
Cyber Security Today February 2025 Month In Review

Feb 28, 2025 · 1 hr

Episode description

Cybersecurity Insights: February Review & Current Trends

Join us in this comprehensive discussion on February's cybersecurity highlights, featuring experts Laura Payne from White Tuque and David Shipley from Beauceron Security. We delve into Canada's cybercrime progress, discuss significant global cyber incidents, and explore the ongoing challenges in cybersecurity regulation, AI integration, and digital identity. Additionally, we address the impacts of U.S. policy changes on cybersecurity standards and the vital need for effective cybersecurity education in the face of rapid technological advancements. Stay tuned for crucial insights and pragmatic advice to navigate today's cybersecurity landscape.

00:00 Introduction and Panel Welcome
01:30 Cybercrime Trends in Canada
05:59 International Cybercrime and Ransomware
08:08 Nation-State Cyber Heists
14:14 Legacy Systems and Cybersecurity Challenges
17:08 Open Banking and FinTech Security
24:35 US Federal Cybersecurity Cuts
30:57 The Reality of Cyber Threats
31:13 Cultural Perceptions of Cybersecurity
31:57 Political Will and Cybersecurity Policies
32:44 North Korean Cyber Threats
33:17 Generational Knowledge and Cybersecurity
34:20 Cryptocurrency Regulation Challenges
35:11 Digital Identity Concerns
41:00 Encryption and Privacy Debates
47:08 AI and Cybersecurity Risks
57:06 Concluding Thoughts and Future Directions

Transcript

This is our Cybersecurity Today Month in Review for the month of February. And welcome to Laura Payne from White Tuque. Thanks, Jim. Nice to be here again. And David Shipley from Beauceron Security. Good to see you, David. Always a pleasure to be here, thank you. It's been the month of months.

Actually, I usually, I hate to say this, but even though cybersecurity is depressing some days, I actually find it better than politics. But this month has been a pretty big shake-up and there's been a lot of things happening that have, I've found, and maybe this will come up as we talk through some of these stories, there doesn't seem to be the volume of attacks, but the attacks are bigger, badder, and smarter.

And that was, if there was a theme for this month, that was coming at me like a freight train. I generally agree, February has been a time, but I want to actually be the rare moments where I'm going to bring some good news into frame on the cybercrime side. I know, legit. What David's going to really, my heart fake of David. Yeah. That's what I'm wondering. I'm like, what, who are you? And what have you done with Shipley?

So listen, things are going to be dark when you get the, normally the naysayer is going to say, you know what, there's some bright light here. But let's start off with some pretty huge wins in Canada by police agencies. So we've got work done by the Ontario RCMP. We have work being done by the Toronto Police Service and others rolling up fraudsters and cyber-enabled fraud. The overall story for 2024 in Canada, not good, up 20 percent from 570 million to 670 million.

But seeing some of these locals, in-country folks, nabbed for this, with one couple allegedly and accused of potentially hitting as many as 500-plus victims and a substantial amount of money in a variety of different cyber-enabled fraud scams, seeing them actually get some wins. This is good. And we are seeing some significant progress on finding folks.

The folks that they're rolling up have violated David's number one rule of cybercrime Fight Club, which is you don't hack in a jurisdiction that you actually live in, because they will come get you. Glad we're seeing some action on that. But we are also seeing more and more of these stories hit the media. There was one in Canadian national news of an individual who lost 750 feet. 1, 000. They were trying to go find a better GIC rate. They were a senior, a retired senior.

This was their life's earnings. And they went to Google, saw an ad for a better GIC for their financial institution. This particular financial institution actually didn't do that ad. It was a criminal-placed ad, and he got himself caught up in a scam and the money's gone. We're seeing that. To your point about cybercrime activity, the flourishing amount of activity is happening at the individual cyber fraud level.

The big cyber attacks, because they've been getting the whole-of-government response, this is the shift away from where the cops are going to be. So that's not necessarily the happy part of the good news. We are seeing police try and respond to this threat, but we are seeing the threat explode. Yeah. And in Canada, my two things. One is, I think if we just go through, let's just recap this story, 'cause this is an interesting story. And I love your Fight Club analogy.

'Cause I think it is, I hadn't thought about it in those terms, but David is our culture critic. So we have to, there was a couple, I think, living in a rather nondescript town, using the software, which was one of those hacking-as-a-service things that allowed them to spoof numbers very effectively. And they'd gone through and fleeced a number of people, I think several hundred. They were in the top 28 in the world or something of users of this hacking service, but basically it was to defraud

innocent people who probably can't even afford this, and to rip them off for their retirement savings and all this sort of stuff. So they get my special place in hell award. And this is one of the things that, and I'm going to get semi-political here, when we talk about putting cops at the border and things like that, that's fine with me, but don't take them off cybercrime.

Yeah, no, and I'll tell you right now, the RCMP is moving money out of anti-fraud and other things into these frontline national security issues. Make no mistake, it was happening before. Dealt with that mentality before: you give the mouse the cookie, they're going to want your national sovereignty. Whoops, sorry, I may have gone political. That was just, let's refocus, this is not political. This is just not being stupid. And when you leave these people, don't

remember that for the cops to do this, it's five international police forces or whatever, two or three jurisdictions in Canada cooperating with each other, and they'll spend 12 months where, you know, sometimes off the side of their desk because they care so damn much. And they'll put this whole thing together to catch these two people. And for everybody who's listening out there, wherever you are, that informal cooperation between those police forces is so important because

cybercriminals don't, they're not always as stupid as to pee where they play or whatever. You don't mess around in your own home; they normally play around in another jurisdiction. So first of all, if they collaborate, we're in good shape, but also it takes just an amazing amount of dull work to pull off something like this. And what's interesting is, when you look at the Russian cybercriminal gangs, and thanks to the Black Basta chat leaks, which have been absolutely fascinating.

