KBKAST
Episode 337 Deep Dive: Christine Gadsby | Why Mobile Espionage is a Critical National Security Threat to Australia and Globally
First Aired: October 08, 2025

In this episode, we sit down with Christine Gadsby, Chief Security Advisor at BlackBerry, as she explores why mobile espionage has become a critical national security threat in Australia and globally. Christine unpacks the mounting risks posed by outdated telco infrastructure, the vulnerability of mobile communications, and the rapid evolution of attacker tactics—fueled by AI, automation, and the expansive attack surface created by free messaging apps. She highlights the real-world impact of scams, cultural differences in social engineering, and the challenges faced by both consumers and organizations in protecting sensitive information.

With over 20 years of experience in mobile and information security, Christine is known for her strategic vision and leadership skills, with a proven track record of developing and implementing robust strategies that protect organizations from evolving risks and digital threats – particularly in the areas of communications security and critical event management.
Gadsby is a visionary who helped pioneer secure software supply chain efforts and SDLC capabilities influencing industry and government-driven security frameworks in use by the world’s most security-conscious industries.

She is a sought-after panelist, moderator, and keynote speaker with several awards for challenging security mindsets and leading diversity efforts, including Cybersecurity Woman of the Year, Power 100 Women in Security, and Top 10 Women Leading Cybersecurity. She is a well-known contributor to RSA, CES, and Black Hat, and has been quoted in notable media outlets including Fox News, CBS, Yahoo, MSN, CSO Magazine, CyberScoop, and Dark Reading.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Christine Gadsby [00:00:00]:
I think the industry as a whole, with the $1.3 trillion target on its back, is going to see a lot. I expect to see some fireworks, more automation and a lot more attack surface with AI government information colliding with other government information and secrets being let out that shouldn’t. On the people front, you’re going to see a lot more sophistication and speed. A lot of these things are going to become quicker, faster, cheaper, smarter for the attacker, and they’re going to get their hands on a lot more data.

Karissa Breen [00:00:48]:
Joining me now is Christine Gadsby, chief security advisor at BlackBerry. And today we’re discussing why mobile espionage is a critical national security threat in Australia as well as globally. So, Christine, thanks for joining me and welcome.

Christine Gadsby [00:01:01]:
Hey, thanks for having me.

Karissa Breen [00:01:03]:
Okay, so let’s sort of set the scene a little bit here, Christine. Mike Burgess, who’s the Director General of Security in Australia in the Institute of Criminology, reports a conservative yearly loss to espionage at 12.5 billion Australian dollars, which most would assume is attributed to organized cybercrime. And although using mobile and online tactics like romance scams, fake investments that we’ve seen, et cetera, it’s driving dramatic growth. So I really want to walk through some of your thoughts. What’s coming up in your, in your mind when I ask you this question?

Christine Gadsby [00:01:38]:
So, first off, I mean, he was spot on. Nation states are spying and doing lots of, of crazy things at unprecedented levels, with unprecedented sophistication. He also warned that ASIO is seeing more Australians targeted more aggressively, really, than ever we’ve seen before. But the important thing to note here is modern espionage, kind of as you and I have known it in the past, it really no longer needs that, you know, mole in the room or, you know, we see in the movies the bad guy with the briefcase, you know, changing hands on a park bench with a parka, you know, over his face. That’s no longer how we do espionage. Now you just need a phone with some free messaging apps that, you know, are leaking your metadata in an unsecured environment. But I guess, more importantly, you asked kind of why this is happening. Mobile communications are opportunistically currently one of the weakest links and kind of a gold mine for an attacker, if you think about it.

Christine Gadsby [00:02:39]:
We have a combination of many incredible things happening in the global audience right now, and that is, you have telco networks themselves. Think about all that technology that we use to connect a mobile cell phone call with. If I call you and you’re in Australia, think about the path that call takes one device to another. All of that infrastructure and technology is really old. So when you think about what’s worse there is you have areas of the globe that are still really dependent on not only that outdated technology, but also we’re still on 2 and 3G networks. So you have kind of this combination of insecurity connected to insecurity connected to insecurity. And that infrastructure itself is so old, some of it’s unpatchable. So in the security industry, as security practitioners, we know where vulnerabilities are being exploited.

