Ransomware, Security Readiness, and Resilience

Guest: Ted Harrington
EPISODE 10: THINK BAD, DO GOOD

Ransomware, Security Readiness, and Resilience

Jonathan Reiber, Senior Director for Cybersecurity Strategy and Policy, AttackIQ

In this episode, Jonathan speaks with Ted Harrington, best selling author of the book Hackable: How to Do Application Security Right, about the way attackers think, readiness and resilience, and how to live a purposeful career in leadership and public service.


About Hackable: How to Do Application Security Right

If you don’t fix your security vulnerabilities, attackers will exploit them. It’s simply a matter of who finds them first. If you fail to prove that your software is secure, your sales are at risk too.

Whether you’re a technology executive, developer, or security professional, you are responsible for securing your application. However, you may be uncertain about what works, what doesn’t, how hackers exploit applications, or how much to spend. Or maybe you think you do know, but don’t realize what you’re doing wrong.

To defend against attackers, you must think like them. As a leader of ethical hackers, Ted Harrington helps the world’s foremost companies secure their technology. Hackable teaches you exactly how. You’ll learn how to eradicate security vulnerabilities, establish a threat model, and build security into the development process. You’ll build better, more secure products. You’ll gain a competitive edge, earn trust, and win sales.

Additional Resources

Ted Harrington

Ted is the author of Amazon’s best seller Hackable: How to Do Application Security Right. He is also the Executive Partner at Independent Security Evaluators (ISE), the company of ethical hackers famous for hacking cars, medical devices, and password managers. He’s helped hundreds of companies fix tens of thousands of security vulnerabilities, including Google, Amazon, Microsoft, Netflix, and more. Harrington has been featured in more than 100 media outlets, including The Wall Street Journal, Financial Times, and Forbes. His team founded and organizes IoT Village, an event whose hacking contest has produced three DEF CON Black Badges.


Transcript

Jonathan Reiber:
Hello, everyone and welcome to Think Bad Do Good. We are immensely pleased to have Ted Harrington with us today. Hey Ted, how are you?

Ted Harringon:
Good, man. Thanks for having me. Excited to be here.

Jonathan Reiber:
It’s great to have you. We’re not going to mention that you just got back from vacation in Mexico, which doesn’t make anyone on the Internet feel any envy at all. Ted Harrington, not only is he the author of Hackable, which is recently out… Ted, when did your book come out?

Ted Harringon:
It came out December 2020.

Jonathan Reiber:
That’s really recent. So we’re not yet at a year, so we’ll say it just came out.

Ted Harringon:
Yep, yep, definitely.

Jonathan Reiber:
Yeah, it’s a great title. I wish I had gotten to it first, but lo and behold, Ted did. Ted’s an expert in cybersecurity strategy and insecurity assessments, and as a psychology major and a human, but more really like a psychology major and a cybersecurity expert, he’s an expert on how attackers think, which is really cool. For viewers who’ve listened to more than just this episode, it’s Ted and I, in talking about this discover that we grew up 10 minutes away from each. So, this is a happy reunion in many ways.

Ted Harringon:
Indeed.

Jonathan Reiber:
Again, thanks Ted, for joining us. Ted, I want to drill in, as a psychology person, it makes sense to me naturally you want to talk about how attackers think about ransomware and what they’re after, and therefore also how victims and defenders should think about ransomware and prevention. I just wondered if we could dive into that, and since the world tends to think about external behaviors first, why don’t we talk a little bit about external actors to get us started? How should we think about this, Ted?

Ted Harringon:
Maybe where we start is by asking the question more broadly, not just about attackers who are interested in ransomware, but more broadly how do attackers think? How do they operate? Because this is one of the things I’ve noticed, is its very rampant misconceptions around how attackers think, and the attacker mindset is one that it’s very difficult I think for the average person to sort of put their brain into that mode because it’s sort of the opposite way of the way that most people think.

The way that most people think, like normal people, we look at a system and we try to understand how it works so that we can comply with the parameters of that system. That’s a very fancy way of saying, if we used as a metaphor maybe a line to get into an event, most people will say “Okay, here’s a line, once you get through the line you get yourself into the event. I go to the back of the line.” That’s the way the line works.

