← Back to Blog
Podcast Transcript

Government Cyber Security Breaches, Trust, & Why Many Systems Are Designed to Fail | Alexander Rogan

Alexander Rogan discusses critical cybersecurity issues in government and public systems. From data breaches to systemic vulnerabilities, Alexander reveals why many government systems are designed to fail and what innovative approaches can actually protect sensitive information and rebuild public trust.

Government Cyber Security Breaches, Trust, & Why Many Systems Are Designed to Fail | Alexander Rogan

Watch the full episode: YouTube

Episode Summary

Alexander Rogan discusses critical cybersecurity issues in government and public systems. From data breaches to systemic vulnerabilities, Alexander reveals why many government systems are designed to fail and what innovative approaches can actually protect sensitive information and rebuild public trust.

Key Topics: cybersecurity, Alexander Rogan, government security, data breaches, public trust, system vulnerabilities, information security, Abatis, technology policy, digital infrastructure

Conversation

Evan Meyer: 00:01.817 Hello everyone, welcome to another Meyerside Chats. And during this holiday season, I have a wonderful guest with me today, Alexander Rogan. Welcome to Meyerside Chats.

Alexander Rogan: 00:17.144 Good evening or good afternoon Evan, depending on our time zones, but great to be here.

Evan Meyer: 00:23.779 Great to be here too. I only talk about the holiday season because I have this holiday seasonish plant behind me. I don't think our conversation will revolve too much about the holidays. Let me give you a quick AI assisted introduction with some of my own personalizations. And then we'll get a little bit into your background and some of your amazing insights and stories.

Alexander Rogan: 00:34.488 Probably not. Probably not.

Evan Meyer: 00:54.837 Alexander Rogan brings a rare mix of 15 plus years living inside Russia, first-hand exposure to Russia's security services, and early experience surviving a coordinated insider cyber attack. His background gives him a geopolitical lens few cybersecurity founders have. He's now leading Abatus, a military-grade patented cybersecurity technology used by governments and critical infrastructure for 20 plus years with zero breaches.

Unlike detection tools, a beta stops attacks before they execute, saving organizations billions wasted on reactive solutions. On Meyerside Chats, we spend a lot of time talking about trust, how it's built, how it's broken.

and how hard it is to restore once people lose faith in institutions. One place that trust quietly lives and quietly erodes is inside the digital systems governments rely on every day. When those systems fail, citizens feel the consequences, identity theft, disruption of services, and fear, to name a few. In today's conversation, we're going to explore all of this and its relationship to improving our public systems and our democracy. Alexander, thank you for being here.

Alexander Rogan (02:09.12) It's a pleasure, Evan.

Evan Meyer: 02:11.747 Why don't we start, just give me a little more background about yourself and the biggest problem you're trying to solve right now with regards to your cybersecurity company.

Alexander Rogan: 02:22.477 I was fortunate enough to buy Abatis Security Innovation Technologies, GmbH or GmbH, three years ago. I was introduced to the company by my brother in

2017 and then over a period of time I got closer to the organisation and finally June 2022 I was able to become the new custodian of Abarthis.

I was attracted to the business because of its impeccable history, its track record. I don't think there's a security software solution out there that's never had a reported breach. I just don't think it exists. Yet despite being deployed protecting critical national infrastructure in Europe for two decades, up against

fierce interest from, you know, not just criminals but also nation-state, nation-state attackers, it's very much stood that test of time. So I was very, very pleased to be able to invest in the company. And now...

We've democratised it I suppose, it's not now just for military or for governments or for critical national infrastructure, we've made it easier to work with. We spent two years in a laboratory improving it, improving what was already I think the strongest security solution. So we can actually start delivering this to enterprise and to the end user, which is what we're doing now, that's the market that we're in now.

Evan Meyer: 04:26.607 So what kind of government security breaches are we talking about that you help protect? And are there some examples that have happened that you think are noteworthy that people haven't understood or know about or know the implications of?

Alexander Rogan: 04:39.725 Well, I can talk about attacks that have happened that had a Bartis been deployed, then we would have stopped. One of the most notorious was the SolarWinds hack, where Russian intelligence hijacked

SolarWinds code and then was distributed amongst I think just about every federal agency that there was in the US and then they were sat inside those agencies for a number of years. Abartis

is fundamentally different to traditional cyber security technologies. Abartis will stop an attack before it starts. Our competitors are operating with a...

managed detection or response model. So the problem with that is you kind of have to have a breach before you start doing your work. So the bad guys get in, then you eventually identify that there's been a breach, you try and see patterns, things that are going on within your IT infrastructure that shouldn't be happening. And then you go hunt the bad guy.

When you found the bad guy, then obviously you can fix the problem, can write the patch and you can sort plug that hole. But the problem is how long are they in there for, how much damage are they doing, what are they doing in there, are they exfiltrating data, if it's a spy organisation, if it's a criminal attack, they could be encrypting your data for ransomware, things like that.

