Welcome to Kopi Time, a podcast series on Markets and Economies from DBS Group Research. I'm Taimur Baig, chief economist, welcoming you to our 123rd episode. Today's episode is a function of popular demand. Uh, whether at work or at home, concerns on cybersecurity are on the rise and elevated, to say the least. Uh, here in Singapore, stories on cyber scams, ransomware are rife, and perhaps they are an underestimate given that many of such crimes go underreported.
Uh, and there is cyber threat at the corporate and government levels, which is a whole different ball game. So let's talk about all this with an expert. I'm really pleased to have Nicholas Reys from Control Risks with me. He's a partner there, uh, with Control Risks' Digital Risks, Americas and Global Threat Intelligence practices. Nicholas specializes in the provision of threat intelligence to public and private sector organizations as well as leading and delivering complex threat intelligence and security projects. Nick regularly advises Fortune 100 executives on digital transformation, cybersecurity, emerging tech risks and threat intelligence matters. Nick Reys, welcome to Kopi Time.
Thank you very much. It's a pleasure to be here.
You just happen to be in Singapore. That's happen to want to do this thing. So, I'm really grateful that you could make the time.
Yeah. No. And I really appreciate the invite. I know the firm has been a long listener to the podcast and there's been lots of people that have been very excited about this. So I'm glad to meet you and glad to be in Singapore.
Fantastic, Nick. Maybe we can start by going over the three kinds of cyber threats, you know, the state-sponsored, ransomware, and the whole idealistic, quote unquote, activism stuff.
Yes, I think that's a good place to start. And for a lot of listeners, I'm sure this is going to be something they're relatively familiar with because it's been, you know, over the past decade, something that's now made the mainstream news media. We're starting to hear about these things and we can talk about the political aspects, we can talk about the financial aspects. But when we think about threat actors, we usually classify them
in those three categories. So at the very, very top of capabilities and sophistication, usually linked to states, whether military or civilians, we have those intelligence units, those APTs, as they're often called, advanced persistent threat groups, that are very, very highly resourced and that usually will work on the back or at the behest of a government. They will do things like large-scale espionage operations, disruptions linked to conflict.
And that's certainly something that we're looking at more and more as we come into this geopolitical arena in 2024 that's going to be very challenging for businesses. And we also see some of these groups leverage these capabilities for financial gains. And that's something that in the banking industry, we've talked for a long time about. North Korea very famously has deployed state-level capabilities to target
financial institutions and the financial ecosystem as a whole. But that's the broad family of sort of nation state level operations. And then we have next to this is organized criminality and sometimes heavily disorganized criminality because it's not just very, very well resourced and capable groups. It's also at times, people who just want to make a quick buck and who have discovered that cyber is a great way
to do this. It's a very low-risk operation. You rarely get arrested on the streets for doing a cyber crime. And certainly that's both a function of law enforcement resources and the multi-jurisdictional and transnational nature of the risk for organizations. But it's also because of the ease of anonymisation online. And that's been a big trend over the past few years. You know, cryptocurrencies
have helped a lot in the space. But more broadly, we've seen these criminal groups of various degrees of sophistication share one thing in common. They're motivated by financial gain. So whether we're talking about ransomware extortion, the ability to encrypt lock systems and data and extort money or data breaches which often are accompanied by extortion. We are looking at financially motivated groups and then at the bottom of the capability
spectrum, but increasingly over the years I've been in this field, we've seen that shift quite a bit upwards in terms of skills, is the activists, the cyber activist groups. Those have been in popular culture represented a lot by Anonymous, and we've seen a sort of Guy Fawkes mask. For those of you that are avid on the TV side, Mr. Robot had a great depiction of this type of, of, of sort of group, but usually they're ideologically motivated.
Now, one of the interesting trends, and you know, for some of those, our listeners who might have worked on Wall Street during the times, the sort of Occupy Wall Street movement saw a lot of activity. Exactly. And a lot of groups targeting big banks, but usually we see a lot of environmentally motivated groups. We have a plethora of different ideologies. I think the shift in recent years has been much more politically ideological motivations that veer on state
level sponsorship or support. And this is what we've seen. Certainly in the Middle East, the law we've seen across parts of eastern Europe where these groups become difficult to discern whether or not they are actually individuals or small groups or if they are being asked to run these operations by governments.
