In this episode, we talk with Samant Khajuria, VP of Cyber and Quantum at Terma, and Jeffrey Saunders, CTO at Denmark's National Defense Technology Center. They break down the realities of today’s cyber threats, from sophisticated attacks on critical infrastructure to the impact of AI and quantum computing on cybersecurity.
Learn how these evolving threats are reshaping the way we think about defense—and what you can do to stay ahead. Hear why trust and collaboration are more than buzzwords; they're your best lines of defense.
00:04 Introduction to Cyber Threats and Evolving Defense Strategies
01:38 Definition of Cyber Threats and How it’s Redefined Today
05:21 Shift from Closed to Open Systems in Defense
08:29 Direct vs. Insider Threats: Evolving Challenges
12:17 Mitigating Risks in National Cyber Responsibility
16:08 Importance of Private Sector Collaboration
19:02 Understanding the Diverse Motivations Behind Cyber Attacks
25:44 Emerging Trends: AI and Quantum Computing Threats
This podcast is brought to you by Terma, https://terma.com
This podcast is produced by Montanus, https://montanus.co
Mikkel Svold (00:04):
Hello and welcome to Allies in Innovation. Today we are talking about cyber threats. We are talking about cyber threats and defense and how those threats have evolved over the last, I would say like five, ten, maybe even a bit more years, because a lot has happened and a lot is going to happen. And that is something that we will try and dive into today. We'll also look at what are some of the complexities that cyber threat is today. What does it mean that cyber threat is also part of, I guess the modern warfare with hybrid wars and with critical infrastructure playing a big role in warfare. To enlighten us on this we have two guests with us today. And we have the first one, Samant Khajuria who is the vice president of cyber and quantum at Terma. Welcome to you, Samant.
Samant Khajuria (01:03):
Thank you, Mikkel.
Mikkel Svold (01:06):
And then also joining us is Jeffrey Saunders, who is the chief technology officer and strategic advisor that is at the National Defense Technology Center in Denmark. Welcome to you.
Jeffrey Saunders (01:16):
Thank you so much, Mikkel.
a
Mikkel Svold (01:18):
I think a good place to begin would be first of all looking at what is a cyber threat. Because although it seems like a trivia question, I think it's good to have those basics down. And maybe there's some new we can learn here. Jeff, what do you take on that?
Jeffrey Saunders (01:38):
Well, thanks for the question. It's one that's rapidly evolving. Traditionally, we would've talked about it as an unwanted or unauthorized intrusion into networks to disrupt operations, to gain insight into intelligence, disrupt command and control, maybe damage assets and critical infrastructure. And now it's evolving to being something much more than that as digital transformation of assets and technology means that we're having a greater penetration of connectivity into different types of assets. It's evolving into a conversation around influencing decision-making not only of things through the internet of things and intelligent assets, but also how we as individuals make decisions. So we start getting into how the general population understands the world around them, how do you do influence campaigns, things like that. And then it gets into a course who has access to certain types of information and what they could do with that access. So your insider threat. So it's a massively evolving challenge.
Mikkel Svold (02:59):
Just to get that right, the cyber security in defense today is not just in defense. Is that correct?
Jeffrey Saunders (03:07):
That's correct. It's evolving. And it's one of those aspects where we're having to redefine... And this is a longer-term discussion about what does that truly mean. Whereas defense was something that was extraterritorial with the cyber threat. Because it's evolving the integration of our assets, critical infrastructure, key sectors of the economy that are now vulnerable to external actors regardless of geographic distance or geography no longer means anything. How do we protect and defend that and who ultimately has roles and responsibilities for that protection is something where there's a lot of discussion about where that responsibility lies.
Mikkel Svold (03:52):
Samant, how do you see that evolution from the chair that you're in?
Samant Khajuria (03:59):
It's evolving as Jeffrey rightly put. So to understand the cyber defense, our cyber security it's important to understand cyberspace. So what is a cyberspace today. And today in the defense world we call cyberspace as the fifth domain in addition to land AOC and space. And even if cyberspace is the vertical that supports this land AOC in space or use for the situational awareness and all these different things where we can leverage digital technologies to support the nations. But it's also something that is horizontal, because in order to realize land AOC in space, we have the digital part in this that is being realized in this. And that cyberspace comes as a vertical as well as horizontal. So the threats that comes in that comes into and from the vertical perspective as well as from the horizontal perspective.
Mikkel Svold (05:08):
And has this changed over the last 10 years? Obviously there are more devices connected to the internet now. I have several more devices in my own home connected to the internet.
