Security Ledger Founder, Editor Paul F. Roberts on the Threat Landscape, ‘Tremendous’ Impact of Generative AI


For reporter, editor and media entrepreneur Paul F. Roberts, technology is far more than a day job; it’s a passion – as evidenced by his nearly 30 years in the industry. During that span, he has held a range of titles, from technical writer and industry analyst to editor, contributor, organizer and founder.

Roberts has edited reputable cybersecurity publications like InfoWorld.com and ThreatPost.com, and he’s contributed to outlets like Mother Jones, The Christian Science Monitor, Forbes and MIT Technology Review. In 2012, Roberts used his years of industry and journalistic knowledge to establish his own news website, SecurityLedger.com, which explores the intersection of cybersecurity with business, commerce and politics. Roberts, who’s taken a keen interest in the Internet of Things (IoT) over the years, says Security Ledger reports on “topics that matter in our IP-enabled homes, workplaces and daily lives.”

Since December 2021, Roberts has also served as the Cyber Content Lead for ReversingLabs, a Cambridge, Mass.-based malware analysis and threat hunting vendor with a focus on securing the software supply chain. He is also a recognized advocate for the “right to repair” (RTR), serving as a board member for The Repair Association, a coalition of repair industry professionals. Additionally, he’s the editor-in-chief of the “Fight to Repair” Substack, which covers grassroots RTR efforts.

We recently caught up with Roberts to discuss his many endeavors, plus some trending security topics and the rise of generative AI. What follows is an edited version of our discussion:

To kick things off, what are some of the trends Security Ledger is focused on right now?

Things are shifting in cyberspace: Threat actors are now going after infrastructure – including IoT networks – and not just laptops or servers. IoT is the future of the cybersecurity industry and the future of computing. As an industry, though, we haven’t learned the lessons of the last 30 years. That’s an area I continue to cover.

I’ve also covered the shift left in security – or moving security earlier in the development life cycle. That’s evolved into a bigger question about risk in the software supply chain when developers also become the target. Development pipelines are being exploited to launch attacks, which is definitely something I’m interested in.

What are your thoughts on generative AI? Are you using it in your work, and if so, how? 

I’m using it a little bit, mostly to do scut work – for instance, creating summaries of blog posts. I do think ChatGPT can be useful for reporters and anybody doing thought work by helping to accelerate the early planning stages of any reporting or book project. It’s clear that it can be helpful to focus inquiries and connect you to sources of information that may not occur to you. That work is usually done in reporters’ minds.

In terms of writing copy, it’s more complicated. People often talk about, ‘Oh, let ChatGPT churn out a rough draft and then the human can polish it up.’ But I was listening to [New York Times columnist and podcaster] Ezra Klein, who talked about the first draft as the stage where you do most of the brainwork, and it’s in this stage where you might ask yourself: ‘Is this the story I actually want to write?’ The work that your brain does to get to that first draft is difficult and it’s important, and it stimulates you to generate thoughts you may not have had otherwise. Tasking ChatGPT with that work won’t allow writers to have those revelations.

I think in journalism, more broadly, AI will take on the nuts and bolts – financial reports, sports scores, earnings, etc., essentially copy that’s more formulaic. But with cyber, it’s still a niche topic, so ChatGPT can’t yet write a decent cybersecurity story. You need domain expertise.

"The work that your brain does to get to [a] first draft is difficult and it’s important... Tasking ChatGPT with that work won’t allow writers to have those revelations."

What are some of the security concerns attached to generative AI?

The implications for cybersecurity are tremendous. We’ve long seen malicious cyber groups accelerate their development of new attack methods. And we’ve seen that cybercriminals are incredibly willing to embrace new technology and aren’t quite nostalgic or conservative; they’ll toss something out and embrace it. If they’re successful, they’ll never look back. Defenders are more conservative by necessity, but I expect to see them use generative AI technology, as well. That might be in filtering through the noise of firewall and IDS [intrusion detection system] reports. I can see it being hugely helpful for SOC operators.

It’s already being used by GitHub and GitLab to analyze source code to identify vulnerabilities and risky dependencies. It’s doing a lot of grunt work of sifting through millions of lines of code. So, I think you’ll see it accelerate the development of threat-hunting and threat identification tools. It’s truly an arms race.

"Defenders are more conservative by necessity, but I expect to see them use generative AI technology, as well."

Can you cite an example of an important story that isn't being told right now?

We’re living in an environment of epidemic threats, attacks and data breaches – all of which have been occurring for years. There’s been no policy-based response to them. I actually think we’ve reached a tipping point. Now, federal security officials like Jen Easterly [director of the Cybersecurity and Infrastructure Security Agency, or CISA], are talking in more strident terms about manufacturers and software companies needing to do a better job securing their products. So, one trend to watch moving forward would be whether policymakers move past the ‘pretty please’ stage and draft regulation and standards for companies selling software not just to governments (we’ve seen that), but also to consumers and businesses. I personally believe more regulation is needed and that it will come down eventually, but it’s hard to say when.

In terms of trends, I think the cybersecurity story is ‘moving on’ from ransomware, and I’m interested to see what the next ‘big trend’ will be for cybercrime. Ransomware was a great business model, but new methods will soon emerge.

"One trend to watch would be whether policymakers move past the ‘pretty please’ stage and draft regulation and standards for companies selling software not just to governments...but also to consumers and businesses."

Lastly, as we mentioned, you’re very active with The Right to Repair Movement. How has that work been going of late?

I got involved four or five years ago. I’d heard complaints that companies were essentially using cybersecurity to scare people off from the right to repair products. I took it upon myself to use my connections to cybersecurity leaders and created a group, Secure Repairs (securepairs.org), so that the cybersecurity community could speak with one voice and inform lawmakers about the true nature of cyber risks to IoT, smart devices and so on. That won me a position on the board of The Repair Coalition.

The right to repair fascinates me. It’s a cybersecurity topic – yes – but it’s also about sustainability, economics, the drive for a more circular economy, smart-device ecosystems, and frankly, how technology can amplify the tendency of companies to want to extract as much money as they can from customers through agreements like subscriptions.

After years of defeats, we’ve begun to score some victories. In 2022, Colorado passed a wheelchair-related right-to-repair law. A few weeks ago, they followed that with an agricultural equipment right-to-repair law. We’ve seen more general legislation passed in New York around electronics and making repair information publicly available. At least one additional state may pass a similar law this year.

And while a lot of proposals nationwide may still die because of industry lobbies, more are getting to floor votes, which is encouraging. Many could be filibustered, but there’s been more activity, and the dominoes are starting to fall. It’s great to see, and I’m continuing to write about it and shine a light on it.
