the original, uh, vision for these ISACs, um, can you describe what the goal is? Is it, is it to.
Help a broad stroke of organizations respond to an active attack, or is it to be specific and say, this organization or this group of folks or businesses are prone [00:16:00] to attack? We're seeing activities, so they should shore themselves up. Uh, looking at security operations. They measure themselves by meantime to detection, meantime to response, meantime to recovery, that kind of thing.
Are there those types of objectives or how, how do you measure yourself, I guess?
As a, uh, former, I guess some might say, um, maturing, uh, old Intel guy. Uh, I'll simply say I see the world through an intelligence lens. Okay. And, and that intelligence lens. Drives me to become more proactive versus reactive.
And I think that's a lot, that's what's missing in most organizations today. And when we speak in terms of to detect respond, that to me says reactive across the board. Okay. Uh, and in the world of where I want to try to get ahead of the curve and try to identify the threat before it actually becomes a problem, that's a [00:17:00] space where a lot of organizations don't have the opportunity to operate.
And, and all too often we see them struggling because they're, they're putting out the next fire. Waiting for putting out the fire, waiting for the next fire to come along and not focusing on the future state, which is where they need to be in identifying and artificial intelligence is gonna be unforgiving in that domain.
So I would say that it behooves all of us to really understand what's going on and not simply accept, uh, what's being said in. The global marketplace, uh, and I'll leave it at that. Uh, it, it requires all of us to know what's going on so that we can make the, in the right informed decisions about how this is going to affect our operational environment.
So, to answer your question, first and foremost, we need to be proactive and in order to be proactive, we need access to good information, to make vetted decisions, properly vetted decisions to determine to. Before it [00:18:00] becomes a problem. And that's where I want the AI ISAC to be able to get, to not simply gather threat-related information and share out to the members.
And I think that's a big difference in comparison to some up to, uh, some of the other ISACs and ISACs that are operating out there today. Yeah, yeah.
Makes sense. And are there, I I'm looking at the, looking at uh, like threat intelligence feeds. I know there's been discussion of organizations. May not be quote-unquote mature enough to get the value out of a feed, let's say, um, they might not have the systems or the team or whatever processes in place to really make the most of it.
Is it the same for an ISAC and, I don't know, maybe even more so for an AI ISAC,
you mean the amount of information coming in and the ability to take action on it?
Does an organization have to reach a certain level of maturity? To be able to benefit from being part of [00:19:00] the ISEC?
Well, I'm going to answer your question with a somewhat of a broad-based question to the question.
Okay. And that is this. Can you, can you afford not to have access to this information? Is the question right? As fast the world is now moving today.
Challenges we've experienced in bad. Get their tools in place, sell those tools out to their own marketplace and e exponentially grow their own business and, and do damage across those environments. Can you afford not to have access to the information? Right. So I would argue, and I do advise a lot of clients in saying, well, and when I hear we don't have the time, we don't have the resources, we don't have the.
[00:20:00] All of that. I completely understand. I've been in their shoes, so I fully understand, as I said before, AI is not, is gonna be unforgiving. It's not, you're not gonna have the luxury of saying, I don't have the time or the resources to be able to focus on this because it, it is moving so fast. It will be beyond you before you have the opportunity to even understand truly what's going on.
Yeah. And of course there's, uh, the, the cyber criminals do. Pretty decent job of sharing. Right. And collaborating and, and, uh, they have their own supply chain of providers of services and technologies and all that stuff. I presume they have something similar for themselves. I don't know if you have any insight in into that.
Yeah. Well, yeah, they have their own operational networks. They have their own means and, and ability to be able to do a, orchestrate their networks, get their, let's just call them tools for lack of [00:21:00] a better, of a better word, uh, to get their tools to their networks. For that to then be spread all over the world.
Um, and that happens continuously. Uh, and now when you take artificial intelligence with the ability to real-time translation. I'm talking about code level translation to something that may have been developed in say, China or Japan or somewhere in the Middle East or United States, whatever the case may be.
When you can do real-time code translation and turn that into a malicious code. For your own operational purposes. Now, Pandora's Box has been opened in ways that you haven't even thought about before, right? So now it creates a whole new level of challenges that most organizations just aren't quite prepared for.
As I said, I think this is why the AI SAC has a mission beyond purely threat sharing. We need to be able to help these organizations understand the trajectory of where all this is headed.