Christine Gadsby [00:03:33]:
And if you think about that, it’s sort of like your laptop or your computer. When you get a, you know, an update for something that has all those security fixes, when you make a phone call, those updates sometimes aren’t possible for parts of the infrastructure, and those are known to be exploitable. So you’ve got this group of sophisticated attackers, they know how to exploit this technology and there’s no way to fix it. So many in the industry, including governments, respected security researchers, we all are having these conversations where we admit it’s just not fixable, which is kind of scary when you think about it, right? So you’ve got this system on how we connect and you’ve got it under attack. And then you add on top of that, really this new espionage kind of gold mine of attackers running businesses. You know, they are after making money, they don’t do this for nothing. And they’re using a combination of that and the fact that we’ve got a lot of these consumer applications being used for government, business, you know, sensitive conversations, business communications with attachments going back and forth and high value targets. And the user’s metadata in those conversations, it’s constantly exposed, it’s being mined by AI.

Christine Gadsby [00:04:41]:
So you add in kind of the top layer of this, you know, criminal ice cream sundae if you wish. The cherry on the top is now we have AI, which is, you know, making it just really easy for a criminal really to harness that data and use it for all of the things that they can. And it’s kind of an arms race at that point. Users don’t control their data because that’s how the free apps are making money. And that’s kind of the last thing we. Two more things we have to remember in this paradigm is those free messaging apps are making money off of you, you are the money. Your information is what they’re selling, and so it’s publicly available. And then you have on.

Christine Gadsby [00:05:16]:
The last thing here is just human error. We saw that here in the US where, you know, we had what was called Signalgate, where, you know, human actually just made a mistake, which, of course, we all do. So, you know, the cyber threat from this, the scope and sophistication, I guess, is increasingly becoming sort of easier for the target, for a criminal. A lot harder for you and I to really deal with those. Those big campaigns that are hitting Asia, South Korea, Japan, and Australia, of course.

Karissa Breen [00:05:45]:
Okay, so this is really interesting. I want to get into this a bit more so. Because I love the way you’re explaining it. Now, going back to the start of the interview, you were saying that, you know, more Australians are, like, targeted. Why do you think that’s the case?

Christine Gadsby [00:05:58]:
Well, I think, you know, we have to go back again to how industrialized really this is becoming for the attackers. Phones are now the center of daily life for Australians and the globe, but there are enough vulnerabilities in. In that attack surface where these exploits are kind of known. And again, those unfixable things become the easy targets. So where Australians bank and work and socialize, all of those things become sort of the perfect target. And what this really just means is those criminal groups are taking advantage of those new capabilities and again, you know, taking advantage of AI. We know that AI has brought this really different dynamic, and including Australia, which is attackers are able to impersonate people and change behavior that you wouldn’t normally worry about as an Australian citizen. As a mom, I know not to send money to someone I don’t know, but if my daughter texted me and needed something, you know, my.

Christine Gadsby [00:06:54]:
My guard is down as a human. Right. So criminals are just using that AI to prey on human weak spots. Your empathy. And of course, the same is true for the business world. In Australia, criminals are impersonating, you know, CEOs, and then they’re preying on the loyal employee to do what their boss says, which, you know, again, they’re just taking advantage of that empathetic person or the loyal person, and they’re using these mobile devices to carry out these attacks. It’s crazy. I mean, you know, the Australian region isn’t alone in this, but they absolutely are each in their own.

Karissa Breen [00:07:26]:
So would you say that perhaps people in the US market, North America market, a bit more skeptical of those things? If we’re saying that there’s definitely an increase in Asia Pacific and Japan.

Christine Gadsby [00:07:36]:
I think the US has been dealing with it maybe just a little bit longer and are becoming, I guess, more immune to it. I mean, if you think about this, like for example, you have here in the States, I don’t know if Australia has this or not, but here in the States we have all of these targeted sort of attack services which are a text that is saying respond or it’s “hi” and it’s just empty, or it’s, you know, hey, we were supposed to meet at 6 and you didn’t show up. Really what that attacker is trying to elicit is any response. They’re just trying to see if the number is, you know, if there’s a human on the other side. And so I think you have a lot of fatigue here in the US with that because I think that’s how it started to roll out and how that’s rolling out in other areas of the globe. It’s just a little bit newer. And so I think there’s a lot of, there’s a learning curve that kind of has to happen, I think as we grow immune to attackers. But you know, they always have the upper hand too.

Christine Gadsby [00:08:27]:
There’s just kind of a new campaign they’re going to start or a new way of doing it. And that’s kind of a problem too. There’s a pig butchering scam that are kind of stark examples of this, where the victims, quote, unquote, are being fattened up with fake relationships and gains before being financially kind of slaughtered, quote, unquote. That’s kind of how that is. And attackers are really smart and they’ll take advantage of culture. So the differences too from the US and places like the ASEAN region and Australia is that the culture here is different than it is there. And attackers really learn the area and the people and know what Australians might respond to versus what again, what US people have grown, have grown accustomed to and sort of immune. And those are statistics that are run by these criminal organizations.