Alexander Rogan: 06:33.949 IBM said recently that the average time to identify and mitigate against an attack is 250 days. And in the IT world, I mean, that's a lifetime. So, Abarthis' great strength is to actually stop that attack before it starts.

Evan Meyer (06:49.26) yeah, might as well be a decade.

Alexander Rogan: 06:58.421 So the cost savings that we bring are manifold. mean, it's just, you know, we de-stress environments. just, you know, when I talk to a risk owner, the question I ask is, you know, do you want to stop an attack before it starts or not? And, you know, who's going to say no? Who wants to go play whack-a-mole with bad guys?

Evan Meyer: 07:18.351 Well, who does say no? That's a good question. That's good follow-up question, really, is why would someone say no to something like that, other than cost, you know, barrier to entry being cost or something?

Alexander Rogan: 07:26.317 If it's the risk owner, he will absolutely agree with me. You don't want to say no. You want to stop an attack before it starts because of the pain. If it's...

government agencies then we don't just stop bad guys, stop anybody getting into a computer system by default. people who want to watch what's going on in computer systems, not necessarily the bad guys. It could be the good guys as well, just doing something perhaps they shouldn't be doing, that you don't want them to do. So I've had some interesting conversations with people in government who absolutely don't like what we do, what we're capable of.

but it will protect.

Evan Meyer: 08:15.555 why don't they like it? I must know why a government, knowing what's at stake, how much could be at stake, right, from, we're talking about constituent level, government level employees.

Alexander Rogan: 08:23.321 I think, Evan, I think that there is a school of thought out there that a good offense trumps a good defense. And they do not like the fact that you can stop people arbitrarily getting into your computer system. There is no defense, practically no defense against

what's called a zero-day attack or an unknown. If the bad guys or the good guys turn up with your computer system and you're using traditional antivirus, traditional cybersecurity tools, if your traditional cybersecurity has not been introduced to the technology that the bad guys are using against you, it will not stop it.

That's a zero day. A Bartis will stop a zero day in the same way that we will stop a forced update from your vendor or indeed from Microsoft. I mean, Microsoft issue patches.

you probably want to test the patch before you deploy it. just don't allow anybody to just upgrade your computer system. Always test it first and test it in pre-production. So our code doesn't differentiate between a bad actor, a threat actor, or a forced update from your IT provider. Both can be equally damaging.

In fact, up until when we were, last year I think it was, CrowdStrike, one of the biggest, most successful cybersecurity companies, had a very, very unfortunate incident where one of their bad updates crashed like eight and a half million computers globally. Billions of dollars. Yeah, mean, everybody, yeah, I mean, think the airline, yeah.

Evan Meyer: 10:26.439 yeah.

Cloudfare? Was it Cloudfare?

Alexander Rogan: 10:31.277 Yeah, no, no, no, no, that's another that's another now. This is crowd strike Cloud for Cloudflare was more recent. Yeah, that's a more recent one. Everything well a third a third of the world's websites went down Which is another?

Evan Meyer (10:34.22) That was the other one. okay.

That was the more recent one where like, it was like Adobe, Adobe was down, Yeah. Yeah, I remember it impacted me like three things I used were down. I was like, this is wild.

Alexander Rogan: 10:52.493 Yeah, well my marketing team was saying, you know, we can't use Canvas, can't, know, Zoom's down, you know, we can't do this, we can't do that. I mean, was just the problem, sidetracking slightly, the problem there is you've got, there's no decentralization anymore. Yeah, you've got such a concentration of services in a very, very small group of companies. And that's dangerous.

Evan Meyer: 10:58.009 Yeah, right. Yeah.

Evan Meyer: 11:02.701 Someday.

Alexander Rogan: 11:18.061 And so is trust. We operate, propagate, push, zero trust. Don't trust anybody. You can't. You can't outsource your risk.

Evan Meyer (11:18.36) Right.

Evan Meyer: 11:32.398 Right.

Alexander Rogan: 11:32.469 So if you're the risk owner, it's your company, it's your business, you cannot outsource that risk. So why on earth do you trust, whether it's Microsoft or AWS or CrowdStrike or anybody else, any of the others, why would you trust them with your business? Read their SLAs. Yeah, so.

Evan Meyer: 11:50.127 Yeah, of course, or with your, or just to bring it back to government with your constituents and with your information or why would you...

Alexander Rogan: 12:00.491 Yeah, no, look, you're right. you've got, you see these dreadful situations where entire cities have been knocked over. Yeah, because they've got a problem as well because they're told by the industry, you're running legacy equipment, you've got old IT equipment, you've got a junkie old by the new, then we'll make you safe. It's a fallacy, it's complete rubbish.

Evan Meyer: 12:29.229 Yeah, that's pretty, is there, so are there maybe incentive structures that need to change? it, you know, in order to understand the full impact of what you're talking about, what needs to happen within government? Is it, do they have to hit rock bottom? Do they have to have some, you know, especially now with how fast AI can, you know, AI hacking or like,

Alexander Rogan: 12:30.326 Yeah.