Let me go back to the government in a second. Which is so, yes, there are capabilities that governments apply to espionage and we know most countries do it. Um, there's also this whole layer of snooping that governments owe to their own people. And we've been hearing about certain software packages that certain countries commercialize and sell and you hear all sorts of unsavory governments picking up those things. So, tell us a little bit about that.
Yeah, it's been maybe a good decade now that we've seen crop up these companies that have specialized, private sector companies, technology companies that have specialized in designing and developing toolkits, capabilities, malware at times, to essentially conduct espionage operations and have commercialized it to law enforcement agencies across the world and for
a range of different purposes, sometimes legitimate purposes. And we do see counter terrorism operations or particularly in countries with the resources to build their own cyber capabilities as limited
valid use cases for criminal investigations. The challenge though is that in some jurisdictions and depending on the nature of the government, we've also seen abuse of this capability, and part of this abuse has been used to target journalists, freedom of the press, but also freedom of religion and at times even minorities within certain countries. I think the real challenge is making a distinction, and this is what we talk a lot in the threat intel world, is making a distinction
between motives and capabilities. Having the capability to do so, like snoop on an iPhone, which most governments will have a capability to do, is only legitimate when it is used by a purpose that is lawful. And I think that's where a lot of even the regulatory framework has
been evolving very quickly over the years, when most of our privacy regulations were built back before 2017-18, with the Chinese Cybersecurity Law in the European Union's General Data Protection Regulation, data privacy law had been written in 1990. You know, we were talking before starting about the iPhone release in 2007. Look at the pace of evolution and how difficult it is to stay on top of these
capabilities for regulators. And I think that's going to be a constant economy in the near future in our societies and in our democracies, how do we balance the capabilities our governments have with the motives and the intent to use these capabilities through legislation and through democratic processes?
What's your sense of GDPR? Now, whenever I go to a website, there's a little box that comes up. Do you accept the cookies or not? That is it really changing things?
So I think it has and there's been really interesting case law in Europe where some of the fundamental principles of GDPR, notably the right to be forgotten, which really came from a single activist based in Spain who sort of was really upset about when he entered his name on Google. The results that came in were either too old and were misrepresentation of who he was or were in
at times. And I think now within the European Union and certainly as European citizens, individuals can request that their information be taken down, that has undeniably really improved the privacy of European Union citizens. And I think we've seen similar bills come across the world and we are seeing
a real trend towards adoption of this approach. That being said, one of the objectives of GDPR was, you know, seriously improve the accountability of organizations in protecting consumer and employee data. And whilst we've seen improvements as a whole, it's not all of one size fits all. It's certainly not a silver bullet. And I think the challenge is regulation will not be the only answer to the problem that cybersecurity poses the privacy of our data
um uh entails. And importantly, whilst GDPR was a step in the right way, it is only a single step in what's going to be a very long hike.
Is it too early to say that the data leak issue in Europe is sort of better than elsewhere because of all these laws?
I think, I wish as a European Union citizen that it was better. I don't think unfortunately, it is going to be better. Thanks to regulation. I think regulation creates better accountability. I think you mentioned that the introduction to this episode, there's always been this challenge of, we only know what we know and as the public or as you know, members of the business community, we know if somebody's been hacked because they say it publicly, what
GDPR has helped. And I think what a lot of the legislations are coming out, and I just saw the, the CSA here in Singapore is doing more work on mandatory disclosure of breaches, is creating a universe of accountability that is very helpful because at least it creates a level playing field in terms of statistically. Do we see less data breaches since GDPR? No, we probably see more. And that's also a factor of just the sophistication of the landscape and just how much more data reliant we are.
So tell me something about the level of sophistication and the scale of cybersecurity threats out in the world. How often, how big are we talking about?
