WEBVTT - Kopi Time E123 - Control Risks’ Nicolas Reys on Cybersecurity 0:00:05.940 --> 0:00:08.939 Welcome to Kobe Time, a podcast series on Markets and 0:00:08.949 --> 0:00:12.090 Economies from DVS Group Research. I'm Pam Rebek, chief economist, 0:00:12.260 --> 0:00:17.709 welcoming you to our 123rd episode. Today's episode is a 0:00:17.719 --> 0:00:19.719 function of popular demand. 0:00:20.090 --> 0:00:24.260 Uh whether at work or at home concerns on cybersecurity 0:00:24.270 --> 0:00:27.879 are on the rise and elevated to say the least. 0:00:28.079 --> 0:00:31.299 Uh Here in Singapore stories on cyber scams, ransomware are 0:00:31.309 --> 0:00:35.099 rife and perhaps they are an underestimate given that many 0:00:35.110 --> 0:00:36.549 of such crimes go under reported. 0:00:36.889 --> 0:00:39.799 Uh and there is cyber threat at the corporate and 0:00:39.810 --> 0:00:42.950 government levels, which is a whole different ball game. So 0:00:42.959 --> 0:00:45.419 let's talk about all this with an expert. I'm really 0:00:45.430 --> 0:00:48.849 pleased to have Nicholas re from control risk with me. 0:00:48.860 --> 0:00:52.439 He's a partner there uh with control risk, digital risks, 0:00:52.450 --> 0:00:57.069 America's and global threat intelligence practices. Nicholas specializes in the 0:00:57.080 --> 0:01:00.200 provision of threat intelligence to public and private sector organizations 0:01:00.240 --> 0:01:03.349 as well as leading and delivering complex threat intelligence and 0:01:03.360 --> 0:01:04.309 security projects. 0:01:04.790 --> 0:01:10.010 Nick regularly advises fortune 100 executives on digital transformation, cybersecurity, 0:01:10.019 --> 0:01:13.789 emerging tech risks and threat intelligence matters. Nick Race. Welcome 0:01:13.800 --> 0:01:14.720 to Kobe Time. Thank 0:01:14.730 --> 0:01:16.260 you very much. It's a pleasure to be here. 0:01:16.269 --> 0:01:16.510 You 0:01:16.519 --> 0:01:19.029 just happen to be in Singapore. That's happen to want 0:01:19.040 --> 0:01:20.940 to do this thing. So, I'm really grateful that you 0:01:20.949 --> 0:01:21.709 could make the time. Yeah. No. 0:01:21.720 --> 0:01:24.099 And I really appreciate the invite. I know the firm 0:01:24.110 --> 0:01:26.459 has been a long listener to the podcast and there's 0:01:26.470 --> 0:01:28.769 been lots of people that have been very excited about this. 0:01:28.779 --> 0:01:30.470 So I'm glad to meet you and glad to be 0:01:30.480 --> 0:01:30.970 in Singapore. 0:01:30.980 --> 0:01:31.769 Fantastic. 0:01:32.089 --> 0:01:35.819 Nick. Maybe we can start by going over the three 0:01:35.830 --> 0:01:40.269 kinds of cyber threats, you know, the state sponsored ransomware 0:01:40.279 --> 0:01:42.849 and the whole idealistic quote unquote activism 0:01:42.860 --> 0:01:43.339 stuff. 0:01:43.349 --> 0:01:45.639 Yes, I think that's a good place to start. And 0:01:45.650 --> 0:01:47.389 for a lot of listeners, I'm sure this is going 0:01:47.400 --> 0:01:50.360 to be something they're relatively familiar with because it's been, 0:01:50.500 --> 0:01:52.930 you know, over the past decade, something that's now made 0:01:52.940 --> 0:01:56.080 the mainstream news media. We're starting to hear about these 0:01:56.089 --> 0:01:57.790 things and we can talk about the 0:01:57.903 --> 0:02:01.024 political aspects, we can talk about the financial aspects. But 0:02:01.033 --> 0:02:04.783 when we think about threat actors, we usually classify them 0:02:04.793 --> 0:02:07.583 in those three categories. So at the very, very top 0:02:07.594 --> 0:02:11.934 of capabilities and sophistication usually linked to states, whether military 0:02:11.944 --> 0:02:17.164 or civilians, we have those intelligence units, those apts as 0:02:17.173 --> 0:02:20.373 they're often called advanced persistent threat groups that are very, 0:02:20.383 --> 0:02:23.464 very highly resourced and that usually will work on the 0:02:23.473 --> 0:02:23.634 back 0:02:24.018 --> 0:02:27.127 or at the behest of a government, they will do 0:02:27.138 --> 0:02:31.968 things like large scale espionage operations, disruptions linked to conflict. 