Hey, everybody, it's Patrick Escolas with another Banyan Technology's Tire Tracks podcast. We are bringing you an installment of our impact of AI and freight procurement. And today I have not just one, but two special guests. I've got Joe Ohr and Artie Crawford of the National Motor Freight and Traffic Association, most commonly called the NMFTA. Hey guys, how are you doing today? 

Doing great. How are you? 

I'm doing awesome. 

Joe, you were the first victim to talk. Joe, who are you? Why are you in logistics and why should we listen to you? And then Artie, make sure to take notes because I'm going to hit you with the same thing next. 

Sounds great. 

And I do love your haircut more than Joe's. I'm just going to put that out there. No bias. 

Well, I used to carry it just the way you did until my wife told me to try it longer. 

Oh. I got questions about that. We'll go back to that one. Joe, go ahead. Why logistics and where did you come from? Just because everyone I've talked to, there's usually about three paths. Either you're born into logistics, raised in the truck or in the back of the warehouse or the pickups, or you found it some strange way, or somewhere along the way, somebody said, "Why not logistics?" And you decided, "I never want to leave." How did you get to this place, Joe? 

Yeah, it's really the third. I always grew up around into logistics. And when I say that, into technology, but I was also into cars, into vehicles, anything with wheels, anything with speed. I was a car guy. 

The local troopers knew your license plate and profile, I would assume. 

Yeah, they did. And that's a whole different story. But yeah.

Don't worry. I have similar problems, but we won't go into that. 

Yeah, the car could not go up and down the local streets. And I told my now wife, girlfriend at the time, "Yeah, you can't take the car downtown." She learned the hard way. I was telling the truth. But that's a whole different story. 

They pull her over and they go, "You're not Joe. Where's Joe?" Yeah. 

Yeah, exactly. And so I always had that passion. And then I was doing a career change and taking some classes and somebody said, "Hey, do you want a summer job at Eaton Technologies? We're doing logistics and transmission work." And they started a division that was focused on telematics. 

Okay. 

And I was like, "Trucking." And then we really started getting in – 

You're like, "I guess there's engines in that." 

Yeah. And so I started really looking at a lot with the ECMs and the telematics. And it was kind of a combination of several passions. And then I started going to a lot of the conferences and working a lot with the carriers. And it's strange to say, but it gets into your blood. 

It does. It does. 

It's crazy. It's 25 years ago. And so I worked at Qualcomm and just – I've been doing the logistics, telematics, computers, IT for the last 25, 30 years. Done a lot in private fleet, and then over the road, last mile. But it's been a combination of the IT, the logistics. Really, I tried two weeks to do something other, then went right back to it. 

No. And that's an awesome story. I like that one. For whatever reason, and all the people I’ve talked to, it hasn't been gearhead to logistics yet. You're the first one for that. And what is your title with the NMFTA right now, Joe? 

I'm the CEO, the Chief Operation Officer. 

Okay. You make everything go. 

Yeah. I focus on cybersecurity, the operations that includes the development and the classification changes in SCAC and obviously, like I said, the cybersecurity. Really focused on the day-to-day of NMFTA. 

Yeah, I love that. I love that. Now, Artie, I hope you took good notes. You came up with something exciting. But Artie, same thing. How'd you get into logistics? And then start with what is your current role at NMFTA and how'd you get here? 

Oh, I'm the director of cybersecurity. Working for Joe, right? And NMFTA. 

Okay. We'll be quiet when we have comments about Joe. 

Right, right.

Yeah, yeah. 

That's exactly right, yep. My path here is not mere as eloquent, and fun, and interesting as Joe's. 

They aren't always, but you got here, right? That's what's important. 

Yeah. My path comes through the government. 

Okay. 

I was a communicator in the Marine Corps for over 27 years. 

Really? 

Now, in the logistics side, fascinated about how we loaded ships, how we took stuff off ship, how we kept count and make sure that we didn't lose anything. That part always fascinated me. 

I was going to say, I grew up an army brat, and I think the one thing – there's a lot of things they'll tell you when you're an adult, like when you're happy that you got a new pair of socks. But one of them is you stop looking at the war campaigns and the soldiers. It's like, "Man, the combat." You're like, "How did they feed those people?" The logistics of getting everybody where they need to go and getting them everything becomes, "Wow, who's behind all that?" Please continue. But that's always been such an amazing feat. 

You're absolutely right. And being a communicator, the first people that wanted up on the net were the loggies, right? They wanted to know where their stuff was. Everybody wanted to know where their stuff was. Of course, they wanted to know where chow was as well, right? Along that path, I stayed in the government. I did intelligence in the government, kind of made my way around the different federal systems integrators, right? 

Ended up at Microsoft and started doing some really interesting projects in logistics, helping FedEx come up with some really out-of-the-box ideas of how to deal with the last mile. Helping Maersk and helping Delta move people at a cheaper cost through enhanced logistics. But those were just kind of side projects inside of Microsoft while still working the intelligence side of the house. 

You got to love when FedEx, Maersk and Delta is just this thing. 

Right. 

Don't let Maersk take you away from the big picture here. All right, Artie? 

Right, right. Exactly. Exactly. But the work was interesting. How to avoid pirates? Do wave conditions, mean stuff. How much fuel do I put in a tanker? How much fuel do I put on an aircraft? 

Right, what's the buffer? How much weather is going to affect how much extra fuel I got to have versus how much travel time? And what's the gap versus when they get what they need? Yeah, that's a lot of equations. 

