The real cyber threat isn't someone stealing your data. It's someone quietly changing a one to a zero on your shop floor, and you not noticing until something breaks.
Cybersecurity used to be the topic everyone talked about. Then it went quiet. Now, with AI accelerating attack capability and quantum computing on the horizon, it's more urgent than ever, and most automotive manufacturers are not ready.
In this episode, Jan Griffiths and co-host Tom Roberts sit down with Klint Walker, co-founder of Rule of Three Security and a 20-year veteran of federal cyber leadership. Klint has spent his career protecting critical infrastructure across the southeast, and he knows exactly where the holes are in manufacturing operations.
This conversation goes beyond the headlines. The flashy denial-of-service stories get the press, but the real risk is the integrity attack, the quiet manipulation that changes a value, degrades a part, or corrupts a backup. In a world where OT, IT, and IoT have all converged, the attack surface is bigger than most C-suites realize.
Themes Discussed in This Episode
- Why integrity attacks, not data breaches, are the threat manufacturers should fear most
- How OT systems built for standalone operation became cyber liabilities the moment they got connected
- Why "convenience is the opposite of security" and what that means for your shop floor
- Confidentiality, availability, and integrity: the three pillars and why you can't optimize for all three at once
- AI as a force multiplier for both defenders and attackers, and why only AI can defend against AI
- The quantum computing arms race and why your encryption catalog matters now
- Why 70% of cybersecurity is policy, process, and people, not technology
- The disconnect between the C-suite and the front line on what actually needs protecting
- Why containerizing AI matters: the cautionary tale of an AI that exposed CEO downsizing memos
- Tabletop exercises: making the hard decisions before you are in crisis
This podcast is powered by QAD RedZone.
Featured Guest
Name: Klint Walker
Title: Co-Founder, Rule of Three Security
About: Klint has 20 years of experience spanning federal, DOD, and private industry cybersecurity leadership. He has protected critical infrastructure across the southeast United States and holds a master's degree from the Naval Postgraduate School in Homeland Security and Defense. At Rule of Three Security, he helps organizations build cybersecurity programs grounded in the three pillars of the field: confidentiality, availability, and integrity.
Connect: LinkedIn
About Your Hosts
Jan Griffiths
Jan is the host and producer of the Auto Supply Chain Champions Podcast and The Automotive Leaders Podcast. A former automotive manufacturing and supply chain executive, Jan is recognized as a Champion for Culture Change in the automotive industry. She brings direct, grounded conversations to leaders navigating execution, disruption, and transformation across the global automotive ecosystem.
Tom Roberts (Co-host)
Tom is Co-host of the Auto Supply Chain Champions Podcast and Vice President of Strategic Industry Development at QAD. He works closely with automotive and industrial manufacturers to close the gap between insight and execution, helping leaders move from visibility to systems of action that drive real operational outcomes.
Episode Highlights
[00:03:21] What is cybersecurity, really? Klint opens with the question every C-suite should be able to answer but rarely can. It comes down to three pillars: confidentiality, availability, and integrity, and what those mean is different for every organization.
[00:07:30] The integrity attack nobody is talking about. Threat actors changing a one to a zero. Manipulating a girder spec. Degrading a part. The attacks that don't make the news but can quietly compromise everything you ship.
[00:10:00] The bank ransomware integrity story. Klint walks through how attackers can poison backups so that when you restore, you restore their fraudulent accounts as trusted data. Now apply that to a manufacturing BOM, a quality record, or a contract.
[00:12:43] AI as the new attacker advantage. Reconnaissance that used to take weeks now takes 15 minutes. Threat actors are using AI to map employees, build social engineering campaigns, and stay undetected once inside.
[00:16:50] The quantum arms race. Most organizations cannot tell you where they are using encryption, let alone whether it is quantum-ready. That cataloging exercise has to start now.
[00:19:45] The five things a manufacturing C-suite should do. It starts with one question: have you defined cybersecurity for your organization? Most boards have never been briefed on the state of their own program.