I mean, we'd be talking about every millisecond, if we looked at the technical materialization of attacks. I think there has been attempts at quantifying the damages. We are talking, if cyber crime was an economy, in 2025 it's scheduled to be the third largest economy in the world after the US and China. So we are talking trillions of dollars of damages. That being said, I always
take this quantification with a pinch of salt. There is no and this is one of the big challenges in our space is there is no way to actually understand the scale of the problem because it is reliance on reporting, it is reliance on transparency internationally. And the reality is we don't have much of this. What we can see is both in terms of spend budgetary wise by governments and private sector and in terms of
cost of remediation, the problem is significant. And in my 10 years working in the private sector and advising organizations around the world, I now very rarely do not see an organization that has cyber on top of its risk register as both high likelihood and high impact. I think where we see the trend moving is because our societies and our organizations are connecting more and more.
We are seeing massive investments in digital transformations. The reality is the problem is only going to get bigger and because we are connecting, not just ourselves to the internet, but we're also connecting machines, we're connecting factories, we still have roughly 50% of the world that's not connected to the internet. There is still a huge amount of vulnerabilities that are only yet to come.
If we are fixated on the vulnerabilities, sometimes we sacrifice efficiency or productivity. I used to work at a public sector organization where the fear of cyberattack was so big that we used to use two different laptops, one for external access, one for internal use. And then there was a virtual dropbox.
If you downloaded some data from outside, you'd go through, but it'll go through like filter after filter before you could bring it to the, but that was in my view, inefficient, it slowed us down. Um, are you seeing that sort of paranoia which is causing that sort of cost?
Yeah. I think it's a really good point and I think it's one that we often in the security industry don't talk about enough security for a long time, was seen as this huge blocker and an impediment to doing business. I mean, we've had scenarios where we tell executives if you travel to a certain country, you can't take your cell phone and they look at us and they say
we're going to take our cell phones. So not only does it encourage, you know, bypassing the controls, it also the controls become too difficult, then we lose our purpose of being a business or operating properly what we are seeing. And I think this is, this is the biggest thing that everyone out there, both organizations and individually, we need to think about paranoia is unhealthy. We need to be proportionate and to
be proportionate, we need to understand our environment. And if I am a bank or if I'm a government institution or if I am a health care company or law firm, my threat environment is going to be different. Not everybody needs to be Fort Alamo, not everybody needs to have military-grade defenses. Some do, maybe parts of our organizations do, and those parts, they need to be proportionate to the risks that we face. If we apply a blanket rule, we are going to waste money, we're gonna piss off
our users and ultimately we're going to be counterproductive. Right.
Right. I mean, I've noticed this even in certain apps where the security concern is so big that the app shuts down at every single hint of vulnerability. And as a result, it's not a user friendly app anymore.
I think banking has really led the way in balancing this because it's fundamentally a B2C business. So and it's a business that has been heavily targeted historically by cyber attacks. It's also a business where consumers are very concerned about the safety and the security of their data. And at the same time, they need that seamless connectivity.
And so if you look at some of the innovations of the technical layer multi factor authentication, the use of biometric on our phones for fingerprinting, the banks are still leading the charge. And I think there's a real lesson here for the community that security can be done whilst being user friendly. It doesn't have to be everybody log out every 10 minutes and I need to re input
15 passwords. And luckily the tech is moving into such a space where the solutions designers, the technology companies are really thinking about the user.
Nick, coming from DBS, I fully relate to what you're talking about. Um, as we speak, we have two full-blown military conflicts in the world, Russia-Ukraine, Israel-Gaza, and we have this simmering tussle between the US and China, which probably will last our lifetime. So talk about cyber security and dimensions of actual conflict, both full blown one as well as a simmering one.
