WEBVTT 1 00:00:00.210 --> 00:00:02.700 Anna Delaney: Hello, I'm Anna Delaney, and thank you very much 2 00:00:02.700 --> 00:00:07.200 for joining us for episode 100 of the ISMG Editors' panel. Can 3 00:00:07.200 --> 00:00:09.720 you believe that it's almost been two years since we began 4 00:00:09.720 --> 00:00:13.200 our editorial discussions, and thank you so much for being with 5 00:00:13.200 --> 00:00:16.320 us on that journey. To commemorate this special 6 00:00:16.320 --> 00:00:18.960 anniversary, we are bringing back the panelists from our very 7 00:00:18.960 --> 00:00:22.050 first episode, you know them well. Yes, it is senior vice 8 00:00:22.050 --> 00:00:25.530 president of editorial Tom Field, our executive editor of 9 00:00:25.560 --> 00:00:28.170 DataBreachToday and Europe, Mathew Schwartz, and our 10 00:00:28.170 --> 00:00:32.370 executive editor for the EU, none other than Tony Morbin. 11 00:00:32.880 --> 00:00:35.160 Congratulations team and happy anniversary. 12 00:00:35.610 --> 00:00:37.890 Tom Field: Indeed! You know, it strikes me, Anna. When we 13 00:00:37.890 --> 00:00:41.460 started this almost two years ago, four of us had never met, 14 00:00:42.000 --> 00:00:44.340 personally, in person. Now we have. 15 00:00:44.820 --> 00:00:46.920 Anna Delaney: That is true. Though, I had met Tony. 16 00:00:48.210 --> 00:00:49.500 Tom Field: I'd met Matt. So there you go. 17 00:00:49.830 --> 00:00:53.610 Anna Delaney: Yeah, exactly. So the four of us ... it's great. 18 00:00:53.610 --> 00:00:57.090 And I wish we can do that again soon. Tom, you're in the sky? 19 00:00:57.420 --> 00:00:57.780 Are you not? 20 00:00:58.680 --> 00:01:01.650 Tom Field: Yes, this is the view. As you know, I'm flying 21 00:01:01.650 --> 00:01:04.530 out of a very small airport. It has like six seats in the 22 00:01:04.530 --> 00:01:07.950 airport, eight seats on the airplane.
And this is just 23 00:01:07.950 --> 00:01:11.940 taking off from the airport and a couple of weeks ago. So just a 24 00:01:11.940 --> 00:01:15.870 sunrise and the view over the snowy landscape. 25 00:01:16.140 --> 00:01:20.970 Anna Delaney: Something which we were not doing two years ago. We 26 00:01:20.970 --> 00:01:24.660 were only dreaming of it. Mathew, is it raining outside? 27 00:01:24.000 --> 00:01:28.770 Mathew Schwartz: Sadly, yes, Anna! It's bucketing as it were. 28 00:01:28.950 --> 00:01:33.240 So this is through the Plexiglas of a bus stop, waiting for a bus 29 00:01:33.510 --> 00:01:35.520 on a winter day in Scotland. 30 00:01:37.110 --> 00:01:40.020 Anna Delaney: And Tony, bringing us a dose of history as always? 31 00:01:40.980 --> 00:01:43.410 Tony Morbin: Yes, I'm afraid it's a very gloomy sign here as 32 00:01:43.410 --> 00:01:48.720 well. The Berlin Wall, the Cold War, and back to the Cold War. 33 00:01:50.220 --> 00:01:52.410 Anna Delaney: And I'm going to heat things up. I'm in 34 00:01:52.500 --> 00:01:55.800 Amsterdam, celebrating our centenary. And I was in the 35 00:01:55.800 --> 00:01:59.730 beautiful city, as you know, earlier this week to help host a 36 00:01:59.730 --> 00:02:03.330 roundtable. And it's just beautiful. I mean, it's just 37 00:02:03.360 --> 00:02:07.740 stunning architecture, great to walk around. And the only thing, 38 00:02:07.740 --> 00:02:12.120 as a pedestrian, I had to sort of try and dodge the cyclists 39 00:02:12.300 --> 00:02:16.680 coming at you from all angles. I think it seems to work actually. 40 00:02:16.680 --> 00:02:20.610 But as a non-local, was a bit disconcerting at first. 41 00:02:21.180 --> 00:02:23.250 Tom Field: I suspect we'll have virtual backgrounds for weeks to 42 00:02:23.250 --> 00:02:23.490 come. 43 00:02:23.510 --> 00:02:27.920 Anna Delaney: Well, yeah, I got a few. 
