Conquering cyber risk isn’t just about technology; it’s about understanding the human element and anticipating the adversary. Join us as Perry Boyle, CEO of MITS Capital and a seasoned adventurer who has skied in Antarctica and bicycled 148 miles in a day, shares his profound insights on navigating the complex world of cyber threats. Discover the unique challenges of operating in a war zone, the ever-present human vulnerabilities within cybersecurity, and the looming impact of cutting-edge technologies like AI and quantum computing on our digital defenses. Perry also delves into the often-misunderstood realm of cyber insurance and highlights the critical need for a proactive, owner-like mindset in managing cyber risks.
—
Watch the episode here
Listen to the podcast here
Navigating Real-Time Cyber Risk In War Zones And Boardrooms With Perry Boyle
Welcome to Navigating Cyber Risk, where we explore the challenges faced by executives as they grapple with new cybersecurity mandates. We have an amazing guest who has skied in Antarctica. He’s bicycled 148 miles in a day, crossed both Arctic circles. Introducing the CEO of MITS Capital, Perry Boyle. Welcome to the show.
Cybersecurity & War Zone Operations: Risk And Reality
Thank you for having me, John.
Thanks for joining. I’m just going to jump right in here with our lead question, which is, how would you explain the difference between cybersecurity and cyber risk?
I always think that risk is something that can go bad and security is the mitigant to that is to make sure that if you cannot prevent the thing from going bad, you do. If the thing does go bad, you catch it quickly and minimize its damage.
I would agree with that.
Consistent with your thoughts?
Risk is the bigger part of it, right? Overall, are you dealing with all of the risk, but yeah, cybersecurity is much more of the day-to-day, the technology, the processes, the procedures, the mitigation of those risks. Just like having insurance. I agree with that. As a CEO, what’s the most significant cybersecurity threat that you see facing most companies?
It’s hard to speak for other companies, but we operate in a war zone. We operate in Ukraine, so we have multiple levels of cybersecurity risk. I’m holding my phone in my hand, this being one of the most risky things that we have. I spend a significant amount of time in Ukraine, as do many Russian agents. It’s very hard to know when and where, and how badly your phone got compromised.
There are certain hotels I won’t go into because I know what goes on in those hotels, but so far, the sweeps on this have been good. Just even operationally, we operate in the drone wars, and the security of communications in the drone operations is that our number one threat right now is getting jammed. How and where they jam us, they being the Russians, is very sophisticated. They’re very good at this game.
I had a lot of practice and more so coming. I got a friend who actually did something similar. He’s now retired, but how to take a drone out of the sky in the US. Also, what you talked about with your phone there? If you’re doing traveling and you’ve got different SIM cards or eSIM cards, those can be hacked or those can be duplicated on a separate phone? Which a lot of people don’t maybe understand is that this can compromise their two-factor authentication.
There’s no such thing as 100% secure, I don’t think. Every system can be gamed, every lock can be picked. When quantum gets here, I don’t know what we’re going to do.
Every lock will be picked at some point. It’s always a matter of when, not just if. No matter how good a lock you have, somebody will break it.
I think that goes to a key point that you’re asking about cyber risk. One of the challenges is how concentrated is your risk and how diverse is your risk? How resilient is your approach? Do you have one system that, if it fails, lights out, or do you have redundancy and resiliency built into the architecture?
Have you planned for it? The other ability is that if you have an issue, have you practiced? Who do you call? Who’s that PR person? Who’s the lawyer that you call? Do you already have retainers with them because at some point, it’s going to happen. You just have the retainer there for when it does.
We know that we are going to be invaded. It’s just a question of when and how bad. I think we presume the worst.
Prioritizing Cyber Risks: Thinking Like The Adversary
That’s what you have to prepare for. Along those lines, then as a CEO, what are you doing to prioritize risks? What would you tell other CEOs that they need to do to prioritize those risks?
Obviously, you need to think like the adversary and anticipate where the holes in the network are and where the vulnerabilities are. How much security can you afford? It’s not free. It’s not cheap. It can slow you down. My brother used to work for a three-letter agency. It took him from the car until he was at his desk, took him seventeen minutes just to get through all the doors and everything. It took him another thirteen minutes to log on to his computer every day. That’s half an hour a day of security before you do any work. That has a cost. Finding the right balance. You never find the right balance, because you only know ex post whether you had enough security.
