
How Extreme Weather Disrupts Digital Defenses

When the forecast calls for hurricanes, floods, wildfires or heat waves, most organizations are focused on physical risk. But what happens when cyber risk rides shotgun with those storms?

In today’s episode, we’ll explore how extreme weather events don’t just disrupt operations—they create windows of opportunity for cyberattacks. Attackers are increasingly timing ransomware, DDoS attacks, and other campaigns to coincide with disasters, when resources and attention are focused elsewhere.

Joining us to help make sense of this new world we live in is Sunny Wescott, Chief Meteorologist and Federal Emergency Response Official.


Extreme weather is now a cyber risk multiplier. Hurricanes, wildfires, floods, and heat waves don’t just disrupt facilities; they create “windows of opportunity” for attackers to launch ransomware, DDoS, and fraud while teams are stretched thin.

  1. The “chaos window” is real and exploited. During large-scale disasters, responders and resources are spread thin; impostors and fraudsters use that overlap to loot, phish, and plant malicious QR codes—sometimes even using false emergency vehicles to access evacuated zones.
  2. Attack timing is predictable. Heat waves can be forecasted approximately two weeks in advance, and tropical cyclones approximately one week in advance. The public nature of forecasts and outage reporting gives adversaries a planning edge. A Johns Hopkins “double‑trouble” study cited by Sunny found that cyberattacks launched after a weather event can triple the impact versus standalone attacks.
  3. Physical outages drive cyber exposure. Power loss halts patching, monitoring, and data capture, creating compliance gaps and easier targets. Meanwhile, staff distracted by personal disaster recovery are more likely to click lures.
  4. Heat is an immediate data center threat. Evaporative cooling fails in high humidity; Sunny points to Oracle’s UK heat wave outage (2022) as a small window with global impact—an indicator of what repeated 103–112°F heat indices can mean for operations.
  5. Design exercises to fail, not to “win.” Sunny urges cyber teams to test least‑ideal conditions: Assume the generator jams, the person on‑site can’t start it, leadership is on vacation, and a key engineer’s family is evacuating. The goal is continuity, even “when everything around you is going down.”
  6. Map dependencies with “parent‑child homing.” Know exactly who/what fails with what—substations, telecom towers, IV bag plants, etc.—so you can prioritize communications and mitigation before the next event.
  7. Borrow lessons internationally. Treat global data center failures and infrastructure hits (China, India, Ireland) as rehearsal footage for your own environment; ask, “What took them down, how long, and what would we do differently?”
  8. Build a “database of damage.” Weather metrics mean little without engineering limits. Capture what thresholds break your sites—storm drains, HVAC, materials—so forecasts can be translated into expected damage and action.
  9. Communications must work when power/data don’t. Real incidents show entire regions unable to coordinate because every tool assumed power and internet. Teams need resilient, out‑of‑band channels that survive outages and document decisions.
  10. Plan for a hotter, more uneven future. Uneven surface heating is pushing the tropopause higher, intensifying storms (more lightning, heavier hail). Not all regions remain viable for standard builds; future facilities (including data centers) should fit local hazards—think beyond “sheet cake” rectangles.

Treat forecasted extremes as the left‑of‑boom signal for cyber readiness. Pre‑stage fail‑safe power, map dependencies, adopt off‑network comms, and run tabletops that break—so the real event doesn’t.
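Takeaways 6 and 8 can be combined into one planning check: translate a forecast into the assets whose engineering limits it exceeds, then walk the parent-child map to see what else goes down. The sketch below is an added example, not something presented in the episode; every asset name, limit and dependency in it is constructed for illustration.

```python
"""Forecast -> expected damage -> cascade, on constructed sample data."""

# "Database of damage": the most each asset can take before it fails.
# Asset names and limits are constructed; replace with surveyed values.
DAMAGE_LIMITS = {
    "substation_7": {"rain_in": 2.0},       # local storm drain capacity
    "hvac_dc1": {"heat_index_f": 108.0},    # cooling stops keeping up
    "telecom_tower_3": {"wind_mph": 90.0},
}

# Parent-child homing. Each child lists dependency groups; a group is a set of
# interchangeable parents. The child goes down when ANY group has no parent left.
HOMING = {
    "telecom_tower_3": [{"substation_7"}],                      # single-homed
    "dc1": [{"substation_7", "generator_dc1"}, {"hvac_dc1"}],   # power AND cooling
    "patch_server": [{"dc1"}],
    "soc_monitoring": [{"dc1"}, {"telecom_tower_3", "satcom_link"}],
}


def breached(forecast, limits=DAMAGE_LIMITS):
    """Return {asset: [(metric, forecast_value, limit), ...]} for exceeded limits."""
    hits = {}
    for asset, thresholds in limits.items():
        for metric, limit in thresholds.items():
            value = forecast.get(metric)
            if value is not None and value > limit:
                hits.setdefault(asset, []).append((metric, value, limit))
    return hits


def cascade(initial_down, homing=HOMING):
    """Propagate failures until nothing changes; return {asset: cause}."""
    down = {asset: "initial" for asset in initial_down}
    changed = True
    while changed:
        changed = False
        for child, groups in homing.items():
            if child in down:
                continue
            for group in groups:
                if all(parent in down for parent in group):
                    down[child] = "lost " + "+".join(sorted(group))
                    changed = True
                    break
    return down


def run_scenario(forecast, assumed_failures=()):
    """Combine forecast-driven breaches with tabletop 'what if' failures."""
    hits = breached(forecast)
    down = cascade(set(hits) | set(assumed_failures))
    return hits, down


if __name__ == "__main__":
    rain = {"rain_in": 4.0, "heat_index_f": 95.0}
    for label, extra in (("generator works", ()),
                         ("generator jams", ("generator_dc1",))):
        hits, down = run_scenario(rain, extra)
        print(label)
        for asset, cause in sorted(down.items()):
            print(f"  {asset}: {cause}")
```

Running the same forecast with and without the generator in `assumed_failures` is the "design the exercise to fail" step: it shows which single assumption keeps patching and monitoring alive.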

Navroop Mitter:

[00.00.03.15–00.00.30.12]

Hello, this is Navroop Mitter, founder of ArmorText. I’m delighted to welcome you to this episode of The Lock & Key Lounge, where we bring you the smartest minds from legal, government, tech, and critical infrastructure to talk about groundbreaking ideas that you can apply now to strengthen your cybersecurity program and collectively keep us all safer. You can find all of our podcasts on our site, ArmorText.com, and listen to them on your favorite streaming channels. Be sure to give us feedback.

Matt Calligan:

[00.00.32.14–00.00.57.16]

Welcome to The Lock & Key Lounge, the only podcast dedicated to new ideas and perspectives you can use today to build a more resilient cybersecurity program. I am Matt Calligan, your host for today, and we’re going to be talking today about a risk most cybersecurity teams rarely think about, even if you’re a utility. And that is how extreme weather is becoming a cyber risk multiplier.

Matt:

[00.00.57.18–00.01.27.01]

So, like when hurricanes or wildfires, major storms—they knock out power. They flood data centers. They force evacuations. Cyberattacks can actually easily be timed to hit during these disasters when resources are stretched thin to make that attack more disruptive. And this isn’t just a theory. It’s actually a growing reality that impacts everything, every industry, from healthcare to data centers, financial systems, even our electric grid.

Matt:

[00.01.27.02–00.01.41.02]

So, joining us to help make sense of this new world that we’re living in is Sunny Wescott. She’s Chief Meteorologist and Federal Emergency Response Official at DHS. Sunny, welcome to the show.

Sunny Wescott:

[00.01.41.02–00.01.43.06]

Hi! Thanks. I’m happy to be here.

Matt:

[00.01.43.08–00.02.13.02]

Yeah. Yeah, absolutely. It’s always good chatting. For those listening, Sunny Wescott is a Federal Emergency Response Official, and as I said, Chief Meteorologist at the Department of Homeland Security. Sunny runs the National Extreme Weather Hazard Forecasting for public and private sector stakeholders, with a focus on how climate-driven disasters actually intersect with infrastructure resilience, with supply chains, even cybersecurity risk.

Matt:

[00.02.13.04–00.02.43.16]

Sunny was a former lead meteorologist in the US Air Force and has supported military operations, DHS crisis response and disaster recovery for nearly all critical infrastructure sectors. Her expertise spans climatology, emergency management, and homeland security, and today, she helps critical infrastructure operators prepare for the growing convergence of cyber and physical threats by flying all over the country and giving speeches when she’s not doing new analysis.

Matt:

[00.02.43.18–00.03.07.14]

Sunny, we’ll go ahead and dive right in here. Just a quick topic overview again for the listeners. When the forecast is calling for things like hurricanes, flood, wildfires, even heat waves, most organizations are focused on the physical risks associated with it. And the question we have today is, what happens when cyber risk actually kind of rides shotgun with these events?

Matt:

[00.03.07.16–00.03.31.23]

So, in today’s episode, we’re going to explore how extreme weather events don’t just disrupt operations. They create windows of opportunities for cyberattacks. Attackers are increasingly timing ransomware, DDoS attacks, and other campaigns to coincide with these disasters, specifically because resources and attentions are focused elsewhere. So, tell—Sunny, you ready to dive in here?

Sunny:

[00.03.32.03–00.03.53.12]

Yeah, absolutely. And, just as a real quick disclaimer, I am speaking as Sunny the scientist subject matter expert in this realm, not as a prescriptive on the side of DHS or on the side of the Cybersecurity and Infrastructure Security Agency (CISA). So, these are going to be statements from a subject matter expert background and my militaristic training.

Matt:

[00.03.53.14–00.04.15.14]

Absolutely, absolutely. Let’s start high level, then kind of connect the dots. We always like to start with sort of with the listener in mind—what’s in it for me, right? So, what is the link between extreme weather and cybersecurity? Why should the forecast matter to CISOs and CTOs?

Sunny:

[00.04.15.16–00.04.46.01]

Yeah. So, we actually have a really intricate discussion on this across all sorts of aspects of operations. So, it’s everything from the physical infrastructure site in and of itself. So, if you’re operating a building or you’re reliant on an end office for telecommunication connectivity, a substation for energy connectivity, or any of these actual housing areas for your servers, your ability for your staff to show up on site—any of these physical sites—all of those aspects of the physicality come with threats from storms.

Sunny:

[00.04.46.01–00.05.04.08]

That’s to include flash flooding, lightning strikes, tornadic activity. Hail, in and of itself, is incredibly damaging. The heat waves, which cause cooling issues. But heat can also degrade the material that you sit on—your site’s foundations, the sidewalks around you, the handles going in and out of your building, the cars that you need to operate to go to and from work.

Sunny:

[00.05.04.10–00.05.28.21]

All of these aspects of the physical—the cabling themselves, the power cables, which sag in extreme heat or can spark—all of these can cause outages, site degradation, evacuations. All of this disrupts in that aspect. On the cyber side of the house, when you lose power, you lose patch capability. You lose the ability for real-time monitoring. Sometimes, you lose data saving, depending on how long that outage goes for.

Sunny:

[00.05.28.21–00.05.52.02]

So, there’s an immediate interdependency loss. When you go down through one of these weather events and you see hospitals go down, power plants go down, the telecommunications side of the house takes a hit—and we’re hustling to move search and rescue teams. We’re trying to save the people, get the people back up and running first, and then we move into how do we get back to normalcy in the new normal for this area.

Sunny:

[00.05.52.07–00.06.05.10]

So, you have supply chain delays. That’s everything from new equipment coming in to rations to clothing to linens, which are a surprising thing that pops up at the back end of a disaster. So, it’s everything.

Matt:

[00.06.05.13–00.06.24.05]

Yeah. How—you talked about—yeah, I think it was one of your—the speeches that you gave recently about these weather events creating chaos windows, right, for attackers. Can you walk through some real incidents, like kind of how those kind of scenarios might play out?

Sunny:

[00.06.24.07–00.06.53.00]

100%. So, taking the California wildfires is a really good example. A couple of years ago, there was a notion that came to my desk that people were buying surplus military vehicles—surplus emergency response vehicles—in order to assist with emergency response, like wildfires, evacuations. All of this, which was an immediate concern. Oh no. What if a bad actor sees this and realizes there’s an immediate vehicle into an area that’s now been evacuated, and that ended up playing out.

Sunny:

[00.06.53.00–00.07.14.11]

After advocating as a concern specifically across California, I advocated that we need to be watching the fire trucks. How do you credential somebody during a disaster? So we had a false fire truck show up, which was individually purchased and was able to gain access to evacuated areas to do looting. That was an immediate concern ‘cause now you have to worry people are going to show up on sites.

Sunny:

[00.07.14.11–00.07.32.01]

What if they gain access to your systems because you’re not there? You have the fraud side of the house. People are now using AI in order to draft better fraud schemes, to be able to—

Matt:

—Oh yeah.

Sunny:

—create fake QR codes, put those out physically in places. Hey, if you need resources, scan this. That’s a major concern as we go forward.

Sunny:

[00.07.32.07–00.07.52.05]

And then, of course, we have the added chaos window, which is just the overlap of should anything else happen to compound with this weather event at the surface, that we’re going to run into an issue of our emergency responders are spread thin, our resources are spread thin, and just the general wear and tear of operating at this greater tempo going forward.

Matt:

[00.07.52.07–00.08.26.07]

Yeah, yeah. With the cyber attackers they—they’ve—we’ve already—I know—we all know they coordinate around holidays, long weekends, when folks are out, and shifts are light, and stuff like that. It seems like weather events, especially as to the points you make in a lot of your presentations—the extreme edges of them happen more frequently and in wider areas for longer periods of time. Is weather really just that next logical step? How easy is it?

Matt:

[00.08.26.07–00.08.36.04]

I remember you saying there’s—it is easy to kind of predict these events and take advantage of them. How easy is that? It seems like that’s just a logical next step there.

Sunny:

[00.08.36.10–00.08.54.19]

Yeah. If you put yourself in the mind of an attacker and you say, if I wanted to do as much damage as possible, how would I go about doing that? What do I need to take into consideration? So, we often advocate that you play both sides of the aisle. When we’re looking at weather events, the predictability of a heat wave can go out about two weeks.

Sunny:

[00.08.54.21–00.09.15.20]

You can predict a tropical cyclone about a week out from where it’s going to be impacting, just in the generalities, and then refine it down. But it allows time—one, for resources to get moved, but two, for emergency plans to be advocated. Those show up on the news. Evacuation stays in the news. Power outages are immediately televised as they occur.

Sunny:

[00.09.15.20–00.09.44.17]

You’re able to track it in real time. We made—

Matt:

—Yeah.

Sunny:

—so much effort to make this information publicly available that we actually accidentally created a risk margin—and a new paper that came out from Johns Hopkins’ side of the house on the engineering team. I love that they did this. I’m also upset that they did this, ‘cause one of the statements in this sort of double trouble paper says that you, if you do an attack—a cyberattack—in the wake of a weather event, that you can increase the impact three times more than if you had done it as a standalone.

Sunny:

[00.09.44.17–00.10.13.02]

So, if I read that, I would immediately say, oh, I’ve been doing it wrong. I should be buddying it up in order to cause greater impact—to get my name out there, to get the name of whatever it is that I’m doing, or the initiative, out there. So, the problem is that you’re able to see these better forecasts. As we get better with forecasting from various technological advancements, as well as just better forecasting overall—better lessons learned—we’re going to see that they’re able to take advantage of these situations.

Sunny:

[00.10.13.02–00.10.17.19]

Their goal is to be disruptive. And this is an amplifier to that.

Matt:

[00.10.17.21–00.10.46.02]

Yeah. Yeah, I mean, if just anecdotally, I—obviously all of our clients, because we’re an out-of-band collaboration tool for IR, all of our clients are in this space all the time, and some have shared screenshots of their intrusion detection systems when there’s a weather event happening. And they spike. You can literally see these suspicious IPs pinging at a much higher volume right around the same window.

Matt:

[00.10.46.04–00.11.11.05]

So it’s just—to your point it… They’re just going to get better and more refined at doing this as more information is more available. Let’s talk about the physical-digital interdependence here. One of—a storm takes out or damages facilities, and I know you’re more on the physical side, but you—explain what you’ve seen to what happens on the cyber side.

Matt:

[00.11.11.05–00.11.20.13]

How does this amplify the risk for a—whatever might be out there—your data center or your critical infrastructure or your financial systems—things like that?

Sunny:

[00.11.20.15–00.11.36.12]

Yeah. So, a lot of people—there’s a two-fold here—a lot of people understand one side—“Oh, the site’s gone down because of a power outage or damage to the site or evacuation.” And so, there’s update delays. So, your software is not going to get the patches when it needs the patches, ‘cause it doesn’t have power and it’s not connected to the internet.

Sunny:

[00.11.36.14–00.12.02.17]

You’re going to see—

Matt:

—Right.

Sunny:

—that your vulnerability goes up because of that. And they’ll know it because, again, it’s televised. Your compliance gaps are going to be in there. So, your system, when turned on, is going to immediately try to be doing all of this background work to get caught up. And you’re going to see that these unpatched systems are just going to be easier targets at the same time that you’re risking your personnel being that weak link, where they click on something about “Hey, your home has been damaged. Reach out to FEMA. Here’s the link.”

Sunny:

[00.12.02.17–00.12.21.15]

And they’re not even going to know. So, you’ve run into a recovery issue where you’re doing all of this catch-up, you’re doing all these updates. You’re trying to keep your personnel on file at the same time that you’re looking at what does this mean going forward? So, let’s say we have a heat wave, which is often underappreciated for how much damage it can do.

Sunny:

[00.12.21.17–00.12.37.06]

So, when you have these heat waves, as we’re going through now with these high humidity levels, you lose evaporative cooling. So, which data centers rely on evaporative cooling? Step one. How much do you rely on that data center? Step two. Step three—what does it look like in a couple of years if we continue to see this trend?

Sunny:

[00.12.37.06–00.12.56.21]

But what does it look like the rest of this year? We saw what happened with Oracle in 2022, in the UK during a heat wave, where they went down for just a couple of hours and there was global impact. 

Matt:

Yeah.

Sunny:

So when we’re talking about Virginia’s heat waves, next week we’re going to be seeing temperatures at 103, with heat indices up at 110, 112 for multiple days.

Sunny:

[00.12.56.21–00.13.18.21]

And that puts us in that threat margin immediately. And we thought we had way more time to plan for this than what we do, ‘cause these changes are coming fast. They’re coming hard. India’s feel like just a couple of weeks ago, in New Delhi, got up to 126. What does it mean to operate? You showing up to work, you getting in your car, you being on site—your HVAC system goes down, you’re not going to operate there.

Sunny:

[00.13.18.21–00.13.40.21]

So, you have this problem of your actual servers are now at risk, at the same time that just operating on the back end of a disaster—going through a disaster—the increase of the cyberattacks, and then crypto mining as a whole with the data centers. So, when we’re talking the—

Matt:

—Yeah.

Sunny:

—totality of cyber, we’re looking at cryptocurrency mining as a water concern going forward.

Sunny:

[00.13.40.21–00.14.01.06]

So, in these droughts, with these high heat events, with the direct sunlight during the in-betweens of these major storms, what does it look like to be able to continue doing any level of crypto mining when it’s getting banned in certain countries due to the water consumption and the energy consumption? At the same time, AI needs that same water, that same energy, at the same time.

Sunny:

[00.14.01.06–00.14.14.00]

Our grid growth needs it. So, we’re fighting for sharing the same resource, which unfortunately is the one resource that the Earth is struggling to maintain normalcy with, which puts us all at risk.

Matt:

[00.14.14.02–00.14.38.05]

So, when it comes to more specifically, like cybersecurity teams and these—the infrastructure operators—they have to, based on obviously your recommendation as Sunny Wescott, not a DHS employee, about factoring in extreme weather into even threat modeling and incident response plan. So, what’s—what would be advice that you would give to somebody who’s like, how the heck do I do this?

Sunny:

[00.14.38.07–00.15.03.05]

Yeah, absolutely. So, we have an issue when it comes to these big disasters, where when we try to exercise it, people immediately try to beat the exercise. Their immediate goal is to say, “This wouldn’t disrupt me.” They’re in bye, I win. I don’t have to advocate to people that I would be injured by this event. So, what I advocate to everybody is, if you’re going to do an exercise, to do as much hands-on, obviously, as possible. That makes it way more fun.

Sunny:

[00.15.03.07–00.15.27.13]

But, when we’re looking specifically at cyber, it’s all about trying to stay up in a time when everything around you is going down. So, looking specifically at backup generators—when someone says, “Our backup generators should be able to stay online for three to five to two weeks”—there’s a lot of assumption that goes on there. Have those specific generators for that specific site when utilized in an attempt to showcase that.

Sunny:

[00.15.27.15–00.15.48.08]

And what does it look like to have somebody on site who doesn’t know how to turn on the generator? Should there be an issue, or clean it out if there’s some sort of jam, who do you call in an emergency? Should your generator fail when you need it most? There’s a lot that we fail to factor in when it comes to, how would I operate if this happened in the least ideal situation?

Sunny:

[00.15.48.08–00.16.13.14]

All of your leadership’s on vacation. Your middle management maybe had an emergency that day, and their invites gesture your general workforce. Do they know where those plans lie? Do they know what to do? Can you transfer operations smoothly if that site goes entirely down? 

Matt:

Yeah.

Sunny:

A lot of these conversations with the security team—specifically when you’re talking about this risk—you’re annotating it solely for the site.

Sunny:

[00.16.13.14–00.16.37.12]

But what does it look like if that person’s family has to evacuate, and they want to go with them and be gone for a week and a half? Can you operate with them off-site for that long? And a lot of this comes from what events have happened historically in the past, in other areas, that—if it were to happen in your area—would be damaging, disruptive, or lead to degradation of operations.

Matt:

[00.16.37.13–00.17.03.16]

Yeah, it’s an interesting idea—the concept to your point—like you hear these—the tabletop exercise card games and various ways of sort of gamifying a tabletop. But it is about the focus becomes about winning the game, right? And the idea should actually be to highlight areas that would cause failures, like sort of design these exercises to fail, right?

Matt:

[00.17.03.17–00.17.23.10]

To highlight the most extreme scenarios and how to respond to those in a suboptimal way. Yeah, that’s a—that’s an interesting idea. Where, when organizations are putting these things together, where’s the most common place you see them fail in factoring in these kinds of things?

Sunny:

[00.17.23.12–00.17.45.04]

So, when we’re doing is specifically electricity. And again, no shame to any countries on this. But, looking at what happened in Spain with the power outages that occurred there, and the immediate cascading effects of each industry, seeing what does it mean to truly go dark? Did they maintain a book of, “When we lose power, XYZ happen?”

Sunny:

[00.17.45.10–00.18.02.11]

We are missing what I lovingly refer to as a database of damage. So, if I give you a forecast—it’s going to be extremely hot—the question is always, “Is it hotter than usual? Is it going to last longer than… What does it really mean for ops?” And my response has to be, “Well, against the climatological norms, it’s this.”

Sunny:

[00.18.02.13–00.18.26.09]

But I need the engineering side, too. I need to know what your material can and can’t handle. What does this mean if your HVAC system goes down? Because those interconnected parts, from the meteorological side, through the site engineer side, through the general operators side, are all missing as an interconnect. So, if I say there’s going to be four inches of rain, you say, “That doesn’t sound like a whole lot,” but I say that the storm drain can only handle two.

Sunny:

[00.18.26.11–00.18.45.07]

So, you’re going to see flooding. Are you the lowest lying location in your area? And your response is, “I don’t know.” I wouldn’t know either. And that creates the immediate issue of, how do you plan for the information I can’t give you because we don’t have that repository still? How can we—

Matt:

—Right.

Sunny:

—make that repository? Can you share it with other industry?

Sunny:

[00.18.45.07–00.19.05.20]

To say, “We realized we were the lowest lying area. We bought into a flood mitigation system—a pop-up deployable flood barrier. We chose this one. It did this. And we win at the end of that.” Instead of it being exercise-driven, the best practices side of the house in that realm would be far more useful to reverse-engineer, to say, “What was the problem?”

Sunny:

[00.19.05.20–00.19.17.23]

What broke you? Was it lightning, hail, flood, wind, fire, heat? All of these categories, I would prefer to have so that I can refine my forecast to be damage-specific instead of just numbers.

Matt:

[00.19.18.01–00.19.45.03]

Yeah, yeah. Are there, from the standpoint of like FEMA, DHS, and the emergency management side of things from you regarding to weather, are there lessons that cybersecurity leaders should borrow? When thinking about resilience, right—not just recovery, not just winning the game, right—but even continuity during the crisis. And what kinds of lessons should they factor in when—from a planning perspective?

Sunny:

[00.19.45.08–00.20.15.08]

100%. So, we have this fantastic data set that’s available to everybody through just, if you know where to look, it’s there. We have international problem sets of these things already happening. So, even if it hasn’t happened to your industry, your location, your region—doesn’t matter. You can find it internationally. A great example—China, India, Ireland—all three of them have faced recent risks in the last two and a half to three years of extreme heat, drought, and flooding to their major data center racks.

Sunny:

[00.20.15.08–00.20.33.20]

So, when we’re looking at what does it mean for these massive areas to be taking hits—and massive in the sense of how much data they move—if they’re taking a hit from X, Y, or Z, can we look to them and say, what took them down? How long were they down? And then, look at what did they do about it and bring that information back in.

Sunny:

[00.20.33.20–00.20.56.08]

So, on the FEMA, DHS, emergency management cybersecurity side of the house, always be willing to go find that pain point, exploit it from somewhere else where it’s already occurred— 

Matt:

—Yeah.

Sunny:

—bring to the table and say, “What would you have done differently?” and make them walk through it, not just, “We’re more robust.” That’s not 100% applicable. Data centers and the creation of a lot of these material types—are the composites the same?

Sunny:

[00.20.56.08–00.21.23.19]

Are the cooling capabilities the same? Is—even if the temperature threat matrix doesn’t 100% line up, the goal is to say, if we built our bridges all with the same general aggregate, what does it look like if the bridges all failed in India from the monsoon? Are we worried about our bridges over here? Are we—

Matt:

—Right.

Sunny:

—worried about the matching problem sets? And are we able to reach out to them—to invite maybe their team over, or go get a visit to one of their sites specifically?

Sunny:

[00.21.23.19–00.21.46.04]

Ireland would be a great comparable, because it’s even further to the north and would match a lot of our northern entities across the continental US, up in Alaska—that we’d be able to tap into that buddy-up relationship. Australia—same concept. I think we just really missed the opportunity to better engage because we let our pride and our ego about our industry carry us too far forward.

Matt:

[00.21.46.06–00.22.17.19]

Yeah, yeah. Obviously, with—on ArmorText, we’re big on the communication side. And I was—the—actually the event you and I were just at out in Denver—an IT director came up to me, and she works for an electricity company in the Carolinas, and she said, “We’re looking for—we got hit by Helene—and we’re looking for something that can be resilient even when there’s no electricity or data, right, like zero. We need some.”

Matt:

[00.22.17.19–00.22.39.14]

None of our people could communicate because every tool we had assumed that we’d have power and internet. And then I saw your speech, and it made me start to think about, like—and even local teams that have to respond to an incident—cybersecurity teams have to respond.

Matt:

[00.22.39.14–00.23.07.19]

They have to communicate. They have to communicate with physical teams—physical security teams. Communication is a really, really essential part of any emergency or crisis response team’s ability to execute on whatever plan they have. From with what you just said, what lessons should somebody begin to factor in about impacts to just communications? What have you seen externally that, like—hey, we should worry about this when it comes to just the ability to communicate?

Sunny:

[00.23.07.21–00.23.34.09]

Yeah. There’s—every different group has different exposure rates. So, the Carolinas are a really good example. The forecast had them highlighted. We knew the totality of the rainfall that was going to come down. And we knew the window of time. We knew the general intensity. What we didn’t know was just what that meant to the community. We didn’t know all of what was in that area either and the inability for there to be a pass-on of the mission for some of these industries.

Sunny:

[00.23.34.11–00.23.52.20]

So, looking very specifically at the saline—right there was that the conversation of the saline factory there as a major distributor. There’s only two. One is down in Florida, which took a hit from Milton, almost. And then we had the one that was in the Carolinas that took a hit from Helene. That caused immediate panic across the emergency management community.

Sunny:

[00.23.52.20–00.24.20.10]

On what does it look like to not have IV bags during this disaster, during the coming disasters? What are we looking at for delays in supply chain? How would we shore it back up? How do you communicate that risk in a more timely manner? ‘Cause we didn’t know until we were told—after that group managed to get communications, there wasn’t an immediate lean forward where somebody just had that piece of information at the emergency operations—able to say that’s one of two, and they’re in by an immediate crisis.

Sunny:

[00.24.20.12–00.24.42.06]

So, we need to have better parent-child homing. If site goes down, if the substation goes down—who goes down with it? Is it your only telecommunication tower for your area? What does it look like if you don’t have that? And with that parent-child homing, you can exercise that. Once you create that sort of map of it, you can—if this goes down, then this goes down.

Sunny:

[00.24.42.06–00.24.49.00]

If this goes down—but we hardened this one a year before—there’s a cost-benefit matrix you can throw in there as well.

Matt:

[00.24.49.02–00.25.16.23]

Yeah, yeah. So, we’re looking ahead. I mean, obviously, we’re dealing with the reality on the ground—and in most of these scenarios, right? This isn’t—these are not theoretical weather events and environments that we have to worry about someday. They’re already happening. But, what’s, from your perspective, with all this information, what’s the thing that keeps you up at night, right? Where we’re—where do you see us being most unprepared?

Sunny:

[00.25.17.04–00.25.33.02]

Yeah, there’s definitely a lapse in the general comprehension of the physics of what’s changing at the greatest side. Right? Everyone thinks, “Global warming—there and by, the globe must be warming.” So, if we have a really cold winter, the globe can’t be warming. 

Matt:

Right.

Sunny: 

So, you have to explain. You have to take it back a couple of steps.

Sunny:

[00.25.33.02–00.26.02.05]

And the real issue here isn’t necessarily the warming, although the warming is the impact driver. What we’re actually looking at is the uneven distribution of heat, because now we’re producing heat at the surface. Everything from the generation of energy, to the creation of materials, to the driving—creating friction—all of these things at the surface that weren’t creating heat hundreds of years ago, are now producing heat from the surface, which is amplifying a lot. But it pushes our tropopause.

Sunny:

[00.26.02.05–00.26.27.01]

So, our troposphere is where we all live, breathe, operate. It’s where all of our weather happens. The tropopause is continuing to go up from the abnormal warming that we’re propagating from the surface. So, what that does is it starts to push on all the other spheres of Earth. Now, that’s something that is a very large concept to comprehend, but it allows your thunderstorms to get taller, which allows them to produce more lightning, more heavy hail.

Sunny:

[00.26.27.01–00.26.53.03]

So—the heavier hail, but more of it as well. So, you have this two-fold of trying to explain the physics, what’s changed, all the cascading impacts on the weather side. Then, you have to explain what would this look like in 25 years for building new energy sites, new data centers, new systems? When we’re looking at technological advancement, we need to be looking at what material is housing it? What shape are we building? And why are the data centers all in the shape of a giant sheet cake?

Sunny:

[00.26.53.03–00.27.14.23]

When we know that squares and rectangles are the weakest structures that we can build, why aren’t we looking at doming things out more? Because we know domes can withstand the wind, the hail, the breeze when it comes to blowing embers on the back end of a fire. We know that flood water moves around it. So, we look at these known improvements, but we look at the way in which we do things, and they don’t always line up.

Sunny:

[00.27.14.23–00.27.37.11]

And the problem that we’re going to see going forward is, not everywhere is viable. You can’t just say, “I bought this land, so I want to build X here.” In the worsening future, some areas are going to face a need to build into the risk, if you’re going to build there at all. And what that means is your data centers, your sites, your houses should not look the same going from one region to another.

Sunny:

[00.27.37.11–00.27.59.21]

You shouldn’t be able to find the same city landscape that you see in Minneapolis down in Texas, over in California, in Florida, in Massachusetts—they should all be structurally different to face the threat of that area. And I feel like we really missed our calling with the uniqueness of each of our cities. And instead, we adopted this cookie cutter so that we could create building codes, best practices. But— 

Matt:

—Yeah.

Sunny:

[00.27.59.21–00.28.20.00]

—through that, we actually created a weaker structure in whole. So, when we’re talking about overusing materials, it’s because we’ve created a key reliance on that sole material now going forward. So, what does it look like to break off of that and to go back into the creativity side? We talked about the same thing with phones. All phones look the same now.

Sunny:

[00.28.20.00–00.28.37.16]

But you remember back when they first came out. There were so many different choices, and everybody was competing, and that led to an industry surge because it was this cool thing to have a different phone. And now we all have the same ones, but we want them to be slightly different from each other. So, where does it look like to go back to the uniqueness of variation?

Sunny:

[00.28.37.16–00.29.01.15]

And that yields us our best practices. This variable worked better. How do we integrate that and continuing to leapfrog into the future? So, I think the big problem is that—what keeps me up is the lack of knowledge of the big problem set, and the application of that knowledge to each industry. Because I’m a creature of comfort by nature, I was born into the world as it’s been built.

Sunny:

[00.29.01.17–00.29.23.01]

And what that means is I don’t want to look at what this world looks like without the bridges, the major building landscapes, being able to fly from one side of the US to the other. And when you talk about changes at this scale, you have to look at if we do nothing, it will get harder to operate. Not that everybody dies at the end of the story but that your comfort levels will be in flux.

Sunny:

[00.29.23.01–00.29.49.09]

And we— 

Matt:

—Right.

Sunny:

—don’t want that. We don’t want to have to be in recovery mode constantly. We’ve obviously, as humans, have lived through far worse conditions before—right way back before the medieval era even. We’ve lived through plagues. We’ve lived through different disasters—massive earthquakes, tsunamis—and the people continue to persist in general, but not in a comfortable way way back when. We talk all the time about how far we’ve come. We want to keep going far.

Matt:

[00.29.49.11–00.29.57.02]

We don’t want to go back to those times. Yeah, exactly. Well, what—Sunny, any final thoughts?

Sunny:

[00.29.57.04–00.30.20.16]

Just, there’s research on everything and anything. Nothing is novel in the way of weather in the sense of this is a brand-new weather event that’s never happened. The Earth is a closed membrane, so it can only do so much. It’s just discovering what that means to you, your industry, sharing that research, making sure that we’re talking about it—even if it’s a hard talk to have—that you don’t stray away from it.

Sunny:

[00.30.20.16–00.30.53.09]

I tell people all the time, I love conspiracy theories. I think that those individuals are the best storytellers, and you have a ton. You can learn from them on how to communicate better, on how to be passionate about your topic, on how to build a background from one nugget on all of these interconnected aspects. And I do think that there’s something to be said about, instead of shaming them and leaving them to their own pocket, folding them in, educating them, sharing those data sets. Lean into the research that’s out there, pick something that you know nothing about, and just dive down that rabbit hole when you have time, and investigate.

Sunny:

[00.30.53.11–00.30.55.16]

That’s a—

Matt:

—Yeah.

Sunny:

—big advocation on my side.

Matt:

[00.30.55.18–00.31.06.19]

Yeah where can folks—obviously this is a shortened, sort of condensed version of a lot of the stuff you touch on—where can folks find more, if they want to kind of unpack some of this stuff?

Sunny:

[00.31.07.01–00.31.33.02]

Well, we have some fantastic scientific communities that have popped up who are just doing 101s on all the climatological information, all of these impacts. Emergency managers make a ton of their exercises available on YouTube. You just have to know what you’re looking for to be able to find it. But it’s out there. I do as much as I can to put out information constantly, so I have a Listserve where I just send out insane levels of just paragraph, and then here’s a link.

Sunny:

[00.31.33.02–00.31.53.10]

Paragraph. Here’s a link. Here’s a cool graphic. And I try to share everything I find so you can find other people like me. I’m not the only one out there doing this. You can go on LinkedIn. You can see who’s communicating with who, find a favorite scientist, friend all of their friends, go through that rabbit hole of just getting passionate about it and then—

Matt:

—Yeah.

Sunny:

—tapping into it however you can.

Matt:

[00.31.53.12–00.32.25.02]

Absolutely. All right, so the fun question here we always like to ask. So the scenario is, you just spent 72 hours helping coordinate a response to a cyberattack that perfectly overlapped with a once-in-a-century weather event. The grid’s finally coming back online. The hotline call inbound calls are slowing down. What is the libation of choice that you would go after a successful disaster recovery response situation?

Sunny:

[00.32.25.04–00.32.43.01]

Yeah. So my secondary is actually epidemiology, because weather and disease go hand in hand. So any time that I go to drink, and I’ve done a lot of work or I’ve been around a lot of people, I’ll try to find something with lemon juice to clean out the bacteria in my throat, ‘cause I’m a nerd like that. Honey to help soothe the throat from having talked—likely so much—‘cause if I’m not talking weather, I’m talking to socialize, ‘cause I love talking.

Sunny:

[00.32.43.01–00.33.07.00]

Some of the other things that are in there—candy ginger, which is just great for the general body. And then, of course, Scotch—or you can do any of your other favorites, like whiskey. You could change it up if you really want to, but I prefer that kind of intricacy in my drink, so I feel a lot better at the end of drinking that. 

Sunny:

[00.33.07.00–00.33.10.13]

In the winter, a hot toddy will also do it. So I’m not super picky.

Matt:

[00.33.10.15–00.33.14.19]

Yeah, yeah. Yeah, do you have any preferred scotches or whiskeys?

Sunny:

[00.33.14.21–00.33.36.00]

I really like sampling whatever the area I’ve been sent to has. So, I’m huge on trying new things. So, if I ask them—I’ll ask the bartender what their favorite one is. Which one is the most sold in that area? I like to just really embed as much as I can so that—

Matt:

—Yeah.

Sunny:

—I can feel more connected as I travel, as I interact, as I learn as a person.

Sunny:

[00.33.36.00–00.33.38.11]

Because there’s nothing but learning out there.

Matt:

[00.33.38.12–00.33.43.16]

Yeah, I tell you—you missed a good whiskey tasting in Denver. That one night—that was good.

Sunny:

[00.33.43.17–00.33.54.02]

I know I did, and I was really sad. And I looked at the map, and I was like, well, it’s a really far walk, and there’s a thunderstorm coming in, and I don’t have an umbrella. And I had all these excuses, and I wish I had gone.

Matt:

[00.33.54.04–00.34.00.20]

There were some good stuff. I was impressed. And it was all Colorado whiskey, so they did a really good job.

Sunny:

[00.34.00.21–00.34.04.14]

I did get a sip of one of them at the end of the night so I feel a little accomplished there.

Matt:

[00.34.04.14–00.34.17.05]

There you go. Well, Sunny, hey listen—it’s always great talking. I do appreciate you taking the time ‘cause I know you’ve got a million of these you got to do. So, always appreciate your time here and helping us out.

Sunny:

[00.34.17.07–00.34.23.23]

Absolutely. I appreciate the ability to be on here with you. I think this is a really good effort. And I’m happy that you picked me.

Matt:

[00.34.24.01–00.34.52.10]

Yeah, yeah. Well folks, thanks for joining us here on The Lock & Key Lounge. Remember, whether it’s malware or meteorology, you can never be too prepared for the storm. So until next time. Be well, stay curious, and do good work. We really hope you enjoyed this episode of The Lock & Key Lounge. If you’re a cybersecurity expert or you have a unique insight or point of view on the topic—and we know you do—we’d love to hear from you.

Matt:

[00.34.52.12–00.35.14.02]

Please email us at lounge@ArmorText.com or our website, ArmorText.com/podcast. I’m Matt Calligan, Director of Revenue Operations here at ArmorText, inviting you back here next time, where you’ll get live, unenciphered, unfiltered, stirred—never shaken—insights into the latest cybersecurity concepts.