Samant Khajuria (05:18):
Exactly.
Mikkel Svold (05:21):
But in my mind defense technology, space technology, those kinds of pinnacle technology. It's really high-end stuff. Has that not been online for years on years already? Or no?
Samant Khajuria (05:37):
I can take that. I mean, if we look at the history, the systems that we used in the defense to a large extent. I mean we cannot say all the systems, but the systems to a large extent were closed systems. They were built as closed systems. Any or any link to these systems were through classified networks or very secure networks and so on and so forth. What has changed over the period of time is how important data has become, how important situational awareness has become. This means that we are not only leveraging assets that are for defense, but we are also leveraging assets that are in critical infrastructure, are part of the national infrastructure and so on.
Mikkel Svold (06:26):
What could that be examples of that?
Samant Khajuria (06:28):
So example could be if we take a radar system in a critical infrastructure protection, or if we take the sensor systems that are at the airports, for example, or something that is protecting our coasts, different sensors and so on. So all this information what you were saying that this part what we call it going towards the IoT part of the systems and which are inherently built for a civilian sector, but it is out there that we can leverage to get a superior information. So, yeah. Jeffrey.
Jeffrey Saunders (07:10):
No, I mean what you're raising is this... Particularly when we started talking different types of systems and traditionally defense has been an enclosed environment. What we had to think is we have various layers of interacting technologies. And so you had closed systems that were controlled and had a great deal of security protocols, but at the same time you're carrying a number of devices with you. That's also what the soldiers and operators in the field have a number of different technologies that they have on them privately acquired. And what we're seeing-
Mikkel Svold (07:42):
They have them with them?
Jeffrey Saunders (07:44):
They can and they do. And that's one of the big challenges in OPSEC or operational security is that what devices are people carrying with them and when are they carrying them with them? So you have aspects around evolving cyber threats of what are people doing with all the apps, the technologies that they're using. So it could be the mobile devices that they're carrying with them, their telephones. It could be their smartwatch that they're using to track their fitness, but it could also be what vehicles are they using to drive around and access the base? We're all driving cars and vehicles with different degrees of autonomy. They have different types of scanners, LiDARs, reporting systems.
(08:29):
So it could be, when we talk about the evolving cyber threat, a direct intrusion which is an intentional act by a threat actor. That could be a nation state. That could be a criminal organization. That could be a terrorist group. Or it could be an insider threat. If you want to take that where someone's disgruntled and decides to share a bunch of information about the company or about the military that they no longer approve of or whatever. But it also could be an unintentional act.
(09:01):
So you had situations where you had the outline of classified forward operating bases being disclosed, because you had operators with their Strava watches and apps tracking their fitness running in circles around the base. And all of a sudden you say like, "Oh wow, there's a bunch of really fit people who are operating in this area of likelihood that this is." And they're American or they're whatever. That all of a sudden highlights, "This is a place where we have an operation going on." That's unintended cyber threat. And the same thing could be happening with new modern digital vehicles or digitally enabled vehicles and how they access bases. All that information is pouring out there.
Mikkel Svold (09:44):
How do you control that? Do you have to scan everyone coming into the base and make sure they don't wear a watch and a phone and a fitness ring or whatever device that you can now get?
Jeffrey Saunders (10:01):
Samant can speak also to this, but there's a number of different layers to the response where you have depending on the type of activity you're doing and degree of classification that's constituted with that. You have a, "You cannot bring this device with you." Of course there's a degree of trust. And in some places they do have scanners that can detect if something's pinging out or searching for a wifi or a mobile network. But you do have those elements where you have to check at the door or wherever the entrance point will be. You have discussions of banning certain types of vehicles that are produced, for example by China from entering certain facilities or places like that.
(10:50):
These are all types of conversations that are ongoing, because the threat landscapes evolved. The type of assets can be turned off or turned on in ways that the user doesn't know about. The apps that they have installed on their phone. This conversation around TikTok in the United States has been a big issue. All those things change the threat landscape and impact the operating environment for the big threats to soldiers operating on both sides in the Ukraine conflict and also in the Middle East is that the devices that they carry with them as soldiers operating in the field has made them vulnerable.
Mikkel Svold (11:32):
If you're sitting in national defense you have the responsibility for safety on the base for instance. How do you make sure not on the base, but you have the responsibility for the technology. You have the cyber responsibility basically. How do you mitigate that risk that is now not just from people trying to hack your actual defense systems, but also trying to hack the whatever, the cameras on the vehicles, the TikTok or whatever. And some of them it's not even just hacking and not hacking, it's just getting access to. How do you take up that challenge?