Alexander Rogan: 12:56.781 They're at the bottom now, Evan. Yeah, they're at the bottom now. Yeah, without a doubt. I mean, that's not to say it won't get worse, but we're just going to get more of the same. Yeah.

Evan Meyer: 13:08.067 We'll use a DMV. Let's start with the DMV, just because it's relatable to everybody, Traffic tickets and the DMV. And taxes, IRS. IRS DMV. Two acronyms, everyone in America knows really, really well.

Alexander Rogan: 13:24.831 Everybody loves, yeah. They're going to be really upset when they get hacked, aren't they?

Evan Meyer: 13:28.855 Well, so let's dive into that because the DMV, you know, I've worked at the Senate before. I've seen, been privy to some information around bills and how the DMV works, moving traffic citation bills, for example, and what that has to go through and how hard it is for the DMV using their old, I think it's Oracle.

I just remember seeing something that I was like, all right, to make this traffic citation change in the policy, we need, it cost half a million dollars or something to make the change, the impact of the fight, fiscal impact to make that change. So you have to wonder, what's going on at the systems level at these computers?

Alexander Rogan: 14:12.343 Well, I can be a bit of a cynic and I can't remember who it was in Washington who said follow the money, but there is always, you know, there is a lot of unnecessary spend going on, propagated, I think, by our industry. I mean, our industry...

Evan Meyer: 14:16.163 Yeah.

Evan Meyer: 14:37.763 Security industry.

Alexander Rogan: 14:39.115 Yeah, but the cyber security industry, we're worth, I don't know, you see anything between 200 and 400 billion a year dollars spent on cyber security. It's a huge ticket. And yet, the damage that's done, the damage that's done to the global economy is greater than the Japanese GDP. It sits just behind China. So last year,

Evan Meyer: 14:41.145 Snipers good.

Alexander Rogan: 15:07.521 The cost to the globe was $10.5 trillion.

Evan Meyer: 15:12.043 in terms of mitigating attacks or in terms of...

Alexander Rogan: 15:14.721 Mitigating, clean up, damage, businesses failed, governments having to set in and support industries, it's absolutely huge, colossal number. So you're spending 400 billion and you're not stopping 10 and a half trillion dollars worth of damage. The companies who are doing the invoicing, they're doing the billing, they're collecting the money from the clients, are spending more money on sales and marketing than they are on research and development.

Evan Meyer: 15:20.141 Wow.

Evan Meyer: 15:24.323 Yeah, devastating. Wow.

Evan Meyer: 15:44.075 I wonder if it's because they can't feel it directly sometimes, right? If the impact to them is like, it impacts other people and we don't get enough complaints. Is there political will even to move the needle?

Alexander Rogan: 15:53.677 You're absolutely right and that is questionable.

I kind of sometimes, know, depth of despair is you think the industry needs like a Michael Moore moment, you know, somebody to come along and make one of those dreadful movies like Michael Moore did in the past with, you know, pharmaceutical or tobacco industries. Because I, there's 400 billion reasons out there not to make a change. 400 billion reasons not to fix a problem. And what we're seeing in the industry is old

Old ideas are being rehashed, they're sticking an AI prefix on there, putting a couple of zeros on the end of the product, pushing it out, and they're telling people that you're going to be safe. And it's patently not true. Organisations are not safe against the current threats that are out there with the current security methodology that's being used.

Yeah, you used to have...

Evan Meyer: 17:01.209 So let's go, I want to use the DMV as an example. all right, take me through, and by the way, I think all DMVs should be hot pink. I think they should paint the whole building inside and out hot pink. I think it would make a way better experience at the DMV. I've always envisioned that, you walk in, it's just, know, like Barbie land.

Alexander Rogan: 17:04.815 Okay.

Alexander Rogan: 17:24.747 Well, they're going to walk in with a smile, aren't they?

Evan Meyer: 17:28.203 That's the whole idea. People don't really smile at the DMV. I feel like if the whole thing was hot pink, it would be the happiest place on earth, instead of a place people generally don't want to go. But let's use that as an example. Sorry. Quick tangent. I want to use that as an example. Let's say what could happen and how a betus could prevent something, would prevent something.

Alexander Rogan: 17:51.937 Well, what could happen is a number of things. Best case scenario, I guess, is the threat actors get in there and they ransom the data. Yeah, so they deploy a malware. DMV has not seen this before. And the bad guys get behind the security defenses and they encrypt the data.

And then they hold the DMV to ransom for an awful lot of money. That's probably the least worst situation. Ratchet at upper scale. Look at, what's going on that's going on in other parts of the world. Look at some of the previous examples of large scale attacks. Bad guys could deploy wipers and just destroy the data.

or they could be really innovative and they could change the data.

Evan Meyer: 18:55.583 man, yeah.