Well, Tom, you started 44 00:02:27.920 --> 00:02:30.470 off the year discussing the state of cybersecurity 45 00:02:30.470 --> 00:02:34.190 investments in 2023. And this is obviously something of great 46 00:02:34.190 --> 00:02:37.520 interest at the moment. It's sparking a lot of conversations 47 00:02:37.520 --> 00:02:40.340 and opinions and predictions as to what will happen to the 48 00:02:40.340 --> 00:02:42.770 market. Tell us about your conversation you had with 49 00:02:42.770 --> 00:02:45.080 industry veteran Alberto Yépez. 50 00:02:45.530 --> 00:02:47.540 Tom Field: Indeed, as you know, he's the managing director of 51 00:02:47.540 --> 00:02:50.570 Forgepoint Capital. And we've had a good relationship for a 52 00:02:50.570 --> 00:02:52.940 number of years now as things were going up, as things are 53 00:02:52.940 --> 00:02:56.360 stabilizing, as things are in question. So I sat down with him 54 00:02:56.360 --> 00:03:00.440 just a few weeks back to talk not just about the state of 55 00:03:00.440 --> 00:03:03.980 cybersecurity investment based on the economy. As you know, 56 00:03:03.980 --> 00:03:08.240 we've seen mergers and acquisitions, we've seen public 57 00:03:08.240 --> 00:03:12.140 companies go private, we've seen massive layoffs, so much going 58 00:03:12.140 --> 00:03:14.960 on. So I did want to ask him about the state of the economy 59 00:03:14.960 --> 00:03:18.440 and the state of cybersecurity investment. But also, what does 60 00:03:18.440 --> 00:03:23.570 this mean for innovation? Because as you know, we've seen 61 00:03:23.570 --> 00:03:27.110 broad layoffs in the industry. What haven't we seen, we haven't 62 00:03:27.110 --> 00:03:30.050 seen the adversaries layoff anyone. If anything, they are 63 00:03:30.080 --> 00:03:32.990 hiring, they're bringing on new people, they're adding new 64 00:03:32.990 --> 00:03:36.620 automated tools. 
And so they're putting additional pressure on 65 00:03:36.620 --> 00:03:40.580 enterprises with automated and just relentless attacks. So 66 00:03:40.940 --> 00:03:43.760 you've got to respond somehow. You can't not spend on 67 00:03:43.760 --> 00:03:47.180 cybersecurity, you can't not look into innovation. So I asked 68 00:03:47.180 --> 00:03:51.260 him very specifically, what does all this mean, about the market 69 00:03:51.530 --> 00:03:54.290 and the mindset for innovation? Do you mind if I share his 70 00:03:54.290 --> 00:03:54.830 response? 71 00:03:55.520 --> 00:03:56.000 Anna Delaney: Please do. 72 00:03:56.690 --> 00:04:00.650 Alberto Yépez: Again, I think it's nonstop because the 73 00:04:00.650 --> 00:04:04.280 established companies and the maturing sectors will drive for 74 00:04:04.280 --> 00:04:08.510 consolidation, but the new areas that are emerging that you know, 75 00:04:08.540 --> 00:04:11.960 are becoming top of mind, and you're not going to get that 76 00:04:11.960 --> 00:04:16.790 innovation from established businesses. You know, many 77 00:04:16.790 --> 00:04:20.120 people asked us questions about what are the sectors that you 78 00:04:20.120 --> 00:04:22.250 are trying to focus on? And I'll just give you a quick 79 00:04:22.250 --> 00:04:25.640 illustration from one of our decks. This shows you while 80 00:04:25.640 --> 00:04:28.310 cybersecurity - the core - is about protecting information, 81 00:04:28.310 --> 00:04:32.210 applications, devices, networks, we're moving towards how do you 82 00:04:32.210 --> 00:04:36.500 enable more payments and fraud? How do we protect privacy, AI 83 00:04:36.500 --> 00:04:40.130 software being treated as black boxes and open source? You know, 84 00:04:40.130 --> 00:04:43.430 who knows that somebody has put a backdoor and I stopped where 85 00:04:43.430 --> 00:04:46.160 it can stop in the stock exchange firm we're doing. So 86 00:04:46.370 --> 00:04:49.460 they are enabling technology of blockchain. 
How do you deal with 87 00:04:49.490 --> 00:04:52.970 insurance that you see a couple of the first wave of insurance 88 00:04:52.970 --> 00:04:55.310 companies trying to underwrite hybrid policies, but they 89 00:04:55.310 --> 00:04:58.730 realize they didn't do it right. They didn't use analytics, they 90 00:04:58.730 --> 00:05:01.070 didn't use the appropriate stuff and now out there stepping back 91 00:05:01.070 --> 00:05:04.250 and saying, hey, what do we need to do about it? And then when 92 00:05:04.250 --> 00:05:09.680 you look at the productivity of the developers in the migration 93 00:05:09.680 --> 00:05:14.420 to cloud, which is not as simple as one color, one flavor or the 94 00:05:14.420 --> 00:05:16.970 other. It's going to be a multi-cloud hybrid environment. 95 00:05:17.000 --> 00:05:22.130 So how am I going to get my arms around? So we view this as a lot 96 00:05:22.130 --> 00:05:26.090 of adjacencies. And you can see that, I would say, tell me one 97 00:05:26.090 --> 00:05:28.070 company that is really established as the leader, not 98 00:05:28.070 --> 00:05:30.380 many emerging ones, and there will be the ones that are either 99 00:05:30.380 --> 00:05:34.220 going to complete somebody else's stack to be able to do 100 00:05:34.220 --> 00:05:37.580 that. So it just gives you a little bit of a bit of "how do 101 00:05:37.580 --> 00:05:41.090 we think about it?" So we develop investment thesis in 102 00:05:41.090 --> 00:05:43.460 each one of the areas, we kind of looked at the companies that 103 00:05:43.460 --> 00:05:46.490 are emerging, and we proactively reach out to them to be able to 104 00:05:46.940 --> 00:05:49.490 work with them. I hope that answers your question. 105 00:05:49.000 --> 00:05:51.910 Tom Field: In fact, it did answer my question. It spawned a 106 00:05:51.910 --> 00:05:55.600 number of others about specific areas of investment and in the 107 00:05:55.600 --> 00:05:59.110 market for innovation and continued growth. 