Christine Gadsby [00:09:11]:
So if one type of attack in the US started out as getting an 80% response and now it’s, you know, a year later down to a 10% response, they won’t use it anymore, but then they know that’s a good one and maybe they’ll tweak it a little bit for culture in Australia and then take it there. So it really is a really thoughtful business.

Karissa Breen [00:09:28]:
Unfortunately, the other interesting thing is now I’m going to show you, and obviously living in the U.S. I got a U.S. number now and someone called me the other day and it had like scam call. You don’t get that in Australia. So it’s like automatically I was on the back foot. I’m thinking like, who’s calling me up? I don’t know that many people yet for my phone to ring all day. But that was something that I noticed, which was different. In Australia you get scam calls all the time, but it doesn’t tell you.

Karissa Breen [00:09:51]:
So that was something that I thought coming here automatically. I just screened the call. So I think that there are some more nuanced things as an Australian living in the US that I’m starting to notice that they don’t have in Australia, which is probably case in point to a lot of things that you’re talking about today, Christine.

Christine Gadsby [00:10:08]:
Yeah, and that’s a fair point. You and I are both reliant on a lot of infrastructure. Again, going back to just the basic connection of a mobile call. It’s got to connect so many different places and you’re going from telco to telco to telco. And if you call me and you’re in Florida and you know I’m in Texas, that isn’t the same call route. Obviously if you’re in Australia and I’m in Texas, that it’s going to take. But what you’re talking about is you’re dependent also on carriers and, and their involvement in how they’re going to protect you from these calls. I also have that screening available to me where I can also set thresholds of what I’m willing to accept or not.

Christine Gadsby [00:10:48]:
I have mine set really high. All of mine are declined if I don’t know who the caller is. And in other parts of the world, again, not only are they dependent on sometimes 2 and 3G technology and these outdated infrastructure that we know is exploitable, but then they don’t have the sophistication at the carrier level either, or the government requirement for the carriers frameworks and dependability on us to regulate this kind of stuff. It absolutely kind of a needed thing.

Karissa Breen [00:11:15]:
And this is where it gets interesting. So I’ve had a couple of interviews with your colleague David Wiseman in the past and we’ve spoken a lot about mobile carriers or telcos more specifically. So you know how you’re mentioning before Christine, like it’s really old and it’s outdated infrastructure and it’s insecurity with insecurity and it just, it’s spiraling. Is anyone sort of sitting back? I mean, obviously you are, but anyone in these telcos sitting back going, you know, we really need to think about if Christine’s calling me from Texas into Australia and how does that route look like? It’s obviously going to be really outdated, really old school. Are people having these conversations? Because again, maybe there’s less, there’s more of a reluctance because you put more money into it and you know, businesses are businesses. No one wants to invest money.

Christine Gadsby [00:12:00]:
They don’t have to.

Karissa Breen [00:12:02]:
But again, to your point, do you think anyone’s really sitting there at night going, hmm, I’ve really got to think about the infrastructure in our, in our telco world.

Christine Gadsby [00:12:11]:
Yeah, this is such a great question. So to answer your first question, yes, the conversations are happening. Even someone like myself, I am very close to a lot of these telcos, obviously BlackBerry. We’ve been doing this for 40 years and you know, we are very used to working with telcos from back when we had and carriers from back when we had handsets. There’s deep, deep, deep relationships there. Again, including myself, we absolutely have these conversations. There’s a few challenges though in that even, you know, if I were to go to my carrier, for example, on who my cell phone routes through, they don’t own all of that. They’re one cog in the wheel.

Christine Gadsby [00:12:47]:
So they own maybe like if, if I make a call or send a text or communicate on my mobile device. If you think about it this way, inside a handset, a phone, it’s probably 200 different vendors, products in there, right. It’s crazy. You have a supply chain that is really long, right. So you think about a phone call being made, it’s the same thing. So while your carrier might own out of that, let’s say it’s 500 steps, the carrier might only own 15 of those. And so really, you know, while they can go and say, hey, this is broken, they might only have the power to fix 10 things out of a hundred. It’s not one issue, it’s a lot of issues because all the infrastructure, shared infrastructure.

Christine Gadsby [00:13:30]:
Right. It’s not just the bigger carriers, I think though they do do a lot and they are doing a lot, like you said, on the front end of how to help consumers protect themselves. That is the one thing on the global stage I would like to see more of as a shared responsibility and a shared, almost governance task is how are we looking to protect consumers as a global audience rather than a one carrier doing one thing and one doing something else.

