Voiceover: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today on episode 118 of the Cyber Risk Management Podcast?

Kip Boyle: Hey, Jake. Thanks for asking. Today, we're going to do something really cool. We've got a guest today. We're going to look at the relationship between business and cybersecurity in a way we really haven't done before, and I'm so excited because our guest is Peter Hitschler, he's the chief operating officer and general manager of an organization called Tri-Tec Manufacturing that's actually located not too far from where you and I live here in the South Seattle area. And Peter's just got this really fascinating situation going on, and we're going to hear about how he uses his cybersecurity program in his business. I think it's going to be just fantastic. Peter, thanks so much for being our guest. Welcome to the podcast. Would you tell us a little bit more about you and about your company, Tri-Tec, please?

Peter Hitschler: Sure. Good morning, Jake. Good morning, Kip. Nice to see you here this morning. Yeah, Tri-Tec Manufacturing is a unique outfit, a company that exists since 1972. So we've got 50 years under our belt. It started out as a very much family-owned company from Mr. Buss, Senior and Juniors, and I got two guys that are still with us, actually, as of today. And we are in actually a company that manufactures equipment for Navy only, and these are actuators, valves, things of that nature that go on the ship from all the way up to the captain. So basically, they are putting everything in there that is transporting fuel and regulates fire extinguishers, these kind of things that we are manufacturing.

So our customer is, like I said, the Navy, and pretty much shipyards around the country. There's other companies that like Austal, inaudible, the Engles family, the Newport News shipyard. There is a whole slew of them. I can't even name them all. There's eastern and the south, there's San Diego and there's Bremerton and so on and so forth. And we are a provider of actuators since 1972, as I said, and these are cool little things that are manufactured. They look like a little metal box, and you wouldn't think that there's a bunch of regulators, electronics in there that keep things flowing in case there's a fire. They transport fuel. They make sure that all the required things such as water go through the ship and the system, and we build these things, and it's fascinating to look at them. I mean, they go in from the submarine into the aircraft carrier. So we are servicing a broad spectrum there.

Jake Bernstein: Wow. And the ships won't leave port without these things, so this is critical. I mean, you could say that this is a critical component of the defense industrial base.

Peter Hitschler: That is correct. You have this completely right, Jake, because some of these features, they have to be tested thoroughly for flash. They have to be tested in real time before a ship can leave the port, like fire extinguisher systems. They have to be fully tested and make sure that they're working. They have to make sure that the fuel supply can be transported from A to B, from a tank one, tank two, tank three into that diesel or any other engine type. I won't speak too much of it what is on the chips because I would violate certain rules and regulations, and I don't want to get in trouble with the guys and the three letters and come and visit me here after the meeting. I mean, these are important things. I mean, these ships, it usually takes a year to 18 months before they truly see if they're seaworthy, so to speak.

Jake Bernstein: And I think what you just said was quite interesting, is that you've got information that is probably at least ... I mean, it's at least confidential in the civilian sense of the word, but you may have classified information. You definitely have what's called controlled unclassified information, which is anyone who's listening who deals with CMMC and 800-171 would definitely know that that phrase. Interestingly enough, I am working on a deal right now where these things are all involved. So I guess to steal Kip's question, you're the COO, chief operating officer, and the general manager. So how are you involved in the cybersecurity program? Because with all of this information, I assume you have one.

Peter Hitschler: I do. Thanks for bringing this up, and yes, I mean, we are dealing at a lot of facets of clearance levels, starting with confidential, secret, tops secret, and then there is a Q level, which we are in the process of getting for facilities since we are going to land a contract coming forward in the first quarter, where this will be required to have certain people in our company having Q clearance. So it is important, and how do I get involved in IT? To go back to your questions there, Jake, how did I get back to this? I started in this company as their, initially, director of operations and general manager last year in spring, and I came on board in a very peculiar time, so to speak, because they went through ...