What they’re trying to understand is where’s the back of the line? Is this the correct line? Do I have to pay something when it gets to the end of the line? That’s the way most people look at systems. The way attackers look at systems is they ask those first few questions, which is what is this system? What’s the goal of it? What are the components to it? How does it work? Where am I supposed to go? Then they look at it and they say, how can I make through something different? That really is sort of this fundamental overarching theme the way attackers think, is they first try to understand how something works, and then they try to break it. They try to undermine it or make it work in a way that wasn’t expected or anticipated.

That’s where it gets really difficult as defenders, is because what we have to do is we have to, as we’re building something and we’re integrating into that build process our own assumptions about the way the thing will work, we then also have to do the exact opposite and say what’s the thing I’m not expecting someone to do? That could be really, really hard because we all have our ways of thinking, we’re sort of set in our modes, we assume people will A, B and C, and that’s really the first defining trait, is that what an attacker does, they look at a system, identify how it’s supposed to work and then try to say can it do something different?

Jonathan Reiber:
Yeah, how would you put that practically when it comes to ransomware if you’re a defender particularly in the healthcare sector?

Ted Harringon:
Ransomware is interesting in its own right. I feel like whenever I talk about ransomware, I make it sound like this glorious thing because I’m an entrepreneur and I’m really fascinated by innovation. I think ransomware is such a beautiful type of innovation, even though obviously it delivers really, really bad things and I’m definitely not celebrating in way people who attack systems. But it’s really fascinating, but the idea of ransom existed for a very long time.

The idea of malware existed for a very, very long time. The idea of encrypting whole systems existed for a very, very long time. It’s a beautiful piece of innovation, to take all of that and make it work together and say how can we encrypt a system in a way that we command a ransom in order to decrypt it? That’s fundamentally-

Jonathan Reiber:
It’s the peanut butter and jelly of cyber attacks, in other words.

Ted Harringon:
Yeah, it’s rad, yeah. We think about whose motivated, whose interested in that type of attack, it’s certainly going to be primarily the type of attacker whose motivated by profit. It’s pretty clear to see why. They want to attack a system in order to extract money out of that attack. That’s fairly straightforward. There are other types of motivations though for why an attacker would go after a system, and I don’t know of a case that I can point to specifically, but it has to exist and if it hasn’t existed yet, it will exist where somebody will attack a system leveraging via ransomware, but the profit that would be generated isn’t the goal.

The goal is the ransomware is intended as misdirection, and the goal is something else like maybe it’s a nation state actor who wants to disrupt some sort of system and they want to make sure that it’s attributed to someone else. Fundamentally, that’s what’s interesting about people who are pursuing ransomware as an attack method is that in most cases they’re trying to actually make money.

Jonathan Reiber:
Yeah, you know what’s really interesting as you were talking, folks talk and think about this all the time in national security, but if you’re Vladimir Putin directing his various cyber capabilities, it’s in your interest to have these ransomware gangs within Russian territory wreaking havoc by doing things like Colonial Pipeline because of the simple fact that his intention is have the public get distracted, is to have not only the American public but also the people in charge in Washington to be distracted by this problem.

Just on the basis of trying to get into Vladimir Putin’s head using what you just talked about, we should probably think about what else is he trying to do?

Ted Harringon:
Yeah, I don’t know if that connection exists. I’m certain that it must. I can’t point at any data that definitively confirms what you just said. I’m sure that type of thing exists. I love the way that you asked the question because what we really do need to be thinking is about why would a given attacker type do certain thing? In the case of a nation state, certain it’s to gain some sort of geopolitical advantage.

One way to do that, is of course just like you said, to create distractions or misdirections and things like that. There could be an attack where they don’t even make it known at all. These attacks actually are underway all the time, where a nation state compromises some system in another nation state and then just sits there and listens, and just sees what’s happening. They don’t take any systems offline. They’re not trying to disrupt it. That’s obviously a very different outcome than if you are trying to disrupt the system.

I’m surprised we haven’t seen yet, and we will see at some point. Maybe it’s happened and I just don’t know about it, but is the combination of a traditional attack by sea, air or land combined with a cyber attack. For example, if someone could deploy an attack that makes the first responder system unusable, so the first responders can’t respond, at the same time that maybe missiles are landing somewhere. Something like that.