0:02:31.977 --> 0:02:34.367 And that's certainly something that we're looking at more and 0:02:34.377 --> 0:02:38.507 more as we come into this geopolitical arena in 2024 0:02:38.518 --> 0:02:41.566 that's going to be very challenging for businesses. And we 0:02:41.578 --> 0:02:44.566 also see some of these groups leverage these capabilities for 0:02:44.578 --> 0:02:47.427 financial gains. And that's something that in the banking industry, 0:02:47.438 --> 0:02:49.447 we've talked for a long time about no 0:02:49.591 --> 0:02:54.090 Korea very famously has deployed state level capabilities to target 0:02:54.102 --> 0:02:58.131 financial institutions and the financial ecosystem as a whole. But 0:02:58.141 --> 0:03:02.472 that's the broad family of sort of nation state level operations. 0:03:02.481 --> 0:03:05.792 And then we have next to this is organized criminality 0:03:05.802 --> 0:03:09.891 and sometimes heavily disorganized criminality because it's not just very, 0:03:09.901 --> 0:03:12.932 very well resourced and capable groups. It's also at times, 0:03:13.272 --> 0:03:15.332 people who just want to make a quick buck 0:03:15.436 --> 0:03:18.796 and who have discovered that cyber is a great way 0:03:18.805 --> 0:03:21.636 to do this. It's a very low risk operation. You 0:03:21.645 --> 0:03:25.076 rarely get arrested on the streets for doing a cyber crime. 0:03:25.085 --> 0:03:28.655 And certainly that's both a function of law enforcement resources 0:03:28.666 --> 0:03:32.175 and the multi jurisdictional and transnational nature of the risk 0:03:32.186 --> 0:03:35.906 for organizations. But it's also because of the ease of 0:03:35.916 --> 0:03:38.936 anonymisation online. And that's been a big trend over the 0:03:38.945 --> 0:03:41.175 past few years. You know, Cryptocurrency 0:03:41.279 --> 0:03:44.369 have helped a lot in the space. But more broadly, 0:03:44.380 --> 0:03:48.339 we've seen these criminal groups of various degrees of sophistication 0:03:48.350 --> 0:03:51.729 share one thing in common. They're motivated by financial gain. 0:03:51.839 --> 0:03:55.339 So whether we're talking about ransomware extortion, the ability to 0:03:55.350 --> 0:03:59.119 encrypt lock systems and data and extort money or data 0:03:59.130 --> 0:04:03.410 breaches which often are accompanied by extortion. We are looking 0:04:03.419 --> 0:04:06.460 at financially motivated groups and then at the bottom of 0:04:06.470 --> 0:04:07.020 the capability 0:04:07.123 --> 0:04:10.184 spectrum. But increasingly over the years, I've been in this field, 0:04:10.194 --> 0:04:12.893 we've seen that shift quite a bit upwards in terms 0:04:12.904 --> 0:04:18.114 of skills is the activists, the cyber activist groups, those 0:04:18.123 --> 0:04:21.164 have been in popular culture represented a lot by anonymous 0:04:21.174 --> 0:04:24.503 and we've seen a sort of guy fawkes mask for 0:04:24.514 --> 0:04:26.334 those of you that are avid on the TV side. 0:04:26.343 --> 0:04:29.493 Mr Robot had a great depiction of this type of, of, 0:04:29.503 --> 0:04:32.894 of sort of group, but usually they're ideologically motivated. 0:04:33.260 --> 0:04:36.799 Now, one of the interesting trend and you know, for 0:04:36.809 --> 0:04:39.599 some of those our listeners who might have worked on 0:04:39.609 --> 0:04:41.910 Wall Street during the times, the sort of occupy Wall 0:04:41.920 --> 0:04:45.558 Street movement saw a lot of activity. Exactly. And a 0:04:45.570 --> 0:04:48.969 lot of groups targeting big banks, but usually we see 0:04:48.980 --> 0:04:52.750 a lot of environmentally motivated groups. We have a plethora 0:04:52.760 --> 0:04:56.440 of different ideologies. I think the shift in recent years 0:04:56.450 --> 0:05:02.420 has been much more politically ideological motivations that veer on 0:05:02.428 --> 0:05:02.839 state 0:05:03.303 --> 0:05:07.493 level sponsorship or support. And this is what we've seen. 0:05:07.505 --> 0:05:11.165 Certainly in the Middle East, the law we've seen across 0:05:11.174 --> 0:05:14.484 parts of eastern Europe where these groups become difficult to 0:05:14.494 --> 0:05:17.815 discern whether or not they are actually individuals or small 0:05:17.825 --> 0:05:20.644 groups or if they are being asked to run these 0:05:20.654 --> 0:05:22.505 operations by governments. 