[00:21:30] The bank teller test. From the teller to the C-suite, every level of a bank gives a different answer to "what is the most important thing this business does?" If your front line is protecting the wrong thing, your cybersecurity program is broken before it starts.
[00:24:22] The AI containment story. A single prompt pulled a draft executive downsizing memo from the CEO's inbox. Most organizations have not told their AI what it can and cannot touch.
[00:28:14] The Rule of Three. The name of Klint's company comes from the three pillars. The job is making sure all three have visibility in your organization, and knowing which one matters most when something has to give.
Top Quotes
[00:06:58] Klint Walker: “Convenience is the opposite of security, and if you build something into convenience, you've bypassed security for it.”
[00:08:12] Klint Walker: “The real threats out there might actually be what we call the integrity attacks. These get no love in the media, but these are where the threat actors are going in and they're manipulating data.”
[00:23:43] Klint Walker: “If cybersecurity is not a culture of your organization, then it's just an add-on.”
Don't Miss the Follow-Up
Klint is coming back later this year to go deeper on tabletop exercises and the practical work of building a cybersecurity culture in a manufacturing environment. Subscribe so you do not miss it.
Follow the Auto Supply Chain Champions Podcast for real conversations with leaders who are making hard choices, focusing their bets, and leading with intent.
🔗 Learn more about QAD Redzone: https://www.qad.com/
[Transcript]
[00:00:00] Jan Griffiths: This is the Auto Supply Chain Champions Podcast. We are on a mission to bring you real conversations with the leaders who are transforming supply chains in the automotive sector. These leaders are true champions of manufacturing, and we're here to share their stories. I'm Jan Griffiths, your host and producer, and I'm joined by my co-host, Tom Roberts, Vice President of Strategic Industry Development at QAD.
[00:00:30] Tom Roberts: Great to be here, Jan. What I see every day is simple: manufacturers don't have a data problem, they've got an execution problem. This show is about how artificial intelligence, systems of action, and empowered teams can help close that gap.
[00:00:45] Jan Griffiths: Let's get into it. This podcast is powered by QAD RedZone.
Hello, and welcome to another episode of the Auto Supply Chain Champions Podcast. Let's check in with my cohost, Tom Roberts. Hey, Tom, how you doing?
[00:01:01] Tom Roberts: Hi, Jan. Great to talk to you. Great to see you. I am really excited about today's podcast. How do you protect systems, people, partners? Very excited about this one.
[00:01:14] Jan Griffiths: I know, I know. Now, we gotta put our audience out of their misery and let 'em know what we're talking about here. We are gonna talk about cybersecurity. There was a point in time when cybersecurity was all the rage, if you will, and that's all we talked about. And then, it's kind of gone a little bit quiet, but it is more important now than ever.
And that is why we are thrilled to have a very special guest on the show, but before we bring him on, I want our audience to think about this: imagine someone hacks into your shop floor not to steal the data, 'cause that's always the big fear, right? That it's gonna be some massive breach, but to make a robot do something it's not supposed to do, or to quietly change a one to a zero in your quality system so it still passes inspection, but shouldn't. That's the world that our next guest lives in every day.
Klint Walker is co-founder of Rule of Three Security. He has tremendous, tremendous experience in federal cyber leadership, protecting critical infrastructure across the southeast, 20 years, spanning federal, DOD, and private industry. He has a master's from the Naval Postgraduate School in Homeland Security and Defense. He knows where the holes are, he most definitely does, and he's here to tell us what supply chain leaders need to hear before it's too late. Klint Walker, welcome to the show.
[00:03:01] Klint Walker: Thank you so much for having me. It is my pleasure to be here today. I always enjoy these conversations, so thank you so much for letting me be a part of this.
[00:03:10] Tom Roberts: Glad to have you. Klint, I think, as we set a baseline here, I'm just gonna start out with a question. What is cybersecurity? What is it?