Jonathan Reiber:
Yeah, exactly. In terms of the practical work of application security, I think the psychology of attackers is important I think for war gaming, like you just talked about. How would this kind of psychology play out in a practical sense within a network attack?

Ted Harringon:
Those are I guess maybe two slightly different questions, about talking network attack versus application security. One thing that I definitely think we should point out, is this idea that I believe, and there’s… It’s more than a belief, I guess, but is that software really runs the world. Every system, in every company, every country are leveraging software in some-

Ted Harringon:
… System in every company, every country are leveraging software in some way. In that regard, application security is really all security. Now, of course, it’s a subset of cyber security, no doubt about it, but application security even intersects with network security. The way we want to be thinking about AppSec is that fundamental basis that there’s that sort of software element to every single system, and to truly defend a system, we need to understand all the different ways it could be attacked. Software is just one of those ways, the human certainly is another way. The network is another way. There’s plenty of ways we can think about it. The application aspect is just one, but software runs the world, and we have to be thinking about the fact that this is where attackers are really focusing today.

Jonathan Reiber:
Yeah, yeah, yeah. Particularly, coming out of solar winds, right, being one of the best examples of an application-enabled attack. One of the things we’ve been thinking about a lot at AttackIQ is two words, readiness and resilience. There’s a difference between the two. We think about how to achieve both, obviously. I’d love to talk to you about this from your perspective, as somebody who thinks about attackers and does application security, how do you think about these two concepts of readiness and resilience?

Ted Harringon:
I know there’s obviously very formal, specific definitions to these two terms, but the way that I think about them when in their most simple sense is this idea that readiness is really about, are you prepared for an attack? Have you done the things in order to essentially prevent an attack being successful? Resilience is, in a sense, it’s a verification of that readiness effort. What happens in the attack? How well did you actually fend it off, or how well did you bounce back, or how well is the extent of the impact actually mitigated and minimized? They’re are two related ideas. They are slightly different, but they’re both related. The way that I’d like to think about these is that we really need to have them both. Then there’s, of course, the element as well, which is how do we respond? There’s, how do we prevent an attack? How do we detect it’s underway? Then how do we respond once it is underway?

Jonathan Reiber:
Yeah, these are all good questions. What are some steps that you would recommend for achieving optimal cybersecurity readiness?

Ted Harringon:
Well, if we can think about it in the context of the original question that you started the interview out with, which is how do we think like an attacker? I mean, that’s where I’m always advocating that we start, which is to look at a system and to really apply that sort of malicious thinking to essentially first answer three really important questions. The first question is what do we want to defend? In every organization, there’s some tangible things you want to defend. Maybe that’s literally money or data. Then there’s some intangible things you want to defend too, like reputation of the brand. Really enumerating, what are all those things we wanted to defend? That’s the first question every organization needs to answer.

The second is who do we want to defend against? That’s where we think about, well, who are the different attackers? We started talking about some of the external attacker types. There’s also the insider threat. How are each of these different groups, even within these subgroups? How are they motivated differently with different resources they have? Who do we need to focus our energies on? Because you can’t defend against everybody all the time. That’s the second question. Who do we want to defend against?

Then the third question we want to answer is where will we be attacked? This is our collection of attack surfaces, which is a fancy way of saying, where can someone or another system interact with the system? Once we identify those three things, what it does, or once we answer those three questions, what we’re able to now do, is we’re able to prioritize where to invest resources, time, effort, money, person, power, et cetera. Because as I mentioned a moment ago, we can’t defend against everything all the time. We really have to be selective and we have to prioritize. That’s what it helps us do, and that’s where I want you to start.

Jonathan Reiber:
Do you have any stories about customers or clients of yours that you’ve seen achieve cybersecurity readiness and what were some of the takeaways you had from that experience?

Ted Harringon:
Yeah, certainly. It’s funny because the hard part about security is if you do it right, the story is typically not that exciting, right? It’s like, and then nothing happened, unfortunately, but the way that I think you can measure the absence of a bad thing is when you found things before the attacker did. Here’s an example, maybe of one specific story, but this type of story plays itself out every day with the type of companies that we’re in the fortunate position to serve. They were building this particular software system that it doesn’t matter what the system did, but the point is that there was a combination of issues that we found were problematic in the system. What was really interesting was that it was the combination of the issues that made it really a problem.

