- Welcome to the Cyber5, where security experts and leaders answer five burning questions on one hot topic in actionable intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host, Landon Winkelvoss, co-founder of Nisos, a managed intelligence company. In this episode, I talk with former United Kingdom National Cyber Security Centre CEO and former Director General for Cyber Security at GCHQ, Ciaran Martin. We discuss the political, legal, and ethical challenges of today's ransomware threats, and the corresponding nation-state challenges of Russia, China and Iran. We discuss what the US and global economies can do to reduce these threats and how the financial industry can assist in a greater capacity. Stay with us. - Ciaran, welcome to the show, sir. Would you mind sharing a little bit about your background for our listeners? - First, Landon, thanks for having me. Great to be here. My name is Ciaran Martin. I'm an advisor with Paladin Capital. I'm also a professor at the Blavatnik School of Government at the University of Oxford. I've been doing both of those for just shy of a year. For the previous 23 years, I was a British government official. For the last seven of those 23 years, I set up and then ran a new National Cyber Security Centre, part of GCHQ, the intelligence agency, the sort of NSA and DHS sister equivalent in the UK. - Can't thank you enough for joining the show. Paladin is one of our esteemed, trusted investors, and certainly we appreciate everything they've done on their advisory boards for Nisos and all the advice that you've given here these past few months. So, certainly kind of diving in, we're really gonna get into the geopolitical and world economic context of everything we're facing around cybersecurity today.
So I guess kicking it all off, it'd probably be helpful for listeners to just have a general background. I think everybody here knows what ransomware activity is at the very core level, but certainly probably aren't really tracking a lot of the political, legal, and ethical challenges. So lay out the background of the political, legal, and ethical challenges to the current cybersecurity challenges that are really culminating in this uptick in ransomware. - Well, here's my high-level view, my high-level sophisticated view based on all my experience: ransomware is really annoying. That may sound facile, so let me explain. We've got at the minute a battle for technological supremacy between the US and the wider West on the one hand, and China on the other. We've got major geopolitical trends affecting how technology works, whether we can keep it free and open while still respecting privacy and all of that. We've got semiconductor battles going on and so forth. And yet the biggest issue in cybersecurity at the minute is a bunch of criminals of medium sophistication causing absolute havoc. And in some respects, if it wasn't so serious in terms of the impact, you know, in disrupted hospitals, the entire disruption of the national healthcare system in Ireland, food retail problems in Sweden, schools in New Zealand and the UK being taken offline, and of course gas shortages on the east coast of the US, if it wasn't for that social disruption, ransomware would be of no strategic significance at all, because it's just criminals. But it's becoming a really serious problem. For all the talk about cyber war and cyber Armageddon and cyber Pearl Harbor over the last 20, 30 years, it's actually ransomware that's coming closest to hurting anybody. So what's happening? I think there are broadly three things at play. One is Russia and some states around it allow criminality to flourish. They allow it to take place.
There are countless numbers of Americans or Britons or continental Europeans who could run a really sophisticated and well-run ransomware organization, but our police forces don't let them; they would kick down the doors within a month of these guys being set up. But the Russian state, for its own reasons, decides to leave them alone as long as they don't harm Russians. So that stability, that safe haven, really matters. The second thing is we've got a bunch of problems in our own cybersecurity. We've had them for a couple of decades, and they mean that an attack on an enterprise system can take out a pipeline. And then the third thing is we've got a business model that works spectacularly well for the criminals. Everything works in their favor. Any attack gets hyped up as an existential threat, so people who don't understand how cybersecurity works are panicked into paying. They don't have to disclose that they've paid. They have to pay in cryptocurrency, so it's harder to trace and disrupt and so forth. So you've got those three things: the safe haven in Russia, weak cybersecurity in the West, and a business model that favors the criminals. And that's why a problem that was taking off in 2019, I remember having a drink with Chris Krebs, then the head of cybersecurity in the US, in Munich in February 2020, and we were getting really concerned about ransomware, but it's just got out of control in 2021 because the criminals have realized it's become so lucrative, and that's why. - Well, so let's pick those three portions apart, right? So many could argue that many of the cybersecurity challenges originate with the US private sector. And again, this is all the move fast, break things type of mantra that you hear a lot in Silicon Valley, and everything is certainly being connected in some way, shape, or form. Can you really fix legacy problems like these? - Can you fix them? It depends what you mean by fixed, Landon. Can you mitigate them? Yes.
