About this Episode
On Episode 102 of Voices in AI, Byron Reese discusses security and its impact on AI as a whole with Managing Director Steve Durbin of the Information Security Forum.
Listen to this episode or read the full transcript at www.VoicesinAI.com
Byron Reese: This is Voices in AI brought to you by GigaOm, and I’m Byron Reese. Today our guest is Steve Durbin. He is the managing director of the ISF, the Information Security Forum. His main areas of focus include strategy, information technology, cybersecurity and the emerging security threat landscape across the corporate and personal environment. He runs his company as the managing director, which he has been doing for almost a decade. Welcome to the show, Steve.
Steve Durbin: Nice to be here, Byron. Thanks for having me.
I always like to get our bearings real quickly. I normally ask what artificial intelligence is, but I’m going to give you a different kind of “getting our bearings.” It seems that through the history of code makers and code breakers it’s been unclear who has the upper hand. And maybe it goes back and forth. Right now, when you look at the security landscape of the technologies out there, is it easier to be white hat or black hat?
I think that I’d have to say it’s easier to be black hat. Why do I say that? I think that if we look at all the technology that’s available, then we have to bear in mind that for every white hat there are probably at least two black hats that are making use of that very same technology, and they don’t have some of the challenges that the white hats have. So, they’re not as restricted in things like corporate governance, in things like budgets, in things like where they might practice and ply their trade. That’s why I’m saying that for the time being anyway that the black hats probably have the upper hand.
That’s a pretty provocative statement to say there are twice as many people trying to break security as trying to enforce it. I assume that’s a gut feeling, but break that open a little bit… Where are all these bad guys?
Yeah, I think the major shift, Byron, has come about with crime as a service. So, if you roll it back to the good old bad days of probably only about three to five years ago, then you needed to have a certain amount of skill to be a black hat, to be a bad guy. Crime as a service then became very much more readily available, particularly on the dark web. And now you don’t need to have some of that skill. You can, for instance, purchase denial of service attacks. They do come with 24-hour support. They do come with a hotline, provided you pay your bill… then you can pretty much try these things out.
And so, one of the concerns I think for everybody is that it isn’t just the professional hacker, the professional black hat. We’ve also got now some amateurs that are plying their trade, and they’re really starting to make use of some of these things. So that’s why I’m saying that the number of the bad guys outweighs the good.
The other reason, of course, is that we know that there is a skill shortage – in terms of the good guys trying to find the right level of skill set, the right level of capability, and attracting them to your organization. That is proving to be a very difficult challenge to overcome.
So, geographically… I’m really intrigued by this. There are these companies I could just order up a denial of service that I can… from the way you described it, they have better tech support than some of the companies I call to try to get support. Are they concentrated geographically or dispersed throughout the world?
Well, one of the challenges for law enforcement of course is: How do you find where these people are? And the Internet has provided a means of bouncing traffic across multiple servers, across multiple geographies, that make it exceptionally difficult for law enforcement to catch these people. And therein lies one of the challenges. Even if you can track back crime that perhaps is being committed in, let’s say, Denmark… and you know that the perpetrator is sitting in the Ukraine, being able to extradite that individual and actually nail them down is very very difficult. And that’s just one of the challenges.
This really goes back to the point I was making about technology: Whilst advancing, whilst providing a lot of opportunities for the good guys, it is also being used to the same extent by the bad guys.
When you read about these breaches where 50 million people’s credentials were stolen, and 100 million credit cards, and 60 million Social Security numbers and these staggering numbers… why isn’t the world awash in more identity theft than it seems it is? We know credit cards still work. Right? My credit card fees when I process a credit card are 2.25 percent. I have credit cards that give me 2 percent cash back. Somehow my credit card company is living off half a point, which tells me there either is not enough fraud or they’re not bearing the cost of it. All these numbers are small, but why don’t we have this apocalypse? Why doesn’t that crash the financial system… at least the retail financial system?
