[00:00:06] Anna Delaney: Hello, this is the ISMG Editors' Panel. I am your host Anna Delaney and this is our weekly spot where we discuss and recap the top InfoSec stories and cybercrime trends you need to know about. I'm delighted to be joined by my colleagues today, Mathew Schwartz, executive editor of DataBreachToday & Europe, and Tony Morbin, executive news editor for the EU. Wonderful to see you both.

[00:00:30] Tony Morbin: Good to see you.

[00:00:31] Mathew Schwartz: Great to be back, Anna.

[00:00:32] Anna Delaney: Very good. We are a cozy team today. Tony, what a beautiful statue behind you. Tell us more.

[00:00:40] Tony Morbin: Mercury. I took him for the god of communications, which he is, not realizing he is also the god of financial gain, boundaries, luck, trickery, merchants and thieves. So I don't know how relevant all the other ones are. But I'm going to be talking about data transfer across the Atlantic, so we might get some of all of those.

[00:01:03] Anna Delaney: Perfect for today. I didn't know communication thieves were ever something.

[00:01:10] Tony Morbin: Apparently so. It might well be the fact that it is the god of financial gain.

[00:01:16] Anna Delaney: And Matt, that's the halo above you?

[00:01:21] Mathew Schwartz: Yeah, that's a bridge, Anna.
That's the Millennium Bridge in Newcastle. Yes. I've got it for sale too, if you want. But yes, the gorgeous Millennium Bridge on the quays of Newcastle in England, where I was this past weekend to go to a music festival in a number of different venues. And it was just a lovely spring weekend in the north of England.

[00:01:46] Anna Delaney: I've not been to Newcastle. So, it's on my list.

[00:01:49] Mathew Schwartz: My first time.

[00:01:50] Anna Delaney: Yeah, very good. Well, I love the shot. I'm, well, on Facebook, but I don't usually go on it very much, at least these days. But when I do, I enjoy the memories that they share and reminders of what happened several years ago, and Facebook today told me that 11 years ago today, I was in Barcelona with my mom. So this is happy memories from Gaudí's Park Güell's mosaic artwork for you. Okay. And the sunshine that I'm missing. Anyway, bring it on. Matt, you wrote a piece earlier this week that considers the cybersecurity lessons policymakers and defenders should be learning and applying 15 months after Russia intensified its invasion of Ukraine.
So let's first do a little bit of an assessment of where we are right now with the war, what the cyber angle looks like, and how much of a role cyberattacks continue to play in the war. And then we can move on to key takeaways.