Yeah. [00:22:00] Yeah. I love that. Uh, big, big, uh, effort ahead of you. What, um, what do you need to succeed Sid, and how can, how can this audience, uh, help you, uh, have CISOs, security leaders, practitioners, business folks, uh, listening and watching us here?
Uh, how can they help you?
Well, first, let's understand that there is no us versus them. In this scenario, uh, there is, there really needs to be a, a, the silos broken down between I'm in industry, I'm in this industry, I'm in this domain. I'm not questioning any of that. What I am saying to you is, is that at the pace that Industrial five dot-Oh, is moving as an.
Well quickly start to see things like, for example, industrialized robotics now becoming more of a personal type situation in [00:23:00] your own personal domain over the next several years. So to answer your question is, is that what I'm asking everyone to do, uh, with sincerity is to. Move beyond their comfort zone in the silos that they currently operate in within their own domain, and think more broadly about artificial intelligence, not only how it can help you and improving your business efficiencies, which I fully support.
I wanna say for the record that I fully support the efficiency in the positive use of. Benevolent use of AI in a positive way. However, on the dark side of the moon, as they might say, um, I equally would ask the CISOs, uh, and others that want to be part of this, to first step out that self, step out of your comfort zone and say, AI is more broadly applicable to everything.
And so how can I bring my experience, my knowledge? And my team and my perspective [00:24:00] to someone like the AI-ISAC help provide some insight to that so that we can aggregate this in such a way to where we can help everyone, uh, not just a specific.
Yeah. And would you mind taking a moment, uh, because to, to be comfortable in doing that requires trust.
Can you kind of describe how that trust is established with the ISAC?
Well, I will say to you, going back to the, I'd say the, uh, genesis of the ISACs, that one of the biggest challenges and they've had over the years is the trust between private sector and government. On one hand, government will say, provide me what it is that you have and trust me.
In return, not give them anything back in return, right? And so we don't want to be in that position. And again, please understand, I'm not picking on our friends in the government by [00:25:00] any means. Uh, I'm simply saying this is why has been experienced by a number that have been involved with this over the years.
Uh, so building trust is critical. Trust is earned. So I'm not here to say to anyone here today that you need to trust me because I've been in the industry for 30 years. Uh, that's just a credibility statement for you to have at least a beginning conversation. Trust is earned and I would encourage you to engage with us.
Reach out to us, let's have a dialogue, and let's build that trust together, because as I. We're in the early days of this, and we have a role to play, and I'd like for us to work together to build that trust together, to do the right things for the world and for humanity. Uh, and we can do that. And I think that trust will happen naturally as we work together to be able to achieve that
and the, the, the connection to the other ISACs probably helps with that, right?
Tho those members again, that's Well, the sharing, yeah, the sharing [00:26:00] back and forth between you. Yeah.
Well, again, that's a credibility statement, right? The ISACs and ISALs had been around for a number of years, and, and so they're credible and, and their, and their backgrounds. Uh, so building off that trust, you now know that there's, there are people with experience in building this ISAC that will bring those types of resources to bear to help us be successful as well.
Got it. Well, Sid, I'm, uh, I'm grateful for the work you're doing. Um, I think we'll, we'll all be better for it, of course. And, uh, I encourage everybody to, as you noted, uh, reach out to you and, and. Become part of the conversation, start to, uh, start to explore what you're working on and how they can contribute and then we can all all benefit from that.
So any, any final thoughts said before we wrap here?
Just my message to everyone is, as I [00:27:00] stated, uh, we want to work with you, we wanna collaborate with you. We wanna build, uh, the organization of trust with you. And my last statement is, is that we're in this together and if we work together, uh, we will be able to adapt to these changes that are coming our direction and we welcome the opportunity to part.
Got it. And I will. Whatever social details you want to provide us, uh, Sid to share with folks, uh, listening and watching. Any links you have, I'll certainly include the link to the press release, uh, uh, that, that outlines and has some, some good details in there as well about, uh, what you're working on. And yeah, hopefully, hopefully you get some folks, uh, joining you here shortly.
I'm quite certain we will. So thank you, Sean. Thank you.
Thanks everybody for listening, watching and, uh, be sure to subscribe, share, and all that other fun stuff, um, right after you reach out [00:28:00] to CID and, uh, and become part of, uh, the AI ISAC. Thanks everybody. Thanks CID.
Thank you. Take care.