Someone actually dumped, there was one of the Black Basta members, the Russian ransomware gang, they had a bit of a spat. As these things have now become the culture, when your ransomware group falls apart, you leak your internal chats.

But when you look through that chat, the decision, controversial decision, by this Russian-oriented group to target a Russian financial institution generated significant consternation, because a bunch of people really didn't want to get pushed out of the upper floors of an apartment building, 'cause that's how justice gets done there. And you used to see back in the day, early versions of ransomware,

and I don't know if you, Laura, ever saw this, but they used to do a language check for the languages that were installed on the computers. And if you had Russian Cyrillic installed, they wouldn't execute the ransomware. They had a little bit of a trigger, which then a whole bunch of security people actually loaded Russian language defaults onto machines to act as a really cool security control. But the Russians have learned the you-don't-play-in-your-own-backyard rule painfully.

Generally Canadian cybercriminals have been smarter. But it is nice to see these wins. Yeah. And for those who missed this story, this was another fascinating story that happened over the past couple of weeks.

And this was somebody in one of these groups got ticked off and they released a whole pile of chats, of documents. And then here's, and you'll even like AI for this one, David, somebody put together a GPT, and we referred to it in our story and maybe I'll put a link to it in the notes so you can find it, but it's probably pretty easy to search if you use ChatGPT. But you can actually use AI to search all of these things,

just asking questions and finding out what these guys are talking about. It's interesting because if you've ever wondered whether your startup problems are common across other quote-unquote startups: yes, they are. So what's one of the stories that have been getting to you this month? Oh my goodness.

I think there was a pretty interesting one, actually. You don't want, this is going to wade a little bit into the politics because it's nation-state again, but we have our new biggest bank heist in history, with 1.5 billion in cryptocurrency leaving the hands of somebody in Dubai and moving into the hands of the leader of North Korea. And that's, forget checking the, go see if the gold is at Fort Knox. Find out if your cryptocurrency is still there.

I still, I tried to follow this, and they have cold wallets where they're detached, and that's where they store the main parts. You're laughing, David, help me out on this. So the philosophy of buying cold wallets is the same as whenever I hear someone tell me that our OT network is completely isolated from the internet. It's, okay, so you have to, these cold wallets, you actually have to connect them to a warm wallet to do transfers. But a billion and a half dollars' worth of crypto.

My question was, like, wasn't somebody thinking maybe we should be really careful with this? So in their defense, there are a lot of things that were set up for this. And, ugh, this pains me. It's almost like a root canal. Gotta give it to the Lazarus Group on this one. This was a well-thought-out supply chain: poison the software that's used for the multi-signature-required smart contract moving process from warm to cold wallets. This is what an APT does. They've got planning time.

They can think it through. They've got patience. They can go for the big score. This is the Ocean's 11 of cyber, right? This is, can I be Dean Martin? Oh, the handsome North Korean version of George Clooney and their little merry gang. They've done it. And Laura's right. Thank you for updating it to the recent century.

Yeah. Yeah. Yeah. The previous sort of champion round for an attempt at a bank heist was the infamous Bangladesh Bank heist, which was allegedly also a North Korean group, which almost got 800 million, but they only ended up with about 50 million, and some of that they recovered, et cetera. But that was old-school compromise of the wire transfer system that's used around the world; it's horribly outdated. But again, it was an isolated, air-gapped network.

These folks find a way, and I'll end off with my usual Jurassic Park reference. It's like that moment where Jeff Goldblum's character turns around and goes, "Life finds a way." North Korean hackers, man, they find a way. I may edit this out, but how many times have you actually seen Jurassic Park? Many times. And the book. Because I think you could recite the entire script. Almost. For those who aren't seeing it, David may have gestured about 15 times, no, 30, sorry. Double hands.

Oh, it's gotta be at least 30. 30 times. So let's go back on this one, because I think there's a lot to unpack there that you said. First of all, this was an incredibly well-planned piece. There were a lot of moving parts. They must have been thinking about this for quite a while. And they put a lot of things in place to beat the controls that they had. The other thing that amazed me was how fast you could disperse this money.

Now, just to put back on this, there was a gold robbery this month, and they think they'll never recover all the gold. Why? 'Cause once you get gold, you melt it down. You can't tell your gold from somebody else's gold. So that's a big thing, but gold's heavy. You have to actually move it. But they managed to get a billion and a half dollars' worth of cryptocurrency and launder it in a matter of, a day? I don't know. And to places where it won't come back from.

There's some of these networks, and I can't figure out how that works, where you've got a network that's plugged into an international network of cryptocurrency and they can disperse stuff and they won't do anything to unroll the theft. Yeah, it's brilliant in its execution. We'll probably find at the end of the day that it's three swirls in a phishing email is what started this off.

And you get in, you do your reconnaissance, you understand the supply chain. But this is what resources do when you can think through a problem. And what's interesting about this is obviously there's a key financial need for North Korea to access currency to prop up its regime. It's the most isolated country in the world in terms of sanctions and other things. While it's made a boatload of money selling artillery shells to Russia, they got paid in rubles, though. That's the problem, right?