There’s also an acceptable level of risk that you have to take, the air you breathe. When it comes to cyber, is a little different, but I mean there’s always risk, no matter how much you’re doing to try and prevent it. Somebody might click on the wrong email. Somebody in the organization might just be distracted and cause an issue.
In a contested environment, it’s even worse because of wireless printers. Anything that’s connected, sometimes you don’t even think about it. Do you drive a Tesla? Did they get to you that way? Anything that you’re connected to is a vulnerability.
I just set up a grill this last weekend, and I was trying to connect to my network, and I was having questions about whether I really wanted my smoker connected to my network. In my case, I set up a guest VLAN and everything else. Yes, it was a valid question of random.
I mean, the Internet of Everything is very cool, but do I need to be able to turn on my washing machine from anywhere in the world? Is that important to me? My coffee maker, do I need to be able to wirelessly connect to it from bed?
I know people with coffee makers that that would be something that would be required. It just depends. I think that depends on addiction, but that’s another podcast that we’d have to do.
As always, people are your biggest vulnerability. I’ve been around the block enough to know that you just have to have extremely low expectations of everyone’s commitment to security, especially the bigger the company you are, the less that your employees feel ownership over the outcome of a bad event, the less likely they are to protect you from it.
I think that there’s also just a level of distraction. From a personal level, I can tell you that I had a period where my father passed away, and for probably the next six months, my distraction level was much higher than it normally would be, or maybe my tolerance. I would look at an email and maybe not process it, for instance. Not clicking or not doing the things that I was supposed to, I wasn’t quite as vigilant in doing those things. I think that’s the distraction, depending if you’re talking to a child, if you’re talking to a parent, if you’re talking things like that with something going on in life. That’s just human weakness that comes in. That’s part of what you have to understand and do your best to mitigate.
Where I was going with this, though, is affiliation. How affiliated do your people feel with your organization? If they feel totally clued into the mission, very appreciated when they show up for work, I think they’re more vigilant than if they’re just a cog in the machine. It’s just a job. They’re working for you today, but they could go work for somebody else tomorrow.
I would agree with that.
They have to care.
As I said, we’re saying the same thing. The life experiences are what I was talking about because those override some of that culture and the pieces, but only to a degree. Yes, having a mission and having everybody committed is absolutely one thing. When personal things happen or that distraction can still take you from the mission for a short period of time or distract you from it. We’re saying the same thing. It really does that human part where we’ve done our best in technology to make what we call the human firewall, but there are still human mistakes. It’s still the keyboard chair interface, as we say.
Which is a terrible interface, and a 150-year-old and terrible keyboard layout. It’s really the worst possible interface that we could have now, but I’m waiting for when they put the chip in you and then you think things, and then we can just think into our network. We won’t be zooming, we’ll be, I’ll just blink twice, and I’ll be connected with John Riley, because that’s who I was thinking about.
Cool. Are you sure you want that?
No, I don’t know, but I think it’s coming. If you just look at the progression, I think increased connectivity is inexorable. It has massive benefits, but also massive dangers.
The Future Of Cybersecurity: AI, Quantum, And Human Vulnerability
Talking about that, putting chips in, and that type of thing, what emerging trends do you believe will have a huge impact on cybersecurity in the near future?
AI because you can code through it. If you say, “Okay, chatGPT, we’re going to break into Amazon Web Services today. How do we do this?” It might actually answer you. That’s what I’m worried about. I was having an argument with somebody about this. Remember Isaac Asimov’s Foundation series and the three principles. Plug that into any chatbot, any of these AI bots, and ask them do they adhere to eyes as a most three principles. They’ll all say no because we have human oversight over what we’re doing. A, I don’t believe it. B, I don’t trust it.