0:05:23.144 --> 0:05:25.434 Let me go back to the government in a second. 0:05:25.445 --> 0:05:29.515 Which is so, yes, there are capabilities that governments apply 0:05:29.524 --> 0:05:32.565 to espionage and we know most countries do it. 0:05:32.950 --> 0:05:37.738 Um, there's also this whole layer of snooping that governments 0:05:37.750 --> 0:05:38.970 owe to their own people. 0:05:39.529 --> 0:05:43.459 And we've been hearing about certain software packages that certain 0:05:43.470 --> 0:05:46.589 countries commercialize and sell and you hear all sorts of 0:05:46.600 --> 0:05:49.029 unsavory governments picking up those things. So, tell us a 0:05:49.040 --> 0:05:50.230 little bit about that. Yeah, 0:05:50.238 --> 0:05:50.578 it's 0:05:50.589 --> 0:05:55.000 been a maybe a good decade now that we've seen 0:05:55.010 --> 0:05:58.118 crop up these companies that have specialized private sector companies, 0:05:58.130 --> 0:06:04.118 technology companies that have specialized in designing and developing toolkits capabilities, 0:06:04.130 --> 0:06:04.850 malware 0:06:05.065 --> 0:06:10.346 at times to essentially conduct espionage operations and have commercialized 0:06:10.356 --> 0:06:13.856 it to law enforcement agencies across the world and for 0:06:13.867 --> 0:06:16.856 a range of different purposes, sometimes legitimate purposes. And we 0:06:16.867 --> 0:06:21.677 do see counter terrorism operations or particularly in countries with 0:06:21.687 --> 0:06:25.207 the resources to build their own cyber capabilities as limited 0:06:25.337 --> 0:06:29.957 valid use cases for criminal investigations. The challenge though is 0:06:29.967 --> 0:06:30.596 that in some 0:06:30.694 --> 0:06:33.282 jurisdictions and depending on the nature of the government, we've 0:06:33.294 --> 0:06:36.593 also seen abuse of this capability and part of this 0:06:36.604 --> 0:06:39.514 abuse has been used to target journalists, freedom of the press, 0:06:39.523 --> 0:06:43.032 but also freedom of religion and at times even minorities 0:06:43.044 --> 0:06:47.003 within certain countries, I think the real challenge is making 0:06:47.014 --> 0:06:49.104 a distinction and this is what we talk a lot 0:06:49.113 --> 0:06:52.343 in the threat into our world is making a distinction 0:06:52.354 --> 0:06:56.223 between motives and capabilities, having the capability to do so 0:06:56.550 --> 0:06:59.501 like snoop on an iphone, which most governments will have 0:06:59.510 --> 0:07:03.710 a capability to do is only legitimate when it is 0:07:03.721 --> 0:07:06.460 used by a purpose that is lawful. And I think 0:07:06.471 --> 0:07:09.580 that's where a lot of even the regulatory framework has 0:07:09.591 --> 0:07:12.941 been evolving very quickly. Over the years when most of 0:07:12.950 --> 0:07:17.621 our privacy regulations were built back before 2017 18, with 0:07:17.631 --> 0:07:20.670 the Chinese cybersecurity law in the European Union's general data 0:07:20.680 --> 0:07:26.180 protection regulation, data privacy law had been written in 1990. 0:07:26.470 --> 0:07:28.649 You know, we were talking before starting about the iphone 0:07:28.660 --> 0:07:32.170 release in 2007. Look at the pace of evolution and 0:07:32.179 --> 0:07:34.290 how difficult it is to stay on top of these 0:07:34.299 --> 0:07:36.899 capabilities for regulators. And I think that's going to be 0:07:36.910 --> 0:07:40.269 a constant economy in the near future in our societies 0:07:40.339 --> 0:07:44.679 and in our democracies, how do we balance the capabilities 0:07:44.690 --> 0:07:47.829 our governments have with the motives and the intent to 0:07:47.839 --> 0:07:51.799 use these capabilities through legislation and through democratic processes? 