[00:03:21] Klint Walker: That's the million dollar question now, isn't it? I mean, that's what we pay consultants in order to come in and define for us. And in my opinion, in my career, I've seen so many different answers to that question. And when we talk about that, there are 16 sectors of critical infrastructure across the United States. Every critical infrastructure sector is going to say something different to that. We're all using that word cybersecurity, and it means something different to everybody.
On the basis of it, it comes down to three key components: It's confidentiality, availability, and integrity. But what those three things mean to your organization varies from organization to organization. So, that is a great question to start with as we get into these topics and these discussions about what are you really trying to defend? Because I think that's what every company wants to know is am I spending my money in the right place? Am I really trying to keep something confidential, keep other people from knowing what my secrets are, whether that be intellectual property or the financial data. Am I trying to keep my data available so that people can continue to make things based on my schematics or my roadmap? Or am I trying to keep the integrity of that data so that one is really a one and that zero is really a zero? So that amount of money in my bank account is what it really says it is. What are you really trying to defend?
[00:04:44] Tom Roberts: Yeah, that's a great lead-in. Great answer. In the prep call for this podcast, when we were talking to you, the thing, and Jan, I think, alluded to this a little bit, it isn't always necessarily a Denial of Service or some big hack to steal all the Bitcoin or something in an organization or the financials in an organization.
Sometimes, it could be competitive issues, it could be nation state issues, where they come in, where someone intrudes in the network and actually changes data and actually changes one small thing. And I think, the other thing you talked about was shop floor systems were never really designed to be hooked up to the internet. A lot of 'em have been in manufacturing companies for decades, and there's no real security development profile, I guess, that was really assigned to these things in the early days when they were built. Talk a little bit about that and how some of that exposure could create some real issues for manufacturing companies on the shop floor.
[00:05:45] Klint Walker: Certainly, you know, always fun to talk, start with that topic because what we're looking at, like when I've been doing this for so long, so going back to the 1990s when we were called computer security, because most organizations you had a mainframe and you were securing that one computer from something bad happening to it.
And then, we started networking things together, so we became network security. So, we were protecting not just the mainframe, but all the computers or all the substations that were connected to that mainframe. And then, we said, hey, we're not just protecting the computers themselves, we're protecting the information and the flow of information. We became information security and then information assurance for a short standpoint.
And then they came up with this term cybersecurity, and it's not just a buzzword, it wasn't just because we felt that there needed to be a new word out there to describe us. It was because we were doing more than protecting information technology. We started putting operations onto the internet. We started interconnecting our operational capabilities, or we call our OT systems, so operational technology with our IT systems, and then this new thing called the Internet of Things.
So, we had IoT, OT, and IT all converging together to make information go from just being something that was moving across a data network into actual operations. So, a kinetic effect from IT infrastructure. And that is where we use the term cyber, 'cause it's bringing all of these things together. The original design of OT systems was that they were standalone systems. They were never designed to be on a network. The whole security around them was because they were self-contained. If you weren't physically at that device, you couldn't gain access to it.
And so, once we put the world of convenience, and I've always said that convenience is the opposite of security, if you build something into convenience, you've bypassed security for it. That's what you're looking at is we built a world of convenience so that we can now remotely manage these OT systems, but that comes at the cost of security. And what we're talking about is, as you kind of said, the news stations, they like the flashy, so they're always gonna tell you about the Denial of Service attacks or the person that hacked into these things.
The real threats out there might actually be what we call the integrity attacks. These get no love in the media, but these are where the threat actors are going in and they're manipulating data. They're manipulating things so that they can change a one to a zero. They can make something less safe within a facility or within a safety control. They can make something like, if you're manufacturing, a girder or steel or some type of component, they can make it actually degrade or be less effective than it should be by manipulating the numbers. And a lot of times this might go unnoticed, especially as we come to rely more and more on robotics and artificial intelligence to do our checks and balances for us; that might not get noticed by those systems.