Yes, I think this is, this could be a topic for the next 20 hours. It is by far the pieces that I find the most fascinating in this space because it's where we see the real convergence of this risk
environment and the convergence between real life and that digital component. Look, I think for a long time, we had forecasted, and not just we at Control Risks, but organizations across the world had forecasted that cyber was going to become a normal part of conflict and particularly of hybrid conflicts like what we're seeing, and certainly both in the Middle East and in eastern Europe,
it has manifested this way. I think Ukraine was a surprise to a lot of commentators because I remember at the beginning of the war, there were lots of questions about, are we going to see a very large scale cyber attack, crippling the entire electric grid or even into Europe? And for our listeners that may have an interest in the field, you know, the scenario was Colonial Pipeline, the shutdown of a pipeline in, on the eastern seaboard in the US. The reality is we
didn't see this. And I think there were two reasons for this. One is Cyber is part of military operations is one the many tools at the disposal of states. But it is also not a replacement for traditional kinetic war and traditional conflict. That being said it does feature prominently as part of both of these conflicts. And I think they
give us a taste of what there is to come. Actually, Ukraine, you know, after the invasion of Crimea in 2014, we saw the development of disruptive or destructive cyber attacks against Eastern European energy infrastructure by Russian-linked units. And what that was a good forecasting sign of is war is a capability development moment in cyber. It is through military means that we see novel tactics and techniques. It is what we've seen in the targeting of satellite systems during
the war in Ukraine. It's also what we've seen in the targeting of data centers and large scale telecommunication infrastructure. It is not the sort of big nuclear apocalypse that people may have forecasted, but it is evident that it has become a critical part of before during and after conflicts. And I think the concern when we look at some of the tensions around the world today is there are more and more
states developing these capabilities. What keeps me up awake at night is the private sector is going to be caught in the middle of all of this.
We private sector companies, not only oftentimes run the infrastructure that sits in those countries, it is also our business imperative to work across jurisdictions, and what we're seeing, and particularly the sanctions that came by both the US and the EU after the invasion of Ukraine on Russian businesses, was a good indicator when all of a sudden you couldn't update Microsoft in Russia because the sanctions prohibited Microsoft from sending updates to laptops and assets in Russia.
It is reshaping the world of technology these conflicts. And I think very interestingly for us, for instance, we are increasingly looking at technology as a resilience concern and just strictly a cyber security concern. And I know that's a big part of the discussion in Singapore about the resilience of the infrastructure cyber resilience in Singapore. I think that is absolutely the right discussion to touch on the US and China. Look we are entering a US electoral period, we don't yet know what
will happen. But it is very clear that the tensions around the control of technology and the development of generative AI, we've got the beginnings of quantum discussions happening a little bit everywhere, is going to be a real arms race between the two superpowers. And it's going to put businesses in the middle of this, of having to pick where do I choose my technology supply chain from? How do I build resilience in light of different regulatory framework?
And importantly, what is the direction of travel from an access to technology and the security of our technology in light of my own business strategy
Right. I want to go back to the issue of resiliency for a second in the context of Russia, Ukraine. So, yes, at the beginning, the fear was that there will be cyber attacks from Russia and there will be widespread blackouts both in Ukraine and elsewhere. Now, what about the fact that almost three years after the conflict started? And despite all sorts of sanctions, Russia's capabilities seem pretty good. How are they being so resilient?
It's a great question. And I think there's been lots of analysis recently around the sort of move of Russia towards a war economy regime and something close to 70% of GDP now being dedicated to the war effort. And I think that most governments now in their strategic military planning take cyber as one of the aspects of we need to maintain resources, we need to maintain capabilities throughout the continuation of a
war effort. And so that pivot has been very significant in Russia, I think equally I mentioned earlier on when we were talking about the different types of threat groups. What we saw at the beginning of the conflict is a lot of the ransomware groups that were very active targeting financial institutions and other businesses in the US or in Europe or in a all of a sudden stopped their activity and focused on Ukraine.
And this is where the resourceful and the asymmetric nature of cyber capabilities where it actually doesn't cost that much to do and it becomes very sustainable over time because unless you lose the infrastructure within Russia, it's still a computer with internet access and you can do a lot of damage with that. And so I think those resources and the asymmetric nature of the spend has been one of the reasons why we have seen the continuation of the cyber
operation surrounding the conflict in Ukraine. But also certainly that pivot towards a war footing economy, a wartime economy has allowed Russia to sustain a lot of its efforts.