0:07:52.019 --> 0:07:54.970 What's your sense of GDPR? Now, whenever I go to 0:07:54.980 --> 0:07:56.049 a website, there's a little 0:07:56.575 --> 0:07:59.165 box that comes up. Do you accept the cookies or not? 0:07:59.175 --> 0:08:01.105 That is it really changing things? So 0:08:01.115 --> 0:08:01.126 I 0:08:01.135 --> 0:08:04.656 think it has and there's been really interesting case law 0:08:04.665 --> 0:08:08.295 in Europe where some of the fundamental principles of GDP 0:08:08.305 --> 0:08:11.446 are notably the right to be forgotten, which really came 0:08:11.455 --> 0:08:15.286 from a single activist based in Spain who sort of 0:08:15.295 --> 0:08:19.165 was really upset about when he entered his name on Google. 0:08:19.175 --> 0:08:22.665 The results that came in were either too old and 0:08:22.675 --> 0:08:25.635 were misrepresentation of who he was or were in 0:08:25.971 --> 0:08:29.462 at times. And I think now within the European Union 0:08:29.471 --> 0:08:33.521 and certainly as European citizens, individuals can request that their 0:08:33.530 --> 0:08:39.041 information be taken down, that has undeniably really improved the 0:08:39.052 --> 0:08:42.861 privacy of European Union citizens. And I think we've seen 0:08:42.872 --> 0:08:46.442 similar bills come across the world and we are seeing 0:08:46.492 --> 0:08:50.681 a real trend towards adoption of this approach. That being said, 0:08:50.771 --> 0:08:55.391 one of the objectives of GDPR was, you know, seriously 0:08:56.590 --> 0:09:01.690 improve the accountability of organizations in protecting consumer and employee data. 0:09:02.000 --> 0:09:05.150 And whilst we've seen improvements as a whole, it's not 0:09:05.159 --> 0:09:07.179 all of one size fits all. It's certainly not a 0:09:07.190 --> 0:09:11.150 silver bullet. And I think the challenge is regulation will 0:09:11.159 --> 0:09:15.030 not be the only answer to the problem that cybersecurity 0:09:15.039 --> 0:09:16.909 poses the privacy of our data 0:09:17.159 --> 0:09:21.510 um uh entails. And importantly, whilst GDPR was a step 0:09:21.520 --> 0:09:24.739 in the right way, it is only a single step 0:09:24.750 --> 0:09:26.689 in what's going to be a very long hike. 0:09:27.010 --> 0:09:29.829 Is it too early to say that the data leak 0:09:29.840 --> 0:09:32.900 issue in Europe is sort of better than elsewhere because 0:09:32.909 --> 0:09:33.809 of all these laws, 0:09:34.299 --> 0:09:39.369 I think, I wish as a European Union citizen that 0:09:39.380 --> 0:09:43.630 it was better. I don't think unfortunately, it is going 0:09:43.640 --> 0:09:46.559 to be better. Thanks to regulation. I think regulation creates 0:09:46.570 --> 0:09:49.630 better accountability. I think you mentioned that the introduction 0:09:49.830 --> 0:09:52.960 to this episode, there's always been this challenge of, we 0:09:52.969 --> 0:09:55.570 only know what we know and as the public or 0:09:55.580 --> 0:09:59.210 as you know, members of the business community, we know 0:09:59.219 --> 0:10:03.150 if somebody's been hacked because they say it publicly, what 0:10:03.200 --> 0:10:05.069 GDPR has helped. And I think what a lot of 0:10:05.080 --> 0:10:07.829 the legislations are coming out and I just saw the, 0:10:07.960 --> 0:10:10.409 the CS A here in Singapore is doing more work 0:10:10.419 --> 0:10:14.848 on mandatory disclosure of breaches is creating a universe of 0:10:14.859 --> 0:10:15.729 accountability 0:10:16.039 --> 0:10:18.309 that is very helpful because at least it creates a 0:10:18.320 --> 0:10:21.439 level playing field in terms of statistically. Do we see 0:10:21.450 --> 0:10:24.260 less data breaches since GDPR? No, we probably see more. 0:10:24.270 --> 0:10:26.809 And that's also a factor of just the sophistication of 0:10:26.820 --> 0:10:30.150 the landscape and just how much more data reliant we are. 0:10:31.000 --> 0:10:35.690 So tell me something about the level of sophistication and 0:10:35.700 --> 0:10:40.289 the scale of cybersecurity threats out in the world. How often, 0:10:40.299 --> 0:10:40.909 how big are we 0:10:40.919 --> 0:10:41.530 talking about? 