It's still not, it's almost as bad as Canadian Tire money. I love my Canadian Tire money, for the record. I have bought many, some days I'd rather have Canadian Tire money than Canadian money, trust me. So fair point. My point being, they've gotten really, the problem for all of us to think about is that when you get this good,

when you have to be this good and you get this good and you're at that level, think what they can do now in critical infrastructure, in other areas that are not trying to spend the money like I'm sure Bybit was spending to try and protect billions of dollars in cryptocurrency. And you're developing capabilities and skills and thought processes, these intangible things. So we covered two stories. One, I think, does affect us.

And for anybody who, like I said, if we're talking about cybercrime and fraud, everybody's got a relative. Everybody's got somebody who's vulnerable. Even if that's not a corporate thing, I think you have to pay attention to that. This cryptocurrency thing is really an amazing story to watch. A couple of things that just hit close to home. One was, and I was shocked that this still existed in Microsoft software, but there was a botnet out there doing password spraying.

The accounts that operate behind the scenes, and we don't see them all the time, but they're logging in for us and all these various APIs and all these things, and in some cases still with plain text and a password, and it's ubiquitous. You log into a website, you log into one page, you go to another page, you have to keep that alive. It either exchanges a token in some cases to keep an application alive, or it'll keep logging in for you with a password and an ID. So manipulating that.

There's this huge botnet that's doing all this password spraying and being able to try and log in for you and take over your session. They were taking over Microsoft 365 accounts. That was what was amazing. And then I discovered Microsoft hasn't fully phased this out yet. Thank you, legacy interoperability. Yeah. And thanks to not giving us security settings by default, although I think that one maybe is now on by default, that's disabled.

But there's a lot of accounts out there that were set up in earlier days of M365, and they have that still open and enabled. It's easy pickings for anybody who just wants to brute it, right? Absolutely. And legacy is hard. Tech debt is real.

You have this paradox where turning off basic auth is the thing you have to do because of the threat environment, but if you did that without a viable replacement plan and testing of that replacement, you're going to actually cause more harm than potentially what's happening back and forth. And this attack surface, and I do like the labeling of these, what they call non-human identities: service accounts, API access, et cetera.

We can't even get the flesh-and-blood identity and access management working well. And then you're talking orders of magnitude more non-human identities to try and manage. And then, I will say this. The next layer is agents. All of this chatter about what AI and LLMs could do in terms of automating actions, acting on our behalf, that's going to be another explosion in the amount of non-human identities. So what, humans,

IoT and systems and software, and then boom, the atomic blast of what could be AI agents. And that's going to shift the attack surface massively. And, Laura can probably speak better to this than me, the ability to attack software is still far faster, easier, and better than the ability to defend the software and services. I don't know if that makes sense.

Yeah. What's hard to think of is, like, the whole banking system in Canada and something that becomes a risk to it being pedestrian, but that's the times we're in. But the push towards some of the FinTech adoption rules, and the way it has been accomplished so far, has basically been people just trust a service, hopefully it's a good one, to take their credentials that they use for their banking, hold those credentials, and then access their banking services.

And I think, I hope it's obvious to our listeners, if you're not a first-time listener, the reason that's bad is because that service, if it's compromised, can now act as you and do any of the actions you could perform in your banking. And that's been how, quote, interoperability between these fintechs and banking has been done for years.

If it's going to be true fintech integration, open banking, we're going to need to allow people to create these service accounts for their individual banking services. So we're actually now getting to where, this was typically a problem of businesses, right? But we're going to see, or we should, fingers crossed, we'll be seeing the right thing, which will be all of these sub-accounts starting to be created, or these sub-permissions being created by individuals too.

So it's really going to be very interesting to see how open banking emerges in a way that doesn't just let services replicate the actual owners of the accounts fully, going forward.

Yeah, and that gets interesting because the political pressure in Canada to push for open banking and to automatically dismiss valid concerns raised by incumbent banks about the risks there as simply them acting in their motivated self-interest, that's going to take someone who, in the middle of all this, can look at that balanced approach that Laura just mentioned and go, okay, we've got to balance these competing needs now.

Now, right now, a lot of this is screen scrapers, which is even more terrifying. It's like you give your username and password in, and it just tries to scrape and do things in a very dangerous way to a whole bunch of providers who are not held to the same security standards as the actual banks, which is fascinating. So it's not like we don't have a problem now. It's just how we choose to implement it.

If we don't listen to the really smart points that were just made about the nuances behind structuring these as permissions and making it a virtuous and consent-driven cycle for the end user, where they actually understand what they're giving up and what the risks are, we're in a lot of trouble, like a lot of trouble. And I think it's the old thing of, if you try to build a moat, you're just going to make things worse. I'm not sure where I am on the side of this.

In one case, I think, we've got FinTech doing non-secure things, screen scraping, these non-interactive sign-in accounts and those non-human accounts, you've called them, David. You've got all of those things, but they're out innovating. So they're not going to stop. And if we try and put a halt to it, we create an insecure situation. We really need to have a strategy where you can't stop innovation.

You've got to have a strategy that's based on security, and we're not paying enough attention to that. No. And I think it's a typical Canadian problem, in the sense that we do end up with clusters of very large institutions, and they tend to be in numbers that you can count on one hand, the fingers of one hand, maybe two hands. And so when problems like this come up where

we want to innovate, we want to add services, and those institutions themselves aren't the ones providing it, or just a healthy ecosystem is that you allow small companies to develop and poke at these ideas and create these services. The burden tends to be pushed from the government to the incumbents. It's not the fault of the incumbent that somebody else has come up with a really cool new idea, and to make it their problem to make sure that the cool new company is going to do their job properly.