Alexander Rogan: 18:56.685 Right, now you used a DMV as an example. Now, you imagine if they got into the Department for Pensions, pensions payments. You want to cause a catastrophe in a country. The guy that gets paid $5,000 a month on his pension, you pay him $500. And the guy that only gets $500, you pay him $5,000.

Evan Meyer: 19:21.804 Yeah, just update the database to change the numbers that people are expecting. Yeah.

Alexander Rogan: 19:26.013 Yep, and that's you know that that that that's just a switch I mean that's you know that's something that would be relatively straightforward now these are This is something that would either be done by anarchists or nation-states hell-bent on causing disaster Yeah If people don't get the money they expect what's going to happen? Yeah, you'd have

Evan Meyer: 19:47.929 So what's stopping them right now? What's the layer right now that's preventing those things? We don't hear too much about that. I'm guessing things have happened in government and they don't tell us because it's not good if they were to, you're right.

Alexander Rogan: 19:59.455 Yeah, I am sure and I'm not privy to what they're not telling people about so I understand when they do because it comes out, it's public and it's pretty bad. Look, you've got dedicated people out there doing the best that they can.

Evan Meyer: 20:05.955 Me neither.

Alexander Rogan: 20:18.847 with tools that are not fit for purpose. mean, our biggest challenge is education, I think that's the biggest thing we need to do. We need to educate people that there are different ways of fixing a really bad problem. So you've got a lot of dedicated folk out there who working really, really hard using the tools that they've got. you know, they've got to get lucky every single day and the bad guys have only got to get lucky once. Yeah. And then they're in and then you've got, you have these examples that we've seen over and over.

you know, whether it's a city that's gone down and now all of a sudden everything's having to be done on paper or facts or something like that. Hospitals that are taken down, all of a sudden they can't do operations. In Europe we've had people die on the table because the hospitals have been ransomed. yeah, these are really, you know, the people who doing this are pretty despicable. Real stories, real stories. Berlin, university hospital in Berlin.

Evan Meyer: 21:07.556 man.

Evan Meyer: 21:11.149 Real stories. Yeah.

Alexander Rogan: 21:17.229 Three or four years ago there was a ransomware attack and a on the table, he died on his way to the other hospital. It was just a horrible situation. So these are life or death situations that are going on now. These are real problems.

Evan Meyer: 21:36.227 Why are they doing this? The bad guys. What is in it for the bad guys that makes them want to create this kind of havoc?

Alexander Rogan: 21:45.159 In the case of the hospital attack, it was purely financial. So they were looking to achieve a return on investment. And they're businessmen. I mean, they're despicable people, but they're still business people. They're looking for return on investment. If you look at...

attacks against US critical national infrastructure. Christopher Wray gave a speech, I think, to US Congress February 2024, I think it was. He was the former head of the FBI, or certainly a senior FBI officer. He talked about how Chinese APT, Chinese Advanced Persistent Threat actor

had got into critical infrastructure in the United States and had been in there for over five years. And the type of attack that that was is the next example because this wasn't about ransomware, this wasn't about data exfiltration, this was about waiting to turn the lights off. So if you had a situation where

Evan Meyer: 23:00.164 Hmm.

Alexander Rogan: 23:05.249 Hypothetically, China decides it's going to invade Taiwan. And it's worried about Uncle Sam coming and helping the Taiwanese fend off an attack from China.

from the People's Republic of China. So what do you do? You cause massive, massive disruption at home. You turn off your telecoms, you turn off your water, you turn off your power, you make sure the banks don't work, the food supply closes down, the trucks can't go, there's no fuel in the fuel stations, all of this kind of stuff. You can absolutely do that with a cyber attack, totally. It's a flick of the switch. And using the right...

malware it's not difficult to do. There is very very little people can do against attacks that they've not seen before. If you turn up with malware that's new, that's original, you can't, if you're using traditional methodologies you cannot stop again. It's highly highly unlikely you'll stop it. And people come back, they'll push back Evan, they'll push back but look at

Evan Meyer: 24:05.443 Yeah, well and.

Alexander Rogan: 24:10.825 Look at SolarWinds. The Russians were in the White House for two years, for God's sake. They were in the cameras watching the prison. For two years, nobody realised what was going on. You can't accuse the White House of not having the right sort of budget and the right guys to actually have the right level of protection. The White House is probably one of the most protected IT infrastructures in the world.

But the bad guys were able to get in there because their methodologies were better than the defences. And that's your problem. At the moment, everybody's playing catch up. The bad guys are ahead. And I think it's just a case of whether a Russian or a Chinese nation state attacker

want to do damage to a given country's critical national infrastructure and get caught doing it. Yeah, because that becomes an inactive war, doesn't it? But it's very, very difficult to actually attribute the people behind the attack.

I mean they'll look at the clock, they'll look and see what time these attacks are going on, you when the bad guys are doing things within the IT infrastructure. And they'll say, that implies the guy got to work at 9 o'clock Moscow time, started work 9.15, clocked off at 1 o'clock for lunch, started again at 2 o'clock Moscow time and went home at 5.30.