Jeffrey Saunders (12:17):
I mean, you need a holistic response to this. So you need to have the experts who have the technical expertise on the evolving cyber threat. And that's people with different types of specialties and network design, network protection, things like that. But you also have the experts who are dealing with the more human side of elements. Who has access to what? How should they have access? What type of devices that you need to have? And the people who are specialists in both areas need to and should be meeting on a regular basis to adjust their risk and threat picture and make adjustments on the fly. So that would be the basis for operation. The question is how do you roll that out to more sectors?
Samant Khajuria (13:05):
Yeah, and I think what we are touching here is very much more bigger problem than only in defense. It is also about the people and the citizens of the countries that are using this. So I think past few years we have talked about these kinds of things from a privacy perspective of people. Who has access to your information? And have you given the responsible disclosure to what access do you have or not? So it goes on a way much more bigger scale, because it's about regulations. And we are definitely not mature enough today in the regulations when we talk about these of things. Especially when we are talking about now Jeffrey had mentioned about the cars and the cameras. And it's not about getting access to it. Access is already there. And who has access to it and how can they exploit it? So it's way much more bigger that needs to be handled at the government level, policy level, at the European level. That need to be further unfolded.
Jeffrey Saunders (14:13):
And it's also at a cultural level. What should we be talking about? What does it mean to be digitally engaged? And what should and shouldn't we be disseminating? That's part of the reason why we're having these campaigns around, "Be cognizant of what you share. And do you have permission to share the information that you're sharing?" So Telenor has been doing those. And they're doing it on the level of, "Do you have the right to share this picture that you may have done or video in a private setting?" Which you don't think is dangerous to somebody, but all of a sudden compromises them maybe from a job perspective. So those are some of those things that of the issue of how to engage as a digital citizen is something that's a behavior in your workplace. But it's about all these elements that we're talking about to avoid unintentional cyber breaches.
Mikkel Svold (15:05):
I want to come back to one thing, Samant that you mentioned because we just briefly touched upon critical infrastructure, but I really think that it must be one of the really complex areas in a national cyber defense. Because talking about what happens at a military base and you can more or less control what's coming in and what's not coming in and you can have really strict rules, but when you're talking about private sector airports you're talking about wind parks, environmental parks, all those kinds of things, energy parks that are not a national thing it's a private entity. But it has a big impact on the country and the nation. Well, the survivability basically of the nation. How do you mitigate that risk? What do you do? How do you involve the private sector? People?
Samant Khajuria (16:08):
Yeah, I think in the past these were two separate things. So defense was something different from the critical infrastructure. Now we do see that there is a merge or the conversions where we have the know-how and the competencies from both the sectors sit together to come up with for a common way of doing things. So we have a common operating picture. How do we secure our crown jewels in that sense? So meaning when we are talking about hybrid warfare or something. So these critical infrastructures that provides us basic necessities to the citizens in terms of water, light, electricity and so on and so forth, traffic systems. These are seen that being hit if something bad happens towards the nations.
(17:08):
And having the common cyber resiliency and having a common cyber way of doing things helps handle some kind of things. In the past that was not the case. Whether this comes from a combined way of doing the requirements or the policies and procedures for these infrastructures and network, giving them the same importance what we give in defense systems. So I mean, defense is not a problem if you ask me when we talk about after a certain level. So when we are talking about classified systems. And there are very good and strict and very mature set of policies and procedures that are put in place. And there are issues when we start using new technologies. How do we handle that in that arena? But critical infrastructure, which was not something under threat in past few years have definitely come under threat. This means that it needs to be handled at the level higher level than how we handle it.
Mikkel Svold (18:17):
Does that mean that the private sector now needs to look towards defense or to early defense security and then implement that at the same level and strictness?
Samant Khajuria (18:29):
Not necessary because I don't see that we need to mimic anything from anywhere. But it's a different level of maturity. There are certain frameworks in US, in Europe, and other places. There are frameworks that have been implemented for critical infrastructures for operational technology out there and so on. I think it's more than mimicking from each other, it's more important to talk to each other and collaborate.
Mikkel Svold (18:57):
Okay.
Jeffrey Saunders (19:02):
I think it's an aspect of one of recognizing, I think more and more people have recognized is that the threat is out there and we're all an interesting target. Particularly if you work in a critical infrastructure environment. And that's because a lot of the trends that we looked at around automation, around elements around hacking as a service, things like that mean that the cost to commit a hack is very, very cheap. Or to commit an attack is very, very cheap. So that even if you think you're a relatively low threat, the cost of attacking you versus how much it costs to rectify it or to pay out. That balance is in the favor of the attacker. So it changes the dynamic.