The public appetite, I think, needs to hopefully recognize that and then put some of the funding in place to do the regulatory oversight, and it has to be balanced. But I think to make the big incumbents the ones who are responsible for the oversight, I hope that also is obvious why it's flawed. Yeah. But we're not tackling this effectively. And for instance, in Canada, we have Interac, which is absolutely a very lean and very smart organization that keeps a lot of our transactions secure.

And we're not thankful enough for it. I don't know if there's an American equivalent; if there's a listener out there, I'd love to hear what that is. But we also have standards, and we have, the Digital Council of Canada has a standards-creating body. And in the U.S. they had NIST, at least up to last week. Destroying NIST is one of the stupidest moves anybody could ever make.

We all depend on NIST for standards, but having standards for security and having organizations that can provide the interfaces is essential to us having financial innovation, and we don't seem to pay enough. We do have Payments Canada as well in the mix and things like that, but it's a great point about NIST. This will be slightly political-leaning, right?

But Canada has relied for a long time on the resources of NIST, and we've contributed to, a lot of people maybe don't realize that Canadian partners definitely contribute to the standards that get put in or published by NIST. But I think recent history shows us the importance of maintaining a proper catalog of our own standards and the ability to develop them on our own for things that are uniquely Canadian or where Canadians care more than other countries about that particular aspect.

And then once we have the standards, having effective ways to make sure that they're being followed, right? Whether it's through a penalty-framed enforcement or just a positive-framed enforcement, right? You got to be this tall to ride, and the people who will let you ride won't let you on unless you're that tall, right? Like, that's the simple framework, right?

And I think the last thing on this particular point, because I do want to talk about what's happening a bit in the United States and what risk that poses, not just to Canada but globally, but the shared responsibility model has to be crystal clear, and it cannot be 100 percent incumbent bank risk, because then it will just get farmed out as a cost model to all of us.

And like what we saw with cyber insurance and ransomware, it will explode. Our research has shown that if the individual banking customer does not feel that they own any of the risk and responsibility, they will behave in irresponsible ways. And if they don't understand their role, that some AI-based cyber tech solution completely protected them, then they will also behave in an irresponsible way.

We have to have that clearly understood, and we're going to have to get better at doing it, because your point is valid, Jim. We can't just sit around the campfire and go, what are we going to do? It's happening. We need to make it more secure than what's happening now, but we also can't just kick the gates open from a populist perspective and just go YOLO, let's open-banking it up, it's going to be great.

I do want to talk a little bit about what we're seeing with the federal government cuts in the U.S., and I was quite vocal about this on LinkedIn. It's important for people to use their voices when and where they can, and certainly not always to my own personal or business benefit to be as vocal as I've been on certain topics, but gutting CISA is among the most short-sighted and stupidest things in the current environment. And so this is gutting CISA.

Remember, they're still trying to understand how deep the Chinese got into now nine-plus telecommunications carriers. And the CSRB, which was the investigative industry-and-CISA body that was helping put out groundbreaking work, they were the traffic safety of the internet, was disbanded, completely destroyed earlier this year. And now the agency staffers. Now, I'm sure there were folks on that probationary list who just weren't working out, but that was not the 130-plus so far and what could come.

And I think Jen Easterly, the former director of CISA, has been doing a fantastic job advocating and talking about this impact. If you're a hiring company able to pick up some of this talent that's coming out of CISA, you'd be dumb not to hire them, because they're hardworking folks. But my point being is so much of the world, Canada included, has relied on the U.S. leadership in this area. And we have

reaped the dividends from that investment, and it's going away faster than my coffee at 8 a.m. in the morning. Like, we are going to have to figure this out fast. And what frightens me, in conversations I've been having, is that there's a business-as-usual attitude still percolating in Canada with respect to, but our relationships with so-and-so in this agency and the Five Eyes. And my guys, world's changed, and as dumb as this all seems, this is not going away.

And I wanted to get into this probationary thing just so people are really clear on firing probationary employees. All that means is you're new. You could be the most knowledgeable person in cybersecurity and someone has convinced you to work for a government agency when you could make a lot of bucks working somewhere else. I don't think any of these people, the strong security people from CISA, will have

a moment's problem finding a job. If they do, call me, I will personally phone six or seven CIOs and we'll get you set up in no time, because there's such a dearth of talent. So they're not going to suffer, but what's going to suffer is our ability to manage cybersecurity in the way that CISA has been. I don't think people even appreciate how much that organization does.

Yeah, and you can also get probationary status when you've been at an organization for a long time and you get promoted into a new leadership or management role. You've now changed classification. And so this is a great example of a couple of 25-year-olds running around with a script and an AI, just firing willy-nilly, gets you firing the entire staff responsible for your nuclear weapons arsenal and stockpile security. Yeah, that happened. That's, in normal times,

that should have been a scandal of such national security significance that heads would roll, not "job well done" and "oh, let's just push the undo button." And my only consolation for all this chaos is that Elon's Tesla stocks have shed significant money so far this year. We are witnessing one of the biggest cybersecurity failures in modern history right now. And again, I don't care what you think about Trump or Elon or anything like that. We have people

who had to be told in the security infrastructure not to name their colleagues in plain emails that were going to be sent out, that were going to be seen by people between the ages of 19 and 25. Nothing wrong with that, but most of us know, not a great amount of cybersecurity experience in that group. Listen, I hadn't had a lot of any experience in that group, but I think this is the story, and it does touch on a key theme.