Can you strategically fix them? No. We have to fix the next generation of technology. And I think you're right. It is this move fast and break things, and it achieved great revolutionary change, mostly for the better in the human experience. But there's a great quote from Dr. Vint Cerf, one of the godfathers of the internet, if you like, at the Google end of things. He said something like, "When we were building this, we didn't think enough about the people who'd wanna break the system." And so a system that was very much, if you like, not even a US invention, but a sort of Californian, very open, very liberal one, prioritizing connectivity over everything else, has meant that there's all sorts of structural flaws. Having said all that, there are things that we can do. I mean, in the UK government, we started to do interventions for free that the commercial sector didn't have the incentive to do, so DMARC brand protection, you know, stopping half a billion emails a year being sent pretending to be from the tax authority, automatic blocking of known malicious destinations. There are various free checks for small public authorities that can't afford to do the sort of detailed vulnerability scanning. And so there are things you can do. I also think that, you know, things like clever regulation, looking at the insurance models, looking at corporate governance and incentives. I mean, how do investors know whether a potential investment is actually managing cyber risk? Well, if you're worried about, say, pensions risk, there's all manner of data that companies are obliged to disclose. If you're looking at how to manage cyber risks, there's also... Cybersecurity is as much an economic problem as a technological one. The incentives are all wrong, and there are lots of things that we could do to mitigate the risk. And an awful lot of it, particularly when you're talking about ransomware, is about business continuity.
I mean, if you can keep your business running, then it's much harder to extort you. But I think the long term is around fixing the next generation of technology. So, something that's already pretty much with us is a really interesting example: IoT, the Internet of Things. So as the T suggests, the Internet of Things is a different business model from the previous generation of technology. Let me caricature the previous generation of technology: you didn't have to pay money for anything, you paid with personal data for free access to web-based services, a pretty horrible model from a security point of view. With the Internet of Things you pay for an object and the service that goes with it. And that's a pretty traditional model. And that allows you to specify standards. It allows you to ban stuff that's dangerously unsafe, and it allows industry to set standards so that people can say, well, I'm prepared to pay more for security, but can you verify that this is more secure, that this has better security standards? And we're starting to see that now with things like IoT codes of conduct, where, you know, you can't sell some things, but you can sell most things, and there are ways of telling whether or not things are more secure. So that's the opportunity now. - Piggybacking off that, you mentioned briefly some of the opportunities that the UK government and economy have taken. I guess, what are the opportunities really for the world economy at large to improve, and I guess what are the major challenges? I mean, I have to assume that there probably needs to be some sort of standards across the board, whether they are country specific, region specific, continent specific, that really, I guess, hold, you know, a lot of different technology companies and software companies accountable. Where are you seeing, you know, potential challenges there? - Well, I'll go for the opportunities first. I mean, first of all, for the private sector, there are huge opportunities here.
I remember when I started at GCHQ, before we'd set up the National Cyber Security Centre, a senior technologist who'd been around for years saying to me, "You know, when I joined this place..." and he joined this place in the sort of 70s, I think. He said, "You know, we thought we needed to keep pace with all communications development in a way that we could sort of really master and influence." Now, he said, "Look, you know, the total British intelligence budget is 2 billion British pounds, say $3 billion. The total global technology industry is about $3 trillion. So you're just not gonna be able to do that." So if you take something like ransomware, a technological solution for a particular aspect of ransomware would be commercially lucrative. There are all sorts of opportunities. I think also we're past the age of awareness raising, so you can sell good security. And as new technologies are developed, we've already talked about IoT, but, you know, use cases of AI and ultimately quantum, you know, people who sort of fix the security of those things, I think, will be very well rewarded. And there'll be huge growth in cybersecurity itself. Innovation in cybersecurity is gonna be everything. I think the main challenge, and this is why I said at the start, "ransomware, it's just really annoying," is that for the first time in the history of modern technology, there is a genuine competitor to the US-led model, which looks and feels different and is very threatening. And that's the model of technology being developed out in China. I mean, Russia, both in terms of state activity and criminal activity, they're behaving very badly and causing great harm, but on America's internet. China is building a completely different model of technology, which is, in the eyes of some, cheaper and therefore more attractive. But also it's designed to be more authoritarian.