The first issue we found is what’s called information leakage and that’s where a system gives up information that it shouldn’t. In this case, it meant that any user of the system could identify any other user of the system. It’s not really that bad of a problem. You can even directly exploit it. It’s just like it sounds, like information leaking, but where the problem comes into play is when there was a second issue we found, which is where the authorization model is broken. Now, authorization is essentially when a system verifies is someone or something allowed to do a certain thing? In this case, the way that it authorized whether or not a user could change permission, so change passwords, it would ask for information. Just like anytime you’ve ever changed your password, right? Usually you have to supply your current password to get the new one, but that’s not the way this system worked.

The way this system worked was to change your password, you had to supply your user ID. In theory, every user only knows their own user ID. Thus, you can’t change someone else’s. When you combine these two issues, because of the information leakage, it meant that an attacker could enumerate every user, and then use that information to change every user’s credentials. The combination of those two, what that essentially means is that any user of the system could completely dominate the entire system, take over every single account, do whatever they wanted with the whole system.

These are the kinds of things that there’s not really a great tool. There’s no tools that can automate how do you connect those types of dots? You need sort of a creative problem-solving human to connect those dots. This is the kind of stuff that attackers are always looking to do, is they’re trying to say, well, the system’s supposed to do a certain thing. Can I make it do something else? This was a great example of where, because this particular organization had invested the time, effort, and money to try to find those types of issues, they were able to now find it and actually eradicate it.

Jonathan Reiber:
When it did actually happen, you mean? When the intruder broke in, they had already prepared for it and they were ready to stop it.

Ted Harringon:
Well, they made it so that no one could break in. I mean, that in a way, that is part of readiness, right? As part of readiness, can you remove, or let’s … Maybe let’s use a metaphor. If there’s a building and you’re worried about a thief breaking into the building, you want to say, how many of these doors can I get rid of? Can I literally with bricks, make it so that this is no longer a point of access? Then other points of access, we have other types of defenses because they still need to be points of access. That’s the way we want to think about readiness. Can we narrow the ways that an attacker can get in and then focus our energies to make sure we’re prepared when the attacker tries to get in there.

Jonathan Reiber:
Good. No, I like that. Now flipping to resilience, so let’s assume that … Well, rather than me leading the witness, tell me about how you think about resilience practically speaking from an investment standpoint, a capability standpoint, or a strategy standpoint?

Ted Harringon:
Yeah, so as I mentioned before, resilience is this idea of how well a system can actually withstand an attack. The idea that I think is really important around resilience has to do with defense of depth. For any members of the audience are familiar with this, defense of depth is essentially where you add layers of defense in order to do two things. You want to first minimize the likelihood that an attacker is successful, and then two, reduce the impact in the event that they are successful. What’s really cool about defense in depth is that it’s often lamented that for the attacker only ever …

Ted Harringon:
The attacker only ever needs to be right once. And the defender needs to be right every single time. But defense in depth sort of flips that on its head because now it says, “Well, the attacker needs to be right every single time in order to evade detection. And the defender only needs to have a flag triggered once in order to stop the attack.” And so, I think the metaphor here, if we think about something like, imagine a medieval castle. We’re all familiar with medieval castles, whether we’ve been to one or we’ve seen one on something like Game of Thrones or something like that. And you’ve got the moat, you’ve got a drawbridge.

Jonathan Reiber:
Or we live in one in my case. I mean, that’s how I know about it.

Ted Harringon:
If we’re lucky enough to live in one. Who knows? Sir Jonathan.

Jonathan Reiber:
Thank you.

Ted Harringon:
You’ve got archers on the turrets and you’ve got interior perimeter walls and you’ve got the guards themselves. You’ve got all these defenses that make it that much harder for an outside attacker to actually kill the king. And that’s really what defense in depth is like. And the point of resilience, if we use this castle metaphor and we extend it a little bit, this would be like the enemies have attacked the castle. They actually broke down the drawbridge. They got across the moat. They got into the castle walls and they even killed some of the high ranking nobles, but they didn’t get to the king because the king was in his special fortified compartment. And he had a special private guard around him. So they couldn’t quite get to that. So it didn’t completely eliminate the success of the attack. People did still die and the perimeter was still breached.

But the most valuable thing, which was in this case the king, in my completely made up metaphorical situation-

Jonathan Reiber:
It’s good. It’s working. We’re with you.