Karissa Breen [00:13:56]:
So then I want to move on to sort of the behavior. So as you sort of mentioned before as well, like people are on our phones, I don’t know about you, but I get the notification every Sunday around. How long you been on your phone this week, Karissa? And it’s a lot when I think about it. Apparently it’s, it’s less than the average person on their phone. I think it’s like seven, seven or eight hours a day and there’s only 24 hours in a day. So that’s quite a long time. That could almost supersede. So do you think that in your experience, given your role at BlackBerry, but also your pedigree in this space, are phones just something that’s just been relegated? Everyone’s talking about, oh, the endpoint, the machine, the laptop, like everyone’s talking about that.

Karissa Breen [00:14:32]:
But even running this podcast of 350 plus interviews that I’ve conducted just on the show alone, haven’t had a lot of people really talk about mobiles and the safety around that. Is it something that just gets relegated, would you say? Or where is people’s minds at with this?

Christine Gadsby [00:14:48]:
That’s an amazing point. And you’re right. And this really is the, is the sort of the crux of why we’re here. I think as an industry, we have gone so fast and furious from being on our laptops all the, you know, all the time to the majority of the things we do are now on our phones. That’s a big difference. And that, you know, we saw a lot of that shift, I think during sort of the pandemic when people were starting to have to be remote and people started to work from everywhere. We saw a lot of that shift then. But really what is happening is exactly that you have in a rich attack surface from a lot of attackers taking advantage of a shifting industry and shifting technology that doesn’t scale to what it was meant for.

Christine Gadsby [00:15:31]:
Right. I mean, we weren’t in the beginning of when we thought about how we used our phones and how this infrastructure was set up. I don’t think anybody really thought we would be here doing these things from this device in our hand. And so it wasn’t built to scale that way. So you’re correct in that we are facing that is the challenge. And what is the answer to that? Well, I mean, my gosh, there’s so many things we can talk about about behavior and things that we know and things that we do. But I know that we won’t be able to really deal with the criminal part of this and how, how we allow criminals to access this until we talk about the behavior. So if I’m a, I’m a mom and if I’m doing this today and I’m calling my daughter, I’m texting my daughter and I’m asking her to stop and pick up a loaf of bread on the way home.

Christine Gadsby [00:16:21]:
And she’s 18, she drives great, that’s a conversation that I’m not concerned about. However, if I am a highly, you know, risk government, that’s a different conversation. And if we handle those and treat those the same, as far as a privacy and a security realm, we’re doing it wrong. And that’s where I really see the need to shift the behavior away, is really to identify that your mobile device is an attack surface. And I think that, that the user, whether or not they’re an employee or a government person, or you or me or mom, when we open our laptop we think about that endpoint protection. It’s like you always are going to run like what we call quote unquote antivirus stuff, which I mean, you know, different things to you, to me. But we don’t think about that on our phones. And that’s really where we have to start forcing that behavior change because again, no matter what the risk is in your using your mobile device, it is absolutely there.

Christine Gadsby [00:17:18]:
And attackers are taking it’s becoming the more of a gold mine and low hanging fruit than now laptops are. So because, you know, attackers are taking advantage of the fact that we aren’t thinking about it. So I think it is that behavior shift that really needs to happen.

Karissa Breen [00:17:32]:
And then just to sort of extend this even more, I mean I’ve spoken to people even when I’ve worked at large corporations in the past, it’s like, okay, well here’s your work phone and it’s super restricted. You got two apps on there or you’re running some form of MDM, but it’s just super slow. Right? So what happens when it’s slow? People forgo it? They go back to their personal handset?

Christine Gadsby [00:17:51]:
Yep, absolutely, 100%. And that is a challenge as old as time is that if security hinders performance and efficiency, it will be bypassed. I mean, how many times you’ve been in your laptop and had to turn something off because it’s doing the same thing. So I think it’s really, really, really, really critical again to take a step back and shift the mindset to productivity with security, something BlackBerry’s talked about forever. You know, we’ve always had to build in our security into being productive because we support the most security conscious governments and companies in the world and they have to do work. So that is a big deal. But again, understanding that the tolerance levels for risk at some point have to be in a good place and understanding where sovereignty and resilience needs to come into play there.

Karissa Breen [00:18:36]:
So then just talking about a little bit more, I think I randomly got a text. I don’t know whether it’s on my. Because I run a dual sim, whether it’s on my Australian line or us. Anyway, obviously it was some form of a scam. So I responded back saying, like, yes, I didn’t get a response, but I know it’s more just around, you know, trying to solicit some type of response to see, hey, is this person a target or not? But do you think going back to the mindset, like, people think, hmm, I’m going to wake up, I’m going to go, my phone because I’m traveling today could get scammed? Do you think that people have that in their mind or do they not think that this device potentially has so many issues attached to it? But again, we’ve sort of just grown up with like, these devices literally being beside our bed every day. So it’s sort of like, oh, it’s. It’s something that isn’t going to be impacted by scammers. How does that mindset sort of go?