They had a virus intrusion. Call it that. So there was somebody trying to hack into the system that placed a virus, put the entire system in jeopardy and shut it pretty much down. And I came in after the fact. Everything was reported as we should have been. It was reported to DOD, the Navy, NCIS, and so on and so forth. But we had higher different companies and IT folks that supposedly knew a lot about cybersecurity, and I'm coming from the world of cybersecurity all in all. I worked for companies like Lockheed, I worked for Goodrich Landing Gear, and was participating for many years in the F-35 program in the developmental phase since 2009 through 2013, when the first 40 aircraft were basically airworthy and ready.

And over there, there was a big thing about cybersecurity, and I'm not sure you or anybody in this podcast is listening to has heard about it, but 2012 Lockheed faced a big crisis because they had a breach in security and cybersecurity and things started to wander off to countries we all know about. There's mainly one, and I don't want to bring it up too much, but everybody is pretty much aware of that. I basically walked into it, and I saw there was a little disarray. So go back to our company, Tri-Tec, and the people that they were engaged with to solve the issue just started to look at spending a lot of money without really addressing the problem of cybersecurity, which is actually something that needs to be brought in the forefront because there's firewalls, there's switches, there's boxes, there's all kind of things that need to be addressed and secured.

The internet is quite open. As we know, there's a bunch of folks out there that are trying to get information enter or break into a cyber system or IT systems in order to garner information and possibly sell them to our enemies. God knows. God forbid it happens. Anyway, we protected ourselves and we were actually, after we established a new firewall, new equipment, we were pretty well protected at the end. However, we did not have good protocols, good rules and regulations as they're required by CUI in general and CMMC rules and regulations. Not that we are level five, which is nuclear, but we are actually at level three. This is where pretty much everything ends in the normal world, so to speak since we are not a nuclear power plant, call it this. Even though they step into now some programs that require some Q clearance, as I said, in the initial, in the onset.

Once that is all established, we had a company again go back to this and that took charge of cybersecurity, which was, in my opinion, after discussing it pretty much in our weekly meetings, insufficient in my book. So we decided to take it in our own hands, and I engaged with my IT manager, Norbert Wells, who was the broadest guy in IT that I could have encountered. The man knows a lot, and he knows people, and so he helped us to really get into it and close the gaps that we had, close the breaches that were available to the outside to break in. So we basically shut down the curtain, put some good locks on it, and made sure that those events, like cyber breach, cannot happen again. So we are very engaged in that because we do want to keep our customer bases with just the government, the US Navy, and if you have vulnerabilities such as cybersecurity that's not totally inactive, you may not end up with contracts and you may as well shut your doors down. So I have to make sure that these things are being addressed.

Jake Bernstein: I mean, this is the highest level of seriousness when it comes to the government contractors and cybersecurity. I mean, Kip, you're right, we haven't talked a lot about this on the podcast, somehow, after over 117 episodes.

Kip Boyle: Better late than never?

Jake Bernstein: Better late than never, yeah. There's a lot. I mean, I'm just seeing a lot of news and industry attention being paid to ... I don't know how long it's been called the DIB, the defense industrial base, but I've certainly been seeing that a lot recently, including with CMMC, which stands for ... What is it? Cybersecurity Maturity Model Certification or something like that.

Peter Hitschler: Management Certification, yeah, yeah.

Jake Bernstein: I know there was a version one and now there's a version two. And I follow some guys, shout out if you're listening, you know who you are on LinkedIn, who talk a lot about CMMC, and there's just a lot of ... Controversy is not the right word. It's more of confusion, I think, within the defense industrial base about CMMC, what the different levels mean, how it interacts with NIST 800-171 and 853.

Kip Boyle: Well, even DOD is struggling to figure out-

Jake Bernstein: And even DOD is struggling, yes. Correct.

Kip Boyle: "What is this program? What's reasonable?" Because you've got a lot of organizations that are on the smaller side. Lockheed Martin is enormous. Then you've got Tri-Tec and other companies that are not nearly as big as Lockheed Martin, and how much can they really afford to spend on protecting secrets. And in the case you said, Jake, it's sensitive but unclassified, right? Which is really, I think, the target. And so there's a lot of confusion, because even the DOD doesn't really know. This is all nascent. They're trying to figure it out. Peter, what's that like for you to be somebody who is being asked to comply with the program that is either constantly shifting or completely in the gray zone all the time.