How long do I have to sit in the port? How many cranes does the port have? All of that ended up a really cool side gig while I was in micro science. Then I moved back over to the government for a little while, and I actually spoke at a couple logistics-types trucking conferences. And Joe actually came to me and he said, "Hey, I love the way that you're putting this information out there. I love the way that you're speaking it in a common sense, no cyber words." 

Right. You're not dropping jargon and acronyms that people got to get another degree to figure out what Artie is saying up there. 

Right, right. Exactly. And Joe said, "Hey, why don't you come and work for us?" And kind of the rest is history. And now that I've gotten over here to NMFTA, seeing the mission in the transportation industry is just an immense, vast mission that we have taken on the challenge of not only educating the transportation industry in cybersecurity methodologies and best practices, but also in how to reduce cargo theft through whether it's generative AI, whether it's understanding the complexities of it. How do we fold all of this stuff together in order to support the industry? And what a fun run it's been. 

And I think fun is a great word to say. I might use different ones as I think about it from not being in your shoes. But first, let's start with what is an NMFTA's goal or mission when cybersecurity and technology is involved there. And the second follow-up to that is you say fun, but we're not in the stone ages within the logistics. And by the way, call them loggies might be something we need to do industry-wide. I really like that term for anybody in logistics. But you're bringing and you're talking of cutting edge, either threats or solutions to some people who outside of Excel and email aren't playing a tech space. Where is NMFTA positioning themselves? What is their goal? And then how do you do that? Or what is the challenge in talking to an industry that is not entirely technologically advanced? We have it on some sides, but on others it's still chucking a truck, and that still works. 

Yeah, I think if Joe would let me, I'll start off with more of the tactical level and then Joe can kind of expand it up strategically. If you're okay with that, Joe?

Joe says as long as you make him look good, it's fine. 

Yeah, go for it. 

That's always the goal, right? Is to make Joe look good. I think our primary objective when we came into the organization was kind of take a look across the organization and start to dispel some of the myths, right? 

Okay. 

The myths being that we're too small. We're not a target. We use a different operating system than the common operating systems that are targeted. And kind of dispelling all of those myths from right off the bat. And we developed something called the road to resilience, which kind of broke fleets down into three different sizes, actually four. But we're not going to teach FedEx, and UPS, and those guys a whole lot about cybersecurity, right? 

You're going to touch base with them every now and then and make sure what you're saying is kind of what they're doing. 

Yeah, exactly. You're exactly right, right? And then as we do that, we're starting to talk about the convergence of security, operational security, and physical security. Not that we play in the physical security game, but we do play in the convergence of all of those aspects. 

Right. 

So we have this road to resilience that kind of said, "Okay, look, you got to do these core controls to make your business safe." Because to dispel those myths, you are a target, you are small enough or big enough. Because these targets are a function or an exponent of what your value is when you become a target. The operating systems that you use, yes, they're 30 years old. We got it. Right? But they're still targetable operating systems. 

Because you might not be the biggest name and you're thinking use different system. It doesn't mean that somebody else isn't evaluating what they want to go after based on the ease or the lack of resource. If you're using something that nobody used in 30 years, probably hasn't been updated, and someone can get in there a lot easier than something that's being patched day in and day out. 

You're absolutely right. And that's what we're kind of – no, not kind of. Let me be very emphatic. That's what we are seeing, right? 

Okay. 

And as we see more of these – and I'm going to actually go into a little bit of a specific. As we're seeing more of these ransomware-as-a-service type of attacks in business email compromises, which mostly are all done through social engineering, just so you are aware, right? Because AI is so good, and I know that's the topic we're on. And we'll kind of get back to that as we fold through this episode, right? But as these targets come about, it's more of a shotgun with a flock of birds going over and just seeing if one gets knocked out of the sky. And then there's a whole lot of backend work that gets done by the bad guy, right? He pulls your financials. He pulls your HR. He pulls this. Are you hiring guys that have drug convictions that they've not passed their last medical test and their CDL is still valid? Some reputational-based or some financial-based motivation for you to pay them. 

Man, it's a shame these guys are on the wrong side of it because these guys would be awesome BDRs. I mean, it's funny you say that. It's the shotgun approach of the birds. And all I'm thinking of my early outreach in sales coming in and having a similar approach. And you're seeing what sticks and then what to focus on. And then based on those results you get, how you're going to pivot that game. Mine was how to get someone time for 15 minutes. But you're talking about how do I get access to your system? How do I get into something that I shouldn't have? Or what are they grabbing? What is it they want? Is it just one more password or one more username? Or is it the whole kit in your boodle? Or does it vary? 

It varies across the board, right? If I can get an admin set of credentials right off the bat, I'm golden. I don't need to go any further. 

Right. 

But a lot of times I got to traverse, and work, and lie in waiting, so to say, so I can find the right password, I can find the right person, that I see doing something that I need to see them do that may or may not give me elevated privileges or may move me up to the next level. And that's pretty much what we're doing at the tactical level is making this education across the board. And I think, with your permission, of course, pass it over to Joe and let him talk about what we're strategically. 

Please. 

Yeah, and I'll start kind of in the beginning because I've been here almost two years, and I know I went to the website because I knew NMFTA, but I knew them for certain things, but I really didn't know much for cyber. 

I know until I got into the TMS space, I had heard the NMFTA. But cyber and that did not go hand-in-hand, not at all like Reese's with peanut butter and chocolate by any means. 

Exactly. And so I saw that they were doing some cyber stuff on LinkedIn. And I'm like, "How does cyber fit in?" And so what they explained in the interview was, "Well, we started doing digital standards." And I was like, "Okay." And they said, "And what we found is as people transition to digital standards, they really didn't know anything about cyber and trucking. And we saw it as an opportunity as a give back to this industry to help with cyber." 