Christine Gadsby [00:19:30]:
So I don’t think that people actually wake up in the morning and grab their device on their nightstand and really think to themselves, like, what kind of message is. What kind of messages am I sending right when I wake up? And it is a valuable point I think we should talk about, which is a little bit of the metadata that actually leaves the device every time you do that. So free messaging applications, and this is a known thing. It’s not a secret. This is what I don’t think people are thinking about. I want to walk through some of the data that’s actually leaving the handset when you have those types of conversation. So when you use any kind of consumer messaging app, where again, you are the profit. Your account information, your phone number, your profile name and your photo, your device information, you know, the model and the operating system you’re using, along with your usage data, the last time you were seen, the messaging timestamps and the frequency and duration of how long you use that application, more importantly, your connection data.

Christine Gadsby [00:20:28]:
So your IP address, who your carrier is, your connection type and your contact list, your group messages, who you communicate with, how often, all of that kind of stuff, your location data and thumbnail previews of files you send are all out for everybody to see. None of that stuff is yours. It is being bought and sold and traded and used by criminals to know where you are and know how to pursue you. Really that drives into the culture of an attacker if they know your location and they know where you’ve been and they know you go to. And we see this in high value targets. So this is where the, the big government and the espionage comes in is, is if an attacker can tell where a really important person is having coffee every day at 4, there’s a lot of information that and who they’re talking to every day at 6:00, that kind of opens the door for a lot of attack surface. Now you and I, you know, as again, I’m a mom, maybe I’m not that high value target, but I am the high value target for scams. It’s just how the attacker is going to make money.

Christine Gadsby [00:21:33]:
All of this kind of stuff just points to that open attack surface. And this is on the behavior side where people just don’t think about that when they wake up in the morning. It’s like, hey, I’m going to send this message. Somebody could be seeing who I’m communicating to is not the first thought most people probably have when they wake up in the morning. Maybe it’s mine, but, but for the majority of it, I don’t think most people are thinking about that.

Karissa Breen [00:21:54]:
That’s valid. Christine. However, shouldn’t the owners be, you know, if we look at WhatsApp, so Meta owns WhatsApp, so would it be that, well, what are they doing about it? Where’s their privacy sort of stance, do you think? Where’s that conversation going on that front?

Christine Gadsby [00:22:08]:
Well, I mean, great point. And that’s how they make money. You’ve got this behind the scenes sort of discussion that, that I think a lot of security professionals have with a lot of governments and a lot of entities and that how do we regulate that? But the reality is this is how these companies make money. It’s you. So you know, until we can regulate that, it’s going to be a losing battle. I mean they’re not going to regulate themselves. It’s how they make money. So this is the point on the secure communication side is you really have to understand what conversations are okay for that type of audience and then what aren’t.

Christine Gadsby [00:22:42]:
You’re a high valued target government, highly regulated business bank or whatever. You shouldn’t be having those conversations on those apps, knowing those facts.

Karissa Breen [00:22:51]:
So going back to Meta for a moment before we move on, would you. And yes, that’s how they make money. Would you say as well that going to criminals? Obviously Meta isn’t selling this data to criminals, they’re selling it to retailers and getting information. This is maybe data they can collect on building reports for certain industries or whatever it may be. But are they cognizant that this is getting into the hands of criminals, which is then used to scam like our society, their citizens, our people?

Christine Gadsby [00:23:21]:
I think we have to think about the chain of that and how that happens. So you’re correct in that I don’t believe any of these companies knowingly just say, okay, yeah, we’re going to go sell all your information to criminals. That would be terrible. But they do sell them to advertising agencies. And have you ever gotten one of those letters in the mail that says, you know, your company that you did business with was breached and all the records are now for sale on the Dark Web? This is kind of the same thing. You know, if Meta’s selling it to A plus businesses who aren’t doing their security homework and their security hygiene, and that company gets breached because an attacker says, oh, I know this is a main consumer of, of this data and I want that data. They’re not going to go through Meta, they’re going to go through these third party agencies that are purchasing the data and they’re going to breach them and then steal it. So that happens all the time.