So fascinating 108 00:05:59.110 --> 00:06:02.230 stuff. It's a long interview, but I recommend that people sit 109 00:06:02.230 --> 00:06:05.890 down for an informed view on what the marketplace looks like 110 00:06:05.890 --> 00:06:06.250 this year. 111 00:06:07.150 --> 00:06:09.370 Anna Delaney: Yeah, absolutely. It's a thoughtful and 112 00:06:09.370 --> 00:06:12.820 encouraging interview. And more generally, Tom, what are you 113 00:06:12.850 --> 00:06:16.330 hearing from CISOs at roundtables about their thoughts 114 00:06:16.330 --> 00:06:18.010 about the state of the economy? 115 00:06:18.510 --> 00:06:20.250 Tom Field: You know, it's a consistent theme. I've been 116 00:06:20.250 --> 00:06:26.520 hearing this since late last fall. Cybersecurity budgets and 117 00:06:26.520 --> 00:06:30.120 investments aren't down, they might be flat in some cases. But 118 00:06:30.120 --> 00:06:34.290 the growing in a lot of cases, where you're seeing budget cuts 119 00:06:34.470 --> 00:06:39.450 is in technology, in refreshes, I think that you're going in new 120 00:06:39.450 --> 00:06:43.500 investments. IT departments are having a hard time getting 121 00:06:43.500 --> 00:06:46.500 budgets, cybersecurity organizations are not. And that 122 00:06:46.500 --> 00:06:49.320 has been a pretty consistent theme. Now, if you're the 123 00:06:49.320 --> 00:06:53.670 cybersecurity leader, that's having to continue to support 124 00:06:54.210 --> 00:07:00.300 and defend in plug legacy technology, you got continued 125 00:07:00.300 --> 00:07:01.890 issues. I don't see that going away. 126 00:07:04.020 --> 00:07:07.110 Anna Delaney: And as Alberto said earlier on, doing more than 127 00:07:07.110 --> 00:07:09.780 less is definitely a theme that he's hearing. 
128 00:07:11.190 --> 00:07:14.190 Tom Field: I'm not sure if the Chinese have to do more with 129 00:07:14.190 --> 00:07:16.200 less in the new year, but if they did, this would be the year 130 00:07:16.200 --> 00:07:17.250 of do more with less. 131 00:07:18.200 --> 00:07:22.580 Anna Delaney: All the criminals. Well, Matt, last week, we 132 00:07:22.580 --> 00:07:26.510 discussed the disruption of the Hive ransomware group by the FBI 133 00:07:26.510 --> 00:07:29.720 and international partners. And we were talking about the fact 134 00:07:29.720 --> 00:07:32.000 that there were no arrests or whether that actually made a 135 00:07:32.000 --> 00:07:36.140 difference in the long run. This week, we're actually focusing on 136 00:07:36.320 --> 00:07:39.380 an arrest of a notorious hacker. So tell us more. 137 00:07:40.290 --> 00:07:42.000 Mathew Schwartz: Well, it's a notorious hacker, and we're 138 00:07:42.000 --> 00:07:45.870 oftentimes not allowed to say that because until someone's 139 00:07:45.870 --> 00:07:49.080 been proven guilty, you're not going to refer them as a hacker. 140 00:07:49.200 --> 00:07:52.470 Except in this case, we have a suspect who's suspected of doing 141 00:07:52.470 --> 00:07:58.320 crimes, who's already been found guilty as a hacker. Hacker named 142 00:07:58.410 --> 00:08:04.170 Zeekill, also known as Ryan, and I'm going to mangle his Finnish 143 00:08:04.170 --> 00:08:08.790 name. So my apologies to my Finnish friends out there. But 144 00:08:08.790 --> 00:08:16.170 we've had the arrest recently of Aleksanteri Kivimäki, a 25-year 145 00:08:16.170 --> 00:08:21.360 old. This isn't his first brush with the law. He was arrested 146 00:08:21.360 --> 00:08:26.700 when he was around 15-years old. Actually, he was 15 or 16 years 147 00:08:26.700 --> 00:08:31.170 old when he committed crimes. And that's below the age of 148 00:08:31.170 --> 00:08:35.820 adulthood in Finland, which is 18. 
