Thank you, Ada, and it's great to be here. It's great to see so many of you still here. I hope you're not just waiting for the beer, but that you've been interested in this great and sometimes very rich discussion that we've just experienced. We are probably going to go a little bit more practical at this level, simply because that is part of my background. I've spent the last 14, 15 years working on international security and internet governance issues and combining that with an InfoSec, cybersecurity practitioner's point of view. However, I also worked in the private sector. One of those stints was with the World Economic Forum, where I am now a recovering executive, as the saying goes. And I thought I'd share some of my experiences from that and also in between. But first of all, two apologies. First of all, I have a hacking cough, so it's quite possible that if I cough it will blow out the speaker.
So please don't be frightened. That means, however, that I will keep my presentation relatively short. I am also interested in hearing comments from all of you, because that is actually the reason why I'm here. And secondly, despite the fact that I'm speaking American English, I'm bilingual in German, I'm from Austria, and I'm absolutely open to having questions put to me in German. Some of this has been quite intense, I think, for non-fluent English speakers, and I completely appreciate it if you want to put your question or your comments in German as well. So I'm here to share some of my thoughts on one of the greatest mysteries of them all, and that is: how do you communicate with the board about cyber? Now, that is a really big mystery, and I'm sure we'll all be unlocking this for a while yet. But my one sole recommendation is quite simple.
Make the point that cyber is just not about security. It's much more than security. In a recent World Economic Forum Cybersecurity Outlook, which was run by a department that I used to head, 93% of the so-called cyber leaders had a strong or slightly strong opinion that in the next two years there would be a significant cyber incident, or actually a catastrophic cyber incident, due to geopolitics. This is a reflection of the world we're living in right now, and this is also something that's reflected in general business sentiment. Allianz also put out a poll not too long ago saying that of all the business risks that chief executives were worried about, cyber was still number one, sometimes tied with supply chain disruption, but still number one. And that is even though many of these chief executives probably don't really understand that much about cyber. So one of the things I want to communicate to you right now is how you can use geopolitics, your history of what's been happening in the cyber domain over the last 10, 15 years, and what role cyber crime plays, to communicate with your C-level and basically show that geopolitics is, at the moment, very often effectively run by cyber crime related trends.
So first of all, a disclaimer: we can't even agree on how to spell the word cybersecurity, so we shouldn't be surprised that we're not exactly clear what it means. You can write cybersecurity as a single word, you can write it as two separate words, and if you're not sure you can put a hyphen in between. I've actually seen government documents that use two different spellings. Why is this relevant? Because it shows how ambiguous everything is in cyberspace. Everyone knows how difficult it is to do attribution. We sometimes don't know whether we're dealing with state actors or non-state actors or something in between. And sometimes we also don't know what the purpose of an attack was. Was it espionage? Was it preparation for war? Was it information warfare? Everything is ambiguous in cyberspace, and therefore we should always approach every statement and every piece of terminology that we're dealing with with a bit of caution.
That also leads me to a reminder. Cyberspace used to be a concept of science fiction. It didn't really exist when I started in this business; it didn't officially exist at all. It has only existed since 2008, when the US Department of Defense effectively classified cyberspace as a real domain of action, equal to air, land, sea and space. Before that, if you wanted to talk about cyberspace, you had to talk about information networks or the internet, both of which of course don't really capture it. And the most important thing that came out of this discussion in the Department of Defense was how they saw the geography of cyberspace. And that geography of course starts with the basic physical layer of cyberspace, which is the routers, the cables, and where it physically exists. The level above it is the logic layer, which of course is the code.
The data layer is supported by the logic layer, and finally it all supports the social layer, what we all depend upon, the reason why all of this exists. Now, as a self-taught hacker from the nineties, and many of you as well, you really know that all of this is about effecting change in the social layer. The best hack for me is simply to say to you, to tell you what I want you to do, and you do it. If I have to tap a cable on the physical layer, or if I have to use a zero-day on the logic layer, or if I have to get you to divulge your password on the data layer, it's all a detour. The most effective hacks are always the ones that hit the social layer. And that is something that we, as technical people, sometimes tend to forget about.
Now, first some good news. The question is also: is your board ready? Now, most of you will probably be aware that there are some really big pieces of legislation that have not yet been enacted and are coming down the pipeline, which is also going to make our job hopefully a lot easier. The first of course is in the US, where the Securities and Exchange Commission has demanded that boards now effectively take responsibility for being aware not only of how cybersecurity risks are managed in their company, but also effectively show that they have the expertise to understand the data that's provided to them. Now, that's going to be interesting, right? For those of you who have dealt with larger companies and those boards, they have a lot to do. And being able to understand cybersecurity is not a job you can basically do on the side, but effectively this is what's now going to be expected from them: they have to prove, effectively in a disclosure form, that they've been adequately briefed on a regular basis.
And this is on top of all the other good stuff that was in this update of the SEC rule, which includes disclosures and other things which we've had in Europe for a while. Now, the most important thing is they have to really prove that they have adequate cyber expertise. Now, in the Network and Information Security Directive version two, which we are now also starting on, Article 20 does something similar: it directly refers to the need for boards to show that they, first of all, oversee the implementation of adequate cybersecurity risk management. They are responsible, they cannot outsource it three levels down the stack. They are personally responsible. And furthermore, they also have to show they have sufficient knowledge to be able to understand what they're being told about. These are both two kind of breakthrough concepts in what is known in English as duty of care, or Sorgfaltspflicht, and which effectively are going to change the equation in a big way.
Because two of the biggest problems I have experienced over the last 15 years are the outsourcing down and the ignoring of cybersecurity risk. It was too complicated. It was pushed out of the business in terms of insurance or contractors, or it was buried at the technical level, and now that's not going to be an option anymore, theoretically. Because, speaking about boards, there are a lot of great comments out there. For instance: "I told them to back up everything." That's great. Have you ever tried to recover from your backup at speed? Because that can be the real challenge. "There's no reason for anyone to attack us." Sure, but there's no reason to not attack you. The whole idea of a spray and pray attack is that it costs them nothing. So why shouldn't they? "If it's not broke, don't fix it." Cybersecurity is not a run-to-fail proposition.
If you fail, you're probably dead. So it's not necessarily a good way to operate, and you need to update this. "My guys have this great war game map, it has a pew-pew." And though you can see the cyber attacks incoming and outgoing, and that's really helpful for dealing with senior management sometimes, the question is: what do you do with that data? "And that is what insurance is for. And we are compliant, right?" Insurance has gone through a lot of different stages in the last 14 years I've been observing it, and right now we're at a very interesting stage. But I can tell you one thing: cyber insurance doesn't cover everything, and it still won't. And just being compliant does not necessarily mean you're going to be able to cover all the necessary risks out there, even though I actually think it's a very good development.
But most importantly, I think, is this statement: "We are not at war." And when I hear that statement, especially in the last couple of years, I think, right? I think this is where we have to start talking about geopolitics and understand why cyber is not necessarily just another business risk, as I've been hearing for a long time, but something very specific that plays a very specific role in the geopolitical landscape when we talk about war. What is your definition of war, do you think? War is the continuation of politics by other means. This of course is Clausewitz. It's the foundation of international law. We have war and not war, and there's nothing in between. So effectively, when we're at peace we have peaceful rules, and when we're at war we have international humanitarian law, we have the laws of armed conflict; there's nothing in between.
But there is, however, a different definition, and that is politics as the continuation of war by other means. This is very often ascribed to Lenin, and it is actually coming up to 100 years since he supposedly said this. And what is not an assumption is that this is a core part of doctrine in Marxist-Leninist thought, and in particular in military doctrine as well as security policy and international relations. Multiple generations of people in Russia and China have been taught to think of war as being a continuous state, that everything else is a distraction, and that all means are effectively plausible means or useful means for this. This is why, when you hear of such concepts as China's lawfare or similar, that is actually very much in line with a long-term idea that war is eternal, and any kind of idea that we have a peacetime and wartime situation just isn't accurate.
What is an act of war? What do you think defines one? In the United Nations and the international legal system that we basically live under, it's kind of clear: it's usually an armed assault, a use of force, that basically allows you to engage in self-defense. So in our case, I've spent 10 years effectively in the UN international cybersecurity discussions, and we are always talking about, of course, cyber war scenarios. The worst possible scenario is a blackout, or really bad blackouts, meaning that we either go back to the 1920s or the Iron Age, depending on how gloomy you are, right? So this is what the obsession of the West has been for about 15 years now, trying to make sure international law can deal with the consequences of cyber, and they treat it a little bit like it's a nuke. But that is not necessarily the only discussion there.
There is a whole bunch of people in part of the world that really see the threat as being information warfare, and that the absolute worst outcome is regime change. This very much relates to the previous comment that you saw, which is that war is eternal. And in that context, they see that this type of regime change operation is the number one threat that they need to guard against. And for instance, if you talk to Russian and Chinese cyber specialists, they will point back to, for instance, the picture on the right, which is Belgrade 2000, the democracy movement that got rid of Slobodan Milošević. That was the original sin from their point of view. From that point onwards, they contend, the West has been engaged in a process to overthrow their governments. The term "color revolutions," even just recently, is constantly used as a bad word in Russia and China, because they're convinced that rather than it being effectively a phenomenon related to democracy or an internal uprising, these are operations planned by foreign intelligence services to undermine them.
And don't forget, if they get undermined, it's very personal; they can end up being shot. So for them, regime change is something very personal indeed. And even though one can argue about how likely their interpretation is, that any of these movements are directly coordinated or even influenced by intelligence agencies, that's their stated fear and they do plan accordingly. What does it look like operationally? If you are trained as a traditional InfoSec person, or especially in the military, in the military intelligence environment, you're going to be well familiar with the document on the left. That's JP 3-13, Information Operations, which is effectively how, I can't really read it, can you? Which is effectively how information operations have been defined in the military since 1999. That's computer network operations, which has computer network attack, computer network exploitation, computer network defense. It's all nice and tidy, and it sits in an environment that effectively was defined by the US military in the nineties.
And all of us have learned in our ISO 27000 box that it is always about the data, always about protecting the confidentiality, the integrity, the availability of the data. Therefore, when we see an attack we're like, ooh, what do they want to do with this data? Which of the three attributes do they want to violate? However, there's a different way of viewing this, and that's to view the entire paradigm through that of psychological warfare. If you look on the right side of the map, you have a rendition of a philosophy called reflexive control, which is a military doctrine that has existed in Russia since the 1970s. And in this model, psychological operations are effectively the all-defining parameter. In the West, psychological operations are something that happens at the operational level in militaries; in Marxist-Leninist systems it's traditionally the most important parameter, and not a single operation at the top is planned without the psychological dimension having primacy.
And this is something that carries on at every level. And the concept of reflexive control means that it is all about information, and all activities, physical activities or otherwise, are captured as information packets. And the idea of an information packet is to get you, as the adversary, to effectively do what they want, preferably without you knowing it. In an ideal world, a reflexive control attack will allow you, or lead you, to lose a war without even knowing that a war has been declared. Now, this is just an example of what many people in China and Russia, especially those who were trained in the military and the government, will have effectively learned in their service. But it's something that we consistently forget about, because when we think about cyber attacks, we're always thinking about the data. Very often it's not the data. There are many cyber attacks that we've had, specifically significant ones against critical infrastructure, that have nothing to do with data. They're always about the political narrative.
If you want to have cheap, deniable cyber power, you need to have cyber crime. A NATO analyst told me this in 2008, and to this day I think it's probably the most succinct interpretation of why you would want to have cyber crime as an important component of your national cyber power. It does a lot of really good things for you. It effectively inflicts real economic pain on your adversary. We've now reached incredible numbers, which we'll talk about later on, but even in 2008 it was already pretty high. But it also distracts defenders, and that's great because it allows you effectively to use your state intrusion sets and go after the really important targets. It provides you with plausibly deniable cover; that's always been the main statement. It allows you to engage in intelligence, sabotage or preparation for war and all the while pretend that someone else is doing it, and especially to reject any type of mutual legal assistance treaty attempt to cooperate to take these people down.
It obviously provides logistics support for state operations. We all know how much of cyber crime is used by state actors in many different contexts. And finally, it can cause domestic political pressure, basically loss of confidence. In the US we've had a number of different incidents where data leaks have been traumatic enough that the political landscape was dominated by them for a couple of days. In the UK, for instance, the same thing is happening again. This might not change politics itself overnight, but what it does is slowly shift the argument, and this is not something new. There's a good report that I've referenced here, and there are many others, about the history of how Russian intelligence services work together with criminal actors. This has really been going on for quite a long time, and we'll talk about that in a second.
And most importantly, what it really is about is very often creating political pressure, or narratives, or pressure points, whatever you want to call it, for Western governments to do something in cyberspace. They sometimes have very specific objectives that they want to accomplish by these attacks going public. Again, they don't care about the data; they want the attack to be public. That's why ransomware exists. They want it to be destructive, they want to get a lot of attention, and they want things to happen as a result. And one of the things they want to change is specifically how the internet is managed. So the two big discussions on the international level that I've been following are in the field of internet governance, which is the management of internet resources, and international security, which is the war and peace component. Both of these are connected to a push by Russia since 1999, which is basically since the existence of ICANN, to effectively establish an international code of conduct for information security.
They, with a lot of other allies that are now basically collected in the BRICS group, want to change the internet from its present multi-stakeholder organized system, where government, the private sector and civil society basically work together, to one that is run by governments. And they do that particularly so they can guard against, in their mind, the threat of foreign information operations posing a threat to their rule. This has been a very, very obvious and sometimes clearly declared goal on the part of these governments for a long time. And actually, if you want to put it ethically, it is a legitimate goal. It just doesn't happen to be the goal that I personally share or want to see happen. But what it also means is that very often any type of crisis, destruction and unrest that is caused by cyber attacks feeds this narrative.
It feeds a narrative of: what is our government doing to keep us safe? Why does the internet run the way it does? The internet in fact is mostly run by the civil society groups at the center, which run the DNS and BGP, the protocols that make the whole thing work, and by the companies, which own 90% of the internet. Government can only listen in and blow things up; it doesn't really do very much there. So effectively, this is a model that they want to have changed, and they're spending a lot of time on it. Now, how does this relate to ransomware? Right. Well, I refer to ransomware simply because this is a continuation of something that's been going on for a very long time. I want to have a show of hands here from the group. Who remembers RBN? Only one person. I'll try again. Russian Business Network.
2, 3, 4, 5. Okay. GameOver Zeus? Yeah, I thought that'd be a bit more popular. So Russian Business Network, in 2006 to 2007, was the first, or the largest, cyber crime syndicate. They effectively invented the crime-as-a-service model. At one point they were responsible for 40 to 60% of all cyber crime worldwide. And they were the guys who effectively provided logistics for, and maybe executed, the famous 2007 attack against Estonia as well as the 2008 attack against Georgia. And this was always clearly part of a Russian intelligence operation or Russian government operation. There's plenty of evidence for that. Building off the spectacular results of effectively DDoS gangs and crime as a service, the journey continues. It went off into e-banking, GameOver Zeus and Slavik and the people who are associated with creating this malware and malware as a service. And it continues to this present day.
And the objective is, as I showed before, not only about simply encouraging a lot of people to be active in cybersecurity, but the objective is also to effectively cause unrest. And that is one thing that we have a responsibility in consistently calling out. WannaCry and NotPetya are two perfect examples of the third or fourth version of this. Let's just remind ourselves how this all started. First, what happened was EternalBlue. EternalBlue, which of course is an SMB exploit that was sometimes sold as an NSA exploit, was stolen and then released by the Shadow Brokers, which is now very clearly associated with Russian military intelligence, the GRU. They put it out there, saying, "Hey, you know guys, something's out there, you can use it." Nothing happened actually for the first couple of months, unfortunately. And actually it took about two or three years. So it was quite clear they put this out there, they hoped something was going to happen.
Not much happened; actually, it was even worse. These graphics are terrible. Oh, there you go. You can't really see it. But what actually happened is that the first intrusion sets that started to use the EternalBlue exploit were actually North Korean gangs operating in China. And they were basically using it in part to steal crypto, crypto cycles. So they were basically trying to mine cryptocurrency. They were using it in a way that was definitely not intended by the Shadow Brokers release. Which is why, after observing this in the InfoSec community for about two, three months, we were thinking, that's kind of interesting, why is this happening in China? So North Korean attributed groups working against China is not normally what's supposed to happen. They're supposed to be working out of China against the rest of the world, not against Chinese interests. That's a big no-no.
So then, very suddenly, when probably somebody realized this was going on, you suddenly had WannaCry. And WannaCry obviously was quite destructive. Everybody's familiar with the damage that the National Health Service in the UK supposedly suffered; I think that's probably even worse than was publicly reported. And of course then, even in Germany, Deutsche Bahn had a significant effect as well. But that still was kind of limited, because effectively, you know, there was a kill switch associated with WannaCry and it was called out. So moving on, something else happened afterwards, and that was NotPetya. And NotPetya is now also very clearly attributed to a government actor, and there was also very clearly no attempt whatsoever to make money from it. WannaCry kind of attempted to make money, but there was no real way to get any of the money.
I mean, it was quite clearly for nothing, right? It was really just there to show: "Hey, criminal syndicates, check this out. Isn't this a cool thing? Don't you want to pick it up?" Because nobody was biting, right? Everybody was making money doing something else. Why should they? So NotPetya tried to do the same thing again. Again, it had no real interest in trying to make money, but again it tried to show that it was something that was possible. Moving forward after NotPetya, we basically moved to the next stage. So NotPetya led to obviously a whole bunch of cyber crime gangs figuring out, hey, there's something here. Most of them were, funnily enough, Russian. And then the next big stage was attacking critical infrastructure: the Colonial Pipeline attack. 50% plus of the entire US Eastern seaboard fuel supply depended on Colonial Pipeline.
The attack was so effective that DarkSide, the Russian gang behind it, had to apologize and say, "Oops, sorry, didn't really want to do that that bad." But they set the general tone, right? Critical infrastructure is tasty; people will pay to get their stuff back. Colonial Pipeline paid four and a half million dollars to get their data back. And just ask Südwestfalen-IT right now; I mean, they're having a serious ransomware incident that they have to resolve, right? So critical infrastructure became again sold as, like, hey, this is maybe the target you really want to go after. And yeah, people did go after it. So what happened after the start of the Ukraine conflict? Europe gets hammered by ransomware. It's the number one target. Phishing attacks, which are still one of the most popular vectors for ransomware, are up 800%, let's quote, in one year only, right?
And 26% of the attacks that effectively hit, for instance, the German internet space are probably ransomware attacks. Now, that is actually the highest rate overall of InfoSec incidents worldwide. So this again shows you that there is a particular interest in targeting Europe with ransomware. Ransomware is only part of the total cybercrime costs, but those costs are really kind of ridiculous. We're now reaching numbers of $15 trillion to the global economy. I mean, $15 trillion is just a staggering, staggering sum, right? And that is something which effectively we have to deal with. So I'm running out of time, so I'm going to effectively come to the conclusion of my piece, which is effectively that ransomware has one great advantage going for it: it's easy to communicate to decision makers. Everybody has heard about ransomware.
It might not be the most costly of all cyber attacks we're dealing with, but everyone's dealing with it. Cyber Command was literally attacking ransomware gangs, REvil for instance; the White House issued statements again a couple of days ago. When Hive gets taken down, it's in the national news. So this is a great, great narrative device to help you communicate with boards about how geopolitical the cyber crime space is, because they've heard of ransomware and they know it's destructive. Why? Because people want them to. So this is my final slide, because: is it possible to stay safe between the cyber front lines? No, not really. All you can do is try your best on the battlefield, because everyone here is basically on the battlefield. There is no in-between the front lines here. So these are a couple of my favorite simple ones, the famous five, to steal from Microsoft.
I believe in zero trust. It's the easiest thing to do, obviously, but try to be agile and have defense in depth. Most small and medium enterprises are the main target for ransomware; very large companies usually can deal with it quite well, they have defense in depth. Smaller enterprises are going to be limited to zero trust models, which obviously use least privilege and similar principles to defend themselves. You need to be agile; you need to basically tell your board you're going to have to change the rules, you're going to have to change them, especially privilege rules, to deal with certain scenarios. You should prepare against becoming collateral damage in this conflict. Cloud service providers, managed service providers, third-party tools, in particular software: they're all going to be targets, and they always are targets. Putting everything in the cloud doesn't help you, especially if that cloud is going to be the target of a different cyber war attack.
Of course you still want to use the cloud, but you need to know how to use it properly. Sometimes you can set zones, sometimes you're able to do other kinds of contingency, but be aware that there are a lot of different ways to become collateral damage in this space. Revisit your business continuity management and disaster recovery posture. In a nutshell, I'm a complete believer in the 3-2-1 rule. You should always have three different copies of your data, two of them should be on different types of media, and at least one of them should be offsite. If you keep it all offsite, you're asking for trouble. You should create digital slack in your organization and have pre-agreed authorities ready. Digital slack: slack is a term in resilience, and the German climbers among you will know it. It's effectively something that allows you to deal with too much tension in the system.
So it means you have redundancy built in and you also have pre-agreed authorities ready to go in a crisis. Creating digital slack is one of the biggest challenges for larger companies. Concentrate on resilience, and finally, incorporate cyber expertise on the board. This is really something that is now practically mandated in the United States and in Europe, but it still needs to happen. And that means not only having effectively a guest speaker come by, but it also means that CISOs really need to live up to the name. And as we've heard already a couple of times today, CISOs are very often buried quite far down the stack. And that can only change. It means either CISOs are a guest on the board at regular intervals, or you have regular exercises on the board. There are many different ways to do this, but you have to have cyber expertise on the board so the board feels comfortable in calling up its expertise.
And trust me, if that happens, the discussion will change, because most of the cyber leaders out there, companies that have a lot of experience in cybersecurity, are aware that this is not just a normal risk and we need all the help we can get in dealing with it. Because one of the great comments I heard today from Carol beforehand was that this is really about free societies, and fundamentally the political component of all this is immutable, and we need all the help we can get. So good luck to us all, and unfortunately, we're out of time for questions as far as I can tell. Thank you.
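The 3-2-1 backup rule and the "have you ever tried to recover from your backup at speed?" question from the talk, as an added worked example that is not part of the speaker's material: a small Python audit helper that takes an inventory of backup copies, reports which parts of 3-2-1 a plan violates (three copies, two media types, one offsite, and the speaker's warning about keeping everything offsite), and then estimates whether the fastest copy can be restored inside a recovery time objective. It goes one step beyond the talk's three numbers by also flagging a plan with no immutable copy, which is my own addition and an assumption about what a ransomware-era board briefing should cover. The dataclass, the sample plans, the throughput figures and the 10 TB dataset size are all constructed for this example.

```python
"""3-2-1 backup policy check with a restore-time estimate.

Added example, not from the talk: audits a constructed backup inventory
against the 3-2-1 rule and estimates restore time against an RTO.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str           # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool      # cannot be altered or deleted by a compromised admin
    restore_mbps: float  # measured (not advertised) restore throughput, Mbit/s


def check_3_2_1(copies):
    """Return short problem codes for a plan; an empty list means it passes."""
    problems = []
    if len(copies) < 3:
        problems.append("too_few_copies")
    if len({c.media for c in copies}) < 2:
        problems.append("single_media_type")
    if not any(c.offsite for c in copies):
        problems.append("no_offsite_copy")
    if copies and all(c.offsite for c in copies):
        # The talk's warning: all copies offsite makes fast local restore hard.
        problems.append("no_onsite_copy")
    if not any(c.immutable for c in copies):
        # Beyond 3-2-1 (my assumption): ransomware deletes reachable backups.
        problems.append("no_immutable_copy")
    return problems


def restore_hours(copy, dataset_gb):
    """Hours to pull dataset_gb (decimal GB) through copy.restore_mbps."""
    return dataset_gb * 8_000 / copy.restore_mbps / 3_600


def fastest_restore(copies, dataset_gb, rto_hours):
    """Pick the copy with the shortest restore and report whether it meets the RTO."""
    best = min(copies, key=lambda c: restore_hours(c, dataset_gb))
    hours = restore_hours(best, dataset_gb)
    return best.name, hours, hours <= rto_hours


# Constructed sample plans (names and numbers are made up for the example).
GOOD_PLAN = [
    BackupCopy("nas-snapshots", "disk", offsite=False, immutable=False, restore_mbps=1000),
    BackupCopy("tape-vault", "tape", offsite=True, immutable=True, restore_mbps=400),
    BackupCopy("object-lock-bucket", "object-storage", offsite=True, immutable=True, restore_mbps=200),
]
CLOUD_ONLY_PLAN = [
    BackupCopy("bucket-a", "object-storage", offsite=True, immutable=False, restore_mbps=200),
    BackupCopy("bucket-b", "object-storage", offsite=True, immutable=False, restore_mbps=200),
    BackupCopy("bucket-c", "object-storage", offsite=True, immutable=False, restore_mbps=200),
]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("cloud-only", CLOUD_ONLY_PLAN)):
        print(label, check_3_2_1(plan) or "passes 3-2-1")
        name, hours, ok = fastest_restore(plan, dataset_gb=10_000, rto_hours=24)
        print(f"  fastest restore: {name} in {hours:.1f} h, meets 24 h RTO: {ok}")
```

The point of the restore estimate is the one the speaker makes to boards: a plan that passes 3-2-1 on paper can still miss a 24-hour RTO if the only copies sit behind a 200 Mbit/s link, so the throughput figures fed in should come from a real restore drill, not from a vendor sheet.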