[00:02:54] Mathew Schwartz: Great. So just to do a brief recap on the cyber war, if you will, that wasn't really a cyber war. Before, as you said, Russia intensified its invasion. February 24, 2022 is when it went all out. And before that, there had been a number of online attacks, intensification of online attacks, probing, attempted disruption, especially of some critical infrastructure sectors, and wiper malware. And then in the early part of the intensified invasion, there was a lot of wiper malware, and a lot of cyberattack, online attack activity. We saw the rise of hacktivists, and we can talk about that perhaps in just a moment, as a force both working in support of Moscow, and as a force working in support of Ukraine. The hacktivist angle was a surprise to a lot of people. What was also a surprise to a lot of people once Russia went all out was the fact that we didn't really see cyber war; we have not seen cyber war, whatever that might be. But however you're going to define it, we really haven't seen it.
We've not seen close coordination between kinetic attacks or physical attacks and online attacks. So troops aren't assaulting a position backed by just-in-time malware, for example, that crashed the electric grid in the region where they are. There are a number of explanations for that. But I think the simplest, and that's probably the most likely, is it's really hard to coordinate online attacks with physical attacks. Also, if you've gone to the effort, if you're Russia, of pre-positioning yourself in various systems, do you want to use that once as part of a ground attack that might get repelled, might not work, or do you want to use that for as long as possible as part of a cyber espionage operation? And so, if I can conclude the brief-ish recap, what experts suspect is that when it comes to the online arena, what Russia is doing is continuing to focus a lot on cyber espionage and giving itself insight into Ukraine and other countries, of course, as well. But trying to give itself the best intelligence it can get about what's going on, what decision makers are thinking, and so on. We've seen some wiper malware, but it looks like they had some in reserve, or some ready to use, and they used it up.
And it's not clear that they've had enough time to replenish. Russia, by all accounts, thought that the war was going to last a week, maybe two. So there may have been some really poor preparation and planning before it launched its war. Unfortunately, Russia can be in things for the long haul, as we've seen, and as many prognosticators are predicting, the Ukraine-Russia war might not end anytime soon. So that's my brief introduction about lessons learned, I think, about how Russia is waging its campaign, especially when it comes to the online arena. So maybe this is a good time to shift that into: what are some of the takeaways? So there was a great session recently held by the Center for Strategic and International Studies - an online session - that was launching a new report that was commissioned by the National Cyber Security Centre here in Britain, where we all are. And the NCSC asked this question, "What are the takeaways that we can take away at this point in the conflict?" and I'm just going to start with what one of the conclusions was - an excellent conclusion by a woman named Erica Lonergan, who is an assistant professor in the Army Cyber Institute at the US Military Academy at West Point.
And she said something great, which is, we have to be really careful - I'm paraphrasing - not to harp on what the most convenient explanations of success are so far. And we're going to go into some of those points of success here in just a moment. But just because we think something was a success, we need to be really careful. She said we need to do some really careful analysis, because there's lots about this conflict that hasn't come to light yet. And one of the other great points made in this presentation that they had to launch the report is that we don't know what Russia's goals are. The goals that Russia has for the conflict, it might be meeting all of those goals in terms of how the conflict is being waged; we might look at what's going on and think, "Well, they could have done that really well." But as Paul Chichester, who's director of operations at the NCSC, said, their view of success and ours may prove to be different in the future. And we're not going to know that until much later. That was one of the takeaways. I think James Lewis, who helped with the report - he wrote the introduction to the report, he's at CSIS.
He said this is one of the lessons that came out from the Soviet era, when the wall came down and people looked really closely at what Russia had been trying to do, what the Soviet Union had been trying to do. Oftentimes things the West thought were failures were successes inside the Soviet Union. So I love that umbrella there of, "We need to be careful about what we decide worked and didn't work." But if we're going to focus on what we think is working, I'm going to go back to Paul Chichester, and one of the things he said, which I love, is the key thing is that we can see the defenders get a vote. A lot of people thought Ukraine wouldn't survive Russia's invasion. Setting aside the ground war, Ukraine has really distinguished itself in the cyber defense sphere. It's been lucky - not really luck - but it's been targeted by Russia for so long. And it's been getting help from the EU; it's now a part of the NATO Cooperative Cyber Defence Centre of Excellence as well. That just happened this month. It's getting lots of great input. And in exchange, especially now with this NATO angle, it's also feeding back about what it is doing, and how that's helping, what works, what doesn't work.
So far in the conflict, CyberPeace Institute says third parties have catalogued about 1,600 cyberattacks and operations tied to the conflict, attributed to 93 different threat actors. So there's a significant amount or quantity of cyber operations happening here. Obviously, this is something we should be taking lessons away from. So as I mentioned, Paul Chichester saying defenders get a vote, I love that. If you prepare, you can repel the likes of Russia. Will Ukraine continue to do that in six months and 12 months? Hopefully. I mean, this is where we are so far. But one of the big takeaways is resilience. And we saw that with the Biden administration's new National Cybersecurity Strategy, released in March, and again, James Lewis, CSIS, notes that previously, deterrence was one of the main focal points for governments, but especially as we've seen with the U.S. cybersecurity strategy, deterrence is still useful in a political sphere to signal the intention of a government. Resilience, however, is where it's at these days. And the great thing about resilience is it doesn't matter if you're attempting to combat a nation state or a criminal, or proxy elements. If you are resilient, you can repel them all.
So that was another great point, I think. Finally, what I would highlight is one of the big surprises for people, aside from there being no major role of cyber war, has been the role of allies and business partners. So I touched on allies already. Business partners, though, have been, and continue to be, essential. And there have also been some unforeseen consequences. For example, Starlink helped Ukraine and the government and the military stay online when Russia launched a major malware attack that bricked a lot of the satellite routers, the Viasat satellite routers that were being used in Ukraine, that should have knocked or could have knocked Ukraine offline. Starlink came in and helped out. Later in the conflict, though, Starlink said, "Oh, wait, we didn't know these were being used for offensive military operations," its routers. And there is a little bit of a tussle there about what might happen. Starlink eventually backed off. But some of the people who wrote essays for this report said this is something that other governments need to think about, because it's going to be the rare government that can keep itself online, that can keep its services in the cloud without using cloud providers, because on-premises doesn't work in a battle sphere.
Oftentimes, if you're being invaded, you need to get your stuff into the cloud. Microsoft helped with that. Amazon helped with that. And so, these experts, such as Julia Voo, a cyber fellow at Harvard's Belfer Center for Science and International Affairs, say governments need to be thinking about this; they need to be putting things in place, legal mechanisms as well, that perhaps give some legal immunity to the organizations they're working with, and which specify how these services can be used, for example, for the military. Do this now, she says, because, as we see with Starlink and some other things, you don't want to have to be doing this in the middle of an all-out war. So there are lots of lessons that can be learned here; a lot of it comes down to resilience, which comes down to preparation. And, again, always looking at what others who are at the sharp end or facing the sharp end of the spear are having to deal with, and thinking, if that's us in a week, a month, a year, how do we ensure that we are where we need to be in order to best repel whoever is trying to do us harm?