You look at things like the New IP proposal, which would make it much easier to tell what the content of data being transmitted around the world is. You look at the sort of social credit system, the surveillance technologies in use against its population domestically, particularly in western China. This is a really, really challenging test for us because, you know... I remember being in Shanghai a couple of years ago and a pretty moderate Chinese figure saying to me, he said, "You know, 20 years ago, you in the West, you were telling us that state control of this new technology was impossible. Well, we've proved you wrong." And I think most people would accept that China has shown that state control over internet-based technology is possible. He said, "Then you said, even if it is possible, it's undesirable, you should let everything run free. Now, 20 years on, you guys are talking about privacy invasion. You're talking about cyber crime, you're talking about child sexual exploitation. We were warning you about this all the time. This is why you need a model of technology that favors state control." And I think that's worth reflecting on, because we need to shore up confidence in our own model. And we can only do that... One of the ways of doing that is by making it more secure, by making sure people have confidence in it. That's the biggest risk to our current way of life, in my view, and it's crucially important that we shore up confidence in the security, privacy, and health, if you like, of our own technology. - That's a fantastic reflection. And then you said that that reflection was from talking to government officials 20 years ago in Shanghai. Is that correct? - That was two years ago, but they were talking about 20 years ago; they were talking about us telling them 20 years ago. They were saying, "Now look, you know, 20 years ago you told us we couldn't control the internet. Well, we can." And I said, "Yes, that's correct."
I mean, that's objectively, observably true. You can't use the internet freely in China. So there is a model that works in that respect. But they also said, "Look, you warned us, even if it was possible to control the internet, you shouldn't do it." Well, now they were saying that they've got this model which takes all the harm out of it because, you know, it makes it harder to commit crime. It makes it harder to expose children. It makes it harder to launder money, et cetera, et cetera. And so it was essentially a dig at the West, saying you're losing confidence in your model of technology, we're gaining confidence in ours, we're gonna outpace you. - Let's go really to the next series of, you know, discussion points. I think that's a perfect segue into that. Do you see the West tackling ransomware groups similar to, you know, how the non-state threats of the past 15 years have been fought, and here I'm really talking mostly about the counter-terrorism wars that have been fought over the past 15 years? There are some people that say you have to go out after ransomware actors similar to how you went after those non-state actors. Is it more complex? Are we moving back to almost the Cold War era, where we contend with China, Russia, Iran in this facet? - So I think there are two different things here. There's ransomware, which is essentially a criminal activity. And then there's China, Russia, and Iran and arguably North Korea, which are state actors, and the ransomware groups are the non-state threats. I think this brings into the conversation a question that we probably both asked ourselves many times over the years, you know, to what extent are cyber challenges different from other challenges, or are they just the same challenges except they involve computers? So let's ponder that for a minute. Ransomware in particular illustrates that there's one distinctive feature of cyber crime which is genuinely new, which is that hitherto in the human experience,
if you wanted to commit crime, even if it was, say, so-called politically motivated crime like terrorism, eventually somebody, either you or somebody working with you, had to set foot in the territory you were attacking in order to perpetrate the act. You just couldn't do it remotely from start to finish. In ransomware and wider cyber crime, you can. So unless, as occasionally happens, one of these people goes on holiday to the West and ends up spending, you know, 35 years somewhere courtesy of the FBI, we're not gonna touch them through law enforcement means. So that's very different. So how do you tackle that? Well, then you think of, well, when was the last time we faced a major non-state threat that was harbored by a nation state and was causing harm? And you think, obviously, of the case of Afghanistan and 9/11. And that obviously led to an invasion and occupation. Obviously we're not gonna do that to Russia over mere cyber criminals. So what is different? So I think you are looking at a sort of, at least different in some aspects, type of statecraft. So I think President Biden's absolutely right to put it at the top of his agenda with Vladimir Putin, as he did in Geneva, because one of the reasons why the Putin regime has been so content to harbor ransomware groups is that he wasn't getting any kickback for it. But if the President of the United States is saying that this is one of his top priorities, then this might begin to make it more of a problem for Putin than hitherto. I think there are things... If you look at the capabilities of the likes of Cyber Command or the National Cyber Force in the UK, the way ransomware gangs work, this is the sort of activity where offensive cyber might come into play, because it doesn't have some of the other difficulties of offensive cyber. Technically these attacks can be confined. They're unlikely to spread, to go viral, if you like, and attack innocent infrastructure all over the world.