And so, first of all, that's the way we see it, is it is a give back. We do a conference every year. It's at the end of October. It's in Austin. And it's the only trucking – yeah, it is. And it's the only trucking-specific cyber conference. And the reason that we do it is – yeah, and I looked that up, I thought, "Is this a marketing slogan? Is this real? And it really is. 

I mean, that's impressive because it's a huge industry. 

It is, but it's also – to add what Artie said, I've been in the industry for 20 some years and it was probably six years ago that – was six or seven years ago, it was the first time, and it was one of the biggest carriers in the United States that I walked in and they said, "I want to know about your cybersecurity posture on your telematics." And I was like, "Ooh, I've never been asked this question before." And I thought, "Okay, this is going to be about a 15-minute meeting." Three hours later, 20 people walked in and just absolutely drilled me. And that's when I really started thinking about a lot of things already said. But also, the asset side of this. 

And so one of the things that NMF TA is really also focused on is research on the asset side. If you think about the truck, there's so many connection points. And if you think about the trailer, there's so many connection points. 

And more every day. 

And more every day. And we just attended something, and they're talking about new AI technology that scans the trailer. It's like, "Okay, how does that pass the data? What if somebody got control of that?" 

Right. Where's the truck equivalent of HIPAA, right? 

Right. And there really is none. And so it's not just a matter of rerouting the truck, but it's derating the truck and taking control of the trailer. And so we've done demonstrations when things like that are possible. And really, what we want to do is we don't want to blast that stuff out and say, "Well, look what can happen." We really want to work with the providers and say, "Hey, this is what you could do." And so we went to our members and said, "What do you want us to do? What would help you?" And they said – 

Right. Because you're member-based at the end of the day. You got to make sure that what you go to do matches with what they want. And I think if I paraphrase what you're saying, instead of preaching on fear, being proactive at a level before fear is involved, just, "Hey, we shouldn't have these things this open. Who's thinking about that?" 

Right. To go back to the first question, that's really why we liked Artie because it wasn't – 

We liked. Past tense. Now you know it. 

Well, we weren't wise like Artie. Because it wasn't a fear-based conversation. 

Yeah. 

And a lot of times, when you talk to government, it is. And so it wasn't. And so it's all about education. And we want to educate. And so we want to research, and then we want to educate on the asset and the non-asset side. And so strategically, really, what we want to do is we want to develop this curriculum, right? And we want to do this education. And it doesn't matter. You could be an owner-operator, or you could be the biggest trucking company in the world. We can learn from you, or we want to teach. It doesn't matter. We want to work together. It used to be that somebody was hacked. They don't want to talk about it. 

No. Yeah, that was why there was such a strange – not strange. It made sense because it was one of those, "I got burned. Do I really want that out there?" Letting someone know that my reputation get hurt by this. But at the same time, you're not the same while you're hacked or after you're hacked. Without saying it, all of a sudden, you've shifted policies or you've shifted how you do business. And everybody from the outside looking in just thinks that someone had an erratic decision or a bad day. 

Yeah. And I think to Joe's point and your own point, last year's conference was the first time that we actually got two courageous carriers to come up on stage and give us their lessons learned, right? 

Right. That's awesome. And that's real. That's your people in your exact industry telling you how it happened to them. It's not theoretical. It's not another industry. This is happening. And here's how it happened to me. Don't let it happen to you. 

And I think by putting that out there that, A, cyber is a team sport. 

I like that. 

B, it's not part of your P&L. So share your lessons learned. Share your good, your bad, your ugly. And that way we, all across the industry, can kind of shape and grow from those cyber. Because there's no cyber plan or processes in place that are part of your secret sauce as a business, right? They are all part of keeping the business in business. 

And I think I'm getting a taste of why Joe, how you talked about things, because cyber is a team sport is something I've never heard. But it immediately comes straight to the top of making sense and going with it. And just as well to the point of when the ransomware attacks happen and people didn't hear about it, that behooves the attackers, all of those on the other side. Because the less you know, the more that these things stay in the shadows, the more you can adapt to whatever worked. And they can keep using the same strategy over and over again, just jumping their targets without having to change or get better or people knowing what to look for. 

That's absolutely correct. Go ahead, Joe. I'm sorry. 

Yeah. And in this industry, I mean, I think it's such – I mean, one of the things that attracted me to the industry is, number one, it's a tight industry. 

Yeah. 

Number two, it's funny, they talk, they share, but cyber was the only thing they didn't talk about openly. 

I was going to say, if you've met anybody in logistics, trucking carriers, they are the first people to tell you exactly what they're thinking about just about everything. When they're quiet on something, that's almost as loud as what they're telling you. 

Yeah. But the one thing is a lot of them use older technology. A lot of the things, the devices in the truck have older technology. And if you would get 500 of them in the room, a lot of them use the same technology. And so if one gets hacked – 

It's one street using the same garage door opener, and you can just go up and down and press on the button. 

Exactly. If one gets hacked, you better raise your hand and say, "This is how they got in. You better fix it." And so that's one of the things we're trying to do is, "Hey, let's get the stories out so that people can learn from you." And so that's one of the things that we're doing. And we, yeah, we're a membership organization, but we also believe in the industry. 

I got to say, it's inherently for the good of the industry. Because as long as you have more than three members, then those members represent the industry in a way. Yeah. 

Right.  And we subscribe to some feeds. And if we see somebody in the industry, I don't care if they're members or not. If we see them on a ransomware site, we'll call them, "Hey, do you know?" 

Right, that's awesome. 