[00:13:36] Anna Delaney: That was excellent. And as you say, this huge collaboration between the private and public spheres. But what if this war were to last for years?
We don't know how long this will go on. Are policymakers, governments thinking about how this will be funded, this model, or how it will continue?

[00:13:57] Mathew Schwartz: Well, that's a huge point. And that was raised by this collection of essays that CSIS put together. The participants are saying, yes, what does happen if it's 2-3-4 or five years? Ukraine is a bit of a special case. The world has rallied, well, parts of the world have rallied to its defense. And thus far, you have businesses like Microsoft saying, "This is costing us a lot of money, and we're happy to donate it." But will this carry on? Can it afford to carry on? Can Starlink afford to gift access to Ukraine? So one of the models that's been proposed is charitable giving, basically just appealing to people to donate, do the right thing, do the moral, do the ethical thing. Not clear that that would be a sustainable long-term solution. One of the other things that has been proposed, which I think is sustainable, is the likes of NATO or the UN or some governmental organization creates a fund to which people can contribute, and in times of conflict, this fund pays out to get them the vital services they need.
And again, here, you can build in these rules or agreements where vendors agree to work with the fund. And they agree to play by the fund's rules, which is this might go to the military, for example, to help keep its forces online, to help its drones be able to function, that sort of thing. So, yes, really interesting policy questions and discussions happening now, and that need to be happening now.

[00:15:29] Tony Morbin: While I totally agree with all those takeaways and particularly, you know, resilience, and very interesting, what you had coming from the NCSC there and Chich talking about this - we don't know what we don't know, in terms of what their intentions were. But I'm going to disagree with the overall premise that we haven't seen cyber war, because I think trying to take down the satellites was an out-and-out attempt at using cyber to affect their real-world goals. Same goes for the wipers; they kind of shot their bolt with bringing down Ukraine's electricity years ago, so they were a lot better prepared when it came to a war. And so I think it was a mixture of 1) Ukraine successfully fought off the cyber war, in my view, even though we don't know if Russia has another SolarWinds hidden somewhere. We don't know that.
But, you know, from what we've seen, they fought off everything that was thrown at them. But not only that, the big issue is that cyber is a bit of a damp squib compared to dropping a bomb on somebody. So, you know, and I think that's the big thing, is that kinetic trumps cyber.