I think that’s a really good question, and I think the answer to that is that we should never underestimate the amount of investment, the amount of skill the financial services organizations in particular have deployed in terms of monitoring what is happening – in terms of credit card transactions, being able to use systems to intelligently determine whether it’s you, whether it’s me, or whether it’s a third party that is using the credit card, and to stop some of these things before they incur significant losses.
I think one of the other things that is going on in this space is encryption. That is making life still difficult for people who’ve stolen the information… to un-encrypt them unless they happen to have gotten the keys. In most cases that isn’t happening.
So, there are some checks and balances in there that mean that even though we’re seeing a lot of losses of really valuable information, it isn’t being used at a fairly exponential rate to bankrupt organizations. And so I think that we have to give a little bit of credit to the financial services organizations in particular – because they’ve been the targets for quite some while now, because let’s face it that’s where the money is – [and to the way in which] they have been implementing systems in terms of fraud detection in particular and client notification and so on… and indeed collaboration amongst themselves to share details of the attacks and so on… We need to give them a little bit more credit in that space, I think.
So if I’m a black hat person, just a lone person, but I’m very talented and I live in a country where it would be hard to get at me, what is the lowest thing… the easiest thing to do to try to make money? Is it phishing scams? Is it trying to just get a couple of people’s information and use it? Where do you see the most activity occurring right now?
I think the sort of individual that you’re talking about is… I would describe as the “start out” black hat. What they’re really trying to do is to see whether they can run a number of phishing scams. Those are relatively easy to do. They’re relatively cost-effective in terms of the amount of money required to purchase some of those personal details. It’s a small number of dollars. We’re not talking massive amounts at all. If you send out enough of these, you will get some responses that will more than adequately cover your costs. So that for me is the “start out” guy.
The bigger area of concern – and this is really highlighted by people like Interpol for instance in their upcoming threat report that recently came out – is around the way in which ransomware is becoming much more of a targeting tool. So, looking at how you can really go after specific individuals or specific organizations with sophisticated ransomware, which certainly law enforcement is concerned about… To do that, of course, you need to be very much more sophisticated from a black hat point of view. We’re not talking about the rank amateur who is just starting out here. We are talking about people who’ve been doing it for quite some while. And if we go on from there, then we move into the nation state environment, where you have some very highly sophisticated cyber criminals, who are looking to do everything from steal research and development to potentially attack critical infrastructure.
I certainly want to come back there, because that’s a pretty exciting thing. But before we get there, let’s talk about ransomware for a minute. I remember it wasn’t long ago where a group of hospitals were hit, under the theory that they’re going to have to pay. Right? Like quickly, because lives were threatened. What percentage of things like that does the general public hear about? Or is the incentive for people who must pay, generally speaking, to keep it very quiet, pay and not mention it?
I think there is always going to be an incentive – particularly if the information is critical – for you to be tempted to pay. Particularly if the amount that’s being asked for isn’t debilitating from an organizational standpoint. There are very few organizations out there that can really afford the disruption of a full-blown ransomware attack and not respond to it in some way, shape or form. I mean there are a number that were hit by NotPetya, for instance, who did just replace their entire infrastructure. If you think about that, for a large multinational… the amount of time, resources, money that’s required to do all of that… very few organizations can do that. And you do have, particularly if we look at say the healthcare space, hospitals, organizations for which the primary business is patient care. It’s about looking after you and me when we need it the most. And technology is a means of facilitating that. And so, I think that there is always going to be a temptation if the price is right to pay and move on.
But I come down on the same side as law enforcement on that one. That probably isn’t the way to go… even though tempting. Because what you’re doing is, you’re sending a signal that says we do pay, we do reward blackmail of this nature. [It’s] very hard though if all your systems are on the floor and you’ve got a hospital full of people and you must revert to pen and paper. How long are you going to be able to do that? How long is that going to be sustainable for your business? So, I don’t think it’s an easy thing to answer or to recommend, but obviously you have to be aware that if you do pay once there is a good chance that the people may come back and ask for more at a later point in time. And that’s just something you need to be aware of.