And Jim, you said it: a lot of people didn't appreciate or understand what this group was doing. And I think that's actually the whole theme of what enabled this to come to be, is that there's a lot of things that all the government departments were doing and were responsible for. And I'm sure there were some people who were coasting through; we're not talking, like, 90 percent of people, or even 50 percent of people, coasting in their jobs.

They all had very important services that they were providing, missions that they were working towards accomplishing. But if you don't tell the public enough information, and you don't get their attention on things, it becomes very quick for the public to paint a picture of: I see a big price tag, and I don't know what I'm getting for it. I don't have food on my table. I don't have a roof over my head, or my road's not plowed. That's a Canadian comment.

And why is there all this money being spent, and you don't understand what's going on around it? It's very hard. Of course, there's a lot of things happening, but that's also the course of cybersecurity budgets, right? Everybody has a budget when there's been a breach. Because now I know what security does, right? It would have helped me stop that breach. It's helping me clean up from that breach. It's going to make sure another breach doesn't happen.

But before it happens, nobody knows what that security team is doing, and the budget doesn't get allocated, or nobody understands what the security team could be doing. That just brings back that importance, always, of understanding what your value is in your organization, and being able to articulate it. It's not about scaring people with the boogeyman. It's about, these are real risks. Not only that, they are more real now than they've ever been. And we need to do something now,

or we will have a cost in the future, and it will be tenfold at least of what you're going to pay to get it dealt with up front. And I thought we had some interesting cultural moments with that Netflix movie with Julia Roberts and Mahershala Ali, where a cyber apocalypse happens, and Netflix has got a new one out with Robert De Niro called Zero Day. But I think what's been interesting is people think that's the realm of fiction, fantasy. It's not real. It's not as real as my eggs cost too much.

I think, Laura, you hit the nail on the head: doing the hard work of clarifying why this matters in a world where I can't afford eggs is hard, and it's not technical. And I think that's probably why our field is struggling. We've always struggled, but it's now moved from inside of the organization or the boardroom to a societal-level struggle. I'll be honest, I'm gobsmacked. There were so many things that the U.S. was doing amazing on.

Creating CISA, the executive orders, the emphasis on secure by design, the CSRB, like, from a policy nerd standpoint, this was amazing. And the fact that there was political will and momentum, but to see how quick it can grind to a halt and slam into reverse, that has been, it was like, what was the base, the foundation, that we built the political capital for this on? Or was it always this ephemeral, this insubstantial, that it could just go like this? It's just that part's study.

And if anybody thinks that the North Koreans aren't taking advantage of this, they're absolutely insane. I guarantee you that Big Balls, or whatever he's called, has been hacked. I guarantee you, I will pay money to anybody who proves that he hasn't been and all of them have, why? Because smarter people than them are hacked and so all of this stuff that they've had, they've been able to touch is in somebody else's hands now.

And there's a reason, by the way, probably get accused of ageism on this one, but I'm gonna be really clear, is there's a reason why certain roles in society, you gotta be a minimum age, like the presidency, for example, though no maximum age, that should probably get revisited at some point for generational continuity, but you don't know what you don't know between 19 and 25, and how I grew up in my 30s really grew up, really understood my limitations and other things.

This is why we have people who have 20 years experience in senior roles running the federal bureaucracy, because you've learned, and it takes time and experience to do that. And that's probably the last thing I'll note about this giant outflux, because it's not just the probationary firing. Remember, there's a number of folks who are taking buyout packages to just get out of the circus. And the loss of that corporate, institutional, long term knowledge, and the hard earned experience.

We're all gonna pay for that. It's frightening, but I want to bring it full circle. Like in addition to gutting the critical agencies responsible for cybersecurity, we're also gutting the regulators that were trying to understand the future of the cryptocurrency market and what role regulation should play on that. And we are going all in on fun ideas, like a national strategic cryptocurrency reserve in the United States, which I mean, North Korea has got to be like, oh, yeah, there we go.

We have funded our defense budget for the next 10 years, if we can raid the new digital crypto Fort Knox when they are so foolish as to do it. And I'm calling it here. I see that ship sailing out of Southampton and racing for the iceberg and it's going to suck. The other thing that they say there, this, there are a lot of victims to this, to what's happened here. Every time I do a show on a digital ID, I get inundated with emails and I'm going to get them again.

People saying the government's going to take over my identity. They're going to give up my information. And we've been fighting that good fight because in many cases, a great digital ID structure. Digital government is actually more secure and just, and we have a lot of technical people in our audience, but just to pass out to you, I don't have to pass my information to someone, I just have to pass the idea that it's absolutely certain that I have the authority to do what I'm doing.

We will never, we will set back the idea of moving, getting to a digital ID or any sort of much safer ID than we have today. Why? Because who's going to believe you that your government is not, can't, that information you share with your government is not going to be shared with somebody politically, whether you agree with them politically or not, it should not be shared with anybody in a political state or for anything other than, God forbid, the reason you gave it to them and that they disclosed to you.

It's not something I've spent a lot of time like digging into and researching, but it does, at least on the surface to me, feel like that false fear, right?

The government already controls your ID, they issued it, and they have a lot of information about you already, and it's not to say oh, don't worry about it, it's just, the change of format isn't maybe what's gonna be the problem here, right? If you distrust the government already, that is unfortunately part of living in a civil society, right? Is that we enjoy government services that make it much easier for us to all benefit and live wealthier lives than anybody at any time in history.