[00:16:48] Mathew Schwartz: Well, and that was one of the points made again by James Lewis from CSIS. Kinetic seems to trump cyber, but if you could get it right, would cyber plus kinetic be even more powerful? And that's not clear. And we don't know why Russia hasn't done it. Is it its inability to do it? Is it because it's very costly? Did it test it and it didn't work out the way it wanted it to? So that's a bit of an open question. To your cyber war point, it's a question of semantics. A lot of people who study the area think cyber operations is probably a better term, just because what is cyber war? It is very nebulous. So a lot of people are favoring something a bit more specific, which is, again, cyber operations. And that gets to the nuance of: is it espionage? Is it something in support of a military operation? We don't always know all of these wrinkles. And so it's difficult to see the bigger picture.
I guess, perhaps when the war is over, we can look back at what was the cyber war aspect of it. But we don't always know. And also about the satellite, it didn't take out the satellite, it took out the routers, and then the provider of the service replaced the routers. So yes, it was an onslaught. But I mean, we've seen attacks brick routers before, typically not in service of an invasion. So yeah, they can be called the cyber war. But it wasn't the cyber war that many people were predicting.

[00:18:20] Tony Morbin: Oh, absolutely not. I mean, you know, we haven't seen a Stuxnet as such. We haven't, for obvious collateral damage reasons, we haven't seen a WannaCry. And I wonder how much that may have influenced Russia's actions with cyber weapons, that you can't control the collateral damage. And then there may be additional kinetic consequences from that.

[00:18:46] Mathew Schwartz: Yeah, Russia has been very circumscribed in who it attacks. And even the proxies, like KillNet, the hacktivist group, have been very circumscribed in who they attack, and actually they're really not doing much damage. It's more information operations in support of Kremlin propaganda. But in terms of actual attacks attributed to Russia, that's based on what's become public.
It's possible things have happened that we don't know about, but based on what's become public, Russia is not targeting the West. Western governments warn that might happen. They've not seen it. A lot of people are deducing that Moscow really doesn't want to get anywhere near those red lines.

[00:19:25] Anna Delaney: Well, I have to say the conversation doesn't stop here. But in order to move on, for time, to Tony's topic: Facebook's owner Meta has been fined 1.3 billion dollars this week for mishandling people's data when transferring it between Europe and the United States. So it's the largest fine to date imposed under the EU General Data Protection Regulation privacy law, and coincidentally comes in the same week as the GDPR's fifth anniversary. So what went wrong for Facebook, or what didn't go wrong? What's your take, Tony?