Ted Harringon:
The king did not lose his life. And so, that would be a very successful example of where this system was resilient against attack, because the thing that they care the most about, the system cared most about protecting, successfully protected that. And that’s the way that we want to think about it.

Jonathan Reiber:
That’s really interesting. I’m going to push back a little bit on this notion because I’ve been caught between these two words, readiness and resilience, with the exact capability that you just described. I used to think of it as a resiliency capability, but now I think of it, because I’ve adopted sort of assumed breach, post-breach investment scenario, I think about that defense in depth much more within a readiness narrative.

And the way I extend the resiliency story, and it’s a little bit of theology here, so it kind of doesn’t matter. But the way I think about resilience is just two points. One is, I remember having dinner with an executive from Google and an executive from Facebook in 2016, back when I still used Facebook, actually, I still use Google. And we talked about resilience and they talked about how they’d back up all their data, at least then, on laser desks and put them into cold storage every night, which reminds me of the ending sequence in, I think it was one of the Indiana Jones movies, definitely. Raiders Of The Lost Ark probably, where they find the ark and then they put it in this really dark warehouse. So imagine every night, some poor person that these two companies backed… So when I think about resilience, it’s like data’s gone, it’s finished, it’s been attacked. And now we have to do cold storage, laser discs.

And the other way that I think about resilience is from a military standpoint. Because as you know, I worked with the military for a long time in cybersecurity. It’s like Admiral Rogers, who used to run Cyber Command. He trained his submarines in the ’80s, that there was an EMP that knocked out all communications, he was ready to have this sailor sail blind. And so, when I think about resilience, I go to this sort of all defenses have failed story. And so, I have a kind of, to mix metaphors, I have a little bit of a firewall between those two words when it comes to defense capabilities. But again, I think it’s probably a matter of theology on that.

Ted Harringon:
Well, I think there’s a really fascinating example that we could use to describe it as the way you’re describing it. And I’m not so married to the specific definitions on these two terms, but I agree with the way that you described it too. I have no issue with that, but we think about-

Jonathan Reiber:
I’m trying to create drama here, Ted. We’re two guys from this… Basically, let’s step down.

Ted Harringon:
Let’s fight it out.

If you think about what happened with Maersk during the NotPetya attack, I think that’s a fantastic example that illustrates what you just described, where Maersk, I think they’re the largest shipper of goods in the world, their whole system was down for some indeterminate period of time, but they were able to get back online because they had one site that not intentionally was offline. There was a power outage or something. So for whatever reason, that system was unavailable amidst this attack. The whole rest of the company became completely unusable. But because of this one system that they had unintentionally essentially backing up the whole company, they were able to rebuild from that and then operations were able to get back on track. And so, they were able to rebound from that attack way, way, way, way faster than had they had to deal with the entire company being down. So it’s a good example, I think of what you’re saying.

Jonathan Reiber:
Yeah, I love that example. And of course now, the history books and cybersecurity storytellers all over the place will be like, “Folks, please at least have this sort of capability backed up.” My favorite example actually from this comes from fiction, which is the opening of Battlestar Galactica, when the Cylons attack. Now, I’m really narrowing the audience’s attention span on this, is the Battlestar Galactica at that point was about to become a museum. It was kind of like the USS Enterprise in the carrier strike group. It was so old that the systems were out of date. And so, the cyber attack that the Cylons conducted against the fleet didn’t work on it because it was so old.

But I think this is companies like Rubrik and others, have backup capabilities. And cognitively, this is just as I’ve been thinking about this over the last couple of months, I’ve tended to bundle sort of backup into the resilience universe, but I’m looking for more to populate it. So this is something maybe we could circle back the wagons and think about it at some other point.

This is a fascinating conversation. Now, the one thing I want the audience to hear about is… so you majored in psychology. Obviously, you graduated like last year, of course, from college. But tell me how did you get into this field and what are some lessons that you’ve gained outside of just how the attacker thinks from your studies in psychology, in the field overall?

Ted Harringon:
Yeah, I think people are often really surprised when they find out that I studied psychology because they’re like, “Wait, don’t you have to study computer science in order to be in the field of ethical hacking?” And many people in ethical hacking do study computer science. I studied psychology because I was always and continued to be really fascinated by why people make the decisions that they do, what motivates them. And so, I really specialized in my study of psychology and actually abnormal psychology, studying criminal psychology and stuff like that, because I feel like if you can understand sort of the outliers or the people who go against sort of societal norms, that it maybe helps you understand society a little bit better.