0:10:41.539 --> 0:10:45.330 I mean, we'd be talking about every millisecond. If we 0:10:45.340 --> 0:10:49.449 looked at the technical materialization of attacks, I think there 0:10:49.460 --> 0:10:51.848 has been attempts at quantifying the damages. 0:10:52.085 --> 0:10:55.806 We are talking if cyber crime was an economy in 0:10:55.815 --> 0:10:59.116 2025 it's scheduled to be the third largest economy in 0:10:59.125 --> 0:11:01.314 the world after the US and China. So we are 0:11:01.325 --> 0:11:05.176 talking trillions of dollars of damages. Dabbing said I always 0:11:05.184 --> 0:11:08.236 take this quantification with a pinch of salt. There is 0:11:08.245 --> 0:11:10.265 no and this is one of the big challenges in 0:11:10.276 --> 0:11:12.786 our space is there is no way to 0:11:12.881 --> 0:11:16.262 actually understand the scale of the problem because it is 0:11:16.271 --> 0:11:20.661 reliance on reporting, it is reliance on transparency internationally. And 0:11:20.942 --> 0:11:23.580 the reality is we don't have much of this. What 0:11:23.591 --> 0:11:27.601 we can see is both in terms of spend budgetary 0:11:27.611 --> 0:11:31.841 wise by governments and private sector and in terms of 0:11:31.851 --> 0:11:37.161 cost of remediation, the problem is significant. And in my 0:11:37.171 --> 0:11:41.721 10 years working in the private sector and advising organizations 0:11:41.731 --> 0:11:42.562 around the world, 0:11:43.030 --> 0:11:46.109 I now very rarely do not see an organization that 0:11:46.119 --> 0:11:49.880 has cyber on top of its risk register as both 0:11:49.890 --> 0:11:51.729 high likelihood and high impact. 0:11:52.280 --> 0:11:57.059 I think where we see the trend moving is because 0:11:57.070 --> 0:12:00.960 our societies and our organizations are connecting more and more. 0:12:00.989 --> 0:12:05.250 We are seeing massive investments in digital transformations. The reality 0:12:05.260 --> 0:12:08.799 is the problem is only going to get bigger and 0:12:08.809 --> 0:12:12.520 because we are connecting, not just ourselves to the internet, 0:12:12.630 --> 0:12:16.450 but we're also connecting machines, we're connecting factories, we still 0:12:16.460 --> 0:12:18.929 have roughly 50% of the world that's not connected to 0:12:18.940 --> 0:12:19.500 the internet. 0:12:19.880 --> 0:12:23.909 There is still a huge amount of vulnerabilities that are 0:12:23.919 --> 0:12:25.140 only yet to come. 0:12:25.700 --> 0:12:26.979 If we are 0:12:27.900 --> 0:12:32.950 fixated on the vulnerabilities, sometimes we sacrifice efficiency or productivity. 0:12:33.280 --> 0:12:35.659 I used to work at a public sector organization where 0:12:35.669 --> 0:12:38.489 the fear of cyberattack was so big that we used 0:12:38.500 --> 0:12:41.210 to use two different laptops, one for external access, one 0:12:41.219 --> 0:12:44.489 for internal use. And then there was a virtual dropbox. 0:12:44.500 --> 0:12:46.400 If you downloaded some data from outside, you'd go through, 0:12:46.409 --> 0:12:48.549 but it'll go through like filter after filter before you 0:12:48.559 --> 0:12:52.189 could bring it to the, but that was in my view, inefficient, 0:12:52.200 --> 0:12:53.080 it slowed us down. 0:12:53.419 --> 0:12:58.049 Um, are you seeing that sort of paranoia which is 0:12:58.059 --> 0:12:59.478 causing that sort of cost? 0:12:59.489 --> 0:13:02.400 Yeah. I think it's a really good point and I 0:13:02.409 --> 0:13:05.589 think it's one that we often in the security industry 0:13:05.659 --> 0:13:09.150 don't talk about enough security for a long time, was 0:13:09.159 --> 0:13:12.760 seen as this huge blocker and an impediment to doing business. 