They're unlikely to be escalatory because it's hard, it would be pretty hard, to see the Putin administration seeing an offensive cyber attack on a criminal group as, you know, an attack on the Russian state. So there are things like that that we can look at, but it's a really, really hard problem. One of the things it does have in common with the non-state threats, however, is the movement of money. So if you look at the G7 statement on ransomware issued last month, a very, very powerful, hard-hitting statement, but what happens now? That's the bit that concerns me, because after 9/11, when people said, right, we've got this big problem with global terrorism, and money's a part of it, it became almost impossible to move money around on behalf of a terrorist group. I mean, if anything, the financial regulatory regime was tightened so much that it became very onerous for the ordinary citizen. I mean, my now wife moved from the US to the UK just after 9/11 and couldn't open a bank account because financial regulations were so tight in the aftermath of 9/11. Yet here at the minute, we have easy-to-buy cryptocurrency being transferred to Russia in huge amounts on a weekly basis, and there's no real barriers to that. And I'm not an expert in financial transactions, but I would've thought if the G7 tough talk on ransomware is to mean anything, it should be coordinated action to stop the movement of money to these criminals. So that's the ransomware part of this. Then in terms of the state threats from the likes of Russia, China, and Iran, I think those are actually sort of almost three different things, sorry for the long answer, but China is a strategic competitor building its own technology. Chinese cyber attacks are almost, I mean, I know there was a huge exposé of the Microsoft attack the other week, but Chinese cyber attacks are almost priced in at an agency such as my old one. They're just a cost of doing business for our countries these days.
The real challenge from China is technological supremacy. With Russia, I think it is kind of a cold war. It's trying to disincentivize them from doing the very pernicious, disruptive activity, as it's done against France, as it's done against Estonia, as it does all the time against Ukraine, whilst accepting that it will be quite skillful at doing some of the accepted activity like spying, as we saw on SolarWinds. And Iran is a different problem again, because Iran is an asymmetric retaliator. In other words, it is prepared to do things to the US and allies that it probably wouldn't attempt in the physical world. And so again, that is more of a sort of rogue state problem than a cold war problem. So I think one of the lessons of all of this is that cyber doesn't exist in a vacuum. It's not an isolated domain. You know, the ways of dealing with China, Russia or Iran in cyber are pretty similar to how you deal with China, Russia, and Iran as states who have varying degrees of hostility to our interests. - That's such a good synopsis of the problems that we're gonna face, certainly for years to come. And I wanna pull on one thread that you just kind of touched on there, and that's around the global financial sector, understanding that a lot of this starts and stops with the financial sector. I mean, if we're talking about the massive threat to private enterprise that ransomware poses, as well as of course the espionage threats, but focusing, you know, mostly around either one of those types of threats, understanding that a lot of this starts and stops with the global financial sector, do major financial institutions really understand cyber risk? - What a question. Major global financial institutions tend to understand cyber risk as it affects themselves, but not as it affects anybody else. So if you look at the performance of financial institutions in protecting themselves from cyber risk, it's really good.