Fascinating. I, I really didn't see, you know, this coming from Russia. I'm pretty amazed that, you know, uh, to your point that if indeed the Apple iOS or Microsoft 365 upgrades are not happening. How on earth are they not falling into technological obsolescence unless they have friendly countries which are helping them? The text Act?
Absolutely. There is a lot of, we're seeing a lot of interstate cooperation aligned particularly to kind of more traditional geopolitical alliances. We're also seeing a lot of home-grown talent coming out of a lot of places. One of the, one of the paradoxes of cyber, and I often draw a parallel with the sort of nuclear arms race. If a group gets a hold of a nuclear warhead, they can use it once and that's it. Once it's been used, it's been spent. Unless you know how to
manufacture it, it's gonna be very difficult. If you get access to computer code, you can reuse it ad nauseam. It is constantly standing on foundations that cannot be shaken. We are not tomorrow going to redesign if tomorrow Microsoft can't update Windows in Russia. Windows doesn't stop working. It's still going to work and you can customize things on top of it. And that's one of the reasons why technology feels like such an exponential pace of development. It's because we never really
have to start over. We're always building on top of things that are being built on top of things. And so that's why it's very, very hard to build things, but to maintain and improve things is actually a lot easier and a lot less costly.
I can imagine that the cybercrime unit at Interpol is having sleepless nights because the possessive of this issue. So I brought up Interpol for a reason. So on the ransomware attacks these days, everybody wants or everybody, most uh hackers want crypto as a settlement for ransom. My view on crypto was it should be the most transparent system in the world. It's a Blockchain and we
know what the transactions are happening. Why is it so hard to not be able to track down people who are receiving crypto payments?
Yeah, I think it's, it's the same frustration that a lot of innovators have had with platforms like social media, you know, the the impetus and the design was very much towards transparency, freedom of access, freedom of of, of sort of control of or from control of, of, of centralized institutions. And that's still very much if you look at the sort of the maths and the science behind the Blockchain, that is the philosophy, it is a transparent ledger.
But then clever people who had bad intentions realized that much like any human attention span, much like banking transaction. If you run transactions through hundreds of different layers becomes very difficult to reverse engineer. And I think that's where we've seen this real frustration. And at times what I think has slowed down the likelihood of adoption of crypto as part of traditional banking or as part of traditional national economies is
because there's been a weaponization of the capability. So we did see very early on when ransomware became a thing, the birth of what's called tumblers, which are services that you can purchase on the dark web where you will say I have an illegal transaction. I want to hide it. It's money laundering, it's, it's, and it's automatic systems that will run the cryptocurrency through hundreds and hundreds and hundreds of different wallets that have just been created. And all
of a sudden, it becomes very difficult to trace. The last thing I'd say on this point. And I think this is the tension with both the regulatory and the sort of governance of these technologies, part of the principles of cryptocurrencies and the Blockchain was freedom from central oversight and governance. But it is also because of that freedom from central oversight and governance that we see these abuse materializing because there is no authority
to say the technology shouldn't be used that way. The way banks dealt with anti-money laundering and KYC over the past 20, 30, 40, 50 years has been through cooperation between institutions. Well, if there is no institution, cooperation becomes very difficult. And so that's a very inherent tension in the philosophy of these technologies that will eventually need to be reconciled one way or the other.
Is anything happening in that regard, global efforts?
There are lots of discussions, there are lots of working groups. I think lots of governments and financial institutions are looking into it. The open source community has built amazing and there are tremendous people who are spending a lot of their personal time working to the betterment of the technology. I think we are seeing a more optimistic term. I mean, we've obviously had the situations like FTX's and it's, it's been rife for scams and various other, but it is very much the
infancy of the technology. And to some extent, you know, Ponzi schemes never stopped us from banking. So I don't, I'm not a very bad pessimist in this space. I think it will take multilateral efforts. And I think the concern going back to the geopolitics of it all is states seem less and less inclined to be multilateral. So for technology like this I think we really need to think about what the community and the private sector can do to help to improve the transparency of it.