Christine Gadsby [00:24:05]:
We know that. So I don’t really think it’s not. That problem in itself is a tough one to solve in that, you know, you’re really, you’re really up against an entire army of attackers knowing where they can get this data and then they sell it between themselves. Right? This is where you hear the terms of like the Dark Web and, and hosting all these data. There’s tons of spots for them to house and resell the data that they were able to steal for pennies on the dollar. But we know that’s true for credit card information and personal identification information and phone numbers. And again, at the end of this attack chain, that’s why you’re getting the text messages, because some attacker was able to buy your phone number off of a list of available phone numbers. And now they’re testing you out.

Christine Gadsby [00:24:48]:
And you mentioned before that you know, you replied to a message before that is the case. Sometimes you won’t hear back because they’re just trying to verify you are in fact a number worth paying for. You will respond.

Karissa Breen [00:25:00]:
So they’re moving on to the behavior of certain things that should be sort of on perhaps like consumer messaging apps versus More secured environment. It’s hard, though. And look, I’ve spoken to your colleague about this before, David. The. It blurs the lines. Like, often a lot of people message me on WhatsApp, because now it’s like, hey, KB, are you in Australia? Are you in the US which phone should I message you on, considering you have two numbers now? I don’t know, but I’ve only got Chris’s personal Australian phone number, so maybe I’ll just message her that way. And I need to get to her because it’s. I don’t know what time of the day it is, or she travels all around the world and then sometimes it’s like, okay, so it’s.

Karissa Breen [00:25:36]:
Is this person messaging me for work? Kind of, yeah. But then it kind of talks about, hey, how was your moved over to the US So it’s kind of like, at what point is it like, all right, now we need to change because we’re sort of now getting outside of, you know, personal sort of stuff and moving more towards work sort of things. How do people make that demarcation and sort of cut the conversation, move elsewhere?

Christine Gadsby [00:25:59]:
Yeah, that’s also a great question. And I think we have to remember that free messaging apps will always have a place because they’re convenient, they’re available, and they’re global. I can download one and communicate with you, like you just said, on the other side of the world for anything. So they’re common and that they’re great because they’ve done a lot of, you know, there’s a lot of parts of society that they’ve done good. Think of all the parts of the world that wouldn’t be connected if we didn’t have access to this type of technology. So it’s not a bad thing for everybody. However, they’re not the place for sensitive government communications or infrastructure type of safety communications because they lack certified encryption, administrative control, again, control over that metadata, and then protecting against disclosure of that metadata. So I think if you can just.

Christine Gadsby [00:26:45]:
The behavior part of it is more like if you’re communicating with somebody that you don’t mind knowing, I mean, know that that metadata is out there and exists, then that’s okay. And is that an okay decision to make? Of course it is. However, if you are, you know, a government entity talking about sensitive conversations, or you’re a CEO or someone that works in a corporation where you’re talking about the earnings report that’s coming out, you know, two days or whatever, not the place to be having those conversations. So I think it really is a behavior choice of knowing there are two ways to communicate on a mobile device and, and just accepting at the fact that if you’re going to use the first way that your stuff’s not private.

Karissa Breen [00:27:25]:
So, Christine, I want to ask more of a rudimentary question. So if you are a CEO of like a large corporation, like, you’re not an idiot, right? You didn’t get there. Like you’re smart, you’re educated, like you understand how things work. But is the behavior in terms of messaging or consumer messaging applications spoiled that far out of control? The people at that level aren’t even thinking, oh, you know, probably not just going to WhatsApp someone about like my company earnings for the year was such a good question.

Christine Gadsby [00:27:54]:
So I think we need to take one step back before we answer that question and think about this. Just as a business. Global losses hit US$1.3 trillion in 2024 from this. And in Southeast Asia alone, just alone in Southeast Asia, these losses reached 2023 to 35 billion or so, depending on who you ask. So this is big business. Second thing you have to remember is cultural differences. We talked a little bit about this, but remember in places like Asia, and I’ve recently had fascinating conversations when I was traveling in parts of Asia about this. You have really, really, really strict leadership roles where they are answering these questions because culturally it would be a different problem for them if they didn’t answer them.

Christine Gadsby [00:28:45]:
In the US. So in the US it’s, you know, acceptable to be skeptical. In parts of Asia, it’s not at all you. It’s the cultural alignment is you answer questions because it’s an authority figure versus in the US you can just choose to say no. So I think criminals know all of this. They’re very, very, very good at being really intentional. Then the third thing we’re going to add on to this sort of this ice cream sundae is AI. So what we what is new to this ice cream sundae is the ability for attackers to use AI to generate something that is so real and so close to being, to being authentic that it’s really a hard judgment call. And again, when they have all this metadata, they have all of that feeding this AI, so they know where you were on Saturday that you know who you’re talking to.