Well it's very, very easy for me to put my clock to three hours ahead and I'll start work and I'll pretend or I'll work to a Russian clock. It doesn't mean that it's the Russians that doing it. You don't know who's doing it. That's the problem.

Evan Meyer: 26:01.709 Right, right, right. So let's jump a bit into the AI components of this. How does AI make these attacks easier and how are those prevented? How can those be prevented?

Alexander Rogan: 26:23.831 This is where we get to the point of where we are pretty low on the scale at the moment. This is where it's starting to become very, very dangerous.

AI is a massive force enabler for the bad guys. So we've had examples recently where bad guys have trained AI to go hunting for vulnerabilities, to write the code on the fly, and

successfully attack infrastructure. So that's happening now. There was reports last month about the Chinese using Anthropic, so which is what, is that Claude? And so they used a public accessible AI tool at scale and went off and created Carnage. So you've got that situation.

Evan Meyer: 27:24.687 Mm-hmm.

Alexander Rogan: 27:32.437 You've got situations where in the past if a vulnerability had ever been identified in code, whether it's on a firewall or in a server or even in your AV, you used to have, you go back a couple of years, you probably had two weeks to issue the patch, test the patch, deploy the patch and make your environment secure.

That two weeks was the time it took the bad guys to take the same information that's been made privy to me, because I'm using Fortin out, I'm using Cisco, I'm whoever it is that's got a Citrix, whoever's got the problem with their system. I get the information, I know that I need to fix it because I use that operating system or I use that kit. The bad guys got the information at the same time.

So the bad guys will then sit there with their coders and they'll write the code to try and weaponize what they've got from the researchers that are telling them all about the vulnerabilities. used to take two weeks. Bad guys are now using AI and they're weaponizing a published vulnerability in minutes. Yeah? So that patch problem that you used to be able to solve, you cannot solve that now.

Evan Meyer: 28:47.971 Yeah, yeah. That's wild.

Evan Meyer: 28:57.743 So now I imagine you'd have to use the same, at least understand the same tool that they're using. So say it's Claude, you would use Claude's LLM API, whatever, to protect from the things that it's finding to find the vulnerabilities. Something like that. At least for Claude. Right. Yeah.

Alexander Rogan: 29:11.886 Which is, which is...

Alexander Rogan: 29:16.726 Right, yeah, and you'd think that would make sense, wouldn't you? Except you've got a number of issues here, yeah? We're the good guys, so we teach our LLMs in an ethical way. We train it on data that's ethically sourced. It's like...

It's like I'm playing by Queensbury rules for boxing and I'm getting in the ring with an MMA specialist.

or taking a knife to a gunfight. mean we are just completely, completely out, out manoeuvred. The bad guys are training their LLMs on anything that they can get their hands on. And we, as the industry now, and it's not my company, but just the industry generally, is playing catch up. The problem you've got is it's the same old reactive model.

waiting until there is an attack, but the problem you've got now is that with the advent of LLMs, the attacks are coming in so much faster that people don't have time to issue patches, to do regression testing on the patches. They're having to take risks with their IT estates that they just don't want to have to do.

Evan Meyer: 30:45.551 Sure. Believe it or not, think it's even, I mean, and this is massive, but I'm going to call it a microcosm in this context where if this political systems, and this is I talk about like incentives and policy, like something needs to change because government right now can't make policy change in any nimble fashion, right? Places take, you know, California, I'll give an example. You know, it's every year.

Right? You can make policy changes. You can't just change the California Constitution. It goes through a process. So, let's, you know, and I don't believe there's anywhere that any state, think they all follow some similar sort of structure, right? Where they can, it goes through committees. I mean, it's a big process to get something turned into a law for the right reasons, at least for the last few hundred years. But now we have something that is so fast that if, if,

Alexander Rogan: 31:17.858 Yeah.

Alexander Rogan: 31:21.602 Yeah.

Alexander Rogan: 31:32.908 Yep.

Yeah.

Evan Meyer: 31:44.959 and is gonna change so rapidly, whether it's security attacks or decisions that need to be made around policy. My opinion is that the political system needs to become agile, like software development, at the speed of AI. Or cyber attacks are just sort of the beginning of the issues. There's just no way to keep up to what's needed at a legislative level.

Alexander Rogan (32:08.79) You're never going to beat, in my opinion, you will not beat an AI driven threat actor using AI. Because you are reacting and you are still...

having to pattern match, still having to look to understand what the bad guys are doing. They are now operating at machine speed. So they are able to find vulnerabilities that you do not know about to get in. They're able to change their code, the malware that they're using, polymorphic malware. This is malware that will rewrite itself. It'll hide itself, it'll obfuscate itself, it will get into the target environment.

and your AI is looking for the pattern, it's looking to recognise a family of malware. Well if it's not seen it before, doesn't matter, it just won't see it. What you need to do is to re-architect your IT infrastructure.