0:13:12.770 --> 0:13:15.979 I mean, we've had scenarios where we tell executives if 0:13:15.989 --> 0:13:18.500 you travel to a certain country, you can't take your 0:13:18.510 --> 0:13:19.849 cell phone and they look at us and they say 0:13:19.859 --> 0:13:21.479 we're going to take our cell phones. So not only 0:13:21.489 --> 0:13:22.679 does it encourage, 0:13:23.080 --> 0:13:27.900 you know, bypassing the controls, it also the controls become 0:13:28.020 --> 0:13:30.719 too difficult, then we lose our purpose of being a 0:13:30.729 --> 0:13:34.369 business or operating properly what we are seeing. And I 0:13:34.380 --> 0:13:37.059 think this is, this is the biggest thing that everyone 0:13:37.070 --> 0:13:39.750 out there, both organizations and individually, we need to think 0:13:39.760 --> 0:13:40.140 about 0:13:40.409 --> 0:13:43.690 paranoia is unhealthy. We need to be proportionate and to 0:13:43.700 --> 0:13:47.809 be proportionate, we need to understand our environment. And if 0:13:47.820 --> 0:13:50.130 I am a bank or if I'm a government institution 0:13:50.140 --> 0:13:52.900 or if I am a health care company or law firm, 0:13:52.989 --> 0:13:56.309 my threat environment is going to be different. Not everybody 0:13:56.320 --> 0:13:57.909 needs to be for Alamo, 0:13:58.539 --> 0:14:04.429 not everybody needs to have military grade defenses. Some do 0:14:04.609 --> 0:14:06.640 maybe parts of our organizations do 0:14:07.159 --> 0:14:09.820 and those parts they need to be proportionate to the 0:14:09.830 --> 0:14:13.319 risks that we face, if we apply a blanket rule, 0:14:13.469 --> 0:14:16.190 we are going to waste money, we're gonna piss off 0:14:16.200 --> 0:14:19.320 our users and ultimately we're going to be counterproductive. Right. 0:14:19.380 --> 0:14:23.059 Right. I mean, I've noticed this even in certain apps 0:14:23.070 --> 0:14:26.489 where the security concern is so big that the app 0:14:26.500 --> 0:14:28.609 shuts down at every single hint of vulnerability. 0:14:28.849 --> 0:14:30.429 And as a result, it's not a user friendly app 0:14:30.440 --> 0:14:31.099 anymore. 0:14:31.229 --> 0:14:34.380 I think banking has really led the way in balancing 0:14:34.390 --> 0:14:39.390 this because it's fundamentally A B two C business. So 0:14:39.549 --> 0:14:42.859 and it's a business that has been heavily targeted historically 0:14:42.869 --> 0:14:46.140 by cyber attacks. It's also a business where consumers are 0:14:46.150 --> 0:14:50.099 very concerned about the safety and the security of their data. 0:14:50.429 --> 0:14:53.169 And at the same time, they need that seamless connectivity. 0:14:53.369 --> 0:14:55.419 And so if you look at some of the innovations 0:14:55.429 --> 0:14:58.919 of the technical layer multi factor authentication, the use of 0:14:58.929 --> 0:15:03.130 biometric on our phones for fingerprinting, the banks are still 0:15:03.140 --> 0:15:05.590 leading the charge. And I think there's a real lesson 0:15:05.599 --> 0:15:09.239 here for the community that security can be done whilst 0:15:09.250 --> 0:15:12.669 being user friendly. It doesn't have to be everybody log 0:15:12.679 --> 0:15:14.609 out every 10 minutes and I need to re input 0:15:14.619 --> 0:15:18.179 15 passwords. And luckily the tech is moving into such 0:15:18.190 --> 0:15:19.090 a space where 0:15:19.359 --> 0:15:23.669 the solutions designers, the technology companies are really thinking about 0:15:23.679 --> 0:15:24.219 the user 0:15:25.140 --> 0:15:27.900 nick coming from DB si fully relate to what you're 0:15:27.909 --> 0:15:32.770 talking about. Um As we speak, we have two full 0:15:32.780 --> 0:15:36.469 blown military conflicts in the world. Russia, Ukraine Israel Gaza 0:15:36.479 --> 0:15:40.659 and we have this simmering tussle between the US and China, 0:15:40.669 --> 0:15:42.559 which probably will last our lifetime. 