From Arab Spring Frontlines to Cybersecurity Frontiers: A Naval Officer's Journey with Terence Bennett

Secure Talk - Terence Bennett

Justin Beals: Hello, everyone. Welcome to SecureTalk. This is your host, Justin Beals. For those of you that know me, you'll know that I'm an avid sailor. I spend a lot of time on the water around the Puget Sound area where I live, and there's nothing that I enjoy more than exploring the islands and waterways in the area.

Early on in my sailing adventures, I had a delivery that I was responsible for. We were moving a sailboat between Virginia and South Carolina along the Atlantic coast. When we set out at that evening, we looked to have a fairly docile overnight sail, with a nice arrival before lunchtime at our destination.

Over the night, we begin to notice the wind pick up, and the waves pick up, and the storms begin to build around us. By the time the morning broke, we were in a difficult situation. Six to seven-foot seas crashing over the deck. A wet and bedraggled crew and concerned about their safety. And we fought for another 12 hours in winds on the nose to drive the boat towards its destination.

We did arrive safe, everyone intact, and the vessel unharmed. But it was a dangerous situation and not one that we would want to repeat. One of the things I reflected on after the sail was what had led to the challenge. I went back and looked at my preparation and realized that I had misread the weather reports for the following day and missed an important frontal system that was going to move through the area while we were out sailing.

It helps me realize something that's really important that I think our guest really highlights as well today. And that is that good intelligence makes good decisions possible.  Without the proper intelligence the proper ability to understand a situation, we can make really poor decisions. 

And so today, we're going to talk about that power of good intelligence. And we're also going to talk about how some of the AI technologies that are in the marketplace can help us build more secure products. 

Today, we're going to meet Terrence Bennett. Terrence is a startup leader, a cybersecurity expert. A veteran and a volunteer. He is currently the CEO of Dream Factory Software, which is an API code automation platform with a heavy emphasis on cybersecurity.

Previously, he managed operations at Integrate. io and was a member of Google's Offensive Security Red Team. Terrence served in the U. S. Navy as a Naval Intelligence Officer with NCIS and as a Surface Warfare Officer. during Operation Iraqi Freedom. He is a Certified Information Systems Security Professional.

Terrence also serves on the Board of Directors for the American Red Cross for Northern California Coastal Region and is also on the Board of Advisors for Shields and Stripes, a non-profit organization that assists veterans and first responders dealing with PTSD. I hope you join me in welcoming Terrence Bennett to our podcast today.

Terrence, thanks for joining us on SecureTalk. We really appreciate it. 

Terence BennettThanks, Justin. Happy to be here.

Justin Beals: Right on. Well, let's dig in. I think, as I was looking at your background and some of your areas of expertise, your time in the Armed Forces has factored large in some of your contributions, and we always like to hear a great origin story from our guests and how they got to become experts in what they do. So, how did you get interested in joining the Armed Forces? 

Terence Bennett: I was interested in the service from a young age, I got active in Boy Scouts. I mean, at a very young age, I was a Tiger Cub, which is like, I think, first grade. And I think it was kind of through that, something about the idea of serving others, serving something bigger than yourself really appealed to me.

And then in middle school age ish, I got active with Sea Cadets. There's actually like a predecessor to Sea Cadets called the Navy League Cadets or something like that. So from a young age, I sort of was attracted to that. And I've always kind of been one to like seek things out and just kind of do it, even if I had to like grab a ride from a friend's parents or something. 

And so, you know, when it came to high school and, and, and university, I was really attracted to the service academies. I applied to both, both West Point and the Navy and got into Navy actually through like what's called the prep school.

So it's sort of a prep year and it, um, yeah, it's, it's something that kind of just felt right from a very young age. 

Justin Beals: I got through life in Boy Scouts and getting the eagle thing was a big knockdown drag out fight with my parents. Actually. I think I won that one. I think that's why they were like, fine, we're not messing with it anymore.

So you must've been growing up near the ocean to be interested in sea cadets, that type of thing. 

Terence Bennett: Yeah, I grew up in Florida, South Florida. So a few miles from the water and definitely, definitely kind of looked across the ocean as a young kid, spent a lot of time at the fishing pier, spent a lot of time at the beach.

And so, yeah, it was definitely attracted to the ocean. Never really got a huge chance to spend time on boats. So you have to be made up for that later on 

Justin Beals: Exactly because of course I'm gonna dive into an area of my interest So you grab it graduated US Naval Academy in 2010, but you were on the varsity offshore sailing team I'm a fellow sailor. I must have been some awesome Racing and adventures to go join it. 