Evan Meyer: 33:15.267 You won't

Alexander Rogan (33:31.05) at the base, absolutely at the base, at foundation level and just absolutely refuse any changes to that operating system unless you actually give it permission, use the risk owner.

And that's what ABATIS has done for the last 20 years and it's protected military civilian nuclear facilities, protected air traffic control systems, it's protected government databases, it's protected pharmaceutical companies, railway networks.

All of these organisations that deployed it did not suffer a breach in the environment that's been protected by Abartis. Because you can absolutely do that. It's just, it's not popular because from the industry's perspective, once you deploy Abartis, that's it. We're not going to come back next week, next month, next year and say you need to buy a new version of Abartis because the bad guys have raised their game.

Abarthis does what it does. It stops these changes at the operating system level. It's a fit and forget solution. The return on investment is immediate. And that's something that our challenge is getting through the noise that's made by the industry. If you imagine these companies are spending hundreds of billions a year on marketing.

They're going on these road shows, they're making these outrageous claims about the security that they're supposed to be providing, which they're not. And that's evidenced by the damage that's being done to the world. Our challenge is getting through that, but I do think, and I think you sort of said about how things are changing. I think things are changing because things have to change because things are so bad.

Evan Meyer: 35:30.191 Yeah. Well, don't, yeah. Yeah.

Alexander Rogan: 35:31.522 Yeah, they are. it's, you know, it's, and if, you know, if the director of the FBI turns around and complains that the Chinese have been in US critical national infrastructure for five years, that's pretty damn, that's pretty serious. And they're still there.

Evan Meyer: 35:45.901 Yep.

Evan Meyer: 35:54.607 Well, I guess because it's reactive, I guess my, to debate it a little is like, aren't they doing it now? Like, why doesn't the state of California do that now? Is it job retention? Is it, there's gotta be a reason why.

Alexander Rogan: 36:16.142 I don't think, no, I just don't think they know. They're not aware of what the possibilities are. And I think we're promoting the methodology. We're talking to people about the methodology. And genuinely, I've had so many times I've spoken to people and they've said, why is this not being used everywhere?

Evan Meyer: 36:23.161 as Yeah.

Alexander Rogan (36:43.18) Now why is it not absolutely everywhere? Well, it's an easy answer. The company was small, the company was under resourced before we bought it. And the guy that ran it ran it his way. And he was very pleased doing what he was doing. But he wasn't out looking to protect the world. And I'd like to do that. Yeah, look, we could...

Evan Meyer: 37:04.483 Yeah, you have a bigger vision around what's possible. Yeah.

Alexander Rogan: 37:10.582 A Bartis can go on anything with an operating system. So that's ITOT and IOIOT, Internet of Things. It's probably got the lightest touch on the planet. It's under 100 kilobytes in code. It's absolutely tiny. So it can go on your pacemaker.

Evan Meyer: 37:19.289 Hmm.

Evan Meyer: 37:32.633 Mm, yeah, wow.

Alexander Rogan: 37:33.826 Yeah, you can't, you know, it can go on a security camera. It can go on the HVAC. It can go on the air conditioning unit in a smart building. It can go traffic lights. I mean, these are all attack vectors that the bad guys are using that traditionally you cannot protect against. Point to sell devices, ATM machines.

and it will protect all of the old equipment. And that's just not popular. Microsoft, them, are pushing for the world to landfill Windows 10 machines. Why? Because it fits their business model. Because they don't...

They don't want to provide security for old equipment. They want people to buy new machines. That's their business. That's their business model. That's how they make the money. They get you to buy new equipment every two, three years. mean, look, we've seen this. The cell phones, know, I'd go back like 10, 15 years. Your cell phone would probably last you five years.

Now it starts to break up at like a year and a half and at two it's dead, you've got to buy a new one. I mean it's built in redundancy isn't it? That's the model that's out there. you you can't, I'm not picking on Microsoft but there's nothing wrong with those machines. You could deploy a Bartis on those machines, you don't need to rely on Microsoft for security and you can run those machines until the hard drives turn to dust.

Evan Meyer: 38:47.405 Yeah. Yeah.

Alexander Rogan: 39:09.196 and before they turn to dust you migrate your operating system onto a VM and then you can run it forever.

Evan Meyer: 39:15.565 Yeah, well I'm guessing governments are running on it at most. They're not putting the best machines there right now.

Alexander Rogan: 39:21.708 No, well, yeah, I hope the DOD and places like that are using a really modern kit, but yes, certainly, you you go into your local city, they will have a lot of legacy equipment, and the guys who are running the security there will be worried.

Evan Meyer: 39:37.388 yeah.

Evan Meyer: 39:43.151 Yeah, and they're using legacy applications too. I know, you at my time, think they were, you know, they're using Windows. I forget what it was, but it was old. The new one was 10. It was like three or four generations old. Outlook was, you know, not even the latest.

Alexander Rogan (39:53.9) Yeah.