And my theory, shared by others, is that a principal reason for that, as well as being well-funded institutions that take cybersecurity seriously, is that the business model for major financial institutions incentivizes good cybersecurity. So you think back 30 years ago to the fall of Barings Bank in the UK, a huge insider trading job. What happens then? Basically everybody limits the amount of transactions and the amount of harm any one person can do through rogue trading. Then look at the problem of so-called fat finger trading, in other words, rogue trading by accident. The same thing. You then look at the financial crash and the post-crash regulatory environment, all about stress testing. All of this is brilliant for cybersecurity. So for example, if you work in a major investment bank in any sort of sensitive job where, you know, the things you do could cause major disruption or loss, you have to take two weeks off where you will be shut out of your system, and the purpose of that is that somebody has to cover your job. That is brilliant for cybersecurity, because what that means is, what essentially you're doing is take one rogue actor, it doesn't matter if they're an insider or outsider, it doesn't matter if they're acting deliberately or accidentally badly, and just cauterize the amount of damage one human being can do. And that's really, really good for cybersecurity, that resilience and so forth. And when you think about some of the major cyber hacks, you know, the Office of Personnel Management in the US, hackers sitting there copying data, using huge amounts of energy for 26 hours, and nobody notices. That probably can't happen in a major financial institution. And that's great, but of course, as you're saying, financial institutions sit at the heart of all these things. So are they doing much to incentivize good cybersecurity in others? Not really, not yet, and not their fault. It's not their particular job.
But, you know, the role of institutional investors, for example, has never acted as a force for good in cybersecurity as it has in, say, environmentalism, or in promoting better management of pension liabilities, and that sort of thing. And then the global financial system just hasn't got to grips with the movement of money and cybersecurity. And I'm not just talking about cryptocurrencies, although in the age of ransomware that's primarily the problem, but there are all sorts of, you know, money laundering aspects to the cybersecurity problem that we just haven't got to grips with yet in the way that we have in terrorism. - We've had MasterCard on the show before, and MasterCard lays out how they want to really own all of the digital crime aspect and really take that on as a challenge. And as a side note, they bought RiskRecon, as an example, that does a lot of third-party diligence. Do you feel that more global financial institutions need to have almost the same type of mantra that MasterCard has, where they're gonna not only care about themselves, but really kind of look outward and take to the forefront combating digital online crime? - Yes, and I don't wanna beat up on the financial sector. I think they've grasped this more seriously than pretty much any other sector I can think of. And if you look at things like online banking, even as simple as that, you know, the anti-fraud protection measures are another... Not to everyone's liking; some people find them unintuitive, some people still find them ineffective, but they are a lot better than, A, they were, and B, comparable measures in other sectors. I think that innovation that MasterCard are talking about with due diligence on third parties is another excellent example. I also think, by the way, that on both sides of the Atlantic and elsewhere, regulators have been reasonably clever in trying to incentivize things like that.
But there will always be things, whether it's, you know, the role of institutional investment, whether it's money laundering and so forth, where we'll need to do more. But I would never want a message to come out of this saying, you know, that I was berating the global financial sector. I think that in cybersecurity we'd be worse off if it hadn't been for the efforts of many financial institutions over the last sort of five to 10 years. And I would encourage them. And one of the interesting things I've noticed in dealing with the financial sector is that competitors are perfectly comfortable in each other's company talking about cybersecurity in a way that isn't always the case in other sectors. And I would encourage them to keep these forums open, to keep the information sharing and the combined capabilities going, perhaps to extend them more into some of the policy areas that you're talking about, because this is a shared and collective risk. I think one of the things that big finance gets that not all the other sectors get is that if one institution gets badly hit, either directly or through a third party, then it's primarily bad for that institution, but it's really bad for the sector as a whole and everybody in it as well. - Ciaran, thank you very much for your public service. Thank you for all that you do with Paladin, and thank you for your time today. - For the latest subject matter expertise around managed intelligence, please visit us at www.nisos.com. There we feature all the latest content from Nisos experts on solutions ranging from mitigating advanced cyber actors, combating disinformation, mitigating insider threats, and reducing threats around third-party risk management and mergers and acquisitions. A special thank you to all Nisos teammates who engage with clients and solve some of the world's most challenging security problems. Without the value the team provides day in, day out, this podcast would not be possible. Thank you for listening.