Terence Bennett: It was so the Naval Academy has a really interesting program because The school is sort of a nonprofit in a sense, right? And so there's a foundation attached to the sailing program that gets donated boats. So we get these incredible boats that people were essentially looking for a tax write-off on.

So I got to sail, it used to be the King of Spain's boat. It was a FAR 53. I was sailing Nelson, Nelson Merrick 53, 53. It's been, it's been a few years. And some other incredible boats, obviously, Navy 44 as well. So, um, sailed on the team for three years, got the race from Annapolis to Newport. We have to do a bunch of the big boat, uh, regattas up in Black Island and actually got the sail with the Spanish Navy across the Atlantic.

So sails from Baltimore to Bilbao, Spain, which is about 30 days at sea. Yeah, I've seen incredible experience. Needless to say. 

Justin Beals: Yeah, that is amazing. You know, I've, I've chipped away at it a little bit. We have a boat, and we race in the Puget Sound area. It's beautiful. But I think our longest distances are 40 hours straight.

It must be just kind of an incredible set of teamwork. It's also a sport, right? You're competitive, you're fighting to win. It's also dangerous, as both you and I know. We've probably lost people at sea. I know that I've had tragedy happen on the water, not on my boat, but on fellow racers' boats in the past.

It's a different type of attention to detail, I think. It must resonate from a military forces perspective, that work. 

Terence Bennett: Absolutely, and, you know, a big part of it is there's, there's protocols and their systems and their safety equipment. And there's really very, very little room, zero room for error when it comes to these, right?

Oh, I remember very vividly an old time, a long time sailor, I think he had 40, 50 years at sea. This is a gentleman out of the Annapolis area who went topside for something while doing a routine transport of a boat. They were like 40 miles offshore,  didn't put his harness on at night, you know, weird wave hit the boat and he was gone, right? And you know, someone who, who, who took, you know, this, the seriousness of, of being at sea for granted. So, yeah, I mean, there's a ton of parallels that, that, that carry over. The literal ones are literally, if you know how to drive a sailboat, driving a warship, although different and slower to respond.

It's a breeze, right? But then there's obviously, there's more sort of soft skills as well, like I mentioned. 

Justin Beals: Yeah. And that was another big part of your naval career was, marine security. You were deployed on a vessel in some areas of conflict, I believe. 

Terence Bennett: That's right. I deployed it, uh, aboard the USS Paul Hamilton.

It's an Arleigh Burke class destroyer. It's a home station in Pearl Harbor. We sailed to the Northern Arabian Gulf in 2011. And it was actually during sort of the wind down of a lot of operations in Iraq. And so we did, maritime patrols of Iraqi waters and the A Bot and K Bot oil platforms. Another incredible experience.

I actually got to spend a lot of time on the, on the platform because I was a qualified boat officer and rescue swimmer. And so sort of captain, I guess. He sort of thought he got a twofer having me out there. And so it was actually, I mean, it was a lot of fun as well. Right. You have to spend a lot of time with the world Marines.

The British were in charge of the, the platform at the time. We were actually there for the transfer to the U S  but we were much more serious. And we were. On r and r, we were in Port Bahrain during the Arab Spring. And we were in the Gulf during the Bin Laden raid. We were in the Gulf during the launch of sort of initial sort of wave of missiles into Libya and that sort of NATO campaign.

And then, and then the occupation of Bahrain, if you wanna call it that, by the Saudi. So a lot going on and you have to see, I sort of got a front-row view of it, if you will. 

Justin Beals: Yeah. And very pragmatic, you know, kind of experience. I think that front line view of so many critical situations had to have a big effect on how you thought about your career post the military and the types of things that you wanted to do.

Terence Bennett: You know, at that point in my career, I wasn't really thinking post-Navy, the initial commitment after the Academy is five years. So, I was at sort of the year mark, if you will. I was still kind of a very junior officer, but it became very clear to me that I wanted to spend more time sort of at the, at sort of the strategic level as an intelligence officer.

So that was around the time I made up my mind to make the switch over to intelligence. The Navy sort of a numbers game when it comes to manning. And so I, I really lucked out because making that, that transfer, what they call lateral transfer from one community, you know, that can be difficult. And the numbers just kind of worked out for me, but I at the two-year mark, I put in my lateral transfer package to Intel, and I got picked up.