You know, Nick, when you were saying that I was basically thinking of the parallel between climate change and cybersecurity. The externalities are so substantial that you trying to take your foot within your own borders doesn't work. You've got to work the whole global community.
Yes. And I think the parallels with climate change are, you know, the magnitude and the scale of the problems are so significant that they can feel so daunting that individually, we rescind and we retract from trying to be a part of the solution. I think this is something we've seen a lot in the world of business and the SEC published directors recently to make sure that boards that were uh regulated by
the SEC had accountability of Cyber. I think that's a great first step towards ensuring that everyone realized we are part of the solution. All of us use cell phones, all of us have smart watches. Now we have smart homes, we are connected, we are responsible as well for not just our security but ensuring that we are pushing technology and innovation direction that's going to be a net positive for the world.
We do connectedness. I was at a board meeting in Singapore last week and during the my presentation, somebody's doorbell back in Oslo rang and he was like, who's you know, knocking on my door and he was taking it out. Um, Nick, you live in the US, you face a lot of American companies, but you're visiting Singapore. I'm assuming during your stay here, you'll be talking to a lot of Singaporean companies. What's your sense of Singapore? Is Singaporean population susceptible to more
scams and cyber scams than other countries? Are Singapore institutions facing it better than others? Just give us a sense from an international perspective.
I'm always fascinated when I come by Singapore because you're very much one of the most connected economies, connected societies in the world. And I think that's both a blessing and a curse when we think about cyber because I think the level of awareness and education around the problem, the government has done a lot of work at discussing the issue with the private sector. There's been regulations that have been sectoral
and national around the issue. Um And at the same time because it is such a connected economy, we do see a lot of attacks in Singapore proportionally speaking, not any different than many other places in the world. But I think you are by virtue of the concentration of high tech businesses between finance, health care, tech, all of these businesses that have a larger attack surface than most and also one of the largest shipping ports in
the world. And we are seeing a huge amount of businesses investing in Singapore. That is a perfect recipe for cyber threat, actors of all ilks to target the country. I think when we look at major data breaches that have occurred in the past few years, you know, whether these be in the healthcare sector, we've had breaches in the telecommunications space very recently in the law firms, uh sector of professional service industry. Those trends mirror very much
what we are seeing elsewhere. I think the real challenge for Singapore in the years ahead is how to continue maximizing the opportunities that come from this incredibly connected population. I'm fascinated every time when you look at the infrastructure, the roads, the public transport, the applications that exist for hailing a cab are remarkably ahead of many other places around the world. But that creates a layer of vulnerability.
And I think when I look at the landscape here, there's been probably a less less lesser concern around the top level geopolitical risk, although that may very well change in the near future, but more concern around criminality and that's absolutely where we see it scams are rife. I think the advent of
generative AI is going to trigger even more. You know, we are in a city, in a country where there's 3 to 4 primary languages spoken for business and for sort of transactions. That opens a lot of doors for spear phishing, for scams, for all of these sort of things. And I think it is balancing that opportunity with the
risks that is a challenge moving forward. But I'd certainly say on par the exposure is greater, but actually, there's been also great works and companies here are very aware of the issue and are certainly getting more and more aware and investing more and more in security.
Yeah. No, no doubt about the investment aspect. And I think that firms and the government are, you know, very enthusiastic investors and procurers of, you know, technologies to sort of prevent or, or reduce the fallout from cybercrime. Uh, you mentioned generative AI. So let's talk about AI a little bit.
Uh, so even before large language models came in, you know, just the application of AI itself meant that, you know, one can again run complex algorithms and iterative calculations to break codes or, uh, learn people's behavior and then apply it against them, that sort of stuff. Now, this 18 months, 16 months of LLMs, uh, are the hackers of the world picking it up?
And the world's still here, as far as I'm aware, we're not in a simulation yet. Um, so, yeah, I think there's, there's been a bit of, um, there's been a bit of a, a balancing of public consciousness around the development of the technology. So to answer your direct question, yes, we're seeing hackers beginning to
use it. And I think particularly in social engineering attempts, there was a very notable case of an engineering firm in Hong Kong that was breached for about $20 million and it was a deepfake voicemail that allowed the breach to occur. So somebody's voice had been mimicked. And I think in a sort of spectrum of risks that we're anticipating from generative AI, we're really in phase one, which is that disinformation, deepfake social engineering.