[00:08:33] Jan Griffiths: I gotta admit, Klint, when we talked about this earlier, and that's why I put it in the intros because I had never thought about that. I hadn't. And I was terrified when I think of all the manufacturing plants that I've worked in and been around and all the things that could go wrong with a very, very subtle change.
[00:08:53] Tom Roberts: A press or something, yeah.
[00:08:55] Jan Griffiths: I mean, good gosh. It's just terrifying. Have you actually seen something like that happen that you can talk about without naming names?
[00:09:05] Klint Walker: Well, I mean, there's lots of things that you can look at out there, and I won't name names out there, but just to go through a few of these. I mean, if you look at some of the events that have happened around water treatment plants and stuff like that. You can get in there, think about all the things that we've automated in the water treatment plant, or think about the risk there is to a water treatment plant. If a threat actor, whether that be a nation state, or whether that be a script kiddie or just somebody who's curious, gets in there, and starts manipulating the amount of fluoride or the amount of fluorine that's going into the water system. You're talking about a potentially kinetic effect based on the way that somebody can manipulate numbers within a system.
Now, luckily, most water treatment plants have eyes on, so they have the computer controls, but then they also have physical eyes on checking. So we've always had these checks and balances between human interaction with machine, and so that's a great thing, but not every industry has those manual checks to make sure that everything is really there. So that's what you have to look at.
Imagine, and this is a case that we actually did see, imagine that there's a threat actor out there. So this group, they understand that there's a bank, we'll just use a bank as a good analogy here, that they see this bank and they know that this bank backs up its data every night, I will say at 11:59. And then they do their validation of the accounts shortly thereafter. And so, what they do is they get in and they manipulate and they create three bank accounts, and they put a million dollars in each of these bank accounts knowing that they're not going to be able to get through the validation process, but then they hit 'em with ransomware just before the validation hits.
So, what's that organization going to do? They're gonna restore from backup, so they're restoring from backup. And they hit, they created those accounts at just the time that they're gonna be restored to the backup. So, this company could restore those from backup and then say everything that we restored from backup is gonna be trusted data. And they don't take it back through account validation or account verification. Those accounts would now just be considered to be truthful accounts.
Now, the banking industry has controls against a lot of that, but imagine the smaller bank might be, you may be able to get away with it, but now think about that from the standpoint of any critical manufacturing that if I got an in, let's take the money part out and let's say I'm creating accounts. When do you do account validation? If you're restoring from backup, I'm hitting you with the ransomware attack to make you restore from backup. I don't really care that you pay the ransom. I want you to restore from backup because I put things in your backup that you're gonna trust those to be legitimate accounts, and I'm gonna make those things happen in your organization, or you're gonna trust that data that comes back through from your backups because it's your backup.
And so, you're restoring the things I want you to restore in the manner that I want you to restore them, and you're gonna treat that as trusted data. And so, that's what an integrity attack might look like as well as the manipulation, but imagine you're trying to file for a new patent or you're trying to look at your intellectual property and somebody can start manipulating your intellectual property, all the different ways that they could make a contract go haywire or that they can change the verbiage in something.
[00:12:10] Jan Griffiths: So, Klint, this whole situation, I mean, I'm terrified. Every time I talk to you, I get a little more afraid. But now with the onset of AI, oh my gosh, this has gotta make life so much more complicated, does it or not?
[00:12:26] Tom Roberts: And Quantum, too. Talk about it, talk a little bit about, 'cause I think you said we can't talk about AI without talking Quantum as well, Klint.
[00:12:33] Jan Griffiths: So, bring it together there, Klint, AI and Quantum. First of all, clarify what it is from your perspective and then talk to us about it from a cybersecurity standpoint.
[00:12:43] Klint Walker: Well, let's just start with artificial intelligence and artificial intelligence is a tool, and that's the first thing that I wanna say is that it is a tool. There are multiple camps out there. I mean, we could say the sky is falling. There's the doomsayers out there about artificial intelligence, and we could have a whole talk about super intelligence versus artificial intelligence.