And that was, that decision was in large part because of what I saw at the Arab Spring, you know, we were really caught off guard. I remember those, those briefs coming out of the COCOM sort of AOR, the like strategic level sort of briefings were kind of underplaying it all at the time. And, you know, needless to say, the last decade-plus has been a tumultuous period, and a lot of it feels like it kind of kicked off with the Arab Spring from a geopolitical standpoint, right? 

You know, you can, it's not always useful to look back history in order to predict the future sometimes you need sort of take a more holistic view bigger picture view of it Also, yeah, it was a fascinating time and it was a period for me to do a lot of Kind of real reflection on the state of the world, the state of politics and, and, and take, take into account the fact that the world is changing in a pretty significant way.

Justin Beals: Yeah, I, I think there's two emotional responses to situations like that. One is it's like when you feel swept by, the current. Almost. You're like, I want to figure out how the current works, you know, what is, I don't like being feeling out of control as this geopolitical environment is changing.

And I'm not aware, you know, the fundamental reasons. And then secondarily, It feels like there's a service emotion, like you and your team could have felt more confident or been more impactful had you had the right intel on what was happening around you. 

Terence Bennett: Oh, 100%. Yeah, I remember I'd get into arguments with our intel specialist who was on the boat at the time.

So I'm just a SWO. I'm a very junior SWO at that, a recent graduate. I kind of, uh, I think It's only natural as a young, recent grad to kind of be a little bit cocky, a little bit, you know, overly confident in yourself. But I remember sitting in that office, arguing with him, and I think I said something along the lines of, you know, You will look back and remember the day that Libya fell, that Egypt fell, that Bahrain fell. Like these are not, these are not sort of small dominoes. These are significant events that are going to echo through history. And I'm not even sure that's definitely true, but I remember being very sort of convinced of it to your point though, about getting kind of swept by the currents.

For me, it was a sense that we were operating from the wrong playbook, right? I think frameworks are really powerful because, like the human mind, the brain. Is sort of a tool that's always looking for shortcuts and those shortcuts from a cognitive standpoint are frameworks, right? And we were operating with a series of outdated frameworks, right?

At the Naval Academy, we read guys like Fukuyama, right? The End of History, these sort of, these theories about sort of the Pax Americana sort of future that was going to not include conflict. If you call like the golden arches theory, right? That every. Every country with a McDonald's hasn't gone to war with another country with a McDonald's, right?

Like, you know, there's actually been a lot of sort of reflection on Fukuyama and those theories because they just, they were very accurate for a very sort of specific chapter in time, but they've proven to just not hold war long term. And for me, it meant really looking back at history and trying to ask the question of like, what framework should we use? How can we look at history in a way that sort of maps more accurately to what we're seeing? 

Justin Beals: I think, you know, also that those theories certainly supported what people wanted to believe about the work they were doing as well. You know, they were self-reinforcing in a way. Yeah. And so I have to imagine that especially when you joined naval intelligence, that everything was digital already. Like you, you walked into a digital space, essentially a computer science issue, 

Terence Bennett: with intelligence. 

Justin Beals: Yes. 

Terence Bennett: I wish that was the case. Yeah. There's a lot of big printers on the watch floor. Well,  yeah, you know, My first job actually at the Office of Naval Intelligence was on the IT side. Sort of, it was during sequestration. And so they, it insourced actually a bunch of roles. They sort of moved them from contractors to sailors. And, and I was, I was leading that team doing frankly, a lot of stuff that wasn't really Intel, it was more like a kind of IT, which I guess it worked out well for me, in the end, but. It was, it was interesting, right?

The fact is IT and tech and the technology really is going to always flux to the needs of the end-user or the decision maker or the person who writes the checks. 

Justin Beals: Yeah.

Terence Bennett: And in this case, the admirals and the captains and people in charge, they wanted paper briefs. It was only at the very end of my tour that we even started to have serious conversations around putting a lot of these briefs on in a sort of digitally native format.

I'm sure that's changed since then. But then I'm sure this is a lot of a lot of practices that are that are still sort of paper. And that's just because, like, you know, if you think of it from the kind of a media-rich environment or media theory, sort of point of view, like, these are people who are just trying to consume as much information as possible.

You don't want to sort of try and force them into a new set of formats, a new set of protocols and how they're going to consume that information. And so that's changing over time as, as leaders change naturally and there's turnover 

Justin Beals: That resonates a little bit with some other conversations that I've had with colleagues and friends that may operate in a secure environment situation, like a skiff, whether they're still pulling paper, you know, information for analysis, it's just the most secure way.