The thought of artificial intelligence becoming more human-like it’s going to have all the problems that humans have. It’s going to go insane. It’ll be bipolar schizophrenic. Some of it will become sociopathic. It will be doing it much faster on a much greater scale than any one person could do it. It’s dangerous. I think Musk and Sam Altman they’ve all said AI is the end of the world. Remember, in Oppenheimer, he set off the bomb. He said, “Behold, I’ve become Shiva the destroyer,” or something like that. It’s possible.
That, along with Boston Robotics, are the robotics things that are happening. They had AI. We’ve got an interesting future. I’m looking at it.
Look at Nvidia right now. Nvidia is arguably the most powerful company in the world. It’s got Nvidia. The single company has a greater market cap than the entire market cap of the United Kingdom, than the entire market cap of Germany, and than the entire market cap of France. It is a nation unto its own, and it’s run by one guy who feels that there’s no problem selling chips to China. He’s perfectly happy with that. I disagree with them.
Believe he’s Singaporean, correct?
He was born in Taiwan, I believe, and then raised in the United States.
Now I think it’s Singapore.
Yeah, because it’s a 17% tax there.
AI is going to be a big one. The one right after that is if you take AI and you give it unlimited quantum computing. Where are you? Even with our cryptographic, the way that we do cryptography, the quantum computers are able to break that. What would take 300 years takes five minutes.
How long are your passwords?
It won’t matter.
I know it won’t matter.
It’s going to be blazing through.
Cyber Risk: How affiliated do your people feel with your organization? If they feel clued into the mission and appreciated when they show up for work, they’re more vigilant than if they’re just a cog in the machine.
Who amongst us generally uses passwords of more than 8 or 10 characters? Very few passwords are more than that. Biometrics, you see it on television. The detective holding the phone up to the dead man’s face to unlock the phone. Every system is crackable.
The beard has some issues with facial stuff. I don’t know, half the time I can unlock my phone with my face, but that’s okay.
I just had this experience. I was skiing on Svalbard in May, and I had a ski accident and my ski flew up in the air and came down on my face and sliced half my nose off. For three weeks, I couldn’t open my phone with my face. I’m up in Svalbard, you cannot reset your Face ID unless you’re at your home location for Apple. It’s a security feature. I was out of my phone for a couple of weeks. Not my phone per se, but some of the apps that are facial open with your face.
If I need laughs, and that thing probably. That would be rough. Glad you made it through. That’s good.
The Cyber Insurance Maze: Navigating Mispriced Protection
The other thing that I think CEOs should be doing is looking into insurance for this, and there is an insurance market. It seems to me to be very mispriced. You’re smiling at me because you’re agreeing, I think.
They’re learning. They’ve been offering cyber insurance now for a few years, for 5 or 10 years. The rates are starting to come in line with what the actual risk is. I guess it’s a good way to put it.
Yes, but I think they have a very hard time differentiating the risk for you versus the risk for me. They’re pricing to the average. Some people, risk pooling is a subsidization exercise, but I think there’s a mispricing of that subsidization going on. If you’re a high-risk person for cyber intrusion, now’s the time to buy cyber insurance. Get it for as long as you can.
Buy the multi-year policy if you can even get it. Usually, they won’t do it. They’ll do a one-year, every renewal, every year because they’re recognizing the risk and they’re reevaluating.
They’ll cap the risk now, too. It becomes exponentially expensive as you go up the liability reimbursement level.
One of the large shipping companies, this was a few years ago, they got ransomware and took down the entire system for days on end. They made their insurance claim, which was promptly denied. When we’re talking for, I don’t know, $100 million was the claim because the ransomware was coming from Russia, they claimed that it was an act of war. It was not covered under their cyber insurance claims. That made its way through the courts. Honestly, I’m not sure how it ended up at this point. It still might be going through the courts based on numbers and such.
When it comes to things like that, where do you think attacks come from? That’s what happens. Is it an act of war? Probably not, but maybe, I don’t know. That’s beyond my pay grade. Let me ask you this. As a CEO, what do you think that cyber disaster looks like post-mortem for a CEO? You realize you wake up one morning and you find out that you’ve been. All your data has been taken/ You’re getting ransomware.