But in actuality, on the good guy side of things, artificial intelligence is a game changer. I've been working in both my government career as well as my private sector career, I worked very closely with the Institute of Human Machine Cognition and the way that they can say that humans and machines should interface. Artificial intelligence is a game changer in helping us to develop things that are so much nicer.
Humans do something really well, machines do something really well. If we can pair the two of those things up together, then we can talk about all the great things that we as a society can do, but you also look at that and say, we're not all good in society either.
There's a lot of bad actors out there, and the bad actors always, because they don't have to follow laws, they don't have to follow moral or ethical avenues of things. They can sometimes innovate faster than the good guys can. So imagine that you have an artificial intelligent being that can be programmed to target some, an entity or an organization. And it doesn't eat, it doesn't sleep, it doesn't breathe, and it never stops learning. So, it might attack you, yeah, it's going to keep attacking you and every failed attack is just teaching it what doesn't work against you, and it's gonna keep doing things.
I got to see a demonstration from an organization showing some of the tools that they've seen the threat actors use, and it was able to, they were able to type in the name of an organization, so let's just say Company A, Huge Co., and it says, hey, based on everything I can find on the internet and social media, here's every employee I know that works for Huge Co. Here's what their role with Huge Co. is, here's what all their interests and thoughts are. If you're gonna build a social engineering campaign, here's how you would do it. Here's every device I can see that's attached to their network. Here's any open port that it might have, and it's pulling all this from other data sources, so it's not scanning the organization directly yet. It's doing all this from all the web crawlers or all the previous scans that are out there.
So, what used to take me back when I was doing pen testing, you know that first stage of pen testing is reconnaissance, what used to take me hours or days, sometimes weeks in reconnaissance, I can now do in 15 minutes with artificial intelligence and have a much better attack routine and have it go ahead and generate those emails for me, all the social media ones, and it's gonna say, hey, the best way to social engineer this organization isn't to go at 'em through their official website. Let's hit them up on LinkedIn, let's hit 'em up on Facebook. Let's hit 'em up on Pex. Let's do all these different avenues. Let's try and get our way into the organization using the other platforms that they use, whether that be ServiceNow or whether that's PeopleSoft or whatever else that they're using. Let's find all the different ways that we can talk to them and get them to trust who we are, and it's a much more reliable type of attack.
Once again, all they need is one thing to fail, one control, to not catch them, and they're in the network. And then from there, they're using artificial intelligence to help them stay undetected. That advanced persistent threat shifts to that environment.
Artificial intelligence can be a great tool on the good guy side, but it's an even better tool right now on the bad guy side, too. But we're at that point too, where only artificial intelligence can keep up with the speed of defense against an artificial intelligence attacker.
[00:16:16] Tom Roberts: Yeah, I can remember from previous experience for phishing attack simulation, about eight to 12% would click on the thing they weren't supposed to click on in a phishing email, and probably 10% of those would put in credentials. Some of these things are getting really, really advanced, like you said. I mean, if you now have AI to figure out exactly what kind of thing people are interested in or working on, or are gonna be hurried on. It's amazing that potential risk vector.
How about quantum? So, talk to us about quantum, 'cause I know quantum can, it'll be able to disrupt a lot of the, I don't know, it's 256-bit encryption and all of those. So you could break those things down very, very quickly. I think, you know, Klint, and you'll have to tell me if that's the case. I've heard that it can break those things down very quickly and actually bypass 'em entirely, once these things start getting in place. What are you seeing? What's the reality there with Quantum and where we're at right now?
[00:17:16] Klint Walker: Quantum is the new arms race. I think that every nation out there is trying to be the first to get past that quantum threshold and it's every day there's new advances in quantum computing. And quantum computing is going to be a great thing for humankind. I mean, being able to, the medical and just the scientific capabilities of quantum computing is going to be astronomical, being able to get down to the genome level and the massive amounts of data that you're going to be able to use with quantum computing.