Christine Gadsby [00:29:35]:
And so if they need to try and associate themselves with the CEO, the CEO’s got earnings tomorrow. And the CFO, he’s waiting for him to call at 4 o’clock because the attacker knows he always calls at 4 o’clock. And these, this attacker has used AI to copy all of those things. That CEO might have a really hard time telling that it’s not Bob the CFO because he gets the call from Bob the CFO every day at 4 o’clock. It sounds like Bob, looks like Bob. Why would the CEO question that? So I don’t think, think it’s a matter of these are the smartest people in the room. They are.

Christine Gadsby [00:30:09]:
Attackers are just as smart and they have the upper hand because they have this technology that they are weaponizing to use this. Again, all of these exploits that are freely available to have this great attack surface. We have a lot of stats in the US that we are tracking right now of CEOs this has happened to. There’s some famous cases about people losing millions of dollars because, you know, an attacker has done just what I said. They have created this, this massive game plan that takes thought. And these attackers are going after these big money transactions. They’re not, you know, in this scenario, it’s how much can they make and how effective can they be. So the CEOs are still the smartest people in the room.

Christine Gadsby [00:30:50]:
They just are targeted with a lot more sophistication than they were two years ago.

Karissa Breen [00:30:55]:
Yeah, I get it. And you know what, I’ve actually interviewed someone else on the show recently and he was sort of saying, like, we’re talking about, oh, we got to give awareness and people have to be skeptical and all this sort of stuff. He’s like, well, maybe we should just build better technology. So where does that sit with you then?

Christine Gadsby [00:31:09]:
I think it’s somewhere in between. Like we’re never going to eliminate this risk entirely because it is an arms race. Right. So if it’s going to take us 10 years to build all this new technology, where’s the criminal advancement going to be that in 10 years? So you do have to do kind of a. It’s a little of this and a little of that. There is no silver bullet. I wish there was. And if there was, trust me, we would have it.

Christine Gadsby [00:31:30]:
I really do think it’s part behavior and part sophistication in changing how we work. Right. So again, I always go back and when I’m counseling other companies or governments or talking to other security people, I always fall back on the principle of know your attack surface. If you are a highly regulated business or a government or doing crucial transactions that are life, safety or confidential information, know that’s an attack surface. It boggles my mind still that I have this conversation with some and they’re not thinking about that at all. So you have that as just a really low hanging fruit, easy thing to do. Do we need to upgrade technology? Of course we do. But is it the onus on these companies and these governments and these for having these highly valued conversations to do something more than use a free messaging app? Yes, of course.

Christine Gadsby [00:32:19]:
Right, that’s part of it. So I think it’s a little on both sides. Better technology, of course we need that. But ownership of the data that you’re, that you need and whether or not that needs to be either sovereign or at least encrypted, lots of security and privacy are important in that. So I think it’s a little of both.

Karissa Breen [00:32:34]:
And how would you say government is sort of approaching this given security problems? Like there’s a lot of geopolitical stuff going on at the moment. There’s all sorts of things. So what’s their sort of mindset towards this to be like we kind of need to keep these things a secret and we just can’t be frivolously just messaging me WhatsApping them. We always need to be skeptical in case someone is trying to impersonate someone else. These are real, real things that happen. But what’s their take?

Christine Gadsby [00:33:00]:
So I think a lot of things at the government level are happening and a lot of things at the government level are happening globally. So if we take it from the very top, you’ve got a lot of governments sort of looking at how do we form some sorts of frameworks or belts and braces to, to deal with some, some of these attacks. That’s not maybe specific to mobile, but it is specific to, you know, AI and how we’re looking at how the attackers are able to generate some of this. You do have some governments like the U.S. for example, did just recently release guidance on mobile conversations. So, and I believe that we were the first to do that. That needs to be happening a lot more. We do need a lot more governments to step in and just say, okay, this is an attack surface, at least for our highly regulated information.

Christine Gadsby [00:33:47]:
We need some belts and braces around security frameworks for how that should be handled. So we’ve got the start of that. But you know, that is really the most kind of recent, I think things coming out of the industry in that. I will also say though that a lot of cross pollination government talks are happening. I think when CISA released its last information, which was 80 plus countries including Australia were confirmed to have intrusions and then over 600 organizations were compromised with call logs stolen, location data stolen, unpatched systems. That was a joint FBI, NSA, CISA in that sort of effort. So I do think there is a lot of joint efforts happening. It’s just going to be again, how fast and how quickly can we get, can we get some sort of frameworks for guidance or maybe not even regulation, but just guidance together.