How do hackers use it? They will use it to very rapidly create tailored emails to target their targets based on their LinkedIn profile. It's not something they haven't done before. They just go quicker or maybe to translate into Mandarin when they normally only speak Portuguese. And there we go. The spear phishing email looks much more credible and much more likable, but it hasn't been a total collapse that some were predicting.
And I think in part, it's largely because of how challenging the education about what it is that we talk about when we talk about general AI and I'm sure it's been the same in your firms and in the conversations you've had in the communities, there is a very varied level of understanding of what the tech can do today. Its possibilities in the future are tremendous, but we are still seeing just the very beginnings of the application.
So what we thought was going to revolutionize the world in two months, you know, 18 months, we're still here and there's still a lot of great things that have happened. But by no means what the public may have expected, I think when we look to the future, there are indeed considerations from a cyber perspective where it's a barbaric term, but it's existed for a while, but it's called Polymorphic malware.
So it's the ability of computer code to adapt to its environment to know if it's sitting on a Windows system or a Mac system or an iOS system. And we do expect small language models to be included in malware development so that there's less and less need for human operators, much like we are using LLMs to reduce the need for traders to kind of look at every single bit of the trades that they're doing to gain speed in the research
that they do. And so it's always a sort of arms race between the good guys and the bad guys. It's whatever we develop to either defend or to do our day to day work, they develop to exploit or attack. And so we will see more, it's still very much in its infancy.
OK. Um On that, uh there's a lot of foundation of cybersecurity built around cryptography and the whole blockchain is built on the foundation of cryptography. Uh putting aside LLMs but just the other exciting science fiction area which is quantum: are these cryptographic foundations of modern technology at threat?
So you can, yeah, I think they, I think they are um the question is more difficult to answer if you ask me when. Uh but certainly in the concept stages. And we have seen, you know now that the public is getting in a lot of boards of fine, we understand AI the next question is quantum computing and quantum telecommunication, which do theoretically pose a systemic risk to encryption everywhere around the world. And I think encryption will only be the beginning. Quantum computing
in its commercial applications. And as far as we can tell because again, it is very much not out there yet. There are proof of concepts, there are some small scale applications but we still have massive physics challenge to resolve to deploy commercially will absolutely jeopardize the very foundation of encryption as we designed it because it will allow for cracking. What would take today billions of years to crack a password using RSA encryption theoretically could take less than a few
hours with a quantum computer. Now, I think quantum for me is emblematic of again, that exponential curve in technology. Um we are living in an era where I think it took, you know, 60 years for a million people to gain access to the radio. Then 40 years for people to get access to the TV. Then 20 years for 1 million people to have access to the internet, it took four hours for 1 million people to use ChatGPT. And that curve is very much a again, a symptom of
the foundations that we are building upon. Those building blocks are still here. So quantum is really about computational capabilities we are going to live in an era where a lot of the current security and defensive measures we've put in place that are reliant on the limitations in our current computing capabilities will have to be rethought. And that's going to be a very significant effort by everyone and costly.
Right now, I'm assuming scientists are fully cognizant of the theoretical threat posed by quantum. And the really smart ones are trying to already figure out some countermeasure to that. Uh I mean, so like the day somebody says we have a fully operational quantum computer, the world doesn't completely panic and sell everything they have hopefully, is there some hope like that? There,
there is some hope. And I think, you know, the scientific community does what the scientific community should do. They're innovating and much like what we've seen in other major societal and economic evolutions, they are not necessarily thinking about this from a purely risk based perspective and you wouldn't want them to. This is also one of the benefits. I think of all the noise around gen AI, we had certain suddenly a lot of people around the world became technology, ethical specialists.
And you know, everybody has an opinion of what's good, what's bad in this space. That is part of where I think the checks and balances that are happening across a lot of places in the world, in government, in academia, in the R and D community is around having a multidisciplinary group of people around the table. And this is what we say a lot to boards and executives when we meet them. And we talk about these emerging technology issues.