Peter Hitschler: Well, Kip, you're touching a very active point that I'm thinking of pretty much every day. How can we make this whole thing better, listening and reading about all these variances these people are bringing out there. Even as you said, the UD doesn't sometimes appear not to really be totally in tune with what is CMMC, what is NIST, what does it really mean? I mean, they put it into the D Force inaudible, it's all spelled out, but there is always an addendum to this, and there's another addendum coming out and so on and so forth. So you're basically in the constant education status. So you have to read up on it, you have to make yourself smart about it, and it is a challenge on a daily basis.

If you are not on top of it, you'll be the one losing at the end of it because to be established in NIST as well as CMMC, you spend quite a bit of money, and it goes into the six figures. I mean, I'm not saying because we spent a little bit in the higher end due to the fact we were involved in one of those breaches. We had to spend a humongous amount on replacing some of our hardware, et cetera. But in general, for somebody that is up to par with the entire equipment, it's going to cost six figures, and you have to train people. You have to create training videos that are going into separate classifications, say it that way.

So people have to be educated. So the machinists will have to still utilize IT, but they're not going to be that deep into CMMC or, respectively, NIST. People like an engineering department and the senior leadership, like myself, we have to be turned with everything that's going on out there. And I'm very adamant about that we are compliant 100%. It is imperative to us to be on top of everything, and I make it my daily mission that this needs to be done the right way or just don't do it at all.

Kip Boyle: I'd love to talk about that a little bit more. So Peter, lots of our other customers delegate this responsibility. A senior decision maker, such as yourself, would delegate this and would not be as involved as you seem to be on a daily basis. But you believe that it's important to be involved on a daily basis. Is that related to reputation, or how would you describe your concern that would justify you spending so much time, personally, on data protection and cybersecurity?

Peter Hitschler: It is my responsibility as an executive of this company. Number one, I have to protect the company at all costs, so to speak, and I will do everything to make that happen and not fail. This is one. It is important that I'm involved because I can delegate all kinds of things, like my team manager can do a bunch of things, or I can delegate to HR for training purposes and the video that we have created for the cybersecurity. But again, I want be in the middle of it and want to make sure we cross our T's, dot our I's. So I do go out there, talk to my peers that are working for us here and ask them, sometimes, some questions. So how's your cybersecurity going on? What are you doing with your email here and there? Because we do have a firewall. We do have a system that gives us messages if something is suspicious.

So I do have some control functions out there because they show up on my morning screen on the computers. I am getting my firewall up and see what happened in my barracuda and things that have been flagged, and I'm going to go and talk to these people. "Why are you doing X, Y, and Z?" I mean, it never happens anything difficult or complicated or illegal, but there's something that can trigger intrusion. So if you go to certain websites and they have not been blocked by a firewall, for instance, and I find out, I'm going to make sure from my end that the entire company is aware that this is a potential for intrusion from the outside. So I have to make sure they're aware of it. So there's going to be memos coming out that are being directed towards my IT manager/HR. Those two get together, put memos out to the company, and employees that are pertinent to that information, and they will receive that, and they have to follow those obligations. Does that make sense?

Kip Boyle: Oh, absolutely. I think most people in your situation would probably feel that way. What I think is remarkable is just how hands-on you are.

Peter Hitschler: Yeah. I mean, it's part of me. I've seen Lockheed Martin struggle in 2012, and it's just still in front of my eyes still. It may have been 10 years from now or from today. Ten years is a long time. However, I mean, I've seen so many things happen out there in real life that just make me be very mindful and cautious.

Kip Boyle: Yeah, so this is a top issue for you?

Peter Hitschler: It is a top issue. I mean, security and cybersecurity is a top issue because without cybersecurity, I can't protect our Navy, I can't protect our products that we are selling. We do have militarized equipment that has certain softwares, I can say that much, on there that I do not plan on sharing because this is ... I mean, protected. It's IP, international property, as well as security for the Navy that's been given to us by the Navy. We have to implement it in the system so they can connect internally their entire systems to our product to make sure it is controlled and being viewed as secure.