And so in 2015, he was found 149 00:08:35.820 --> 00:08:39.180 guilty of carrying out - not one, not two - but more than 150 00:08:39.210 --> 00:08:43.770 50,000 distributed denial-of-service attacks under 151 00:08:43.770 --> 00:08:49.170 the banner of the notorious DDoS gang, Lizard Squad. They were 152 00:08:49.170 --> 00:08:53.220 disrupting everybody, it seems left, right and center. You 153 00:08:53.220 --> 00:08:56.010 might remember in the early 2010s, it seemed like there was 154 00:08:56.010 --> 00:08:58.830 a DDoS attack every Christmas, certainly against gaming 155 00:08:58.830 --> 00:09:04.560 websites, but just against everybody. And so he was one of 156 00:09:04.560 --> 00:09:09.360 the youths, pretty much typically often youths, mid 157 00:09:09.360 --> 00:09:13.230 teens that were found to be carrying out these attacks. So 158 00:09:13.230 --> 00:09:18.030 he didn't serve time, he was a child. He did have to have his 159 00:09:18.030 --> 00:09:21.990 internet use monitored for a while. He's turned up again, 160 00:09:21.990 --> 00:09:28.590 though. He is suspected by Finland, of being at least one 161 00:09:28.590 --> 00:09:34.140 of the people behind two data breaches involving a mental 162 00:09:34.140 --> 00:09:39.210 health services clinic based in Helsinki, which had about 25 163 00:09:39.240 --> 00:09:44.460 different clinics around Finland, privately run. And 164 00:09:44.940 --> 00:09:47.910 there was a huge amount of fallout from these data 165 00:09:47.910 --> 00:09:53.340 breaches. One of the fallouts and certainly not the worst one, 166 00:09:53.460 --> 00:09:58.260 but one of the fallouts was the clinic declared bankruptcy. So 167 00:09:58.260 --> 00:10:01.380 apparently it suffered a data breach In November 2018, 168 00:10:01.860 --> 00:10:05.100 suffered another data breach in March 2019, which is right 169 00:10:05.100 --> 00:10:09.480 before it got sold to some investors by its founders. 
And 170 00:10:10.560 --> 00:10:16.860 when these data breaches later came to light, because this data 171 00:10:16.860 --> 00:10:22.800 was being used to blackmail, not just the clinic, but also 172 00:10:23.550 --> 00:10:28.650 hundreds of thousands of its patients. This came to light 173 00:10:28.650 --> 00:10:31.980 after the clinic had agreed to get sold to somebody else. And 174 00:10:31.980 --> 00:10:35.070 they turned around and said, you lied to us. Somebody inside the 175 00:10:35.070 --> 00:10:38.190 clinic knew there was records from an investigation that was 176 00:10:38.190 --> 00:10:40.740 done. Someone inside the clinic knew about these data breaches, 177 00:10:40.740 --> 00:10:44.010 and you failed to disclose those to us when we offered you 178 00:10:44.220 --> 00:10:48.570 millions of dollars to buy it. So the founder who had founded 179 00:10:48.570 --> 00:10:52.440 it with his parents, and then sold it said, look, it wasn't 180 00:10:52.440 --> 00:10:56.670 me, it was these two guys I hired who, unbeknownst to me had 181 00:10:56.670 --> 00:11:00.120 been convicted of computer crime, which little only later 182 00:11:00.120 --> 00:11:03.810 came out. So you've got this crazy story, because this whole 183 00:11:04.290 --> 00:11:08.970 saga that's continuing, and it's unusually a case in which a data 184 00:11:08.970 --> 00:11:12.570 breach or in this case, two data breaches, has led to the 185 00:11:12.570 --> 00:11:15.840 bankruptcy of a company. It needed to declare bankruptcy 186 00:11:15.840 --> 00:11:20.790 because of the attacks and its loss of value, and was also 187 00:11:20.820 --> 00:11:25.650 belatedly fined by Finland's data protection watchdog. It was 188 00:11:25.890 --> 00:11:29.340 fined about 600,000 euros for multiple data privacy 189 00:11:29.340 --> 00:11:33.120 violations. 
When you dig into what was being done, patient 190 00:11:33.120 --> 00:11:36.960 records, people sharing their innermost thoughts, we're 191 00:11:36.960 --> 00:11:40.290 talking drug use, adultery, all sorts of things, people with 192 00:11:40.290 --> 00:11:44.160 mental health problems, very vulnerable people, their records 193 00:11:44.160 --> 00:11:48.240 were entered into a SQL database. And it was very poorly 194 00:11:48.270 --> 00:11:51.600 protected. The people who came in to do a data forensic 195 00:11:51.630 --> 00:11:54.510 investigation said you could have driven a truck through all 196 00:11:54.510 --> 00:11:57.300 of the lives that were here. And that's what the data privacy 197 00:11:57.300 --> 00:12:02.520 watchdog found as well. So huge problems with how this data was 198 00:12:02.520 --> 00:12:06.780 being stored. Who is to blame is a very long and detailed story 199 00:12:06.870 --> 00:12:09.840 that has been chronicled by others. Wired did a great report 200 00:12:09.930 --> 00:12:14.760 in 2021 into this, looking at all of the faults that were 201 00:12:14.760 --> 00:12:18.600 allowed to occur basically, under the watch of the Finnish 202 00:12:18.600 --> 00:12:23.160 government, which heavily regulates how mental health data 203 00:12:23.160 --> 00:12:27.150 is handled, if it's the National Health System, but psychotherapy 204 00:12:27.150 --> 00:12:32.010 was in a kind of a gray zone. And it seemed to escape the 205 00:12:32.040 --> 00:12:37.320 amount of attention that it should have been receiving. So 206 00:12:37.320 --> 00:12:42.360 crazy case, and within the last week, we've had French police 207 00:12:42.390 --> 00:12:47.130 acting on an Interpol Red Notice also European arrest warrant. 208 00:12:48.810 --> 00:12:53.400 Arrest of Kivimäki, who as I said, is known to law 209 00:12:53.400 --> 00:12:57.030 enforcement, and in fact, had been the subject of this arrest 210 00:12:57.030 --> 00:13:02.970 warrant. 