And we've done a lot of those calls, and sometimes they'll say, "Yeah, I know. How did you guys find out?" 

"Don't tell anyone, please."

Yeah, and sometimes they'll say, "Yeah, what do we do?" And sometimes they'll be like, "Oh, you're kidding me. What do we do?" But a lot of times, it's just, "Hey, here's some steps to take." And again, it's for the betterment of the industry. Because, back to AI, the bad actors are able to get better and better. And there's a false sense of security that, "Oh, I'm a small company. I can't get impacted." But there's a method now that they can hit. And drivers are a target because they have INCAP technology that connects via Wi-Fi. I always say it's an office on wheels.

It is. 

And a lot of times, they're not included in the cyber training. All this great stuff that Artie's talking about, they're not included in that training. Cyber's a team sport that the drivers aren't included on. 

It's that Achilles' heel. You're dipped in vulnerability everywhere else, but you've got this piece that's just as exposed as anything off the street. And as long as it hits it, it's just as good as anywhere else. 

Yeah, and the same with the maintenance shops. I mean, I don't know how many maintenance shops I've been in and they'll pull out the laptop running Windows 98 or Windows 2000 and they'll be like, "Hey, I can't update it because it's running –" I don't want to call out something. "But I got to update the data bus, and I can't update it because it's running this whole program." Then they plug it into the network to download the firmware for the ECM. I'm like, "Oh boy." 

I was going to say, those are some targets. And before logistics, I came from soft IT, as in copiers, and printers, and that kind of thing. And one of the things I found most interesting was, sure, nobody wants to talk about copy and printers. And I was one of them even as I sold them. But they were the back door at the beginning of it because it was the last place anybody put security. And now a maintenance shop and the driver itself, as far as the social engineering, and just the fact that maintenance shop probably has to have a lot of universal, "I need to be able to hook this up and figure out what's going on." And also, how many different assets it's going to touch in a given timeframe as a great target that I wouldn't – and again, I'm not the person putting policy out – wouldn't think about. 

Yeah. And a lot of times they don't go through proxies. How many times do they connect through the open Wi-Fi at the truck stop? 

Right. Oh, there's another big one too. Artie, I think you had something there. 

Yeah. I worked with a driver. He'd been in the cab for over 30 years, right? And he had just recently – the week before that I came and hung out with this organization, right? He got his first cybersecurity lesson or training. 

Sure. 

The company included him and they were making the right steps. And he got me in the cab and that's all he wanted to talk about. He's like, "Even open my phone anymore because just the things that they taught me that I explained to my wife was like, "Oh my God. Should I even log in and check my email on my personal phone?" 

It's a little intense on the opposite way, but that's opening his eyes to everything he's got in there has some sort of communication aspect to it, whereas he never thought about it before. It was just the truck and he was getting it from A to B at the simplest form. 

And there was no tin hat moment. There was no, "Oh my gosh. I'm part of some secret society now," or anything like that. It was him connecting the dots one by one with each question that he asked, "Wow, this is incredible how interconnected everything is."

Yeah. And I want to go back to AI in a second, but I think just on the fact of cybersecurity within the industry as a whole, I'm going to stop here. And this is just one man looking out, and there's plenty of reasons for this, why don't we turn the trucks into little mini-Faraday cages? Is that how we lose all this visibility that we're touting to everybody? Or is there a bigger loss than that of why we can't lock everything down into this black box, Faraday cage? 

That's a great question. And I think there's a – 

If you don't know a Faraday cage, go back and watch Gene Hackman in Enemy of the State with Will Smith, because that's where I learned it from, and that's probably where most people did. 

Well-versed. Coming out of the intel community, understand the Faraday Cage reference, right? Especially off Enemy of the State, right? With the 10 hatters of Gene Hackman in that movie, right?

Exactly, exactly. 

I'm with you. 

Yeah, why can't we do that? 

We have some technologies that do that logically, so to say. But those technologies to incorporate are so expensive through encryption or the way that the trucks connect because the truck is so interconnected. And I'm going to break this one piece out, and Joe can go into much bigger and deeper details than I can, right? 

That's why they pay him the big bucks. 

Peterbilt builds a truck, and that truck has some sensors on it that only feed Peterbilt, right? 

Okay. 

Peterbilt puts a Cummings engine in it or a Caterpillar engine in it, and Caterpillar has some sensors on that engine that only feed Caterpillar, but some of them feed back to Peterbilt. 

I'm starting to see this. 

Allison puts a transmission in this truck that some of those sensors feed Peterbilt, Cummings and/or some of them just feed Allison. The problem lies – and then you add in the trailer sensors, the brake sensors, the reaper sensors. Whether the door was opened or closed sensor. What is the weight of the truck sensor from the other type of telematics devices that are on the truck? 

And we haven't even talked about the quality of life I want an update on where my stuff is sensor. This is all of just the interconnected talking safety, security monitor. 

Right. And the governance piece of it. The ELDs as well. 

Yes.

When you start bringing this all together, there are ways to do it, but the level expense takes that 3% to 5% margin that a trucking company has and puts it in the negative 10% to 20%. 

Oh. And if you're not making money moving goods, then you're not logistic anymore. 

It's kind of a risk reward and how much risk am I willing to take on? 

It's a sliding scale. 

It is. It truly is. Go ahead, Joe, please. 

Yeah. And it's really already said, that there's a lack of standards. And so because there's a lack of standards, what you want to do is that much more difficult. And in the standards that are out there, as far as communications of a trailer, very, very old. It's like 20-plus years. 