(19:56):
So when you start talking about critical infrastructure, they are a target. Whether it's from a national state actor that wants to threaten Denmark or whether it's a criminal organization that wants to use it for garnering revenue. These are the things that are quite important to have that awareness. And then the question is, "What do we need to do about it?" And as we're talking about there's a lot of frameworks from either the US or from Europe around, "How should we go about protecting that?" Those are things to begin following. It's about the collaboration and knowledge sharing about, "How are you being attacked? What are the threats that we're facing? And what are the things that you've done to mitigate those in getting those basic standards in place?" So it's about that knowledge sharing and it's about that stepwise approach to addressing those issues.
Mikkel Svold (20:47):
And Jeff, do you see also a change in... Because in my head a hacker is someone... I'm guessing I still have that old school kind of picture with a hooded guy and a cellar drinking lots of decaf coke or something like that. Is that still the picture or has that developed with the threat scenario as well?
Jeffrey Saunders (21:12):
All of this has evolved. I mean, of course you're going to have that classic hacker who's motivated by the challenge of, "Can I do this or not?" So you have that type of hacker. But then you have, of course given the threat environment that we have now, a lot of organizations that are interested for national strategic perspectives of disrupting operations within a country because it weakens arrival or potential arrival. That's a motivation there as well. But then you've had the aspect around so many things have been put online.
(21:52):
There's such a huge target of opportunity out there. So if you are looking to make a quick buck, which many organizations are, it's much easier now to go about disrupting. So on the dark web you have whole services that offer hacking as a service. And even have help desks not only to help you figure out how to pay the ransomware that you need to figure out, but also to help would-be hackers utilize the technologies to their advantage. So this is a whole market and ecosystem out there that is enabling. And we have to recognize that we're still catching up as to how the threats are evolving. There's a regulatory environment. There's a criminal prosecution environment. And our structures in society is still built up around physical acts in the physical world where it's still slowly catching up to digital acts in a digital and hybrid world where these two interfaces meet.
Mikkel Svold (22:58):
And now we all sit in Denmark, which is my guess would be one of the more digitalized nations in the world together with probably a couple of other. But has this transition... I'm guessing that of course the threat must follow also how much digital you are as a nation. Is it only possible to keep digitalizing? Or are there some things that you'd recommend? I guess this is a little bit off topic from what we discussed before the interview, but still. Is there anything that you think should be not digitalized? And can you do that or is the train already rolling?
Jeffrey Saunders (23:44):
That's a question about your resiliency and redundancy. So on the one side there's huge... And there still is huge economic potential around digitization. There's things that it enables you to do. So it augments and provides a lot of abilities with situational awareness with all these factors that provide great benefit either economically or tactically or operationally if you talk in a defense environment. But you need to at the same time be cognizant of your resiliency and redundancies so that if something happens, what can you do about it? So you have instances where you start thinking about, "Is there the need to sometimes technologically degrade in your backup?" So what are the alternative communications. So retraining people how to do morse code and signals is something that has been talked about as an example of some redundancies.
Mikkel Svold (24:44):
Oh, really?
Jeffrey Saunders (24:45):
Sometimes communicating via paper and typewriters is something that's come back. Fax machines and things like that. Because you start thinking about those are elements that if in a worst case scenario we could still communicate with each other. So that element yes, but there's so much benefit to be had from the connectivity. The question is again, how do we bring the best of that efficiency and effectiveness and augmentation while protecting it to the degree as possible? And recognizing that disruptions will occur. So how do you have your resiliency in place?
Mikkel Svold (25:25):
So you're talking about you're actually degrading learning how to use the typewriter again. But if we are to look a little bit ahead what emerging trends are you guys seeing right now in the cyber landscape? What is the new thing the coming five years?
Samant Khajuria (25:44):
Many new things are coming and will count with the evolution of technology. And the motives of people how to use that technology. So for example, if you take an example of artificial intelligence it's a very good example where from one side of it we have only seen the good side of the use cases. Meaning that where we have to train people for 10 years, 20 years to find a needle in a haystack. And it has been extremely difficult. But use of artificial intelligence, we are able to do those kinds of things very fast without having trained people and so on. So we can train the models and all that.
Mikkel Svold (26:30):
So you can train the models in your favor, so to say as a defense system.