You mentioned encryption was still strong, that encrypted messages are still hard to break. And I guess that works in reverse. When ransomware essentially encrypts somebody’s systems, that’s really hard… You say: “We don’t pay.” But you don’t say, I’m assuming: “Don’t pay, we have a way for you to get out from under it without paying.” Is that correct?
I think in some cases there may be a way out from under it without paying, but in the majority that is not the way to go. So, you are having to effectively write off your current dataset, and this really leads to the importance of planning for that day. We talk a lot at the ISF about planning for cyber resilience. It isn’t just about hoping for the best. It’s about assuming that one day something is going to happen. You’re going to be breached. You’re going to be attacked with a ransomware attack, whatever it might be. You’re going to have to rely on the backup plan. You must make sure it is comprehensive. You must make sure you have rehearsed it. And you hope that day will never come.
But the loss of data – if you are regularly backing up, keeping it separate and following a good approach to cyber security hygiene – means that you can get your business back up and running, albeit you will have lost a significant amount of data. But you won’t have lost everything, so you will be able to recover to a certain extent. The importance of making sure that you’ve got the right processes, policies and procedures in place really can’t be underestimated.
In the U.S., are companies required to disclose when they’re breached, or do they do that as good public relations… or do they do it at all?
There has been a bit of a change in the U.S. If I was talking to you probably five years ago, maybe a little bit more, then I was hearing certainly from legal firms that were advising clients who had been breached. The clients were not taking the advice. They weren’t notifying, even though they knew they had to in certain states.
I think that the world has moved on. We now have a much more stringent set of regulations in certain areas. You mentioned healthcare earlier. That is certainly there. If we look at personal identifiable information as it relates to European citizens for instance… the General Data Protection Regulation, that has a global reach. We look at some of the more recent laws that have been passed in California, for instance. So, I think the world is, as I say, moving on.
I do think we will get to a place rightly or wrongly where we will have much tighter regulation, where we will be required as organizations to report breaches within reasonable periods of time. In the European Union that happens to be 72 hours. Now we can argue whether that’s a good number or a bad number. But it’s clear what you have to do. And I think that is where we’re headed generally in terms of breach reporting.
Why is that? Well I think that there is a gradual growing concern amongst the public, amongst individuals, amongst other organizations in the supply chains for instance, that we need to have this information. We need to know that our data has been compromised or lost so that we can do something about it. At a personal level, simple things like changing passwords, and the sooner you can do that the better. And that’s just one of the drivers that are out there.
I chatted with a fella… and this has to be ten years ago, so perhaps it’s outdated. We were talking about DDoS (Distributed Denial of Service) attacks, and his company mitigated against them. When you had one, they got you out from under it. I asked, “How do you do that?” And he said, “Well, unfortunately, we break the law. We wish we didn’t. But we go out and attack all the machines that are attacking the server in question.” He said the law just isn’t up-to-date enough for that to be something that legally we’re allowed to do. But, of course, we’re deflecting an attack. So, it’s kind of all we can do. (A) is that still how it’s done? and (B) would that still be illegal?
“Hack back.” Yeah, you must have a pretty high degree of sophistication to be able to do that. That is not something most organizations can do. We are seeing a lot of discussion and saber rattling, if you like, in that particular space from certain governments here in the United States. That is certainly the case in the United Kingdom, so it’s similar as well. But that’s at the government level. At the organizational level, you will have to rely on a third party that has that capability. And I think that wherever you happen to be in the world, there are different views that are taken as to the legality of that, and certainly whether the action is viewed as being defensive or whether it is something else. It’s a very very complex area. It’s not one that you should be going into, I would say, unless you really understand what you’re up to. And, yes, you would need to have some sophisticated expertise on your side in order to do that effectively and make sure that you weren’t making the matter worse.
Byron explores issues around artificial intelligence and conscious computers in his new book The Fourth Age: Smart Robots, Conscious Computers, and the Future of Humanity.