I'm not surprised. But at the same time, yeah, what do you do? Because even with that com – that's an industry-wide thing. If it ain't broke, nobody bothered fixing it. And we're still getting things from A to B. 

Yeah. And that's one of the things that we're doing is we're really trying to partner with – at the end of the day, well, we partner with carriers. Because I get it, right? If we go directly to the OEMs and we say, "Hey, you got to do this, this, and this." 

All of a sudden, truck prices get real, real high and you put another barrier. 

Right, it's equipment. This increases price of the truck. Why do I want to do this? But if you go to the carriers or you start working with maybe some of the folks that can help make increase – I'll call them the standards. I know they're not always the standards, but the standards, and they say, "Hey, this is table stakes." Or the carriers start – the people that are spending the money start demanding it, then you'll start to really get some response. I know we've spun our wheels a couple of times, literally. Well, literally figured them out. 

Well, I was going to say, what a great turn of phrase for our – 

I didn't mean to say, but it's true. We've spun our wheels. 

As a person who BS is on the phone and corporate talk between logistics talk, that's one of my favorites. But it's amazing how relevant it is to this conversation. 

It is. Trying to get some things done. And Artie knows I get really frustrated because I'm like, "Oh, we're trying to get this done, and we can't. And we've got to." And so we're trying to do it in a different way. And we're starting to see a little bit of better response from a couple of places that we think can help us do that. That's one of the things we're focused on. 

And also, kudos to – one of the OEMs actually came to our conference and sat there. Number one, they took all our questions, we should say. Pretty good. Number two, they've got a really good vision for cybersecurity. And they're developing that platform within their truck to address cybersecurity. 

Good for them, because that's something that needs to happen. Plus, first one there gets the value add and the name rap. To have that is another separating or value add form. Again, salesperson in me. And as you talk about that with that OEM coming and trying to change things and maybe the lack of standards, but with NMFTA being who you are, and I know you're member-based, but maybe it's just the alphabet soup in it, I would think that you as an organization would drive some of those standards. What gets in the way of that? And is it just because you can't agree on a language because it's such a fragmented world of logistics? 

I think that we're getting traction. It's getting better and better. I think in the beginning, it was just about leverage. And there's a little bit of – 

Not enough people felt the pain. 

And not a lot of people – some people believe, "Is this real?" It's a matter of taking maybe what people believe can't happen, or proving that it can't happen in a very responsible way. 

I was going to say, that doesn't mean you stopping outside of their building and just deactivating their tractors as they go by, you know? 

No, no. It's really demonstrating, "Hey, this is possible. And this is what you got to watch out for." And then really working with the carriers and getting the backing of some of the big carriers and then creating the right partnerships. I know we had struggled to create those right partnerships. But I think we've actually had some people reach out to us because of the things that we've put out recently. And we feel like we're starting to really create those right partnerships. 

And also, kudos to some of the agencies out there, because they're starting to see, "Oh, transportation is a weak link we have to pay attention to. And again, back to AI, this is something that could get hit pretty quickly because it can be a weak link because they can hit fast with AI. 

Yeah. And with being able to hit AI, making it that much easier for – we'll call in the bad guys or the black hats in this situation. How are you or how can you see – how could AI be used to help combat that? How do you fight fire with fire? 

Artie, you want to take that one first? 

Sure, absolutely. There's a lot of good in AI, right? 

Yeah. 

And the good that comes out of AI is helping you produce better routes, helping you save fuel, helping you load stuff on the truck properly so it's less forklift drives on and off the back of the truck. 

A lot of that data analysis for a better pattern or process moving forward. 

Right, absolutely. But on the combating cyber-enabled anything, AI has some good uses of recognizing patterns. What is outside the norm of a pattern? Does an email look like it's been generated from AI versus – maybe I put certain typos in my emails. I.e., I typically spell the word some in the wrong order, right? 

I'm an 'e' before 'i' guy. If it wasn't for a spell check, I'd had that error. Somehow, all of the exceptions of that rule, I have to use that word way more than I should. 

I get it. When you start using generative AI and the large language models to look at what's coming in and out of your network. I don't normally receive a message from Patrick. Why am I receiving a message from Patrick today? Right? He's a once every six months type of guy. We do have a relationship. 

Ironically, I just saw that on somebody's reply on an email because it wasn't my system, but somebody else's system says, "Hey, why is Patrick emailing you?" And I took a little offense to it until I realized that was his firewall, making sure like this isn't the guy that you're communicating with regularly. Are we sure this is someone you should talk to at all? The answer is yes, talk to me. No.

And then you can look and go a little bit further is why is Sally getting into the HR files when she's actually in accounting? 

Oh, okay. 

It might not actually be Sally looking in the HR files for the accounting. Or vice versa, why is Jimmy, who's a doc loader, looking at the P&L statements? These are type of things that AI can be used for to pick up on anomalies of people not acting according to what their job title is, their skill set, or something outside the norm for the organization. And that's the good part of AI. 

Okay. 

The downside or the flip side of that AI is, is now non-born English-speaking people. And I'm from Kentucky, and we fall into that category, right? 

Well said. Well done. Well done. 

It can help us craft a better message for a business to email compromise, for a social engineering event that looks more real. 

It's no longer that print saying, "Hey, I want my $9,000 bank closed –"

He gets a square on the Artie bingo card. I use that all the time. Absolutely. Right? Cats on Roomba. Princes that have billions of dollars to bring forward. Right? Those things do not exist in real life. But we're past this. Now we're crafting emails from the bad guy, from the bad actor standpoint that says, "Hey, look, we've made some changes in our accounting firm. And please reroute your next payment to this routing number and this account number." 

This thing that, if you're not looking, it could have been – yeah. 