Alexander Rogan: 39:57.454 Yeah, yeah. Well, we go back on the shelf without having to compile code or write anything else off the shelf all the way back to NT4. That's 1996. Yeah. We've had some interesting requests. I mean, we're writing code for some machines that look like...

Evan Meyer: 40:09.965 Yeah. Yeah. Wow.

Alexander Rogan: 40:19.232 coffee dispensers, mean these things are huge, these spinning discs are like that big, it's old Unix machines and things like that. You shouldn't bin it, you shouldn't destroy it, get rid of it, if you can keep using it.

Evan Meyer: 40:24.876 Yeah, yeah.

Evan Meyer: 40:44.173 Well, with something like a Betis, sounds like it doesn't really matter if it's old or not. it fits. Yeah.

Alexander Rogan: 40:49.006 It doesn't matter. the older the equipment, the bigger the use case, I guess, because you can't put modern cyber security architecture on old equipment. It won't fit. You'll cause the operating system to fall over. It's too complicated. With us, 100 kilobytes of code, it just doesn't matter. It'll sit nicely in the operating system and do what it does.

Evan Meyer: 41:08.793 Sure. Yeah.

Evan Meyer: 41:17.935 So do you think that politicians should be looking at cybersecurity as like a core pillar of their platforms and building trust similar to public safety in a sense?

Alexander Rogan: 41:23.746 hugely.

Alexander Rogan: 41:27.374 Yeah, yeah, look, it's everything. I totally agree with you. The world is digitizing. Yeah, I mean, it's just, you we've got this fourth industrial revolution that people are talking about. You look at Web 3, you know, the speed that the world is adopting.

the latest technology, the connectivity that's coming to the world, the Internet of Things. I mean, it's phenomenal. What it can do for good is absolutely amazing. But as fast as we're running to develop this, we seem to be forgetting that we need to make it secure. So I think if politicians were actually responsible for this,

for a solution or delivering a solution, then I think we probably wouldn't be in such a difficult place as we at the moment.

Evan Meyer: 42:35.737 Sure. Well, finding accountability and taking responsibility with politicians is tricky because, for a lot of reasons, but we'll just start with the news being so far removed from the source information that you can sort of craft any story at this point, throw it into the social media machine, and you'll have some people believe it.

Alexander Rogan: 43:00.184 Yeah, and then maybe say sorry later, but it's too late, the damage is done. Yeah. Yeah. Yeah.

Evan Meyer: 43:06.969 They're already onto the next thing. Like things move too fast, right? Like we're already just like every day is a new, now we're, you know, what's today's big thing? Minnesota's fraud. This is a fun one. It was in the last, you know, this is an incredible, an incredible thing to watch the news go crazy on and see all sides of this and, you know, money being spent improperly.

Not fun. Not fun to watch that play out, especially when you see, I've seen some of this firsthand. I've seen, you know, you go, boy, that's a lot of money that's thrown into the garbage or given to things that the public didn't expect. And as I'm trying to think of, you know, ways to double down on keeping people safe, you know, what you're offering here is a really, a really important piece of that equation.

Alexander Rogan: 44:03.598 Yeah, yeah, absolutely. And you know, there's environments where, you know, we really want to get out there and help, you know, be altruistic about this, yeah. So, I mean, the healthcare systems are taking an absolute hammering. Yeah, the...

Evan Meyer: 44:04.367 So.

Alexander Rogan (44:28.27) the problem that they've got and this is life and death, life or death, we've seen this in Europe. The education system, these are all soft targets because if it's local healthcare as opposed to some of the big insurance backed players then they don't have the money.

and they take shortcuts so then it becomes a problem. Schools, again unless they are well funded, are probably under resourced on the security side.

They're not of great interest to the big security firms because the money's not there. it slides. We'd like to help those guys.

Evan Meyer: 45:20.633 Sure.

Evan Meyer: 45:24.331 You know, reactivity.

which is how security systems are often thought of, we're discussing, is part of the model of generally, very often capital expenditure or any financial expenditure, like in a government organization or whatever. You can't spend recklessly, you get in trouble. You don't want to spend on things you don't need. You don't generally have a lot of money. You're given a very restricted budget very often, a lot of these systems. They're in a tough situation. And things like security,

you know, just from a small organizational standpoint, you know, it's something you don't think about until you need it, right? Similar with like an HR department. Not the first thing, you don't generally start with an HR department in your startup company, right? HR departments are something that come, I don't know what number, 10, 20, person number 10.

in a software team, what number is the HR person, right? You need enough people to warrant having an HR person, right? Where it becomes very important, but at some point it becomes an administrative burden and you need someone dedicated.

Alexander Rogan (46:26.51) Yeah, very important.

Evan Meyer: 46:36.129 And I'm sad to think that security fits in that category because of how catastrophic it could be. But I fear there's a psychological barrier there or an organizational barrier that has become habitualized in how we think as people and how organizations are built.

because you don't see it until you need it and that could be too late, you're not gonna spend the first million or half, whatever, know, in the beginning and then you're like, uh-oh, it happened. I don't know how to work, how do you work your way around that?