So he has been posting on Reddit and Twitter saying, as 211 00:13:02.970 --> 00:13:06.240 this has gone on, as these charges were unveiled in 212 00:13:06.270 --> 00:13:09.840 October, and his restaurant was issued, he said look, no secret 213 00:13:09.840 --> 00:13:12.330 why I am happy to have a telephone conversation with the 214 00:13:12.330 --> 00:13:15.090 police and tell them why I am innocent. Well, that wasn't good 215 00:13:15.090 --> 00:13:19.380 enough for the Finnish police. You have the arrest warrant, and 216 00:13:19.470 --> 00:13:25.260 although the suspect said that he was living in London, it 217 00:13:25.260 --> 00:13:29.310 transpired that when he was arrested, he was in France and 218 00:13:29.430 --> 00:13:32.460 there was this domestic disturbance in an apartment that 219 00:13:32.490 --> 00:13:36.330 alarmed someone's housemate. They phoned police. And as they 220 00:13:36.330 --> 00:13:39.510 were getting ready because no one had answered the door to ram 221 00:13:39.510 --> 00:13:42.810 the door and stormed the premises. The young woman who 222 00:13:42.810 --> 00:13:46.890 had phoned him open the door and said that her young housemate, 223 00:13:47.430 --> 00:13:50.220 young adult housemate Frank had brought back this guy from a 224 00:13:50.220 --> 00:13:54.660 nightclub. He was super belligerent, really scaring her, 225 00:13:54.780 --> 00:13:59.250 so they wake him up. He comes out and shows them some ID. He's 226 00:13:59.250 --> 00:14:03.360 Romanian. They look at this 6'3", blond-haired, green-eyed 227 00:14:03.420 --> 00:14:07.920 guy. They're like, I don't know. And they look at France's 228 00:14:07.950 --> 00:14:12.240 database of known suspects and boom, they get a match. So we're 229 00:14:12.240 --> 00:14:15.510 going to see some extradition, I'm pretty sure how long that'll 230 00:14:15.510 --> 00:14:19.140 take to happen is unclear. 
But isn't it fascinating that this 231 00:14:19.140 --> 00:14:25.470 guy who when he was 15 years old, all his DDoS attacks have 232 00:14:25.470 --> 00:14:28.620 come back onto the radar 10 years later and been charged 233 00:14:28.620 --> 00:14:33.150 with what is one of the worst, I think, medical data breaches 234 00:14:33.150 --> 00:14:37.380 we've seen. I don't know if I mentioned but the victims were 235 00:14:37.380 --> 00:14:39.780 not just ... I did mention the victims were not just the clinic 236 00:14:39.780 --> 00:14:44.100 but also the patients were being extorted. Their records were 237 00:14:44.100 --> 00:14:49.230 leaked as well. So really horrific crime. Again, people 238 00:14:49.230 --> 00:14:52.020 very vulnerable already. And they're finding all their 239 00:14:52.020 --> 00:14:55.470 secrets getting spilled on Torrent data sharing websites. 240 00:14:55.470 --> 00:14:59.850 So horrible. It's good to have a suspect. Obviously he's innocent 241 00:14:59.850 --> 00:15:03.510 until proven guilty, but we'll see how this case continues to 242 00:15:03.510 --> 00:15:04.050 unfold. 243 00:15:06.090 --> 00:15:09.870 Anna Delaney: Crazy case, I mean, over 50,000 computer 244 00:15:09.870 --> 00:15:13.050 crimes in itself is crazy. And you say in your article that 245 00:15:13.050 --> 00:15:17.880 this data breach was a watershed moment in how Finland use 246 00:15:17.880 --> 00:15:19.560 privacy. What was the impact? 247 00:15:20.200 --> 00:15:22.510 Mathew Schwartz: Well, the impact was the accountability 248 00:15:22.510 --> 00:15:26.050 that was missing in terms of how this again, psychotherapy data, 249 00:15:26.290 --> 00:15:30.760 it was a bit of a perfect storm. Most mental health data would be 250 00:15:30.790 --> 00:15:35.290 restricted, or maybe wouldn't be entered into the electronic 251 00:15:35.290 --> 00:15:37.510 health record system. 