But as you said, the other side of that is that it's going to be able to break what we've known as standard encryption. And so, if your encryption in your organization right now is not quantum ready and you're waiting to replace that once quantum computing, that'd be like saying, hey, I'm not gonna buy fire suppression systems for my house until my house catches on fire. That's the thing. You need to start looking around, and that, in my own experience going in and doing work with a lot of these industries, a lot of organizations, most of them don't even know where they're using encryption. Encryption has become something so normal for us, they don't even know where they're using it because there's data at rest encryption, there's data in transit encryption. There's encryption that you're using outside of your own perimeter. There's encryption you're using within your perimeter.
So, do you know about all of the encryption? Do you even have a catalog of all the places that you have encryption and whether that encryption is quantum ready or not? That is usually the big thing that we're trying to get out to organizations is that, hey, is this something you need to start thinking about now? Whether you start acting on it or something, that's gotta be a business risk decision that you make, but you should at least have a catalog of every place you're using encryption, every tool in your organization that is using encryption, especially for data at rest, and saying, okay, are we ready for post-quantum reality? So, that is a big, big issue in my opinion.
[00:19:03] Tom Roberts: So, Klint, say that I am a C-level at a multi-billion dollar manufacturing company. I have what I have, right? So, I've got antivirus and network segmentation and intrusion detection, all the stuff that people buy as companies, what would you say I need to be doing? Like what are the first five things I should be doing right now? Reviewing what I have. What, should I acquire something? What should I be doing to make sure that I'm reducing my risk level? I can't eliminate it, right? Everybody has either been the victim of an attack or they soon will be, and it's just how they deal with it. What five steps should I take right away?
[00:19:45] Klint Walker: That's a really hard question to answer because for every company, those five steps are gonna be completely different. But I would say, if you're in a C-suite position for an organization, the first question you have to ask is the question that we began this whole show with: have you defined cybersecurity for your organization? Do you know what it is?
The number of organizations that I go into, and I say, when was the last time the board of directors or the C-Suite was briefed on the state of their cybersecurity program? And the number of them say, we've never been briefed about our cybersecurity program. We just get told if we have a deficiency, if we need to spend money. And that's the thing I think most board of directors or most C-suite look at is saying cybersecurity costs a lot of money and it can, depending on what your risk tolerance threshold is, but 70% of cybersecurity is policy, processes, and procedures. It's about making sure that everybody has the same understanding of cybersecurity in the organization, that you're all working toward a common goal.
I used to have fun back when I was doing pen testing. Once again, I'm gonna use banking 'cause most people can get their mind around banking a little bit better. But I would go into a bank before they knew who I was and stuff like that, when I was just doing some auditing and just some general conversation with 'em. You walk up to a bank teller and you look at the bank teller, and you say, what is the most important thing that this bank does? And that bank teller who engages with the public every single day, they're gonna be like, personal banking is our bread and butter. That's what we do at this bank. We need to have the reputation of being the best personal banking around there. We need the trust of our customers, so I'm gonna protect that.
Then you go up to the branch manager and you say, what is the most important thing this bank does? He's gonna say, oh, our business banking accounts, that's where we get most of our stuff done. Or our home loans, we do so much business with those, that's where the real money comes in. So, that's what he wants to protect.
Then you go up to the district manager and they go, oh no, commercial and real estate stuff. That's what we do. That's where a lot of our stuff is, our ATM Services, so that's what he wants to protect.
And then, you go all the way up to the C-suite, and the C-suites are like, all of our futures and our investments, that's where actually 90% of our money comes from. Everybody else who is the frontline warriors for cybersecurity for that organization, they're all protecting the wrong thing because nobody has defined what they should be protecting. Nobody knows what's going on.
And on the same slant of that, you can go into an organization and most organizations are not IT organizations, most of them are manufacturing or they're doing something else, but you walk into their IT shop and if you look at their IT people and you say, what does this company do? If their IT people cannot tell you what the company does, then you know that they're not building IT solutions for that company. They're building the IT solutions that they want to build and hoping that they can shoehorn the objectives of that company into what they built rather than building something for the needs of that organization, so you have this disconnect.