Terence Bennett: Yeah. And ONI is just a giant skiff, right? So that's exactly the case. And yeah, exactly. You're talking about cross-domain. Like sometimes, it's actually, it's more time consuming. To try and transfer files across air gap networks. And it's just a printed and put it in a, in a folder and walk it across the hall. You know what I mean? 

So you're absolutely right. I mean, some of that stuff's been solved, and obviously, this information is a bit dated, right? It's been about a decade since I've worked there, but yeah, it definitely was surprising at times to see how things got done. I mean, quick anecdote, like as a, as an ensign on a ship, I was still routing message traffic through the chain of command on a floppy disk.

Justin Beals: Wow. Yeah, 

Terence Bennett: that was in 2011. 

Justin Beals: What size floppy disk? 

Terence Bennett: 3 ½.  If you had the five and a quarter, I'd be really concerned because I make those jokes to my team now. And I sound like Grandpa.

Justin Beals: Speaking of your team now, did you, you know, you're the CEO of DreamFactory. Tell us a little bit about what DreamFactory does. 

Terence Bennett: Yeah, it's, it's, it's been a really fun and, uh, interesting job. DreamFactory is, uh, an API automation platform. We call it sort of API generation, and it's a really unique tool.

There's kind of one or two similar tools out there, but what we're doing is we're. We're connecting directly to an organization's local databases. So this is an on-prem tool.  I mean, it could be in the cloud, right? But they're sort of infrastructure, right? And we're actually mapping that data schema from the database layer.

And we're projecting those objects, those tables, views, stored procedures forward as REST one points that you can activate, apply role based access to generate keys against, and then apply rate limiting and apply all sorts of logic. And then expose wherever you need them. So, you know, these aren't, this isn't, you're not going to build the Facebook API using DreamFactory, but what it's really powerful for is very rapidly and securely making any organization's data available via REST API for moving across, sharing across an organization, connecting to existing systems, new systems, exposing to partners, and so, you know, the only other way to really do this is with traditional API development. So. it's kind of fits in that, that sort of automation kind of next-gen space. 

Justin Beals: Yeah, you know, it stands out to me or some of the commercialization features and of course, along with that comes securitization features, you know, in developing that because it's one thing to say, Hey, I can look at a database and write a crud style API against it but it's another thing to say, we're going to rate limit it. You're going to understand who's accessing it. You know, you're going to understand what data is available. Yeah. 

Terence Bennett: Exactly. You know, you hit the nail on the head, right? And that's what a lot of organizations have done, whether directly with their own development resources or third party have done.

And often these APIs, they're not encrypted properly. There's no real authentication layer. Once again, there's no logging. There's no monitoring. Rate limiting can be very, very challenging to implement. And so this sort of just makes all that sort of point-and-click kind of an afterthought. And it's also auditable as well, right?

Because it's all sort of living in one place. 

Justin Beals: Yeah. So I'm, I'm a little curious about, I think, a technical architecture that I wanted to chat with you about, you know, I've been doing a restful style web services or even the soap stuff for a long time. We always had authentication or some method of authentication.

And we liked that because I've felt like there was always good network separation, right? between the two systems that each system had to design what they were willing to talk about. And but the other thing we've seen lately from some systems is more agent-driven deployment, where it's like their code lives inside your space.

And I think we made some decisions for security about that, but I get concerned with it, you know, and I think the CrowdStrike outage is a perfect example, but there are a lot of others. You just don't know. There's no, it's not a zero-trust architecture, right? 

Terence Bennett: Yeah. I think you hit the nail on the head, right?

People talk about zero trust architecture and then they, and then they install agents throughout their network and system is quite the opposite of zero trust. So you're, you're actually sort of inadvertently creating a bunch of back doors, which we saw with the trade with some recent sort of breaches, but then also, you know, you just, you know, it can cause all sorts of outages and issues across the board. Zero trust is hard. And, you know, I come at it from a very weird and unique perspective because I spent two years on Google's Red Team. And if there is a single organization on earth who can really build a model, you know, monolith infrastructure completely with their own tech without relying on anyone else, it's probably Google, right?

I mean, AWS isn't even anywhere close to that, right? Like so much of what they actually made available via the cloud is stuff that they built first on their own, right?. Realities was, was Borg for like a, almost a decade beforehand. Right?  So, I sort of approached it from a bit of a weird angle, but we, we still saw that kind of stuff all the time.

We saw third-party tools and services as sort of the open door for attacks. Right? And red teaming, for those who don't know,  isn't just pen testing. What it is is actual adversarial simulation. So you, you pick a potential adversary, like let's say an APT that you know exists and is operating, and you come up with what you know about them from a geopolitical standpoint, you come up with, a realistic target, and then you mimic that actor through the entire attack scheme with underlying assumptions about who they are and what they are to the point where you would actually use their toolkits in the attack to try and mimic what we know that they are sort of using and capable of, right?