0:15:43.070 --> 0:15:47.830 So talk about cyber security and dimensions of actual conflict, 0:15:47.840 --> 0:15:49.979 both full blown one as well as a simmering 0:15:49.989 --> 0:15:51.909 one. Yes, I think this is, this could be a 0:15:51.919 --> 0:15:55.440 topic for the next 20 hours. It is by far 0:15:55.450 --> 0:15:58.010 the pieces that I find the most fascinating in this 0:15:58.020 --> 0:15:58.809 space because 0:15:59.354 --> 0:16:02.934 it's where we see the real convergence of this risk 0:16:02.945 --> 0:16:07.705 environment and the convergence between real life and that digital component. Look, 0:16:07.715 --> 0:16:10.434 I think for a long time, we had forecasted and 0:16:10.445 --> 0:16:13.135 not just we are control risk, but organizations across the 0:16:13.145 --> 0:16:18.405 world had forecasted that Cyber was going to become a 0:16:18.684 --> 0:16:22.315 normal part of conflict and particularly of hybrid conflicts like 0:16:22.325 --> 0:16:23.184 what we're seeing 0:16:23.479 --> 0:16:27.450 and certainly both in the Middle East and in eastern Europe, 0:16:28.539 --> 0:16:31.469 it has manifested this way. I think Ukraine was a 0:16:31.479 --> 0:16:35.059 surprise to a lot of commentators because I remember at 0:16:35.070 --> 0:16:38.349 the beginning of the war, there were lots of questions about, 0:16:38.359 --> 0:16:41.140 are we going to see a very large scale cyber attack, 0:16:41.150 --> 0:16:43.200 crippling the entire electric grid 0:16:44.205 --> 0:16:48.005 or even into Europe? And for our listeners that may 0:16:48.015 --> 0:16:50.216 have an interest in the field, you know, the scenario 0:16:50.226 --> 0:16:53.815 was colonial pipeline, the shutdown of a pipeline in on 0:16:53.825 --> 0:16:56.575 the eastern seaboard in the US. The reality is we 0:16:56.585 --> 0:16:58.515 didn't see this. And I think there were two reasons 0:16:58.526 --> 0:17:02.875 for this. One is Cyber is part of military operations 0:17:02.885 --> 0:17:03.575 is one 0:17:03.682 --> 0:17:07.261 the many tools at the disposal of states. But it 0:17:07.271 --> 0:17:13.271 is also not a replacement for traditional kinetic war and 0:17:13.281 --> 0:17:17.390 traditional conflict. That being said it does feature prominently as 0:17:17.401 --> 0:17:19.901 part of both of these conflicts. And I think they 0:17:19.911 --> 0:17:23.702 give us a taste of what there is to come. Actually, Ukraine, 0:17:24.160 --> 0:17:28.560 you know, after the invasion of Crimea in 2014, we 0:17:28.569 --> 0:17:33.180 saw the development of disruptive or destructive cyber attacks against 0:17:33.189 --> 0:17:38.760 Eastern European energy infrastructure by Russian Linked units. And what 0:17:39.109 --> 0:17:42.709 that was a good forecasting sign of is war is 0:17:42.719 --> 0:17:47.310 a capability development moment in cyber. It is through military 0:17:47.319 --> 0:17:50.599 means that we see novel tactics and techniques. It is 0:17:50.609 --> 0:17:53.349 what we've seen in the targeting of satellite systems during 0:17:53.359 --> 0:17:55.560 the war in Ukraine. It's also what we've seen in 0:17:55.569 --> 0:17:59.660 the targeting of data centers and large scale telecommunication infrastructure. 0:18:00.209 --> 0:18:00.819 It is not 0:18:01.060 --> 0:18:04.689 the sort of big nuclear apocalypse that people may have forecasted, 0:18:04.790 --> 0:18:08.540 but it is evident that it has become a critical 0:18:08.550 --> 0:18:12.379 part of before during and after conflicts. And I think 0:18:12.390 --> 0:18:15.160 the concern when we look at some of the tensions 0:18:15.170 --> 0:18:18.000 around the world today is there are more and more 0:18:18.010 --> 0:18:21.859 states developing these capabilities. What keeps me up awake at 0:18:21.869 --> 0:18:24.899 night is the private sector is going to be caught 0:18:24.910 --> 0:18:26.040 in the middle of all of this. 0:18:26.479 --> 0:18:31.629 We private sector companies, not only oftentimes run the infrastructure 0:18:31.640 --> 