Jake Bernstein: And one of the things that we often hear, maybe not as much right now, but certainly in the past was, "Oh, we don't have anything that anybody would want. So why do we have to be so careful?" Now, you arguably know that there are countries out there that want this information and want the IP, want to understand this stuff. Does that affect how you approach cybersecurity? I mean, obviously it will affect how you approach cybersecurity, but maybe how do you use that to really hammer home the importance to all the staff? I mean, I think that's one of the tricks with cybersecurity is having an overall security-based culture, and in a lot of companies, that's challenging. Have you found that to be challenging in the defense industrial base, or are people like, "No, we get it."

Peter Hitschler: I see both, and it's pretty much a 50/50 split here. I mean, certain people, like you said, Jake ... Well, I don't if I have anything here that is really of interest to anybody. You have no idea. There may be a little widget of whatever those folks out there that make something out of it, they get a whiff of something small that you think is not pertinent, and you may not realize that that particular widget goes into some defense module, defense equipment, weaponry, whatever it might be, or radar systems.

Jake Bernstein: Oh, that's a good point.

Peter Hitschler: And they have no idea.

Jake Bernstein: That's a good point right there, is that you just might not know.

Peter Hitschler: Correct, because you're selling it to some Company X. I mean, I may be a buyer or something from a company out there that buys certain computer chips, and they're thinking, "Oh, that's just a computer chip or whatever. It's nothing fancy." But if you see the whole picture and you take the 30,000 feet view of this entire thing, then you say, "Wait a minute, this thing can go into a PCB board." This PCB board goes into a stick with actuators. This may control certain operations within the actuator, and it gives messages to the control boards over all the computer system on a ship, on an aircraft, on a tank for the head matter, and then you are stuck with it. And if this thing goes out, you jeopardize security in general.

To me, there's nothing more important than to secure armed forces, make sure the sons and daughters that are out there, our daughters and sons, come home the way they left, in one piece. Because I don't want them to be hared and be a part of this big conglomerate, call it, of suppliers that helps our government to stay secure. And I think that is my utmost responsibility to make sure everything that we produce is 100% safe, 100% secure, and bring some kids home.

Kip Boyle: It reminds me of the Stuxnet, where there were some computer controllers on the Uranium Enrichment Centrifuges, which were manipulated, which caused them to fail or to not achieve the purity of the enrichment that they were going for. And really, it was plumbing. It was the electrical-mechanical aspects of running the centrifuges that was manipulated. I would think, conceptually, that's what you're talking about, Peter, right?

Peter Hitschler: That is correct. You've got this exact right, Kip. Because if these little things can't interrupt an entire nuclear power plant, a little something they get their hands on, and can intrude from the outside, manipulate it in that way that there's software created, there's some way for them to, call it hacking, and they can start taking over controls and just go and run with it, and they basically can interrupt everything, and they can make life living hell for that particular country, for that particular animal that you're trying to intrude, the ship, the sub, the aircraft. And that can bring these things down, and that can cost lives. And I think it's nothing more precious than life of our soldiers, and we need to protect that. Again, I have to come back to that. That's part of me. This is why I'm so engaged and involved.

People think I'm overdoing it sometimes, that I'm so involved in it. And I said, "You know what? I don't care what you think. I think, to me, and to the company, it's important that I've evolved because I'm a chief executive here that has responsibility, and I don't like the boys and girls from the three letter company show up at my doorstep, flash their golden badges, and say we're in an orange jumpsuit." I'm not planning on doing that.

Kip Boyle: Right. That's great.

Jake Bernstein: Well, and just listening, I think, to this conversation, sometimes I feel like there's a lack of seriousness in the world right now, just around all sorts of topics. Everything is, to some degree, a joke, whether it's politics or the economy or COVID-19, and I think that it's important to remember that a great deal of the world remains very serious, whether we want to take it seriously or not. And for the defense industrial base, cybersecurity is no joke. It is of the utmost seriousness because you're exactly right.

I mean, I think the Stuxnet example is great because those were little actuators, right? We're talking about almost the same type of thing. And if you think about what happened with Stuxnet and just the risk that is run, I mean, if we automatically could just know all the potential ways that these items could be misused, that would be handy, wouldn't it? But the fact is that, by definition, attacks like that are built off of vulnerabilities and possibly zero days that, by definition, nobody planned to have those there. That's why you have to remain vigilant. That's why you have to have the processes and the policies and to always follow them.