So, if you're mimicking a lower sort of a less advanced actor, you might use the kind of less advanced tools and have more of a kind of smashing grab type attack versus a more sophisticated one. Right? And anyway, what I'm getting at is, you know, from an architectural standpoint, Google's a very weird place and almost no other organization looks like that.

But what I'm, what we're seeing again and again with DreamFactory is organizations are using, are looking at ways to close as many of those holes as possible and to really try and build that zero trust. And DreamFactory is one way because it can sit behind your firewall. In many cases, it's behind multiple firewalls.

And it's purely on-prem and you've control over how that data gets moved and secured. And I can be honest, it's, it's not a great business model because we can't see the customer's usage. Right? It's, it's entirely trust based. They can lie to us and tell us what they're doing, what they're not doing, how they're using it, how they're not using it.

But we made a decision early on. It's the best case of the customer and it's a key sort of value proposition for them to have that kind of control. And so it's what we've done. 

Justin Beals: I think I get that you and I probably would agree on this. I get that in your product design, you may give up some intelligence on, for example, utilization or where to optimize.

But there's a fine line between like improving your product with data and what we've seen companies do with their customer's data. And I, I hear in my conversations with potential buyers more and more. That they are buying based upon the fact that we've developed a product that's secure by design. We thought about how they use it.

We thought about how we use it when they have, but I have this security concern We can talk to them about what our tactics are around that security concern, and I think this is a growing desire from buyers. 

Terence Bennett: Oh, absolutely, without a doubt. Yeah, and you know, It's interesting because, like we've inadvertently kind of moved up market Because some of the organizations that are most concerned about that and are most deliberately looking for tools that meet those needs are the large, large enterprise.

We have a Fortune Five company as a customer who you assessed, you know, applied massive resources to assess a ton of different tools and landed on, on us because of exactly that, right? It was almost, in a way, the deliberate lack of sophistication of what we were doing. The fact that we don't have telemetry, and we're not trying to sneak data out, sneak usage out, is a huge, you know, plus for them.

And yeah, it is really interesting. You're right. It's, I think what used to be seen as sort of a bug is now a feature. 

Justin Beals: Yeah, I think they want to find that we're thinking about good security. I don't always want it in the way of executing their outcome, but certainly, one of the things we've tried to do in our product development, for example, is we, whenever we have an AI feature, we always host the models.

I never want to just be shipping data off to a third party model. I don't, I don't trust what they're doing. And I don't want my customers to have to fear about that stuff as well. Yeah, you know, you talked about red team a little bit. I think it is a common misconception that red teaming is penetration testing, but added certainly at like a nation-state, like the naval intelligence, there's a different concept.

You know, red teaming is something that goes deep in warfare games, right? And being able to test that out. But even at a, you know, we've talked to folks that are like the corporate landscape is the front line on cyber defense right now. And I'm a little curious about how Google invested in red teaming or how you felt the support was for probably the second largest employer other than the U.S. military where you, where you worked with them. Yeah. 

Terence Bennett: Yeah. I mean, Google security is, is, is, is top notch. And there's actually been a lot more talked about it recently. Since I left, there's actually like a mini-documentary. Put out about the red team as an organization. But a lot of it dates back to 2009 when there was a massive breach affected, actually, I think, like 10 different large corporations by a Chinese actor.

And it was essentially one large campaign that individually attacked a bunch of large companies. And it was so broad and so comprehensive as, and with such totality, I don't think Google fully even knows what got taken. What it caused was a complete and total rethink of security at Google. You know, I think 2009, this is we're going back a few years, and this is sort of what a lot of people consider the early days of Google and Sergey Brin sort of famously kind of in the weeds, co-founder actually like took a desk in the security sort of office, right?

I had a friend who sat next to him for a while. And said he would leave his vibrant five fingers in the top drawer, and they'd get real stinky and otherwise, he was a good, a good office mate. That's great. It was like, you know,  all hands on deck, buckle down, let's let's figure out how we're going to do.

And they really completely rethought security from the ground up using first principles. And out of that came a bunch of, um, key things, a lot of the larger organizations that exist today, and it created the predecessor of the red team, which was actually called the orange team. And orange was just kind of used as like almost like a tongue-in-cheek name because it wasn't like a full-time red team. It was, it was an opportunity for engineers to take a week or two off and just, um, explore some security vulnerability that they had been kind of bugging them. It'd been in the back of their head for a while, right?  and Google's famous for doing this kind of letting people kind of explore 20 per cent projects and stuff like that.