But at the time, I didn’t know that was what was going to lead me to this incredibly fulfilling career in the ethical hacking space. But definitely having that I guess, mindset that looks at things the other way, where I wanted to kind of look at things in the opposite direction. I mean, that is the way ethical hacking works. So I ultimately got into security.

In a sense, I feel like my life was guiding me to it, in a way. I mean, I have a few guiding principles that guide my various decisions that I make and they’re things like, “Do hard things that matter in the service of others and work to get better every day.” And that’s security in a nutshell. And when I got introduced to the guy who is now my business partner, and we started talking about security, this was like 10 years ago. It was a no brainer that this is what I wanted to do. And so, that’s how I got into it.

And I like sharing that story, especially when I speak to students. So whether that’s undergrads or even high school students, because almost anybody who thinks about ethical hacking as a career and isn’t already in it, they generally think the ship has already sailed. They’re like, “Oh, I can’t, it’s too late. I don’t have X, Y, or Z.” And I’m like, “Well, let me tell you a little of a story about a guy who didn’t get into security [00:26:30] until 10 years ago. And then fast forward, wrote a best-selling book on the topic. You can do it. It’s just a matter of can you learn something. It’s definitely not too late.”

Jonathan Reiber:
Yeah. Well, I think I loved hearing about the values that you said. The first, do hard things, in service to others, and the third one was, I want to say excellence, but that wasn’t it. What was the third one?

Ted Harringon:
Get better every day.

Jonathan Reiber:
Yeah. I mean, if you’re following those principles and you’re heading into a field like this and you have a positive attitude like you do, things will work. So those are good lessons to students. So you met someone 10 years ago. You met…

Jonathan Reiber:
So those are good lessons to students. So you met someone 10 years ago. You met your current business partner 10 years ago. Now, was that your first job in security?

Ted Harringon:
Directly in security? Yep. Yep. And now we’ve been building this company for 10 years since actually just this weekend. I literally get on a plane tomorrow, fly to Baltimore, we’re bringing the whole company in from where everybody is, and there are disparate, we’ve got offices on the West Coast as well as in Baltimore and then people are remote too. And we’re having a big pool party on Friday to celebrate 10 years since we started doing what we’re doing right now.

Jonathan Reiber:
That’s wonderful. And obviously I would add a fourth point. Although if you add four, you have to add a fifth because otherwise nobody will remember four. It sounds like you’ve sought out good people.

Ted Harringon:
Oh, I like that a lot. Yeah. I might have to add that. Yeah, definitely. I mean, I felt like, I don’t know if this has been the experience for other people in other career fields or not, but I had this really intense, emotional response to graduating from college. I think most people who, if you enjoyed undergrad, you probably have an intense, emotional reaction to it. But I remember having this really intense vivid sadness, not just that it was like, “Oh, the party’s over.” But more like, there was that, but also that the academic experience. When you’re surrounded by incredibly smart people, it’s very intellectually stimulating and it forces you to grow because you see how smart everybody is around you. And then I graduated. That’s what college felt to me. And then I graduated and I can’t say that I felt that way about the broader world. I was like, “Oh man, the real world. Where’d all the smart people go?”

And I don’t mean that in an insulting way to anyone that’s, I’m not trying to insult anyone, what I’m trying to say is like the density of the academic experience I didn’t feel it anymore. But then fast forward to when I discovered security as a field and I found that academic intellectual stimulation again, and I was like, “Yes, this is where I’m now want to be. These are my people.” Because they’re surrounded by such smart people, constantly pushing to get better. And this is bigger than just ethical hacking. I think this is most corners of cybersecurity and I don’t know why I’d want to be in any other field if you get to be around smart people all day, every day.

Jonathan Reiber:
Yeah. Man, I love this. I love this conversation. I think this is extremely rich, and it’s really about purpose. I remember also when I graduated college, it was the sense of, if you’ve been a diligent, service-focused person, you self-selected into a group of people in college because it’s tailor made for you. There’s a bunch of other people trying to figure out the world. But then when it ends, there’s no immediate path, which is probably why people start thinking about graduate school, probably too quickly when they graduate? It’s like they’re looking for another mission, sense of purpose. But the hard work actually is finding out how you yourself align your values with good people, if you’re a public service minded to help solve hard problems.