0:18:36.319 that sits in those countries, it is also our business 0:18:36.329 --> 0:18:40.430 imperative to work across jurisdictions and what we're seeing and 0:18:40.439 --> 0:18:42.750 particularly the sanctions that came 0:18:42.949 --> 0:18:46.250 by both the US and the Eu after the invasion 0:18:46.270 --> 0:18:49.839 of Ukraine on Russian businesses was a good indicator when 0:18:49.849 --> 0:18:52.510 all of a sudden you couldn't update Microsoft in Russia 0:18:52.619 --> 0:18:58.219 because the sanctions prohibited Microsoft from sending updates to laptops 0:18:58.229 --> 0:18:59.410 and assets in Russia. 0:18:59.880 --> 0:19:04.599 It is reshaping the world of technology these conflicts. And 0:19:04.609 --> 0:19:08.439 I think very interestingly for us, for instance, we are 0:19:08.449 --> 0:19:12.969 increasingly looking at technology as a resilience concern and just 0:19:12.979 --> 0:19:15.699 strictly a cyber security concern. And I know that's a 0:19:15.709 --> 0:19:18.649 big part of the discussion in Singapore about the resilience 0:19:18.790 --> 0:19:22.520 of the infrastructure cyber resilience in Singapore. I think that 0:19:22.530 --> 0:19:24.260 is absolutely the right discussion 0:19:24.810 --> 0:19:27.219 to touch on the US and China. Look we are 0:19:27.229 --> 0:19:31.719 entering a US electoral period, we don't yet know what 0:19:31.729 --> 0:19:35.310 will happen. But it is very clear that the tensions 0:19:35.319 --> 0:19:37.510 around the control of technology 0:19:37.890 --> 0:19:42.079 and the development of generative A I, we've got the 0:19:42.089 --> 0:19:45.689 beginnings of quantum discussions happening a little bit everywhere is 0:19:45.699 --> 0:19:49.728 going to be a real arms race between the two superpowers. 0:19:49.849 --> 0:19:52.810 And it's going to put businesses in the middle of this, 0:19:52.819 --> 0:19:55.579 of having to pick where do I choose my technology 0:19:55.589 --> 0:19:58.619 supply chain from? How do I build resilience in light 0:19:58.630 --> 0:20:00.160 of different regulatory framework? 0:20:00.430 --> 0:20:04.949 And importantly, what is the direction of travel from an 0:20:05.160 --> 0:20:08.619 access to technology and the security of our technology in 0:20:08.630 --> 0:20:10.459 light of my own business strategy 0:20:10.469 --> 0:20:10.869 Right. 0:20:11.229 --> 0:20:12.579 I want to go back to the issue of resiliency 0:20:12.589 --> 0:20:15.219 for a second in the context of Russia, Ukraine. So, yes, 0:20:15.229 --> 0:20:17.010 at the beginning, the fear was that there will be 0:20:17.020 --> 0:20:20.670 cyber attacks from Russia and there will be widespread blackouts 0:20:20.680 --> 0:20:22.629 both in Ukraine and elsewhere. 0:20:23.209 --> 0:20:26.189 Now, what about the fact that almost three years after 0:20:26.199 --> 0:20:30.420 the conflict started? And despite all sorts of sanctions, Russia's 0:20:30.459 --> 0:20:34.819 capabilities seem pretty good. How are they being so resilient? 0:20:34.859 --> 0:20:35.359 It's 0:20:35.369 --> 0:20:37.780 a great question. And I think there's been lots of 0:20:37.790 --> 0:20:41.429 analysis recently around the sort of move of Russia towards 0:20:41.439 --> 0:20:44.438 a war economy regime and something close to 70% of 0:20:44.449 --> 0:20:47.060 GDP now being dedicated to the war effort. And I 0:20:47.069 --> 0:20:47.540 think that 0:20:47.869 --> 0:20:51.880 most governments now in their strategic military planning take cyber 0:20:51.890 --> 0:20:55.609 as one of the aspects of we need to maintain resources, 0:20:55.619 --> 0:20:59.719 we need to maintain capabilities throughout the continuation of a 0:20:59.729 --> 0:21:03.469 war effort. And so that pivot has been very significant 0:21:03.479 --> 0:21:04.010 in Russia, 0:21:04.104 --> 0:21:07.354 I think equally I mentioned earlier on when we were 0:21:07.364 --> 0:21:10.405 talking about the different types of threat groups. What we 0:21:10.415 --> 0:21:12.675