The one used by the National Health 252 00:15:37.510 --> 00:15:40.060 Service is very robust, apparently. But the guy who 253 00:15:40.060 --> 00:15:43.480 started up these clinics didn't like it, it didn't have what he 254 00:15:43.480 --> 00:15:46.930 thought was necessary for a psychotherapy clinic. So he 255 00:15:46.930 --> 00:15:51.250 created his own. As we know, so often rolling your own security 256 00:15:51.250 --> 00:15:53.650 can be an afterthought. And there's been a lot of finger 257 00:15:53.650 --> 00:15:58.090 pointing about who is to blame. But data privacy was definitely 258 00:15:58.090 --> 00:16:01.180 in the spotlight here. So too was mental health. I think it's 259 00:16:01.180 --> 00:16:03.520 not something that's often talked about in many countries. 260 00:16:03.700 --> 00:16:06.970 That was the case in Finland with a great health service. But 261 00:16:07.090 --> 00:16:09.790 I think it brought out into the open just how many people were 262 00:16:09.790 --> 00:16:13.930 seeking mental health services - politicians, well-known figures 263 00:16:13.930 --> 00:16:17.500 in the community, besides them as well. So there's a lot of 264 00:16:17.500 --> 00:16:20.500 soul searching going on, and hopefully, a lot more data 265 00:16:20.500 --> 00:16:21.730 security since then. 266 00:16:23.500 --> 00:16:27.070 Anna Delaney: Well, let's see how and if he serves time, and 267 00:16:27.070 --> 00:16:30.220 how long for but obviously, that's the case to watch 268 00:16:30.250 --> 00:16:33.820 closely. Thank you, Matt. Tony, you are discussing a topic we've 269 00:16:33.820 --> 00:16:36.520 focused on a fair bit throughout these episodes, and that is 270 00:16:36.550 --> 00:16:37.750 cyber war. 
271 00:16:38.650 --> 00:16:43.000 Tony Morbin: Cyber war and offensive cyber, so in case 272 00:16:43.000 --> 00:16:46.090 anyone hasn't noticed, the gloves are now off on ongoing 273 00:16:46.090 --> 00:16:49.600 cyber war against criminals and autocratic regimes that shield 274 00:16:49.600 --> 00:16:53.290 them, all those who attack us directly. Our political and 275 00:16:53.290 --> 00:16:57.310 criminal adversaries have long been overtly and covertly using 276 00:16:57.310 --> 00:17:01.600 offensive cyber, such as ransomware gangs after our cash, 277 00:17:01.630 --> 00:17:05.050 states undertaking intelligence and espionage. I mean, there's a 278 00:17:05.050 --> 00:17:08.560 host of examples to choose from, but includes 2020 SolarWinds 279 00:17:08.560 --> 00:17:11.800 hack attributed to Russian intelligence service SVR, 280 00:17:11.980 --> 00:17:16.000 Chinese military hackers indicted for the 27 hack of 281 00:17:16.000 --> 00:17:21.070 Equifax reported 1.2 billion in crypto thefts attributed to 282 00:17:21.070 --> 00:17:24.040 North Korea, and there had been numerous attacks by Iranian 283 00:17:24.040 --> 00:17:29.560 hackers on Israel among others. But of course, you know, you can 284 00:17:29.560 --> 00:17:34.480 ask, don't we use offensive cyber? Well, yes, of course. The 285 00:17:34.480 --> 00:17:38.350 use of offensive cyber by the West is not new. It's not one 286 00:17:38.350 --> 00:17:42.880 way traffic. I mean, the Stuxnet worm on Iran's Natanz nuclear 287 00:17:42.880 --> 00:17:46.480 power station back in 2010, was probably the most dramatic 288 00:17:46.480 --> 00:17:49.510 example, and reportedly conducted by the U.S. and 289 00:17:49.510 --> 00:17:52.540 Israel. And then there were a host of activities of the NSA 290 00:17:52.540 --> 00:17:57.700 and U.K.'s GCHQ revealed by Snowden. Israel has its infamous 291 00:17:57.700 --> 00:18:02.650 Unit 8200 Army Cyber unit and a strong surveillance industry. 
292 00:18:02.980 --> 00:18:05.620 While the U.K. also now has the National Cyber Force 293 00:18:05.770 --> 00:18:08.800 specifically authorized for offensive cyberattacks against 294 00:18:08.800 --> 00:18:12.130 hostile powers. And let's not forget the assaulted cyber 295 00:18:12.130 --> 00:18:16.390 warriors that have arisen attacking Russian assets on 296 00:18:16.390 --> 00:18:17.560 Ukraine's behalf. 297 00:18:18.670 --> 00:18:19.960 Anna Delaney: Tony, what's different now? 298 00:18:21.010 --> 00:18:24.100 Tony Morbin: Well, what's changing is that open, 299 00:18:24.220 --> 00:18:27.850 acknowledged, in fact, publicized cyberattacks are 300 00:18:27.850 --> 00:18:31.360 becoming part of the stated playbook of Western powers, not 301 00:18:31.360 --> 00:18:34.840 just as deterrence, but both as a cyber response to cyberattack 302 00:18:34.930 --> 00:18:38.230 and even preemptive action to prevent hostile activity. And 303 00:18:38.230 --> 00:18:42.190 this is becoming stated policy. I mean, you know, as Matt has 304 00:18:42.190 --> 00:18:44.290 said, you know, we've had takedowns of criminal 305 00:18:44.290 --> 00:18:47.050 infrastructure by law enforcement before, but you are 306 00:18:47.050 --> 00:18:50.860 now seeing an uptick. 