[00:19:59] Tony Morbin: Okay, I mean, I was going to take sort of a wider look at privacy, but obviously then focusing on what's happened with Facebook.
And, you know, just as one man's freedom fighter is another man's terrorist, so it is with privacy, where what's seen as a legitimate expectation of an individual's privacy by some is regarded as undermining necessary security measures for another, or the stifling of free market and innovation for yet another. So here we are, as you say, five years on from the implementation of GDPR, where the EU effectively took a stand against the hoovering up of its citizens' data by a U.S. social media giant for commercial exploitation. At the time, it appeared the issue was purely between Europeans, whose public had privacy concerns centered on how their data was being taken without their consent to better sell them products and services, and the US, where privacy concerns tended to focus on the suspicion of creeping government overreach into surveillance of their lives, sometimes allied to conspiracy theories, sometimes allied to actual government policies, and the Ukraine sort of falling somewhere between the U.S. and Europe. Of course, in authoritarian regimes such as Russia, China, North Korea, and many in the Middle East, the impact of public opinion falls a long way behind the need to ensure stability of the government.
And this is done by limiting opposition at home and abroad. So privacy is framed on a national security basis: not letting the foreigners get your information, or gathering all you can yourself. Today, all of those three concerns converge. And in all three constituencies, all of them can come up with actual examples of where their worst fears have been realized. So coming back to Facebook, most significantly this week, the European Union hit Facebook parent Meta with a $1.3 billion privacy fine, and ordered it to stop transferring users' personal information across the Atlantic by October this year. The move is the culmination of a 10-year saga between Facebook/Meta and Austrian privacy campaigner Max Schrems, who objected to potential surveillance by U.S. intelligence agencies of Europeans' data, as revealed by NSA contractor Edward Snowden. In litigation, Schrems sank previous regulations that formed the basis to allow European and US data transfer. Schrems himself this week has said that for 10 years, Meta has not taken any material precaution, but simply ignored the European Court of Justice and the European Data Protection Board. Now Meta does not only have to pay a record fine, but also return all personal data to its EU data centers. This can be very hard to do.
And even hosting data in 348 00:22:44.190 --> 00:22:48.210 the European Economic Area will not necessarily overcome all the 349 00:22:48.210 --> 00:22:51.810 concerns raised by the regulators, if Meta in the US 350 00:22:51.810 --> 00:22:55.800 can still access the data stored in the EU. Plus, it could cause 351 00:22:55.800 --> 00:22:58.380 issues with some of Meta's advertisers, if they're still 352 00:22:58.380 --> 00:23:02.220 using this data to target their ads. Now while the aim of the 353 00:23:02.220 --> 00:23:05.340 regulation is to change corporate behavior with privacy 354 00:23:05.340 --> 00:23:08.820 by design, it can be viewed as challenging some of the business 355 00:23:08.820 --> 00:23:11.910 models used or, in some cases, outright preventing them. And 356 00:23:11.910 --> 00:23:14.250 this particularly applies to information gathered for one 357 00:23:14.250 --> 00:23:16.980 purpose, such as health monitoring, being used for another, 358 00:23:17.010 --> 00:23:21.480 such as targeted advertising. Along the way, we've also seen 359 00:23:21.600 --> 00:23:24.360 the Israeli offensive surveillance industry decimated 360 00:23:24.390 --> 00:23:28.770 following NSO's use against the US, including the closure of NSO 361 00:23:28.770 --> 00:23:32.670 competitor QuaDream, announced today. There's been a clampdown 362 00:23:32.670 --> 00:23:35.100 on the use by Western governments of Huawei and, in 363 00:23:35.100 --> 00:23:39.900 comparison, Kaspersky technology and apps such as TikTok, but on 364 00:23:39.900 --> 00:23:43.710 the other side, China and Russia are introducing data residency 365 00:23:43.710 --> 00:23:47.280 and app use restrictions, with China this week banning US 366 00:23:47.280 --> 00:23:52.680 chipmaker Micron. Back to GDPR.