So, that's the first thing that organizations can do is define cybersecurity for the C-suite and for the employees, and then be engaged in their cybersecurity program. The first question I ask audiences when I'm on a large stage is, who does cybersecurity in your organization? And everybody will be like, oh, we have a cybersecurity team. You know, blah, blah, blah. And I say, no, they manage your cybersecurity program. They're the ones who are making sure that you have the tools and the training to do, but everybody else in the company, that's who actually does cybersecurity.
And if your organization doesn't have that philosophy, if cybersecurity is not a culture of your organization, then it's just an add-on. And as my first mentor told me, salespeople gotta sell. What he meant by that is a salesperson will get fired if they don't meet their sales goal, but a salesperson will not get fired if they have a cybersecurity violation. So guess what they're willing to do in order to meet their sales goal? Violate every cybersecurity policy you have in order to make the sale.
[00:23:43] Jan Griffiths: Wow. Yes. And this gets even more complicated with AI. Just from a personal standpoint, Klint, there was a time when, remember, we wouldn't trust the internet and we didn't like to order stuff online. Remember those days? And we were all very reluctant. Now, I mean, our credit cards are embedded in our phone and pretty much everything is online, but now with AI, we're putting so much more data into the AI tool. If somebody got into the middle of that and started to figure all that out for a company, oh, that could get ugly.
[00:24:22] Klint Walker: AI is such a long comment. We could have a whole other show just around AI, and the number of organizations that I go into, and I talk to them and I say, are you using AI? And they all say, yes, we're using AI. And I look at them and I say, okay, do you want to be using AI? And I remember them saying, no, we really don't want to, but we also don't wanna fall behind because everybody else is using AI.
But they never developed a business need for AI. And if you don't containerize your AI, if you don't tell it what the heck it should have access to, if you're not, for me, if you're not treating your AI like an employee, if you don't tell it what it can touch and what it can't touch. I walked into an organization recently and we were working with them, and one of their IT people said, let me show you what I can do based on our AI instance here. They were using, and I won't name names on this, but they were using a certain AI product within their environment, and he said, hey, AI, I want you to create a document that shows who is most likely to get fired in our organization and what the current executive salaries are for our organization. And the AI said, oh, here's a memo that's in draft in this person's email box right now, which happened to be their CEO, that showed what their downsizing process looked like for the next year, and what executive bonuses and executive salaries are, because they never, nobody ever told AI that it shouldn't touch that data or it shouldn't distribute that data.
They were able to actually pull draft documents from other people's mailboxes or inboxes in order to do things. So, containerizing your AI, not trying to, you can't just buy AI and say, this is a one-size-fits-all for the entire organization. You might need separate instances of AI for every different operation within your organization just to make sure that data is not corrupting the other data.
I talk to a lot of organizations and say, do you even know what AI you're using in your organization? Because a lot of your vendors might have AI embedded in their stuff, and guess what? Their AI might be poisoning your other AI instances if it's feeding them bad data or if you haven't told it, hey, don't trust the data coming from this AI instance. Do you really understand how AI is working within your environment?
So, I tell everybody, if you don't have a business need for AI, if you haven't defined what you're trying to do with it, because remember, you should never be looking at AI as a job replacement. It should be a job enhancement. AI helps make experts smarter, and it helps make the average person into an expert. That's what AI should be doing is it should be helping everybody else with their job rather than trying to replace a person who actually does that position, at least in my opinion. And the organizations I've seen that are using that approach to AI, they're the ones who are actually finding the best benefit from AI right now, thinking of it as a job enhancement.
Because that's what the threat actors are doing. The threat actors are looking at AI to say, hey, I can turn an average person into a cyber warrior now, into a threat actor. The AI is the one that has all the knowledge on how to attack something. Now, you can just tell AI what to attack. You can make anybody into a cyber expert on the attack front just by giving them an AI tool. So you've now multiplied the number of threat actors out there because they now have artificial intelligence acting as their expert for them. You need to do that same thing on your side, saying, how do I turn all of my users into AI experts or into cyber experts with the data that I have in my organization?