When I was in the cloud organization, I sat next to an engineer who had this theory about how there, there, there were a series of dependencies that if. Exploited properly, could like take down all of more or less all of Google, right? Like foundational layers, sort of databases. Right. And he got permission to spend like six months, like reverse engineering and re architecting it to, to, to defeat that.

So the orange teams lasted a whole decade, more or less, before the red teams got kicked off. But there's this real sense that yeah, we can, we can build and assess and analyze, but we also have to sort of actively look for those vulnerabilities, right? 

Justin Beals: Yeah, and the fact that it's about exploiting a hack and not just testing a network interface is that deep difference between certainly penetration testing is a part of it, but it's a lot different than how a red team might try and gain access through a variety of measures.

Terence Bennett: I totally missed it as well. There's also the blue team aspect, right? The red, a good red team, is the best sparring partner for a detection response or what we call blue team, right? So we had a whole protocol for alerting the blue team of a, that we were the breach that they were investigating, right?

So what would happen is there are a few PGMs who were all sort of in cahoots. And, if they had an active breach that they were investigating, they'd come to us before they alerted, like senior, senior management. They wanted to make sure it wasn't; it was actually what they thought it was. But there's, there's a period of like 24, uh, 12 to 24 hours where there's a serious pucker factor where blue team engineers thought they'd actually had a real, you know, real, real intrusion, and then they were actually, you know, playing cat and mouse with, with the real thing. Now it created sort of a funny dynamic because, at the time, these teams are in different buildings now, but we were on the second floor, and the blue team was on the fourth floor. We would see them in the elevator and stuff, right?. 

And there were a few of us who'd sort of gone back and forth between the teams. And occasionally I would meet up with the PGMs for the blue team in like one of the MKs, one of the little, little sort of snack areas. And we would just be shooting the shit having coffee and like the blue teamers would look over, and their teamers would look over and try to figure out like, but based on like, you know, what was said in mannerisms of, of like, if, if we were discussing work or just like shooting the breeze.

Yes. Very, very cool. Sort of obviously a team and a lot of fun around that. 

Justin Beals: It reminds me of those old Looney Tunes cartoons with the rooster and the watchdog clocking in and out as they go to work. No, one thing that  is really interesting. I'm curious if you have some thoughts about it; we were talking with another guest about some of the web, the stores, they're not really stores, but they're essentially a place to download plugins for the browser and, like the Chrome browser, is one of them and I know Google, you know, it's been a struggle right in this kind of shared spaces with the public and what code they can develop, and Google has been trying really hard to push frameworks that are more secure, but there's, you know, a lot of resistance to change. It's got to be attention inside the building on some level. 

Terence Bennett: Yeah, that the organization that that's doing those code reviews is actually sort of adjacent to the red team literally when I sat there, but also figuratively speaking, because there's a lot of crossover, frankly, between them. There's a lot of automated code review but there's a lot of, you know, kind of rolling up your sleeves and having to like, you know, really poke around and figure out what's going on here. Why is this. You know, why is all this here is this clean or not? Right. It's a good way of putting it. Yeah, it's a huge struggle and there's been some very, I don't know if they're high profile or, or not.

I mean, I guess in the security world, they're probably pretty high-profile examples of malware found in Chrome extensions, and you know, the way that Chrome it's, it's this constant battle between security and convenience, right? Like it's really nice to log into a new computer and have all your bookmarks and all your Chrome extensions preloaded.

But like, if you're, if you've been breached. And, you think that they just had local access, and you go to a new computer and you load up Chrome, and you log in, chances are, they probably put a rat in your browser, and you just infected your new computer. You know what I mean? Like you're like. There's some of the most effective ways to move laterally and to hold onto your footing right during a breach.

So, I mean, yeah, it is, it is sort of the most classic of, of battles that sort of balance between trying to make the user's experience good, because the fact is like people are notorious for doing whatever is easiest and, and obviously just trying to keep them secure. I mean, one other anecdote about this, I was there when they rolled out the security key program, it's called Advanced Security Program, Advanced Protection Program, APP for like journalists and politicians and stuff. Just huge, huge rollout. The training education team within the security org put months of work into it, you know, kind of buttoned it down, had all the content they were like ready to go for the absolute deluge of, of signups and, and the support questions and everything else, and they hit go.