Initially, enforcement there was 367 00:23:52.680 --> 00:23:55.680 viewed as weaker than anticipated, but it has ramped 368 00:23:55.680 --> 00:23:59.670 up in recent years, and reported total fines now reach some 2.6 369 00:23:59.670 --> 00:24:02.460 billion euros, and others in process could bring that up to 370 00:24:02.460 --> 00:24:07.080 3.5 billion. Now that's going to increase dramatically with the 371 00:24:07.080 --> 00:24:11.400 Meta fine. The order to stop transatlantic transfers of 372 00:24:11.400 --> 00:24:15.420 personal data will apply to users' data, such as names, 373 00:24:15.450 --> 00:24:19.740 email, IP addresses, messages, viewing history, geolocation 374 00:24:19.740 --> 00:24:24.390 data, and other information that Meta and others such as Google 375 00:24:24.540 --> 00:24:28.170 use for their targeted online ads. We're also seeing many 376 00:24:28.170 --> 00:24:31.410 countries around the world now replicating GDPR-style privacy 377 00:24:31.410 --> 00:24:35.160 regulations, which set the bar with its potential fine of 4% of 378 00:24:35.160 --> 00:24:39.120 annual global turnover for offenders. Some 70% of the 379 00:24:39.120 --> 00:24:41.820 world's countries now have some form of privacy or data 380 00:24:41.820 --> 00:24:45.330 protection legislation in place, and another 10 to 15% are 381 00:24:45.330 --> 00:24:50.910 reported to be working on it in this area. Unusually, the US is 382 00:24:50.910 --> 00:24:54.030 playing catch-up, as it appears to be introducing privacy 383 00:24:54.030 --> 00:24:58.740 regulations a state at a time. Meta has warned that services in 384 00:24:58.740 --> 00:25:01.710 Europe could be cut off and it's appealing the decision, but 385 00:25:01.710 --> 00:25:04.740 commentators suggest it's going to be unsuccessful, and it may 386 00:25:04.740 --> 00:25:08.640 subsequently face class actions, and other big tech organizations 387 00:25:08.640 --> 00:25:13.560 will likely face similar action.
The Irish DPC, which issued the 388 00:25:13.560 --> 00:25:16.290 fine, did suggest that with sufficient encryption, the 389 00:25:16.290 --> 00:25:18.870 transfers may have been permitted, and others have 390 00:25:18.870 --> 00:25:22.020 called for greater use of data virtualization, as well as the 391 00:25:22.020 --> 00:25:24.570 use of AI to automate the recording of the location and 392 00:25:24.570 --> 00:25:28.380 visibility of data. But going forward, the core issue will be 393 00:25:28.380 --> 00:25:31.020 about making the right decisions at the beginning of a product's 394 00:25:31.020 --> 00:25:34.470 life cycle or data life cycle, so that data protection is 395 00:25:34.470 --> 00:25:38.670 embedded early, including in core business functions. While 396 00:25:38.670 --> 00:25:41.700 AI might be part of the solution, it's also been pointed 397 00:25:41.700 --> 00:25:44.430 out that there are inherent tensions between the principles 398 00:25:44.430 --> 00:25:47.910 of data protection and the principles of AI systems: 399 00:25:47.940 --> 00:25:51.480 data minimization, purpose limitation, learning and 400 00:25:51.480 --> 00:25:55.650 transparency. When it comes to data transfers, at least wider 401 00:25:55.650 --> 00:25:58.080 adoption of privacy regulation provides a baseline for 402 00:25:58.080 --> 00:26:01.590 discussion. But geopolitical tensions and divergent 403 00:26:01.590 --> 00:26:04.740 ideological approaches to the rights of individuals versus 404 00:26:04.740 --> 00:26:07.260 those of the community, or especially the state, will 405 00:26:07.260 --> 00:26:11.670 make this difficult. If the US and Europe can't broker a 406 00:26:11.670 --> 00:26:14.940 deal, how much more difficult is that going to be to reach an 407 00:26:14.940 --> 00:26:17.610 agreement with those who truly see the world differently? 408 00:26:19.590 --> 00:26:22.770 Anna Delaney: Excellent.