And, so it's like staring down the barrel of the wrong problem, right? Yeah, but even if you're in Estonia, I think a million population who already has digital government. If anybody in the government actually takes a look or anybody who has access takes a look at my record, I see they did it. You don't have that now. Revenue Canada could be looking at, everybody could be looking at anything of yours and you'll never know. That's the benefit of digital, and when I exchange information with them, I don't send my name, my birth date, all of those things across some sort of unencrypted line, because I'm certain that when we're communicating all this great security stuff to Revenue Canada, that a lot of it's plain text. Just saying, but so I'm passing all that information to prove who I am when I could pass a token as I do with my bank card or anything else that says, you know who I am.

It's the, I call it the Russell Peters identification. This may only work for Canadians, somebody going to get a hurt real bad. It's I'm somebody, you know it, you don't have to know exactly who I am, but you know who we're talking about, which is a great description of this, of digital ID. I actually like that. I was driving before Christmas in Fredericton heading uptown. And there was this early-2000s red Toyota. And they had two bumper stickers.

One was save the children and the other was say no to digital ID. And that told me everything I needed to understand about the information environment that person is existing in that I don't exist in and how that has framed their perception of the relative risks and issues of the day. These are big, weighty issues. These are the issues that we need the techno philosophers of our day, our next Hobbes, our next Locke, our next, actually thinking deeply about this.

'Cause it has to be Calvin and Hobbes, yeah, this is the real Hobbes. Yeah. What I mean by this is, we either have government for the people, by the people, to use an Americanism, as a public good, it establishes identity and citizenship, both physically and digitally, or you have corporatism, and so digital identity is controlled by the private sector, which seems like a cyberpunk dystopia, writ large, but that's where we're heading to, and that's the power.

You're either a person or not a person. And, if government, if we fail to be able to build publicly backed, public good, publicly owned digital identity, innovation, to your point earlier, Jim, innovation will not stop. It will be provided alternatively, and we will have the Meta, insert bank name, consortium identity, and you now exist, and you're able to use that because the problem requires that solution. The attestation that Jim Love is actually Jim Love.

So we, the typical thing in Canada for American listeners is that we love to talk about doing something, see a high speed rail in this country. We just announced a plan for a plan that will cost us 5 billion to maybe build high speed rail. The media covered it as we're getting high speed rail. It's no, it's I'm going to win the lottery. It's a concept of a plan. I'm going to go buy the lottery ticket. Maybe no, like we actually have to regain the capacity to do stuff.

And ironically, I think at its core, this is what people thought they were signing up for with the drain the swamp, gut the government, let's make it run like a business approach that we're seeing down there. I don't think anyone really cast their ballot going, can't wait to see what this reality TV show season is going to look like. Maybe there were a few. But we actually do have to have that conversation and do it in a much more sane way. That's my thoughts on it.

Another place where the distrust breaks down, and this was another story that happened this week, is Apple has actually pulled encryption out of the UK. If you're in the UK, you cannot use Apple's encryption, in its fullest, in terms of its transfers to the cloud and all of that to protect your information. Why? The government wanted a backdoor. And Apple, possibly because of its experience in America, is not going to give a government a backdoor.

The last time we had a backdoor was on the U.S. telco system, where that was used to invade the entire system. It's going to be another place that we're going to be held back because I don't have a good answer. There is the idea of encryption. I get it. You could have child pornography. You could have terrible things that are protected by encryption.

On the other hand, if we don't have end to end encryption that is unbreakable and doesn't have back doors so that hackers can find them and use them, then we can't protect our own information. It's a place where you really do need to have an intelligent discussion and we're now at a point where that breaks down as well. And it's not an easy one to answer, because it's very much about how do you have a legitimate process, right? A search warrant process, for example, right?

That says, yes, this request has been reviewed. It's legitimate to invade this person's privacy because we have reasonable grounds to suspect that what they are doing is illegal, and so you're not putting in so much a backdoor as a legitimate mechanism to say, you know what, you're not allowed to abuse our platform for illegal purposes. And if you use our platform, understand that if somebody comes to us with a properly authorized search warrant, we will share your information.

That's in every EULA already, right? It's already there. I think it's more about how do you create that mechanism. It's public. It's in the privacy policy, right? We're not saying we don't have access to your information. We're saying we only access it under authorized circumstances. And we may not tell you about it because that's the law, right? We don't have to tell you when a search warrant is executed against you. That's also part of the rules. But if we're allowed to, we will. Great.

But I, and I think that's part of framing the discussion, right? It's to put that in place. I think it's also part of, and this is a challenge, right? Cause people aren't great at risk management. If you save something on your phone, I don't know, anything you save digitally, that's very neat. Just be sure it's something you're okay with if it gets out, or you've got a plan for how you're going to deal with it. The internet's not exactly the best at keeping secrets.

And there's secrets that are super important to keep. We've talked about digital identity. We've talked about banking, right? We certainly make the barrier to leaking those things as high as we possibly can. But at the end of the day it's all digital and it's all at risk in a sense, someday. So physicality is not, not at risk either. It's not like just having a piece of paper isn't risky either. Laura, I'm going to get a t-shirt made.

I'll go back and listen to the exact clips because I think it's just brilliant. It was like, the Internet is terrible at keeping secrets, it's going to be 25. T-shirt. Like I think that's a quotable right there. But I try and do it 50, a brilliant point. The internet is terrible at keeping secrets. But I just wanted to go at this thinking about this issue of end to end encryption and I want to paint the business drivers here.