And it was like. You know, they had less than 5 per cent of the adoption rate they expected, you know, and it's like people just, you know, they don't appreciate what the threat is, or they just don't care. And I think. I think it's somewhere in between. I'm not really sure. 

Justin Beals: It's hard because I, I think people are more sensitive today.

I mean, sometimes I guess you need to be personally impacted or wonder what's going on with your data when someone stole it to be like, Oh, I, I want more protection, but maybe to our point, you know, as we talk to buyers that are buying products that are secure by design,I think some lessons have been learned, you know, in a way.

I mean, at least, my thing with the Chrome extensions was is one of the things I get is that DIY type thing. Like if you don't like something about how your browser is doing, you can write some code and change it. To me, that's quite interesting, right? Like I like that availability. At the same time, it opens up this huge avenue for like, you have no idea what's running, you know, as an engineer, we see this with software dependencies.

I don't think we think about it even in our own personal, you know, web browsing in a way. Yeah.. 

Terence Bennett: It's, it's challenging, right? Cause you want to make it, you know, the DIY sort of capabilities available. But the problem is like that, at the end of the day, accounts for maybe like one or 2 per cent of users.

Most of the users are looking for a quick hack of how to do X, Y, or Z. And they stumble across a Chrome extension and without even reading anything about it, they just start installing them and seeing which one works first, never even going back and uninstalling stuff. And I'm actually guilty of that, right?

Like, I went through this period where my inbox was a complete disaster. And I, it was like, I couldn't write how many times I tried. I couldn't unsubscribe from emails. And so I used a bunch of these sort of like out of the box unsubscribed services. And I'm giving it like carplotch access to my Gmail.

And I'm like, I just don't care. Like the, the pain threshold is so high. I just need something to help me fix it. And I think for a lot of people, that's like a normal state, right? That they're just. They're just trying to get through the day, and like, we're also, I think, inundated with this idea that, like our data isn't secure anywhere ever.

And so, you know, the alarmism that's existed around cyber security, although well placed. Has created this sort of numbness, you know, 

Justin Beals: I think it's, it's so fluid this information and we see it pop up around us in advertising and all over the place that it is hard to imagine that you've got a secure situation.

I had another question for you. I don't think this one is fraught. You know, you spent a fair bit of time in naval intelligence dealing with geopolitical situations and certainly obviously some experience right next to changing environments. Change marches on; things are always changing. And of course, we have a new administration, although, we've had Trump as president prior.

And I'm just a little curious, you know, as you look forward to cyber warfare, what do you think is kind of emerging? Is there things that the current U. S. administration might have an impact on? The one that has just come into office, then also geopolitically, maybe broader on a global scale. What, what are you? You know, most concerned about or what do you think the front lines are being drawn? 

Terence Bennett: Yeah, it's, it's interesting. I mean, as much as the election of Trump is significant geopolitically, the trends sort of, you know, before November, whatever election day was 7th or something and after, like, don't really change that much.

Right? You've got. A very assertive, a very aggressive Russia that's sort of acting like a sort of a pit bull in a corner. I won't get into like the geopolitics of it all, but like, this is in many ways sort of their, the last opportunity of the sort of the Russian empire, the Russian state to try and sort of preserve itself in any sense of status quo for a number of big reasons, largely, population and demographic, and economic.

And then, of course, you've got China in the East, which is an old saying when someone tells you what they think and what they intend to do, you should probably just trust them. Xi Jinping has made it very clear that he plans to take Taiwan one way or another. And, and I personally think he's, he's telling the truth.

And so the question is, you know, where does the U S actually stand on that? President Biden said multiple times, we'll defend Taiwan. I think it will be interesting to see how the Trump administration plays it out. It used to be you had general consistency from a national security standpoint and geopolitically across administrations.

That's not, that's not the case with Trump. There's really good and bad there though. What we saw with his first term was that he was such a wild card that it actually let everyone just sort of stop and just like wait and watch and see what happened where, you know, sometimes wars happen because folks are overconfident in what they think, or, you know, adversaries or nation-state leaders are overconfident in what they think is going to happen because they think they've sort of seen this play before.

Kind of like what I was talking about, the Arab spring, there's an overconfidence in the people and the players and the factors at play. And, you know, in the case of Russia, I think it actually meant that they overplayed their hand with the invasion of Ukraine, sort of a good example, but there's a lot of examples of this in history.

I think no one thinks they know what Trump's going to do. That's like the one consistency, right? And you might end up seeing that it sort of weirdly stabilizes things because everyone sort of hits pause and waits and watches. So that's kind of a non-answer, but China, Russia, I think ageneral sort of, um, collapsing of, of sort of the, the neoliberal sort of post cold war kind of what, uh, even Bremer calls like G zero, right?