And Tony, five years on, we're in a 409 00:26:22.770 --> 00:26:27.270 different place. Since the beginning, when it was enforced, 410 00:26:27.270 --> 00:26:32.070 we've now got cloud computing and ChatGPT and remote working - 411 00:26:32.640 --> 00:26:36.150 do you think GDPR is fit for purpose right now in this new 412 00:26:36.150 --> 00:26:36.630 environment? 413 00:26:37.590 --> 00:26:40.140 Tony Morbin: It's certainly improved, but 414 00:26:40.140 --> 00:26:44.190 inconsistency is probably the biggest issue. You know, I 415 00:26:44.190 --> 00:26:47.760 noticed a discussion you had recently in a panel where they 416 00:26:47.760 --> 00:26:51.570 compared Spain and Portugal. I think I'll make the figures up, 417 00:26:51.570 --> 00:26:56.790 but it was something like 87 complaints issued in Portugal 418 00:26:56.790 --> 00:27:02.160 and in the hundreds in Spain. And so that's an issue, 419 00:27:02.250 --> 00:27:04.770 particularly if we're trying - one of the whole purposes was to 420 00:27:04.770 --> 00:27:07.680 get consistency. Having said that, the ramping up of fines 421 00:27:07.680 --> 00:27:15.000 recently does sharpen the focus for businesses as to making sure 422 00:27:15.000 --> 00:27:15.810 that they're compliant. 423 00:27:17.340 --> 00:27:19.500 Anna Delaney: Brilliant, I think Matt agrees. He's nodding there. 424 00:27:20.700 --> 00:27:23.130 Mathew Schwartz: Definitely. I mean, it's very difficult to get 425 00:27:23.130 --> 00:27:30.060 a country-by-country view of GDPR enforcement. And when we do 426 00:27:30.060 --> 00:27:33.240 get it, some of it has to be deduced by firms that are 427 00:27:33.240 --> 00:27:36.750 looking at these things. And as Tony said, it can be wildly 428 00:27:36.750 --> 00:27:41.040 different. Some countries don't even really release details 429 00:27:41.070 --> 00:27:45.960 about who they fine or what sorts of enforcement actions 430 00:27:45.960 --> 00:27:49.170 they have undertaken.
So there's very different - I don't know if 431 00:27:49.170 --> 00:27:52.410 you want to say it's cultural, but definitely different 432 00:27:52.410 --> 00:27:54.870 countries have different approaches. And I think that's 433 00:27:54.870 --> 00:27:58.380 made it difficult to ascertain to what extent things are being 434 00:27:58.920 --> 00:28:04.470 fairly and even-handedly applied. But as we see with this 435 00:28:05.100 --> 00:28:09.720 fight against Meta, where the Irish DPC was basically told 436 00:28:09.720 --> 00:28:13.650 that it needed to - it was overruled by the European Data 437 00:28:13.650 --> 00:28:16.560 Protection Board. There is pressure being brought to bear 438 00:28:16.860 --> 00:28:19.830 to make sure that things that are seen as being a problem are 439 00:28:19.830 --> 00:28:20.700 being addressed. 440 00:28:22.020 --> 00:28:23.730 Anna Delaney: Well, I have plenty more questions, but in 441 00:28:23.730 --> 00:28:26.550 the interest of time, we have to move on to my final quick 442 00:28:26.550 --> 00:28:30.990 question for fun. I want you to turn to the great Bard himself 443 00:28:30.990 --> 00:28:35.010 for inspiration now, William Shakespeare, of course. Which of 444 00:28:35.010 --> 00:28:38.160 his plays or quotes best describes the state of 445 00:28:38.160 --> 00:28:41.850 cybersecurity today? Matt? 446 00:28:42.570 --> 00:28:46.260 Mathew Schwartz: I'll jump in. So one of my favorite plays from 447 00:28:46.260 --> 00:28:48.900 Shakespeare, having done some Shakespeare when I was at 448 00:28:48.900 --> 00:28:54.030 university, is Antony and Cleopatra. And Antony's gone, 449 00:28:54.060 --> 00:28:57.990 Caesar shows up and basically tells Cleopatra how it's going 450 00:28:57.990 --> 00:29:01.440 to be. And he's like, "I'm going to be the master, I'm going to 451 00:29:01.440 --> 00:29:05.220 be the Lord, and as long as we can agree on that, everything 452 00:29:05.220 --> 00:29:09.480 will be fine." Exit.