Peter Hitschler: Yeah. Spot on there, Jake. I 100% agree. And not to forget, if something happens to this company, the reputation, not only mine, I don't care so much about myself. I care about the reputation of a company. If something happens and we deliver product that has been put on the spot or something has been brought onto a ship on the motherboard and one of our products and it goes out there and we lose a ship in the sea, out in, let's say, in a crisis, the reputation of Tri-Tec is down the toilet. Forgive my blunt language on this, but I believe it's important that everybody in the position similar to mine makes it their utmost and foremost responsibility to preserve reputation, preserve security, and make sure that the product that you deliver is 100% secure and not jeopardize or create havoc in any final product that was delivered that's going to be on there, and then we jeopardize lives, or we may lose a war, or whatever that might be including.

People may think I'm overthinking this a little bit. Hey, that's their opinion, I think. But I make sure we are safe, our reputation is not in jeopardy over here, and we deliver a sound product that is second to none. That's important to us. And that secures employment for 60 families in here that are working for me, and I have to make sure that I can deliver their paychecks. Subsequently, they get food, and we have a product that we send out there to the Navy, and the Navy is, in my book, from our end, at least, I can say secure.

Jake Bernstein: Yep. Kip, do you want to ask about the team sport concept here? I think it's probably a good time for that.

Kip Boyle: Well, actually, I think you already did a great job of prompting Peter on that note. What I was actually interested in is the False Claims Act, because we recently did an episode on the Lincoln law about how the federal government is using the False Claims Act to sanction defense contractors that are not telling the truth about how well they're protecting the data. I just figured as the attorney on the show, it was your first right of refusal to ask that question.

Jake Bernstein: Oh. Well, I didn't scroll far enough down the script here. But I mean, we just saw a major company, it was Aerojet Rocketdyne. Is that the of it?

Kip Boyle: Yeah. Yep.

Peter Hitschler: Rocketdyne, yeah.

Jake Bernstein: I mean, their products took us to the moon, literally. So they've been around a long time. Peter, the False Claims Act is probably going to come up more and more, and I don't know how familiar you are with it, but essentially, it allows the federal government or private individuals to blow the whistle on anybody who's selling things to the government. It doesn't sound like you need that additional motivation. I think you've got that down. But it is worth pointing out that when you're a government contractor, there is always the False Claims Act out there, and that's one of the things that's going to be used for it, is being used for, is you're supposed to have this level of cybersecurity. You said you did, which is generally what happens.

I mean, let me put it this way. You're not going to get the contract if you say, "Oh, actually, we're not really secure. We're not ready for that." And hopefully most companies are honest about that. And the thing about cybersecurity is they may believe they're honest, or they may not fully know. And I think that's really the scary thing about cybersecurity with the False Claims Act, is that people think that it's a false claim, so therefore, you must have known you were making it. I don't think that's always true, and there's not really an intent factor here. It's "What was actual reality?"

Peter Hitschler: It's hard to prove, yeah.

Jake Bernstein: It is very hard to prove. It's very hard to prove. I'm just curious, do you have any strong thoughts about the use of this Lincoln law?

Peter Hitschler: Well, the Lincoln law is a whistleblower act, whichever way you want to call it. It's an important feature out there. I believe folks that know about something that has been ... or companies that make a statement, "Hey, I'm secure. I'm cyber secure because I believe so," it's not enough. And if somebody knows in my company that I have a loophole somewhere and they're not talking to me about it, then I'm making a statement out there, "Hey, I'm cyber secure." On SBRS, I'm listed. I got my CMMC level three, et cetera. It's all on there. They're called basic. It is there because I have to re-certify every year. I have to be sure that I do what I say and say what I do. And if I have somebody out here that tells me, "Peter, you're in jeopardy because this and this is a loophole that you can be intruded by, or jeopardizing your cybersecurity," I will take action. And if I don't, then I am as guilty as charged that I'm making a false claim, agreed, and that puts me in jeopardy. And I will raise hell if I ever do that.