We do it because it's Patrick's broker. And we've been doing business with Patrick for  – it must be good to go. Patrick sent the email to me. And now I've sent you all the money. Not only the money for the payment. I've given you our bank and routing information. Now you can go in and drain my bank accounts. 

And so this phishing has gotten so much better by the sound of it. And is this still the most – I don't want to say dangerous. But is that still the biggest gap because the social engineering and being able to – I don't want to put it too negatively, but dupe somebody still the easiest way in?

I still believe in people, right? 

And that's one thing that's very common to everybody I talk to. No matter how much technology we get. And obviously, Banyan and myself, or TMS. Logistics is a relationship-based industry at the end of the day. 

Exactly. Still believing in people, right? You have to believe that Sally's trying to do the best for her company. She's not going to call Patrick's brokerage and say, "Hey, Patrick, by the way, you asked me for an account number change." And she's got six other things going on that she needs to get done before Friday at three o'clock when she's allowed to punch out, she just makes the payment. And she thinks she's doing the right thing for Patrick's broker and the right thing for her organization, because she's got to get these other things done as well. And it's unfortunate that she has been – 

And there's more and more of us doing more with less people. That just adds to that pressure. 

That's the good and the bad of AI, right? Now, on the other side of this, it has increased the threat landscape, right? And that threat landscape comes in so many forms, whether it's generative AI and I'm producing a video or I'm producing a phone call that says, "I'm Joe Ohr." Right? And I get a phone call from Joe. It comes from Joe's phone number. And it says, "Hey, look, I'm locked out. Can you make sure that Chad changes my password for me so that I can get back in?" "Hey, Joe, I'm all over this." Right? Because I want to be a good employee. I call Chad, "Hey, reset Joe's, Joe's password." And it was actually a generative AI bank. 

That's iffy. I mean, luckily – I like it in that example. Because if that's you, you're just going to call Joe up and be like, "Joe, you're the head of our cyber and you forgot your password? Come on, man. What's going on?" Yeah. 

But it happens. You get locked out. I mean, I had to call the help desk this morning because I did a system upgrade, right? And then, all of a sudden, nothing works. So I have to call the help desk and say, "Hey, look, you guys need to log into my box and get me fixed." 

And their support at the end of the day, and how many times are they going to ask you too many things that push you away when they're supposed to be service-oriented to you as a customer or a client? 

Right. An internal customer and client. 

Right. 

Yeah, absolutely. 

Yeah. Just last night – and I haven't even talked to Artie about this one. 

Oh no. 

I not bad. I got an email. And typically, I know, A, this is junk. But I got an email and it copied our executive director. And I'm reading on my phone. And we're doing some updates. And it looked real. It's like, "Hey, attached is –" and it came from HR and it said, "Attached is the updated employee handbook. Take a look at it. Let me know if you have and questions." I'm like, "I don't remember us talking about an update in the handbook." And I'm looking at it and I'm thinking, "Man, this thing looks real." 

Yeah. 

I texted HRD. I'm like, "Did you send –" and she like, "No. I'm at church." I'm like, "Okay." So then I called the IT guy, I'm like, "Who got this email?" And he said, "Oh, it blocked the executive director, but somehow yours got through." And I said, "Hey, figure out why it got through. Up the security and delete it. But scan it." I mean, this one was – I didn't click on it, but it was good enough that I – 

Thought about it. 

Yeah. And I thought, "I'm going to have to text somebody because I can't –" I mean, on my phone. Now I got back to my computer and did some stuff. I'm like, "Okay –"

Right. But that's a great point to bring up too. As we do more and more business, not just in this industry, but across the world on the phone, you don't have the same screen of you. You don't have the right click options that – I mean, I don't want to say this. I won't date my way as far as you guys, but I also grew up in I can right click on everything my way through the properties and figure it out. I'm on a phone now, and I got about two different options. It's either I do something about it or I push it aside. And when limited to that, and it's a 50/50 shot, people are going to make the wrong choice a lot more. And on the phone, it's faster too, because I'm doing three or four things. I'm trying to make a call. I'm trying to figure out where I'm going. And I got this that says do something immediately. And it's got a button for me to press right in the link. That's so tough to combat just from a process, not even from a technology side. 

Exactly. And they use AI also. How did they get our information? They use AI to look at our website, to know my title and Debbie's title on email. 

Yeah, scrape everywhere you can. Yeah. 

Right. I've seen it where they used AI to scan our LinkedIn. They picked up a press release where we hired a new employee. I was having lunch with the employee. They sent him an email saying, "Hey, Joe wants you to get some –"

Wants you to get some Amazon gift cards. 

Exactly. 

I know that one because I got that text or email at 3am at one of my first big boy jobs. And it was just late and early enough, and I was just new enough that waking up the next morning, I damn well thought I needed to go get some Amazon cards until I stumbled in the office and be like, "Hey, Mr. CEO, you didn't need me to get Amazon cards." Like, "No, I barely know you. And I have somebody to do that kind of –" I'm like, "Yep, no reason I asked that. Going to my desk now." But yeah, especially the new hire has to be another big opportunity for this. 

And like you said, AI can scrape and find them as soon as they're on. They think they're getting an onboarding packet and a few things to do. And sure, they don't know all the emails. It's a brand new email they've just been given from a bunch of emails at a new company they're with. How can how can they tell the difference? 

Yeah, "Oh, I want to do the right thing." 

Yeah, I want to be a go-getter and show them why they hired me, right? 

Yeah. 