And the example that, you know, his 307 00:18:50.860 --> 00:18:54.280 report - the takedown at the ransomware group Hive, which he 308 00:18:54.280 --> 00:18:58.540 covered on this program last week, where the FBI plus German 309 00:18:58.540 --> 00:19:01.540 and Dutch law enforcement agencies infiltrated the gang's 310 00:19:01.540 --> 00:19:04.450 infrastructure, seized their servers, and prevented the 311 00:19:04.450 --> 00:19:07.990 transfer of $130 million of ransomware payments, or even 312 00:19:07.990 --> 00:19:11.350 this week, police in the Netherlands, Belgium and Poland, 313 00:19:11.560 --> 00:19:14.650 raided 80 addresses after intercepting and then decrypting 314 00:19:14.650 --> 00:19:19.870 messages on the Exclu encrypted messaging app. But the big 315 00:19:19.870 --> 00:19:23.440 change really is at the state level. For decades, the West 316 00:19:23.440 --> 00:19:25.870 thought that economic liberalization would not just 317 00:19:25.870 --> 00:19:28.660 lift Russian and Chinese citizens out of poverty, but it 318 00:19:28.660 --> 00:19:32.230 would pay some political change towards the true multiparty 319 00:19:32.230 --> 00:19:35.500 democracy. I mean, that hasn't happened. And if anything, their 320 00:19:35.500 --> 00:19:37.840 attacks on the West have actually increased and become 321 00:19:37.840 --> 00:19:41.080 more blatant to the point where they couldn't be excused or 322 00:19:41.080 --> 00:19:45.250 ignored, but had to be responded to. The last straw was probably 323 00:19:45.250 --> 00:19:49.780 the Colonial Pipeline attack in May 2021 by the DarkSide crime 324 00:19:49.780 --> 00:19:52.990 syndicate, not just because of its impact on the critical issue 325 00:19:52.990 --> 00:19:56.860 of U.S. 
fuel supply, but also because at the same time, the 326 00:19:56.860 --> 00:19:59.950 world's largest meat producer JBS got hit by ransomware, 327 00:19:59.980 --> 00:20:02.890 driving up food prices and Ireland's health system was 328 00:20:02.890 --> 00:20:06.370 brought to a near standstill from a ransomware attack. That 329 00:20:06.370 --> 00:20:10.090 brought up the whole issue of safe havens for gangs being 330 00:20:10.090 --> 00:20:12.610 protected from international law enforcement, particularly by the 331 00:20:12.610 --> 00:20:17.140 Russian state, which potentially was even colluding with them. At 332 00:20:17.140 --> 00:20:20.830 the same time, or actually, it was a week earlier in the U.S., 333 00:20:20.860 --> 00:20:24.460 an 81 page report combating ransomware was delivered to the 334 00:20:24.460 --> 00:20:27.880 Biden administration written and compiled by top executives from 335 00:20:27.880 --> 00:20:31.150 cybersecurity technology firms calling for an international 336 00:20:31.150 --> 00:20:34.480 coalition to fight ransomware criminals. Among its 337 00:20:34.480 --> 00:20:38.980 recommendations was the execution of a defend-forward, 338 00:20:39.100 --> 00:20:41.680 sustained-aggressive, whole government, intelligence-driven, 339 00:20:41.770 --> 00:20:44.890 anti-ransomware campaign. Some of the fruits of which we're now 340 00:20:44.890 --> 00:20:48.820 seeing. Sometime over the next couple of months, we're going to 341 00:20:48.820 --> 00:20:52.990 be seeing the new U.S. national cybersecurity strategy. And as 342 00:20:52.990 --> 00:20:56.590 our colleague Steve King at CyberEdBoard has reported, it 343 00:20:56.590 --> 00:21:00.220 imposes mandatory regulations on American industries and 344 00:21:00.250 --> 00:21:03.670 authorizes U.S. 
defense intelligence and law enforcement 345 00:21:03.670 --> 00:21:07.030 agencies to go on the offensive, hacking into the computer 346 00:21:07.030 --> 00:21:09.520 networks of criminals and foreign governments in 347 00:21:09.520 --> 00:21:13.150 retaliation to and/or preempting their attacks on American 348 00:21:13.150 --> 00:21:17.530 networks. So organizations are being explicitly authorized to 349 00:21:17.530 --> 00:21:20.710 adopt the hit back, hack first battle tactic. 350 00:21:22.090 --> 00:21:25.060 Anna Delaney: But Tony, aren't there a few dangers associated 351 00:21:25.060 --> 00:21:27.880 with that approach? Not least on how can you be sure of 352 00:21:27.880 --> 00:21:30.280 attribution when it's so easy to spoof? 353 00:21:30.270 --> 00:21:33.478 Tony Morbin: You're absolutely right. In all types of warfare, 354 00:21:33.543 --> 00:21:37.340 there will be a danger of mistakes. If you've got missiles 355 00:21:37.406 --> 00:21:41.465 firing at you, you can generally identify and fire back at the 356 00:21:41.531 --> 00:21:45.263 source. When you're under cyberattack, you can of course, 357 00:21:45.328 --> 00:21:49.256 just suffer it. Or you can use the intelligence available to 358 00:21:49.322 --> 00:21:52.399 make a judgment based on probability, including 359 00:21:52.464 --> 00:21:56.131 motivation. And if you believe that there's overwhelming 360 00:21:56.196 --> 00:22:00.059 evidence, this new doctrine endorses action. Yes, there are 361 00:22:00.125 --> 00:22:04.249 other problems, adversaries will use this policy for false flag 362 00:22:04.315 --> 00:22:08.439 attacks. There is also going to be the possibility of offensive 363 00:22:08.505 --> 00:22:12.302 cybersecurity tools being obtained and reused by malicious 364 00:22:12.368 --> 00:22:16.231 actors as we've seen in the past. 