Samant Khajuria (26:34):
Yeah, exactly. As a defense system. But then comes the other side of it where the models can also be trained for the offense systems. Where models can be used as agents in other people's network or infrastructure or so on to find the vulnerabilities and so on and so forth and exploit those vulnerabilities. And we do see that in certain cases. The trends are seeing from there. Jeff mentioned dark web. And dark web used to be where you could learn how to write a malware to today you can buy the full-blown root kits to exploit whatever you want to exploit with the use of artificial intelligence at the price of probably $500,000. Not more than that. So now people don't need to know how to do that, but rather we just pay for the state-of-art technology and use that technology.
(27:39):
Another example is also quantum. So we have been seeing that there has been many. If you take an example of cryptography. So cryptography is a very good example because we have encrypted our classified information in transit or in storage with what we have today as an encryption solutions and all that. Given the way the technology is evolving in not very far from now, that information can be decrypted by the computational public.
Mikkel Svold (28:14):
Can you explain that. Why is that?
Samant Khajuria (28:18):
So today's encryption solutions are based on large prime numbers. And the whole complexity is factoring those prime numbers. And given our computational power we'll not be able to do that today. That's what we call it the hard problem that cannot be solved today. Given the use of quantum or supercomputers or in that direction, we can see that these computers will be able to do that. So this means today what we have as an encrypted information which is supposed to be encrypted for next 20 years and someone grabs that information and keeps it for next five years might to decrypt that information that should not be decrypted. But that's also the side of the technology. And there is a fine balance between, "When should we move from what we are using today towards the use of the future?"
Mikkel Svold (29:20):
Do you think the timing is possible?
Samant Khajuria (29:24):
Timing? It takes of infrastructure, it takes lots of things. It takes lots of know-how. And that's where we are at the tipping point making those decisions where it makes sense or where it doesn't make sense.
Jeffrey Saunders (29:38):
Right. And that's going to be something that's when you get into the whole question about when and how should we transfer into a post-quantum based cryptographic system. Which what Samant is talking about. I mean, that's one of those questions that again, will be a fundamental transition. Because if we look about how we've moved from a analog to a digital environment and the decisions that were made and the vulnerabilities that were put into place. When we think about transitioning critical infrastructure and even elements of defense from a one cryptographic standard and environment to an entirely new cryptographic standard environment there's going to be a lot of choices. And I think those are some very interesting areas to study about how do we choose to make those choices? Where are the trade-offs? How are organizations contending with those trade-offs? Because you're going to be having issues of cost, all the things that have motivated decisions before. And then what technical challenges then emerge from that when you're in this hybrid world as we're making that move onto it. It's going to be a key aspect.
(30:46):
There's another element around the cyber threat which I think is quite interesting, which is the future outlook. Which is related to the conversations around artificial intelligence, machine learning. But it's the whole aspect of around trust. Who do we trust the information that we trust? So we have on a large scale around polarization in society, election security, the question around proliferation of disinformation online. That's an emerging threat that's being exacerbated by deepfakes, things like that. So how do we have trust around what's going on in the world around us? But one of the things that we start getting into with cyber threat is not just into penetration and intrusion, but can I trust that the sensors that I'm using to make sense of the world. And that could be everything from radars to GPS to all these elements that give a sense of where I am, where am I trying to get to and all those elements and positioning, navigation and timing. But can I trust the quality of the sensors that I have?
(31:52):
And that's one of the things that's becoming incredibly challenging. Not only in the societal question, but in operation environment. And how do we utilize those technologies to make sure that the data that we're collecting from the world around us is something that we can actually trust in decision making? So you have this cyber as the fifth domain in warfare. There's actually a sixth domain that people are talking about, which is the cognitive domain or the decision-making domain about how do we utilize information coming from all these sources to make decisions for ourselves, for our societies and for our defense organizations as they're operating in the field.
Mikkel Svold (32:35):
And I think the whole trust issue also talks into, of course collaborating with different partners and also collaborating with software developers and all kinds of developers. And that's something that we are going to talk about in the next episode and our time's actually up now. So I'm going to take that segue with the trust. And I think that's a really powerful thing. We have to be I'm guessing really careful who we trust, but also of course we still need to trust each other to get anything cyber defense out the door.
(33:08):
Samant Khajuria and Jeffery Saunders, thank you so much for joining. And to you out there listening if you like this episode hit that subscribe button. And yeah, share it with a friend or a colleague, someone you think would be interested in listening to this as well. If you have a question or something that you think that we should talk about on this podcast do reach out to us on our email that you can find us on podcast@terma.com. That was podcast@terma.com. And I think that's it for now. Thank you so much for listening.
Samant Khajuria (33:39):
Thank you.
Jeffrey Saunders (33:39):
Thank you.