That's one thing I will never do, is make a false statement because I hate orange jumpsuits. Trust me. I'm not into that. So I don't want to engage lawyers. And on that particular set, I'm engaging in having drinks or play golf or whatever, in case anybody wants to. And I have a bunch of lawyer friends, and this is why I'm very mindful that whatever I say has to be the truth and nothing but the truth. And I have nothing against people that go out there and play the whistleblower because their bosses may be rejecting the reality that they are in violation of that law, call it that. And then they should pay the consequences. That's my opinion.

I mean, people may think I'm a little brutal. Fine. Be it, then I am. But I'm willing to put my head on the table for this company because I can say for certainty that we are cyber secure, and if there is something that is not 100% right, I'm shutting the system down and fix that particular problem until I'm 100% certain, "Hey, I am cyber secure again," because if I don't do that, I am guilty as charged, and I might as well forget everything because my values go out the door. And I have values that are more important to me than anything else.

Kip Boyle: Well, I don't think there's any questions about where you stand on the False Claims Act. Peter, thank you so much for weighing in on that. As we come to the end of the episode, I had one more question for you, which is, and I think you've talked about this, but I would love to just hear a straightforward thought from you about the benefits of a strong cybersecurity program and your level of involvement with it. You had said to me before that it really frees you up to focus on the business goals if you have a strong cybersecurity program. Did I hear you correctly? And how does that work, from your point of view?

Peter Hitschler: Well, cybersecurity is one of the base holds that I have to have in place, measurements to make sure this company can survive and live. In order to be successful in the business with working with the government, you have to have cybersecurity. It's one important item to make a stool stand up straight, so to speak. If that leg is missing on my stool, I'm going to fall. I'm going to fold, fold the company, and I'm not playing on doing that. So it is important to be successful in a business.

I have to have a cybersecurity that wakes me up and makes sure that I am legit, that I am secure, and I can deal with the government and everything else without having to think, "Oh, wait a minute. Did I do this thing? Or is there something maybe that I'm missing here?" So I don't want to have second guesses or doubts about something. So I have to make sure to have my security in place, my cybersecurity, that is, as well as all security, but that's for a different day, maybe, to talk about. And then I can say my product and whatever we deliver is 100%.

Kip Boyle: Yeah. So you'll have confidence, you'll have peace of mind, you'll know that you're representing the products that you sell accurately. Yeah, that makes a ton of sense to me. Well, Peter, thanks so much for agreeing to be our guest on the show. Really appreciate your perspective on this topic. If somebody wanted to connect with you, if a listener of the audience wanted to speak with you or just find out more about Tri-Tec, how would you like them to do that?

Peter Hitschler: Well, they can always reach out by our website. We have www.tritecmfg.com, and then we also have the phone line. I have a phone line. I'm also on LinkedIn. You can reach out to me at any time. Send me an email to phitschler, P-H-I-T-S-C-H-L-E-R, @tritec, T-R-I-T-E-C mfg.com, and I'm happy to assist. If I can answer questions, anytime, please feel free to reach out.

Kip Boyle: That's super generous of you. Thanks so much. Jake, did you have any last questions or comments for Peter?

Jake Bernstein: No, I think this has been a great episode because I think it's a little different perspective than we often bring. And I think the viewpoint from, first of all, having a government contractor, but also just a business leader who's also so heavily involved in cybersecurity is really refreshing, and I think that going forward into the future, it's likely to become a requirement. Whether it's a practical requirement or a legal requirement, that's probably not clear yet. But I do think that the days of, certainly, the board being able to not worry about cybersecurity have ended.

Kip Boyle: Yeah, yeah. And I'm so glad, Peter, you joined us, because I really do think you're a model for what senior decision makers are going to have to do in the future with respect to data protection and systems protection. So I just love that we got to share you with our audience.

Well, that wraps up this episode of the Cyber Risk Management Podcast, and today we took a look at the relationship between cybersecurity and business in a way we've never done before, and we did that with our guest, Peter Hitschler. He's the chief operating officer and general manager at Tri-Tec Manufacturing. Thanks so much again, Peter. Hey, everybody. We'll see you next time.

Jake Bernstein: See you next time.

Voiceover: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.