And Cleopatra turns to her entourage 453 00:29:09.480 --> 00:29:16.050 and goes, "He words me, girls, he words me," and that I should not 454 00:29:16.050 --> 00:29:20.430 be noble to myself, basically, is the end of the quote. But I love 455 00:29:20.430 --> 00:29:23.550 that "he words me" because I just feel like with so many of 456 00:29:23.550 --> 00:29:27.810 the communications we see with data breaches, recently Capita, 457 00:29:27.840 --> 00:29:31.320 many offenders previous to that, they are wording us. They're 458 00:29:31.320 --> 00:29:34.020 just throwing words, trying to absolve themselves of any 459 00:29:34.020 --> 00:29:37.050 responsibility or to make themselves seem like something 460 00:29:37.050 --> 00:29:41.220 they're not. And I think that gets to, as everyone would say 461 00:29:41.220 --> 00:29:43.770 about Shakespeare, essential aspects of human nature. 462 00:29:44.400 --> 00:29:47.250 Anna Delaney: And that fits in perfectly with Tony's Mercury 463 00:29:47.400 --> 00:29:51.540 behind him. Tony, are you inspired today? 464 00:29:51.570 --> 00:29:55.230 Tony Morbin: Well, I mean, just for the title alone, I would 465 00:29:55.230 --> 00:29:58.860 have said "All's Well That Ends Well" as a very hopeful - it's 466 00:29:58.860 --> 00:30:02.160 all about resilience, what happens along the way, but the 467 00:30:02.160 --> 00:30:06.810 story doesn't fit. So I'll grab a quote, "Wise men ne'er sit and 468 00:30:06.810 --> 00:30:09.840 wail their loss, but cheerily seek how to redress their 469 00:30:09.840 --> 00:30:14.490 harms." - Henry VI, Part Three. So, you know, no point 470 00:30:14.850 --> 00:30:17.910 wailing about it, just get on out there and fix it. That's the 471 00:30:17.910 --> 00:30:18.360 job. 472 00:30:18.780 --> 00:30:22.050 Anna Delaney: Did you dig into your compendium of Shakespeare 473 00:30:22.050 --> 00:30:23.070 and dig that out?
474 00:30:24.990 --> 00:30:26.670 Tony Morbin: That's one that didn't come off the top of my 475 00:30:26.670 --> 00:30:26.970 head. 476 00:30:28.590 --> 00:30:31.260 Anna Delaney: Mine is from Romeo and Juliet, "Wisely and slow; 477 00:30:31.290 --> 00:30:35.430 they stumble that run fast." And if you recall, 478 00:30:35.460 --> 00:30:38.640 Friar Laurence is advising Romeo to think very carefully and 479 00:30:38.640 --> 00:30:42.000 wisely about his decision to marry Juliet. So I think we can 480 00:30:42.000 --> 00:30:45.840 take something from this. I mean, obviously Romeo didn't 481 00:30:45.900 --> 00:30:51.000 listen to Laurence, but in terms of defense, we often hear CISOs 482 00:30:51.000 --> 00:30:56.190 talk about taking a very well-measured, considered, strategic 483 00:30:56.220 --> 00:30:59.970 approach to their defense strategy, as opposed to running 484 00:30:59.970 --> 00:31:02.310 in and rushing in. It's never a good idea. 485 00:31:02.850 --> 00:31:05.250 Tony Morbin: One of the quotes that was quite good was, "When the 486 00:31:05.250 --> 00:31:08.640 sea was calm, all ships alike showed mastership in floating," 487 00:31:08.910 --> 00:31:12.960 in Coriolanus. So yeah, when it was calm, everybody is good; 488 00:31:13.110 --> 00:31:15.630 when things get tough, that's when we find out who's actually 489 00:31:15.630 --> 00:31:16.110 prepared. 490 00:31:18.720 --> 00:31:22.410 Anna Delaney: Yes, the cyber master here. And I think there 491 00:31:22.410 --> 00:31:26.430 were quite a few more that I had my eyes on. But anyway, enough 492 00:31:27.990 --> 00:31:32.760 for now, for this week. Farewell. We'll see you soon. 493 00:31:33.000 --> 00:31:35.760 Thank you very much. And thanks so much for watching.