There are a couple of levels to it. It’s how does it affect your business operations? You’re just your ability to communicate and operate within your normal business environment, but it goes well beyond that. What if they hack your HR database and they get into your employees’ data, and then they raid your employees’ retirement accounts or something, or customer data, and then they use that data to do nefarious things with the customers. Your reputation shot. You have reputational risk on top of operational risk, and that’s why you need insurance.
That’s why you need practice. I mean, that’s what I say.
Depending on your industry, literally, people could die. If you run a life support system in a hospital network, and they figure out how to turn off the electricity somehow. Those machines have batteries for maybe four hours. The clock’s ticking. You’ve got four hours before people start dying.
Beyond Cyber: Geopolitics, Innovation, And Saving Lives In Ukraine
That’s when you need generators and other plans. Perry, tell us a little about who you are. You’re the CEO of MITS Capital, but there’s more than that. Let them talk.
I’m a morally outraged person. I am very upset that I’m a big believer in freedom, tolerance, democracy, and a liberal rules-based order. I was actually retired. I retired five years ago. Russia rolled into Ukraine in a full-scale invasion. I waited for the US to uphold the security guarantees to Ukraine for about two weeks and realized, “They expect Ukraine to fall. They’re not going to do anything to help Ukraine.”
What I realized it was the end of the world that I knew. You’ve got a few gray hairs, I can tell. During most of our lives, the world got better. The trend was up and to the right. Yes, we had some oil shocks and inflation cycles and things, but more people live longer, fewer violent deaths, and more leisure time. Everything got vaccines. Everything got generally better for the world. I don’t think that’s true for the next generation.
I’m very concerned. I’m hoping AI turns out to be really good for the next generation, but there’s a lot that can go wrong. We broke the global world order where the US was the guarantor of international peace is over. We’re going from five people with their fingers on a nuclear trigger to 35 people with their fingers on a nuclear trigger. This is not good. I decided I was going to get in the fight, and I logged onto the internet, looked up the International Legion Ukraine, and applied to fight in Ukraine.
They wisely rejected me as unfit for service, but bothered to look me up on LinkedIn. The embassy of Ukraine and DC contacted me and said, “Listen, we have a higher, better use for you. We need money. You seem to know something about money. Can you just bring as much money as possible into Ukraine any way that speaks to you?” I found a couple of Ukrainian partners, and we set up this defense technology company.
It has been hard. It has been hard to get people to invest in Ukraine. It’s starting to happen now. If you look at Europe, and now that they’ve woken up to the fact that the security architecture that they thought was going to protect them might not protect them. Love Trump hate Trump, but he has gotten NATO countries to increase their spending for defense. What are they going to spend it on? They don’t know. That’s what we’re helping them with. Abrams tanks are obsolete. Everyone who was shipped to Ukraine was taken out by a Russian drone.
There are only four left, and they keep them in storage because they’re afraid to lose them. There’s a new way of battlefield war, and it’s based on information. It’s based on innovation. You’re reading the New York Times articles, everything’s about drones. Yes and no. I mean, it’s still about people, and it’s still about systems. You could drop a million drones in the United States Army, and it wouldn’t work because they haven’t hired the right people and trained the right people for usage of drones. They haven’t integrated drones into their tactics. They haven’t changed how their platoon-level organization is. There are a lot of lessons to draw from Ukraine, and just saying it’s drones is simplistic and naive.
Very much so. There are a number of changes that are happening. They’ve been happening throughout. Whenever there’s a war theater, that’s where a lot of the changes come from. Wars are not fought the way that they ever were before. We’re not too far past July 4th. If you think about the reason that the Americans won the Revolutionary War is because they didn’t meet them on the battlefield. They beat them behind different trees.
That’s what the Ukrainians are doing. It’s very analogous to that situation in that we were organizing militias. Ukraine has a national army, but they have many armies. They have a national guard. Have their equivalent of the FBI has its own army. Each one of these units can recruit independently, can arm itself independently. They do. That drives the innovation. The distance between the factory and the front line has never been shorter in any country than it is in Ukraine today.
The innovation cycles are very short. In the United States, to get a program of record takes five years. Once you’re a programmer of record, you’re pretty good for the next ten years. The Ukrainian government won’t give anybody a long-term contract because they don’t know whether what they’re buying today will work tomorrow. It’s not about a military defense industrial complex that Eisenhower warned us about.