Christine Gadsby [00:34:42]:
But I mean, again, the good news is the conversations are happening for sure and they weren’t a year ago.

Karissa Breen [00:34:47]:
So how quickly do you think that these things will be up and running? And I ask this because like government at times doesn’t move the fastest or even like big corporations can move slow as well. A lot of things to happen, but obviously this is a problem. There’s big business in it. People are getting impacted by this. So do you think like maybe in a year’s time you and I have a conversation, this will move along quite substantially or where do you, how do you sort of see this playing out now?

Christine Gadsby [00:35:11]:
Now that we have the sort of the firing over the line of the first guidance, we’ll see a lot more. I think sometimes it just takes one government to put a stake in the ground to say I’m going to put out some best practices and generally a lot others follow. So I do expect this to get a lot more traction faster. But again that will just be the government and how it regulates sort of or at least offers up guidance and maybe it doesn’t regulate it now, but I do think the guidance will happen quickly. Now. I’m hopeful of the conversations as a company that we’re in, I’m going to tell you governments are now taking this a lot more seriously, just even if it’s not publishing guidance a lot more seriously than they were a year ago. I’m having deeper conversations with governments I did not have a year ago that are now starting to see the outcome of this massive financial loss. And they’re looking at two things.

Christine Gadsby [00:35:57]:
They’re looking at one, how do I make sure my consumer base and my people are being protected, number one. But number two, how do I worry about my government secrets and things that shouldn’t be available to others? So I do think the next year we’re going to see if you and I talk again October next year, South by Southwest, a year again, I do think we’re going to see a lot more guidance and of course we’re here to help that. So however we’re offering to be involved and we are seeing some take us up on it. So we’ll see how that goes.

Karissa Breen [00:36:26]:
Now I know you are giving a talk at South by Southwest in Sydney, Australia which I won’t be at. So I won’t be able to meet you in person yet, maybe share a little bit more about what, what you’re doing there.

Christine Gadsby [00:36:37]:
So I’m speaking at South by Southwest twice actually on October 13th. There is a panel that I’m part of on leadership through transformation which interestingly enough, sort of this topic is well to the forefront on really how do we help transform the industry being a corporate leader, I mean BlackBerry has been securing communications for four years and we know this is a tough problem to solve but we know a lot about this and we know a lot about the difference between a communication that needs privacy, where maybe some apps are good at that, but then where we need privacy and security and where, you know, our products like our BlackBerry SecuSUITE really come in for these governments. So that’s first. And then on the 14th I’m presenting on this very topic alone, which is mobile espionage. I’m going to go through some of the things we talked about today, but more in depth on these attackers and sort of the campaigns that they’re running and how that’s really impacting sort of the local, the local economy and some best case scenario things on how to prepare for the next stage of this trillion dollar attacker campaign that I see in like what I like to call my crystal ball. I’m going to do a little bit of crystal balling and do some future prediction stuff but then also again, what are the things and steps you should be taking as either a government or enterprise or a person to really protect yourself. So if there are listeners that are going to be attending South by Southwest Sydney, I would love to chat with you, meet you and I hope you can come and see that presentation. It should be awesome.

Karissa Breen [00:38:04]:
So then just quickly on future predictions, anything you can share?

Christine Gadsby [00:38:08]:
Well, I think the industry as a whole with the $1.3 trillion target on its back is going to see a lot more automation with AI. I think we’re going to see a lot more attack surface with AI and we’re going to start to see, see government information colliding with other government information and secrets being let out that, that shouldn’t, I’ve got some specific predictions on the, on the personal, on the people front as well. But I, I think it’s, you’re just going to see a lot more sophistication and speed. A lot of these things are going to become quicker, faster, cheaper, smarter for the attacker and they’re going to get their hands on a lot more data. So I expect to see some fireworks and part of my prediction also will be around frameworks and guidance like we talked about with governments.

Karissa Breen [00:38:52]:
And lastly, Christine, is there any sort of closing comments or final thoughts you’d like to leave our audience with today?

Christine Gadsby [00:38:57]:
I think for just some final thoughts. The goal in this really isn’t to eliminate risk entirely because we’re never going to do that. You know, BlackBerry has always been front and center stage of doing tough security and some of the things we bring into our products. I’ve been with the company a really long time, it’s really tough. But what we really need to do is focus on resilience and sort of gaining control of that. We need to understand the difference between handing the keys to our national security story into free messaging apps or you know, am I again, am I asking my daughter to stop and pick up bread on the way home from her friend’s house? Different conversations. So my closing thoughts are really we have to focus on that being the level of conversation is really how do we take an industry and help people understand what they need to do with the conversations that they’re having?