And there's also a danger 365 00:22:16.296 --> 00:22:19.373 of offensive cyberattacks triggering a cycle of 366 00:22:19.439 --> 00:22:23.432 retaliatory and escalatory tit for tat strikes. So, you know, 367 00:22:23.498 --> 00:22:27.623 it really is a danger of are we going into a new Cold War, even 368 00:22:27.688 --> 00:22:31.682 going to world war three? Well, certainly we are going into a 369 00:22:31.747 --> 00:22:35.086 new form of Cold War. Specifically, it's an ongoing 370 00:22:35.152 --> 00:22:38.949 cyber war. It's actually been happening for some time, but 371 00:22:39.015 --> 00:22:42.878 we're only really acknowledging it now. And escalation is a 372 00:22:42.943 --> 00:22:46.675 genuine concern. And we are effectively going back to the 373 00:22:46.740 --> 00:22:50.865 days of relying on the concept of mutually assured destruction. 374 00:22:50.931 --> 00:22:54.728 But as one commentator Matt Turpin observed, a cold war is 375 00:22:54.793 --> 00:22:58.263 far preferable to two alternatives - capitulation, or 376 00:22:58.329 --> 00:23:00.359 hot war between nuclear powers. 377 00:23:00.000 --> 00:23:02.810 Anna Delaney: It was a fascinating overview, Tony and 378 00:23:02.882 --> 00:23:06.844 obviously we're living in interesting times, and I know 379 00:23:06.917 --> 00:23:11.096 Matt has done a lot on cyber warfare this year as well and 380 00:23:11.168 --> 00:23:15.347 you'll be coming out with a report looking at the one-year 381 00:23:15.419 --> 00:23:19.526 anniversary of the invasion of Ukraine by Russia. So that 382 00:23:19.598 --> 00:23:23.705 obviously plays into this as well. But in the interest of 383 00:23:23.777 --> 00:23:27.812 time, because I know, you've opened a can of worms here, 384 00:23:27.884 --> 00:23:32.351 Tony, we want to explore but I know we're coming to the end of 385 00:23:32.423 --> 00:23:36.890 our 20 minutes. 
So to lift the mood slightly, and because it's 386 00:23:36.962 --> 00:23:41.502 100th episode, we are going to party because everybody has good 387 00:23:41.574 --> 00:23:45.320 music and good singing of course. What would be your 388 00:23:45.393 --> 00:23:49.500 cybersecurity karaoke or even party song or piece? Go on. 389 00:23:49.000 --> 00:23:53.830 Tom Field: "Next phase, New Wave, dance craze, anyways…It's 390 00:23:53.860 --> 00:24:01.060 Still Rock & Roll To Me." Everything old is new again in 391 00:24:01.060 --> 00:24:01.930 cybersecurity. 392 00:24:02.830 --> 00:24:05.020 Anna Delaney: That is really well-thought out. How long does 393 00:24:05.020 --> 00:24:12.040 it take you to come up with that? Very quick. Matt? 394 00:24:12.910 --> 00:24:14.980 Mathew Schwartz: I am going to spare everybody by not singing 395 00:24:15.130 --> 00:24:19.000 but Gloria Gaynor's "I Will Survive." I just think if you're 396 00:24:19.000 --> 00:24:20.890 going to do incident response and you're going to have a good 397 00:24:20.890 --> 00:24:22.510 attitude, you need some disco. 398 00:24:23.080 --> 00:24:24.970 Tom Field: I think I would like to see you perform this, Matt. 399 00:24:24.000 --> 00:24:30.630 Tony Morbin: And I've certainly been criticized for my singing 400 00:24:30.630 --> 00:24:34.680 so I can't sing. So I'm going to show my age, first band I ever 401 00:24:34.680 --> 00:24:38.220 saw - The Who, and "Won’t Get Fooled Again" and I'm 402 00:24:38.220 --> 00:24:40.140 repurposing it as an anti-phishing song. 403 00:24:40.000 --> 00:24:45.520 Anna Delaney: The Bee Gees' "Stayin' Alive?" because that's 404 00:24:45.520 --> 00:24:49.090 what we're doing. We strive to stay alive, but like I will 405 00:24:49.090 --> 00:24:53.080 survive. So here we go. We've got great four tunes. We can 406 00:24:53.080 --> 00:24:56.380 play them on loop. It will be a wonderful party. 407 00:24:56.470 --> 00:24:58.060 Tom Field: And no one at the age of 30 knows them. 
408 00:25:00.130 --> 00:25:02.860 Anna Delaney: Well, Tom, Matt, Tony, it's been an excellent 409 00:25:02.860 --> 00:25:05.440 discussion and an excellent couple of years; so, thank you 410 00:25:05.000 --> 00:25:07.520 Tom Field: To the next 200. 411 00:25:05.440 --> 00:25:05.950 very much. 412 00:25:10.850 --> 00:25:12.860 Anna Delaney: Thanks so much for watching. Until next time.