Apple, Meta, and everyone else is not implementing end to end encryption because they are die-hard privacy, this is our line in the sand, notwithstanding all the marketing. They're doing it so they don't have to support investigations because that's expensive. It is far easier to just say, can't do it, privacy, man. And you get rid of all these trust teams, the MLAT, mutual legal aid assistance team responders, all of this cost center to making your money.

And you just encrypt the problem away. Yeah, great. This is, I'm sure there are some people that genuinely do care about those things, but I'm actually understanding that the overall business drivers here, it makes perfect sense from that side. On the other side of this, the CIA and the NSA in the United States, the, what should be the two most secure organizations for keeping secrets, lost their best tools.

In the last decade, in spectacular insider leaks or levels of incompetence tied to Russian anti malware tools, but that's a story for another day. They cannot keep a golden key secure. So you can't just give them a universal way to unlock everybody's stuff. Listen, like legit this whole conversation, like ties well together in a very sort of complicated way. Police agencies and intelligence agencies are also equally lazy about this issue.

They don't want to, even in conversations I've had with cops and agencies, oh man, we got to go get a warrant. That's a lot of work. Yeah, it should be. That's an important democratic process. And the amount of times they just want to go and cowboy in without anybody ever knowing they're there just on the speculative guess without having judicial oversight ain't zero either. Or, at best, some secret closed door tribunal, they never have to be accountable for. That's not okay either.

And the reality is, we have great technological examples where you can defeat end to end encryption. How? You own one of the ends. So if you can't own Apple's end, then you got to get your malware on the end of the target that you want to receive. Or in the case of several hilarious criminal busts, you give them poison phones and poison encryption system and they just blab their worlds. Good policing work can be done in encrypted world to target the really bad people.

It just takes time and money. So what's hilarious is that our fundamental rights are caught between two groups who really don't want to spend time and money on the problem. Just to keep things cheerful, I want to end with one story and this is, David will recognize me. I'm the AI fanboy. I am out there. I believe we need to really experiment with this. We need to embrace it and all of that. From a cybersecurity point of view, we got to get smarter.

And there's a story, it was in The Byte this week, and the title of it was, Man's Entire Life Destroyed After Downloading AI Software. And when I'm talking about, I want you to experiment with AI, I want a sandbox set up somewhere. I want the tools to be vetted. I want these things to be made available to employees.

But I don't want them downloading image generators on their phone and putting those onto their computer that then put malware on there that hack them and, in this actual case, put a leak in there so that their employer's information is lost, so that they are not only wiped out financially because they're easy to take over their financial accounts, but also they get fired and, if you're in the U.S., lose their job, their bonus and their healthcare. No AI app is worth it.

But what's interesting is the meta narrative that's being driven right now is that all of our jobs are under this AI sword of Damocles and only those that figure out first how to best use AI to be better at it are going to survive this coming. Jim and I are on different sides of the equation on this and I'm on team AI industry has overhyped the ever living hell out of what they actually deliver. There is some value in these two perspectives.

I will acknowledge that Jim is right on some issues here, just so we're clear that I'm not an iconoclast on my particular perspective, but the psychological pressure we're putting people under, that's directly tied to their economic survival, that I feel like I have to adapt by this or the AI asteroid is going to wipe my dinosaur self off of the earth, is that we're creating this problem.

And at the same time, irresponsible use of technology and just dumping this stuff out there and then overhyping the hell out of it for their share price and market interests are also tied into the destruction of this individual. And it reminds me back to this: individual agency and responsibility has never been more important. And thinking through exactly what Jim just said is like, what is this tool? Where's it coming from? Will it generally help me?

How do I do this in a safe way has never been more important. And secondly, security awareness programs. I'm going to be a little selfish here, for the love of God, stop doing password modules. And in fact, have a session with your team about responsible use of AI. That's the best thing you can do to help prevent the next gal or guy doing exactly this, because the pressures on them to do it are huge and you need to enable them to do it safely so they can experiment and learn what value it can or cannot create for them. Yeah, I okay. I think very much that it is overhyped.

I agree with David that there's a lot of people who say AI is doing a lot of things and it's questionable whether they, even if they are doing it, whether it is doing it well or effectively or in the capacity that works reliably, is certainly a challenge to discern. I will say a lot of the clients I'm working with are busy doing what their business does and are, if they're distrustful of AI, they're like, forget it.

I'm just going to keep doing what I'm doing and they're continuing to be successful. And the ones who are looking at AI or who are incorporating AI are actually saying, I'd like to be careful about it. Oh, we're starting to look at it. We're starting to bring it in. I would say in general, and now that's obviously going to be skewed because my clients actually care about security and that's why they have White Tuque working with them. That's fair.

So it may not be like a sample set of the general population that we see represented there. So you're like that old commercial, you call me now or call me later. Yeah, we prefer calling now. That's our core business, right? I think maybe the news there is that people who are naturally understanding of risk or want to understand risk are taking it a little bit more slowly with AI, or they're looking at how can they use it without exposing their data?

If you want to use Perplexity as an example AI search engine and just put in generic terms so you can more easily scrape information out of the internet, go for it. Cause is that any more risky than using Google? I don't think so. It's just more efficient. So do that, practice there. But yeah, to start saying, you know what, I'm going to let it run rampant through all my corporate data and hope that my permission model is set up properly, ha.