You have to look at this across the spectrum of your business, your risks, your duty of care, your social responsibility, your ESG obligations, all of these are deeply interlinked and without doing so, we run the risk of really generating technology or employing technology that ultimately will harm our businesses or societies or our people.
Fascinating though, Nick, you're not a large language model. So I'm not gonna ask you to summarize in 20 words, the two hour presentations you make to companies. But um give us a sense of some of the best practices that you're urging companies and boards to adopt in dealing with cybersecurity.
Yeah, I think the three things I would let companies sort of really focus on is first, get the basics right. And I think still today we talk about gen AI, we talk about quantum, the vast majority of businesses get compromised by a simple phishing email and that will never go away. We need to be realistic no matter how much technical spend we make. This is a human problem. And so continue with the basics and education in your business
as you do this. The second layer is think strategically about technology, not just in terms of security, but in terms of your resilience over the entire span of your business. One of the things I'm always surprised by is boards and executives are comfortable doing market entry analysis. We should be doing technology entry analysis. Why are we picking this LLM? Why this
cloud provider? Why are we venturing into this space? Those questions need to be asked at the most senior level in business to get a holistic view of the risk. And then the last thing I would do is don't be afraid to look at both risk and opportunities over a long term horizon. Again, the parallel with climate change, I think are really
important here. We can be worried about today, but our executives and boards have a responsibility towards tomorrow and today, we need to make sure we do the basics right. We need to prepare for what is going to be a very different world in 5, 10, 15 years. And when we think about cyber, it is talking about what does our business want to be? Do we want to have access to the latest technology and manage the risks? Do we want to be maybe
second line adopters? And first see how the technology evolves. And importantly, how do we look at implementation as a cultural phenomenon within our enterprises, how are users going to think about it? And this requires that long term vision much like we do long term business strategy, we should do long term technology risk assessments?
Fantastic. Final question. Um you mentioned earlier that, you know, financial sector has always been sort of the forefront of balancing user experience with infrastructural security and so on beyond financial sector, when you look around the healthcare defense uh other education schools, which sectors look to you fairly resilient and smartly managed and which sectors look to you the most vulnerable?
Yeah, I, I think we've seen a real leaps and bounds in the tech sector and, and particularly sort of um I'd say technology as a service that's been a massive because they've become so critical to the actual businesses of others. And if you're Amazon Ali or if you're Microsoft your business is security, security of your consumer data. And I think much like the banks, they've had to rapidly adapt their business models.
I think where I have deep concerns and um you know, health care has been a real area of concern because health care is incredibly complex as a sector from hospitals to insurance to sort of now we have, you know, health tech providers, farmers, but the real concern is the value of personal health
information is incredibly significant to a hacker. It gives us insights into people, it gives us insights into some of their challenges, but also how to reach into them and how to social engineer them that makes it very attractive for a threat actor. The other sector that I have a long term worry of is my sector, professional services. And I think because we sometimes forget we are part of so many supply chains.
We work with businesses across all verticals, whether you're a law firm or consulting organizations, we have access to a lot of data, a lot of sensitive data and we sometimes make for the worst patients. It's like doctors make for the worst patients, consultants and professional service industries sometimes make for the worst patients because we think
we know better. And I think I will always stress on my clients and certainly everyone out there: ask those questions in the discussions with your providers because again, it is a supply chain issue. It is very much the weakest link in the chain and all of our businesses are connected now and it will be very difficult to disconnect them. So that's probably where I'd see the sort of good and the bad.
Absolutely fascinating. Nick Race. Thank you so much for your time and insights.
Thank you very much for having me. It's been a pleasure.
It's been great and thanks also to our listeners. Copy Time was produced by Ken Delbridge. Violet Lee and Daisy Sharma provided additional assistance. All 123 episodes of the podcast are available on Apple, Google and Spotify, as well as on YouTube. As for our research publications, webinars and all other material that we put out, you can find them by Googling DBS research library. Have a great day.