[00:27:52] Jan Griffiths: Well, now that we've sufficiently terrified our entire audience, right? I wanna bring this back to the rule of three. Klint, you talk about confidentiality, availability, and integrity. Those are the three pillars, and I'm assuming that's where the name of your company came from, is that right?
[00:28:14] Klint Walker: That is where the name of the company comes from, because those three things are the cornerstones of cybersecurity. And we wanna make sure that all three of those pillars have adequate visibility within your organization, or that you've defined what those things look like.
A lot of the great standards out there for cybersecurity want you to understand the difference in those three things. One of the things I like to tell everybody is, have you ever thought about what those three things mean in a vacuum? And then what those three things mean together? And what I mean by that is you sometimes have to determine what is more important than something else.
So, let's assume that I work for a government entity and I've been told I have this server, and that server contains information that is so classified that if you're not read into the program, you should never, ever be able to see that information. That information also needs to be available to every single person that needs to be read into that program. So the availability of this, you can never have any downtime with this particular server. It always has to be available because this information is critical to the right people at the right time.
The last part of that is that data always has to be correct. The integrity of that data is of utmost importance. Now, imagine that there's a critical fault in that server, and it's not just that server, but all the redundancy that you built into it, everything. And that server is going to fail if you don't get somebody to work and fix that server. The only person that you have that can fix that server is not read into the program. What is more important? The confidentiality of that data, by letting an uncleared person see the data on that server in order to fix it, or the availability, saying that I'm willing to let that happen so that I can keep that data available? That is not a decision you want to be making during a time of crisis, like the imminent failure of that server. These are incidents that I've lived through where I've had to determine in a split second whether confidentiality was more important than availability, whether integrity was more important than confidentiality, what am I willing to sacrifice?
And I can tell you that during the time of crisis, during a ransomware attack, during a cyber incident, that's not when you want to have the discussion about what's the most important to our organization. And that's the big rule of my company, Rule of Three, is tabletop exercises. That's why, if you're not exercising your cybersecurity program, you might not have the answer to those questions at the time that you need them in order to make that happen.
[00:30:48] Jan Griffiths: So, the key is to be proactive, to be ahead of it and think about it ahead of time. Don't wait to be in that moment. That's what I hear you say, Klint.
[00:30:57] Klint Walker: Exactly, ask the hard questions and, you know, say, what are our stress points? Everybody talks about how they have a risk management framework for business operations, and in my experience, when I really pose the risks to them in a realistic fashion, most of them say, wow, we've never thought about risk in that particular fashion before. We're not prepared to answer that question. It's like, well, right now you have the luxury of being able to think and to talk and to call meetings about that, but in the time where it's a pay or no pay situation or a shutdown or no shutdown situation, you don't have time for that meeting. You don't have time to get everybody's thoughts or inputs on it. That's a discussion you should have had six months ago.
[00:31:37] Jan Griffiths: Well, Klint, we could talk to you all day long and pull stories out of you all day long, but we are gonna have to bring you back. But I sense that perhaps some of our audience may wanna reach out to you to do some of those tabletop exercises and go a little deeper on this subject. So, we'll make sure that the links to contact you are all in the show notes. And would you be open to coming back and talking to us later in the year?
[00:32:01] Klint Walker: It would be my pleasure. I truly do enjoy this show and all the shows in general, so thank you for having me. This has been a great pleasure.
[00:32:09] Jan Griffiths: Thank you, Klint.
[00:32:11] Tom Roberts: Thank you so much.
[00:32:12] Jan Griffiths: We wanna hear from you, our listener. Tell us what are your challenges right now? What conversations do you want to hear across the airwaves on this podcast? Drop us a comment on our podcast website. The link is in the show notes.