Ah. And so within this – and we talked standards, and we're talking about the social engineering and how AI is making this phishing kind of super-charged. What's this zero trust as far as the standard? And does that mean trust nothing? Does that mean nobody's – what does that mean? Because I've heard it a few times. I've got it written down here. Someone told me to talk about it. What does that mean to Artie, and Joe, and the NMFTA? 

I love that, that somebody told you to talk about it, right? 

I was volunteered for this position as podcast three, four years ago. Don't get me wrong, I love doing it, but it's one of those everybody else step back kind of thing. 

Zero trust is a framework and I'll just kind of lay it out there in layman's term. It's a framework. 

Good, because I am a layman, and I think most people listening are laymen. 

Okay. Well, that's great then. Zero trust is this framework. It's nothing more, nothing less than a framework, right? That says, "Hey, look, everything out of your network, I'm not going to trust you from the point you logged on." Right? At that point you logged on, you logged on as Patrick, and that's that. And in most networks, you are trusted to do whatever you have access to inside of that network. 

Okay. 

Inside of a zero trust framework, when you go to click a word document, it's going to say, "Are you really Patrick? Is this really the box that Patrick's supposed to be working on? Oh, it is Patrick. Okay. I'm going to give you access to the document." And you're going to end up – 

And is this admin credential type conversation happening in the back? Or this is AI looking at it? Or a person looking at those things. 

No. It's actually just the way that your network is set up. 

Okay. 

Each session of each thing that you do will receive a token that says it's you. 

Ah, I know about tokens. 

And when that session is concluded, the token goes away. 

Okay. 

You close your browser, the token goes away. It's not like a cookie. Cookies are a little bit different, right? But then when you open your browser again, it wants to make sure that you're still Patrick. It's going to come back and interrogate for – token, or a session token to go into the admin portal, or a session token to go – it's going to verify. And then let's say you move from inside the building Wi-Fi, you go out into the maintenance shop Wi-Fi. "Whoa, hold on. Is that really Patrick?" 

Yeah. 

"Is that really Patrick? And is that his laptop?" Both things are going to get interrogated to make sure that you're on the device that you're supposed to be on, that you're using a device that's been registered to the network – 

And you're the person. 

And you're actually the person, right? 

That makes a lot of sense. But is that something that makes it inherently harder to do business? That's just the nature of the beast in today's world. 

It's actually hard. It's slightly complicated to set up, but then you don't do it anymore. 

But much like the apartment next to Yale. You get used to it after a while. 

Yeah, but there's not even any extra stuff to do. All the works on the IT side to start with. It's like setting up a multi-factor authentication, right? 

Yeah. 

Okay. That has a little bit of uniqueness to it. And there's a slight bit of zero trust with that, right? And MFA is part of that framework. 

But there's still some generalization assumptions within just two-factor by itself. 

That's right. 

That whenever you get to that number, it's always going to be you and okay. Or whenever you put these credentials in, it's okay to do this two-factor aspect. 

That's right. Whereas in zero trust, I'm constantly going to ask – 

Each of those points. Should I even be thinking I should do – okay? 

That's correct. 

It's technology-driven technology skepticism. I like it. Yeah. No longer cynicism just for the humans. It's for technology, too. There we go. Finally. 

My computer finally gets to interrogate me, instead of the other way around. 

We're talking AI, so I have to ask this one before we – guys, I've loved this conversation. 

Yes, I believe in Skynet and iRobot will take place. 

Yeah. Cyberdyne University. And Miles loves that. But what I was going to say is, recently, one of the AI inventors or even just owners of – it's either ChatGPT or one of the other LLMs had said, "The amount of resources being burned by people saying please and thank you to the AI is astounding. And stop doing it." Are you guys thanking your future robot overlords? How do you deal with it? I treat it too much like a person. And it's funny because I'm like, "I just want to be –" they're doing something nice for me. 

I find myself accidentally doing it. I do. Because it's like, type in an email or an IM and I'll find myself saying, "Can you please?" And I'm like, "Why am I doing this?" 

Wait a minute. You never do that to me. 

Yeah. Well, he knows you already. The AI could be anybody. 

You do that to AI. But I don't get a please or a thank you. 

Well, it's interesting that you say that because, yeah, is there somewhere where we can just tell it, like, "Hey, I want to say thanks." I don't know how not to. But you don't have to respond to that. Like, that's okay. 

I pat mine on the head. 

Well, I was going to say, is it any surprise that we're trying to humanize technology when we talk to plants as if they're our friends and family, right? And the car, I know it was always – I got a name for every car I've ever had, and that's her name. It's almost the ships of the old age where every wooden ship had a name and had the woman carved out in the front. Because, otherwise, you're just going to trust a bunch of dead wood to get you across the ocean? No, no, no. This ship has a personality. 

That's right. 

And you said her, so it's always a female. 

For me, I go by the old ship ways. Yes, I go by the old ship ways that I name it after the female there. I don't know what pirate movie got that into me at an old age back before I had my first '92 Plymouth Laser who – Lisa. It was always something kind of based on the kind of the name of the car. But yeah. I think Sheila was a Contour. No. Connie was the Contour. Makes sense. And then, also, Mercy became the old Mercedes that I finally got well after it was past its prime. 

And just because I want to bring this back to somewhere that's near and dear to my heart, we're talking AI, but then API and communication. I'm with a TMS company here. And API and the inner communication between carrier systems, broker systems, TMS's both from the shipper side and from freight forwarders and everybody that wants to get that flow of information back and forth as fast as I type it in and getting it back. How is AI making that a possible threat? And how is AI making API even better. 