It’s about how we defend our homeland? How do we defend the guy standing to the left of me? It’s a very personal situation, and it’s really hard to replicate that mode of thinking if you’re not engaged in the situation. We’re talking about cyber risk, but it’s risk management. It’s creating asymmetries between you and an adversary. It’s anticipating how the adversary is going to find a wormhole into your system.
All the things that you do in cybersecurity, you do in the battlefield. Communications have been a huge area of insecurity. You launch a drone, how do you keep it from getting spoofed by the Russians? Fiber optics. “Now we have fiber optic cutters. Eventually, we’re going to have microwaves that can take down whole swarms of drones.” It is literally an arms race. We use that word as a colloquialism, but this is actually happening, and people’s lives are at stake.
It’s the same on the cybersecurity side. It’s there’s an arms race that happens. The antivirus gets better, the viruses get better. That’s what’s happening since the very first days of computers and how they started. Let me ask you this. What are you currently working on that you’re most excited about?
There’s not the most excited, but one of my side projects in Ukraine is a 3D biological bone printing company. Ukraine sadly, is one of the world’s capitals of amputations. They have incredible expertise in prosthetics now. They have the superhuman project in Odessa that’s just incredible. What if you could prevent the amputation in the first place? What if you could print a custom bone replacement for that person of a biologic material that will be replaced by that person’s own bone structure?
What if you could do that at the field hospital? We talk about the golden hour, like you have one hour from someone being wounded until they die. It’s called the Blood Hour. It’s really twenty minutes, by the way. I don’t know why they call it the golden hour, but if you can get whole blood into them and you can get them stabilized, and instead of lopping off a shattered forearm, you can replace the ulna and radius with a custom-printed bone from the other arm, like you just mirror it. That to me seems like a very positive outcome by comparison.
Obviously, you don’t want the person getting blown up in the first place. We’re way past testing on this. We’re in certification of it right now, and we should have this available at field hospitals by January. That to me is really exciting. My toast that I give to everybody is here’s to good Russians. There are some good Russians, and then the Russians that we deal with, the best ones are the ones who are no longer living. We say here’s to good Russians. We also want to save Ukrainian lives. It’s the principle of asymmetry. We want to get the highest return on our human capital possible.
Very much so.
I’m excited about it.
Action Item: Think Like An Owner, Not An Agent
Honestly, I have a personal reason for being excited about that too, but we can talk about that at another time. We’re coming to the end of the show here, but I mean, as far as you know, I’d like you to give our audience an action item. What’s one piece of advice you’d give them for reducing the regulatory cyber risk? What would you suggest?
You just said regulatory cyber risk, which is the thing that just annoys the hell out of me. It’s if there is a compliance standard, people will secure themselves to the standard, and then they’ll think they’re done. Think like an owner. My advice, think like the owner, not the agent.
Love that. Is a great way to look at it. There’s more to it than just doing the checkbox theater, as we would call it. How would somebody find you, I mean, if they want to get in touch with you?
You can find me, Perry Boyle, one word at MITS.Capital or my phone number is 208-806-1305. One of my approaches to security is to be radically transparent and make sure I have redundancy everywhere.
Perry, I appreciate your time. Thank you very much for being on the show here. I’ve learned a few things, and it’s always good to chat with you.
Thank you, John.
For our readers, thank you for reading. I hope you’ve learned something. Maybe you laughed. Maybe I hope you didn’t cry, but maybe you did. Tell someone about this podcast. There’s been another great episode of Navigating Cyber Risk with your host, John Riley, and our guest Perry Boyle. Thank you, Perry.
Thank you, John.
Important Links
- Perry Boyle on LinkedIn
- [email protected]
- MITS Capital
- MITS Capital on LinkedIn
- MITS Capital on Instagram
- MITS Capital on X
- MITS Capital on Facebook
About Perry Boyle
He is a Co-Founder & CEO of MITS Capital, LLC
Has been in the defense industry for 2 years. But have worked for 35 years in Finance.
During his free time, he loves to go mountain hiking and biking, and during winter, he loves skiing.