And that, to a degree, the internet has given a generation of people a mission. Like when I first started, I was in the 9/11 generation. So 9/11 gave me my first mission. And then as the internet expanded and became more vulnerable, that was kind of a second mission. And now for kids graduating now, obviously they’re thinking about public health, demography, pandemics, things like that. But that’s what this sounds like when you’re talking. It’s like you found a purpose and a good group of people and you could pour yourself into it.

Ted Harringon:
Yeah. I mean, I practice gratitude every morning. And one of the things that I constantly am reminding myself how grateful I am is that I have been able to find a career that’s really defined by a passion. I do feel that what I do matters and we are solving hard problems and I get to be surrounded by other people trying to do that as well.

And I hope that in other industries, other career fields, I hope that people feel that way too, but I don’t know if that’s true or not. But I can know that if I look around, go to a wedding, and you start talking to the different people who now you’re meeting for the first time, because you’re all brought together, not because you’re friends, but because of the bride and groom. And you start asking people what they do and you can see the people who have that sort of spark in their eye. They’re like, “I’m doing something bigger than myself,” and the people who are like, “I get a paycheck.” And I think that for myself, definitely, and I feel like a lot of people in security, it’s a mission or it’s a passion.

Jonathan Reiber:
Yes. Yeah, Ash Carter, who I used to work for before he became Secretary of Defense. I worked for him when he was the Deputy Secretary. He used to say, “You need to tie yourself to something bigger than yourself.: And he’d started out as an astrophysicist, not an astrophysicist. He was a physicist, and he was working on like theoretical physics or missile defense physics. And he got brought in to study one of the ballistic missile defense capabilities that the Defense Department was working on in the ’80s. And when he did that he thought, “I can apply my knowledge to something bigger than myself.” So I like that phrase. And I think that’s something [00:32:00] that people should always revisit when they’re having lulls in their career. What’s the next thing that I can tie myself to that extends me beyond my narrow field of vision?

Ted Harringon:
Yeah.

Jonathan Reiber:
Cool.

Ted Harringon:
And I think we’re lucky, you and I, it almost feels like a privilege to be able to say that, because going back to that maybe painting the scenario of you’re at a wedding and you meet the person next to you and that person maybe isn’t that excited about their career. Once you’ve found your passion or your purpose, it’s easy to say, like, “Yo, be excited about it, whatever,” but I can totally put myself in the shoes of that person who maybe they’re moderately to very well compensated, but they just hate what they do. And they’re like, “Well, I do have bills to pay. If it was fun they wouldn’t pay you. And so I get that that’s kind of hard to maybe break out that rut, but maybe if there’s something that someone can take away from this conversation that you and I are having it’s that you can actually be compensated well and enjoy what you’re doing and feel that you’re pursuing a larger mission. They’re not mutually exclusive.

Jonathan Reiber:
Yeah. That’s a great point. I mean, we are privileged, we’re extremely lucky in many, many ways. It’s pretty obvious by looking at us and hearing us talk, but that’s a great parting shot, I think, or a parting comment for anyone who’s listening. And it’s hard work too. The first project you try to find that gives you a sense of meaning and purpose may not be the first thing, but you got to keep at it.

Ted Harringon:
Totally. Yeah.

Jonathan Reiber:
Awesome. Well, it’s great, great to have you on. I really enjoyed it. And thank you for speaking to us through Purple Hats and then joining us again. I don’t have a copy of your book because I’m at my mom’s house, but here’s Hackable, everyone. Go and buy it on amazon.com.

Ted Harringon:
I might have one. I should have one. Here we go.

Jonathan Reiber:
Yeah, you should. Wait, you’re the author.

Ted Harringon:
There we go.

Jonathan Reiber:
There it is. Good work. Look at that. There’s no purple on there, which we can forgive you for this time.

Ted Harringon:
Maybe a special edition or something we’ll put some purple on there.

Jonathan Reiber:
Yes. Oh, there it is. Sign us up. Thank you everyone. Ted Harrington, good to see you.

Ted Harringon:
Yeah, thank you.