Then maybe not that yet. And even if you're me and you believe that we're at the tail end of the industrial revolution. And I live by the phrase, I'll go back to the importance of being earnest for our cultural critic. How do you go bankrupt? Slowly at first, then quickly. When this accelerates, I believe it's going to accelerate at a level that nobody will understand. And I do believe jobs are going to be lost. I do believe people need skills, but let's compare it to the last big revolution in transportation between the horse and the car. Just because I believe you should be embracing the car doesn't mean somebody shouldn't teach you to drive, and that it shouldn't have brakes, and you shouldn't just toss somebody in the seat and say, go to town. So I, and David, I think you brought this up. There's, we need an education and a discussion of AI from cybersecurity that I still don't see happening.

No. And what do, to your car analogy, how many decades did it take Ralph Nader and others to get seatbelts in cars? You had all the car manufacturers in front of numerous government committees saying we are going to go bankrupt if we have to put seatbelts in the car, and our inability to see the commonalities of past lessons that we've already learned when it comes to the changes that are coming to us as a result of new technology, and our unwillingness to get beyond this black and white, one or zero, binary debate between innovation and safety. I can either be innovative or I can be safe. We can do both, but we have to have the capacity and will to want to do it. And it's because we believe capitalism functions best when it's most Darwinian, that the risk takers win big the most out there, and that's the best for us, that we are probably predisposed for a lot more horrors.

What happened to that individual? And I would love to say that I am smarter than Ralph Nader, and we can help drive faster adoption of safety technologies. I'm not. I'm, it's going to, we are going to have a casualty rate, and what's really interesting is the same people that we get morally outraged when they would hear awful phrases in the military, like collateral damage, this individual and millions more are going to be collateral damage on the military race to AI. And the question for smart organizations is, are you going to be proactive and work with great folks like White Tuque and Laura on security and risk, or Beauceron on the awareness side, so that you aren't inadvertently one of those casualties, because nobody else is going to rein this chaos in. I think just to ride that car analogy, the limiting tip factor to how fast you can go isn't the size of the engine, it's the effectiveness of your brakes, and so keep that in mind, right?

Okay, there's two t-shirts for one show. But I do want to bring this up and I'll just, I'll leave this with our audience. You're not just admiring the problem. The reality is, and I think you brought it up, David, is we do need to think about education. Laura, you brought it up that you really do need to know how these things work in terms of where our guardrails and safety is.

And whether you believe in AI or not, whether you think it's going to take over the world or not, it's there as a force that is now the biggest movement of shadow IT in our IT history, and we need to be having effective discussions about that and a meeting of minds. So I hope, hopefully we can do a little bit. I did a show a couple of weeks ago on the dark side of AI, and where we left it was, don't be afraid to ask questions.

Asking questions is an important part of critical thinking and Jim, I will let you know, I have been experimenting with several AI tools, Leah, which is actually a tool to do a generation of online-based, computer-based training using established pedagogies and improvements in language. And it has been value there. I'm also using a tool called HeyGen to experiment with AI driven expert level videos. It is not automagic and push a button and my job is done.

Is it giving me new capabilities and new things to think about in those areas? Yes, but it's also showing me the limitations of these things. So to your point, there is, there's change coming, what's here today ain't what that is, and there's a way to do it safely and responsibly, but what's being sold for AI in the security industry, and specifically in cyber security right now, is a lot of hot garbage. So be careful out there. So you're coming over to the dark side, are you?

Wait till I lift my helmet and say, David, I'm your father. This has been great guys. Thank you so much for joining. Thank you to everybody in the audience for joining us for this show. We will, we're going to come back to this. Mr. Shipley, do you have a research paper, a report coming out, is it through translation? What's happening with you? It is. Yeah. So our annual report is out. It's available on our website in English and in Canadian French.

And all of the things that we seeded, although I will concede, I got a couple of math points wrong. It wasn't a 50 percent higher risk. It's 140 percent higher risk for those that think the tech's got my back, I don't need to worry about this stuff. So that's been out there published, the regular sort of interest points about industry, click rates, report rates, et cetera.

We did see some interesting sort of negative trends on click rates in specific industries, propensity to click went up. I think we got a good handle on some of the reasons why, and we have lots of questions on others. And the other point that's probably interesting in it is the amount of time you spend on training matters, and don't over train your employee. We'll get you back in next week to walk through it now that it's available.

Yeah. Yeah. I think I flipped you a copy and we can go through it, but yeah, I think a lot of the stuff that we gave listeners earlier this year, or late in 2024, are now there in writing for folks to chew on. And it's interesting to look at. I think it's time to do a review of that. Laura, what's happening with you? Oh, it's been a busy start to the year.

We're really just helping folks with navigating the change in the landscape right now, which is, you got to stay optimistic, be pragmatic, be realistic. We talked about, you can't just take a laissez faire attitude and say, you know what, it's going to be fine, the fire is burning around you, you've got your coffee cup in hand, but maybe you could stay optimistic. Wait, go find a fire extinguisher, right? Or have a plan to get out of the room before it comes down.

We're busy with that kind of stuff, but we keep doing what we're doing. These times are in ways unprecedented, but also, anybody who spent a lot of time in cybersecurity knows that there are stress cycles you go through and the way you manage your health and resilience through that is going to predict how you come out on the other side.

Okay. Yeah, and I think it's good advice, whether it's career advice or whatever, is when things get tense and when you're getting overwhelmed, what I do is the next thing on my desk, because it, at least I've moved forward. And so hopefully we'll be doing that, Laura. Thank you, David. Thank you. And thank you to our audience. And we will catch you next week. I'm off for a weekend of rock and roll. If you were, you're hearing this, I'm off playing guitar.

With no AI at all, David, you'd be really happy. It's all acoustic. See you next time. The beauty of human creativity. Great. Thanks, Jim.

Transcript source: Provided by creator in RSS feed.