We develop APIs also. And I know the thing that we're really looking at is we've got to look that the AI can do things quicker, and it can also look to do things, not from a cyber perspective, but do things that can cause denial-of-service attacks and do things that humans can't. We really look at things that humans can't do. 

We've got several things in place that look for scraping things that are constant connections, things where they disconnect and reconnect. We look for patterns. And that's one thing. The other thing is a lot of companies aren't really good about retiring old APIs. Make sure you retire your old APIs. Also, how you're authenticating, but also security by design. Those are kind of some of the basic things that we are recommending. But some of these, they have these API libraries that are so huge and they don't retire the old ones. Therefore, when they update the security, of course, the old retired ones don't get in, and that's where the bad actors come in. It's through the old and tired APIs. 

Artie, anything to add there? It's okay if you don't.

No, I think Joe covered that one great. 

No. That speaks to me as we're a company that is either reacting to API updates or updating pieces of our own. Yeah, that you can't just duct tape new security to an old communication method. You have to revamp the communication method to match with the security that's going to keep you secure. And as we're coming to an end here, not because I don't want to talk to you guys. But, apparently, they can only record me for so long without the mirrors breaking. But what do you say to all of these people listening that want to use as much technology as possible, don't want it to break their margins, and at the same time, don't want to be more open to these attacks? What does someone do? Is it find someone like the NMFTA and work hand-in-hand with that? Do you start smaller than that? And I've done this on other topics, is just asking these questions maybe the first step? 

I think that there are several steps in the process. 

Okay. 

One is talk to that vendor. Understand what their cybersecurity practices are, right? That is paramount. Whether you already have a list of questions or don't have a list of questions, start to think about that, right. The second one is understand what you're updating and what you're getting, right? What they're bringing into your system. How was it built? All of the things that go along with that. 

Yeah. 

Then remember, and this is a big deal, cyber's a team sport. Period. It's absolutely a team sport. 

Can I get you guys jerseys? On a cyber team. 

If you have questions, reach out to NMFTA and we'll guide you through some of those problems, processes that you may have along the way. We have some researchers on staff, then we have a couple engineers on staff, and we've got people that have been doing this for a long period of time. And our only goal is to help you help yourself. And truly, when we talk about cyber being a team sport, it truly is a team sport, and it will help you do that. 

And that message is to everyone listening, not just NMFTA members. 

That's absolutely right. 

Yeah, absolutely. 

You'll figure out how to make a members eventually. But on the onset, you don't have to be. 

Right. And shameless plug. It's nmfta.org. 

Please. We're all about shameless plugs here. I have no shame. So please. 

Nmfta.org/cyber. And we've got a plethora of resources out there that you can tap into, whether that's our road to resilience, or whether it's our intelligence articles out there. There's more than enough stuff out there to keep you busy, or help you fall asleep at night if you really start reading it deeply. 

And before we get into Joe's take on this, or his kind of closing words, I got to know, Artie, why is the hair got to come out now? You were a Marine before. Did you have some long locks in between there that really she bought into? And then she's like, "I'm looking at you, and where's the hair I fell in love with?" 

No. Never. Never. I was always as bald as you are, and kept it that way. 

Yeah. Saving money on shampoo every day. 

Exactly. And she came in one day while I was trimming it up, and she says, "Why don't you just grow it long and see what comes back out of it?" And I'm like, "Are you talking like a professor ponytail?" And she's like, "Oh, hell, no." 

I was just saying, we'll get you a tweed little sweater with the elbow pads and everything. Professor Crawford. 

Nope. She asked. She says, "Why don't you try growing it?" And I was like, "Well, but I've never done that." 

And I have to say, it's much more beautiful than – and people have heard that have listened or just know me, my wife told me – we met when I was 33. She goes, "You weren't meant to have hair." And I go, "Honey, I had hair for 29 years." She goes, "I know." And I'm like, "That's hurtful. Very true. But hurtful." 

That's right. Absolutely. 

And Joe, coming off that comedic relief there, what's your message? Whether it's from NMFTA, to everybody listening, to the members, or just on cybersecurity and AI within freight as a whole. Here's my soapbox and platform. Take it away. 

With AI, I think a lot of people think AI is a solution to everything. I think with AI, you want to take it slow, do your research, ask questions. AI is not the solution for everything. With your vendors also, really ask the vendors during the RFP process, make cybersecurity a big top priority. You want to create partnerships. Your vendors are going to be your partners, especially during a cyber incident. 

And then also, when it comes to cybersecurity, it's almost like the change that we saw with safety I'd say about six or seven years ago. It's got to become a culture. It's got to become part of your culture. Make cyber part of your culture just like safety has become part of cultures within the trucking industry. That's the key. 

That's a great note to end on. I like that. You practice that one. Artie, Joe, fantastic talking to both of you. Loved everything you had to say. Love some of the stories. And like I said, we call logistics people loggies for a while now, because I love that. And also, I don't like too many syllables. 

But for everybody else listening, thank you so much. This has been another one of our episodes on the input of AI in freight procurement. Specifically, we've been talking to NMFTA. And as they said it, cyber is a team sport. You need to start thinking about it now before it burns you. And don't let it be scary. And make sure that the people you're working with and have a relationship are talking about it with you together, and you know what to do when something goes wrong. Because you don't want something to go wrong and then figure it out. 

And for everybody listening, please subscribe, engage. Tell me how good my hair looks. Tell Artie that he should keep it short, keep it long, whatever. We'll take anything in the comments. We'll fire back. But thanks, everybody, for listening. Wait to see the next one. And happy to be doing this. And thanks again, guys. Really appreciate it. 

All right. Thanks, Patrick. 

Thank you. 

You guys have a great one.