Or you've got just a lot of sort of turmoil. I'm a believer in the fact that we're probably in like, uh, some sort of late-stage capitalists, kind of economic environment and so, you know, you've got sort of a lot of tension economically, societal and economically in the United States, obviously, just resigned in large part over a lot of economic issues, iInflation home prices. Same France and Germany, right? So it's there's a lot of instability. And it's, it's anyone's guess on how things play out. 

Justin Beals: I have been intrigued with the Russia-Ukraine conflict just absolutely continue to be very interested in how it progresses. And I'm surprised that the changing face of warfare and that conflict with drones and intelligence, you know, battlefield intelligence, really allowing Ukraine to step up against a much mightier military power.

Terence Bennett: Have you ever read about the Russo-Japanese War, 1898?

Justin Beals: Only briefly, but I am aware that it took place. Yeah. 

Terence Bennett: Yeah. Sorry. That's sort of a, that's an unfair question. 

Justin Beals: Not at all. That's a very fair question, Terence.

Terence Bennett: We're not familiar with that conflict. I studied it at the war college. I do, you know, to your credit, like I, I'd never read about it at all.

You know, coming out of the U S civil War, there was a lot of technological advance that hadn't really been applied in conflict until the Russo-Japanese war. There was sort of two pieces of that conflict. There was, There was the conflict on the actual Korean peninsula, uh, and there was the, the sea conflict as well that in many ways, I think maps to maybe what we're seeing Ukraine, where it's sort of the first conflict of a modern age, where you've got the use of modern weapons and the development of modern techniques.

And sort of, I apologize to the listener if it sounds kind of crass and, and sort of analytical and calculating to talk about because there's a lot of sort of, there's a lot of carnage and bloodshed and misery. In warfare, but as sort of put my analyst hat on and take a step back, you're seeing the broad deployment of electronic warfare weapons, obviously drones, all sorts of new technology in the battle space that we've never seen.

And you're seeing the rapid and iterative,adaptation of tactics around that. And I think the roots of Japanese war is a really interesting way to compare the two. There's obviously no. Well, actually, there was a naval component to Ukraine. What am I saying? The naval component to the Russo-Japanese War, though, is fascinating.

You had a significantly larger fleet, the Russian fleet, that converged on, on Japan. It was both the Pacific fleet and the European fleet, the European fleet, um, sailed all the way from the black sea all the way around, and they were met by a much smaller but more agile and better trained. Russian, Japanese Navy and in a single evening, the, the Russian or the Japanese Navy sank the more or less the entire Russian fleet.

And it turned out that the Russian fleet was, had been ill maintained, underfunded. A lot of vessels had the wrong caliber ammunition for their, for the weapons. And so when it came to actually fight, they were in complete disarray. The Japanese had bought a bunch of recent, very fast, very modern frigates from the British, were incredibly well trained, apply that sort of like classic Japanese efficiency and sort of precision. And yeah, in an evening, just, just sink the entire fleet and overnight,  the balance of power in the Pacific shifted. And that was, you know, that was the precursor for the invasion of mainland China and the ultimate sort of expansion of the Russian empire leading to World War II.

I'm not sort of trying to foreshadow some larger conflict, but what I'm saying here is There's a lot of passing parallels. Absolutely. 

Justin Beals: Yeah. I definitely think you see a group working with a lot of precision well trained. That is, it's just interesting that Russia is once again involved. I think that's the greatest parallel

Terence Bennett: Definitely. Definitely a factor. 

Justin Beals: Terrence, this has been just an absolutely fascinating conversation. Congratulations on all the great work at DreamFactory and we really appreciate you bringing your expertise today to SecureTalk. I know I've learned a lot about naval intelligence and had a great time talking about some of the cyber security things that we did today.

Terence Bennett: Yeah, thanks, Justin. It's been a pleasure. Happy to come back. If you ever want to go deep on another sort of global conflict from 100 years ago, careful. 

Justin Beals: I'm always curious. Yeah. Although next time you'll have to give me a book to read. I'll come well prepared. 

Terence Bennett: I think it's called The Tide at Sunrise, but there is a very good book on the topic off to find.

Justin Beals: We'll put it in the show notes for the listeners as well. Thanks so much. Terrence. Absolutely. Thanks. Bye.

-------

Note:

Book: Warner, Peggy: "The Tide at Sunrise: A History of the Russo-Japanese War 1904-05"  Routledge, 2004.