Alexander Rogan (47:14.36) You need to get the risk owner to understand the reality. And the risk owner needs to ask the right sort of questions. A lot of enterprise are like sheep. They'll ask the vendor, who else uses your security tool? And if...

that if there is a lot of take up for a particular security company, you're a retailer, maybe your competitor uses them as well, then you're happy. And you can say to the, the CISO can say to the CEO, well, it's an industry standard. Everybody in retail uses the same organisation. That's risk deflection. The question should be,

where, at what point does your security actually fail? And you won't get an honest answer. The CISOs need to understand exactly what it is that they're bringing on board, who it is that they're trusting with their IT infrastructure, and what have the failures been in the past. And don't take the metrics.

the KPIs that are given to you by the vendor because you can't trust them. Of course they're going to make it look good. They're there to make a sale.

Evan Meyer: 48:47.599 Of course, another funny conundrum that affects the whole world and all of its parts of sales, right, Mike?

Alexander Rogan: 48:57.326 Yeah, yeah, it's all about the sale, not about the security.

Evan Meyer: 49:06.499 Yeah, that could be an incentive structure issue at the sales level, right? The sales employee level, if the company's not mission oriented in the right way, if they don't structure the incentives with the mission, in a sense, know? There's a lot of ways in the cultural building of the organization maybe that can help with things like that. I don't know about secure it, but at least help.

Alexander Rogan: 49:34.926 Well I think, I would say to the risk owner is look at the service level agreement that you are signing with your security vendor and look at it properly. I won't name names but there was a very large cyber security company quite recently who had a big problem with their product that caused a lot of harm.

and one of my colleagues in Germany sent me the local service level agreement and in that it said, words to the effect of, if you are mission critical, if you've got any data that is valuable, if you think that losing your data or losing your operating system could have an adverse effect upon the running of your business, do not use our software.

Alexander Rogan: 50:29.134 And that was, that was, that's part of the service level agreement. Yeah. So the security vendor was saying, we're not fit for purpose. Do not use us in hospitals, do not use us in the military, do not use us in critical national infrastructure within the SLA. At the same time, they're out selling very, very hard into all of those environments.

Evan Meyer: 50:43.727 Yeah.

Evan Meyer: 50:50.212 Yeah, sure. It's all those. It's a protection clause, obviously, if they ever have to go and they go, well, we told you, you shouldn't, even though.

Alexander Rogan: 50:58.062 And that's exactly what they use. this is actually being changed because organizations, software companies in Europe are going to be made responsible for their software. Now, that's going to be really interesting because if you look at, take Microsoft as an example, so every month they come out with patches.

Evan Meyer: 51:13.754 Yeah.

Alexander Rogan: 51:22.638 I mean, most recently, there's a horrendous number of problems that they had to fix. So it means that they're selling a product that is porous, it's leaky, it really isn't good enough. And it's not me just saying that. I Congress really gave Microsoft a hard time talking about the quality of their code writing and the problems that they've got with their code.

Evan Meyer (51:28.27) Mm.

Evan Meyer: 51:42.608 Mm-hmm.

Alexander Rogan: 51:47.672 But the same organization is making billions of dollars a year providing cyber security for a problem that's got, for software that's got problems. So, there's a business model problem here. Yeah.

Evan Meyer (51:52.41) Sure.

Evan Meyer: 52:01.936 Right, right, right, the models, it's deeper, it's at a lot of levels. I wanna respect our time for today. We have a lot of for today and obviously it seems like we could do this for hours, but that was an easy, easy conversation to have with you. I'm grateful for the great work you're doing to protect people.

Evan Meyer: 52:30.928 Hopefully it protects a lot of people and I hope it makes you a lot of money in doing so. The magic of finding the right thing is helping people and making money all at the same time. If you could do both, you've figured out and loving what you do. You have a very important role that you're playing in protecting the new world we live in, right? So thank you. My pleasure.

Alexander Rogan: 52:54.082 Yeah, thanks for that Evan. Yeah, no, you're right. we've got a big job to do, but we've got the right product and you're right, I'm enjoying doing it. So it's good.

Evan Meyer: 53:06.042 Good, good, good, good. It was a pleasure having you on today. Thank you so much. Talk to you soon.

Alexander Rogan: 53:12.078 Likewise, It's good to meet you and thanks for the opportunity to meet and talk.

Evan Meyer: 53:19.256 A pleasure. Happy holidays.

Alexander Rogan: 53:21.324 Happy holidays and have a great new year.

Evan Meyer (53:24.26) and a wonderful 2026. Take care.

This transcript has been lightly edited for clarity while preserving the authentic flow of conversation.

E

Written by

Evan Meyer

January 2, 2026

#cybersecurity#Alexander Rogan#government security#data breaches#public trust#system vulnerabilities#information security#Abatis#technology policy#digital infrastructure
← Back to All Episodes