The Voice of Cyber®

Episode 186: Deep Dive: Raj Samani | Cybersecurity as a Team Sport: How Transparency Can Reduce the Likelihood of Breaches
First Aired: May 31, 2023

In this episode of KBKast, we delve into the world of cybersecurity and the impact of breaches on organizations and society. Raj provides insights into his experience with past cases, emphasizing the importance of being open and transparent in handling breaches and reducing the impact on customers. We uncover the risks posed by social media, the challenge of managing expectations from regulators, and the economic impact of breaches. We also explore how cybersecurity extends beyond computer viruses and IT systems, and how the rise of autonomous vehicles and growing technology dependence increases the risk of attacks. Join us as we discuss the need for transparency and information sharing to improve the collective defense of the industry.

Raj Samani is a computer security expert responsible for extending the scope and reach of Rapid7’s research initiatives. He joins Rapid7 from McAfee where he served as McAfee Fellow and Chief Scientist after serving as VP and Chief Technical Officer in EMEA.

Raj has assisted multiple law enforcement agencies in cybercrime cases, and is special advisor to the European Cybercrime Centre (EC3) in The Hague.

Raj has been recognized for his contributions to the computer security industry through numerous awards, including the Infosecurity Europe hall of Fame, Peter Szor award, Intel Achievement Award, among others. He also co-authored the book ‘Applied Cyber Security and the Smart Grid’ as well as the CSA Guide to Cloud computing, and he has served as technical editor for numerous other publications. In addition to speaking at myriad cybersecurity industry events, Raj is sought after for his commentary on breaking news such as major security breaches and emerging threats. His commentary has appeared in Forbes, The Wall Street Journal, Business Insider, The Daily Beast, and more. He can be found on twitter @Raj_Samani.

Help Us Improve

Please take two minutes to write a quick and honest review on your perception of KBKast, and what value it brings to you professionally. The button below will open a new tab, and allow you to add your thoughts to either (or both!) of the two podcast review aggregators, Apple Podcasts or Podchaser.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Karissa Breen [00:00:43]:

Joining me today is Raj Samani, senior vice President, chief Scientist from Rapid Seven. And today we’re discussing some of Raj’s experiences working alongside law enforcement for cybercrime cases. So, Raj, thanks for joining. It’s wonderful to have you on the show. I know it’s quite early morning where you are because you are on the opposite ends of the world, so I appreciate you getting up early to have this interview with me.

Raj Samani [00:01:05]:

Good morning, and thank you for the invitation.

Karissa Breen [00:01:07]:

So, Raj, I really want to speak about your experience, and I’ve done a little bit of research about some of the cases that you have sort of worked on and alongside of, so I’m keen to sort of explore those a little bit more fidelity in a moment. But maybe let’s start with you have sort of worked alongside law enforcement agencies. So what were some of the cases that you collaborated on? Talk to me a little bit more about them.

Raj Samani [00:01:31]:

So there’s been a few and actually predominantly started with this botnet by the name of B Bone. I know it sounds made up, but it’s truly not. And this was a malicious downloader that was infecting computers across the globe. As we started to do the analysis on trying to understand the scale of the issue, once we actually what we call it is it sinkholing. So once we actually sinkholed the malicious infrastructure hosted by criminals, what we realized was that the number of infected computers was considerably higher than we originally anticipated. So we thought a few thousand infections a day. I think on day one, it was like 38,000 infected systems we found just on a single day. And that number just continued to increase, increase. So that was the first one. But I think the piece of work that I’m most proud of was working and co founding the no More Ransom Initiative. Ransomware is obviously the hottest topic, and it has been for a number of years. So with this particular initiative, what we did was we developed a collaboration with law enforcement whereby we made available free decryption keys and worked on sort of trying to disrupt ransomware operations. And when we launched it in 2016, we had seven free decryptors. So, in other words, seven families of ransomware that we could freely give your information back without having to pay the criminals. And today we’re at about 160 with over 150 partners. And so, yeah, there’s been a lot.

Raj Samani [00:03:06]:

Of work, and there’s a lot of.

Raj Samani [00:03:08]:

Work that happens which doesn’t result in lots of press as well.

Raj Samani [00:03:12]:

So I’d say it’s kind of part of the course.

Raj Samani [00:03:16]:

Now, if you work in cybersecurity, there is a need to be able to collaborate and work with law enforcement across the globe.

Karissa Breen [00:03:23]:

Yeah, most definitely. You’re absolutely right. Would you say that from working alongside of law enforcement historically, you’ve sort of learned a lot which you’ve brought forward in your career today in terms of knowledge, insights, any of those types of things?

Raj Samani [00:03:40]:

Well, I think everything has contributed because when I started in this industry, cybercrime.

Raj Samani [00:03:47]:

Wasn’T it wasn’t what it is today.

Raj Samani [00:03:49]:

Whereby we were dealing with probably low end attacks, what we used to call war dialing, and now we’re dealing with things that have an impact on geopolitics, for example. So when we identified a case targeting the Winter Olympics, that was a case that we strongly believe to be operated from malicious nation state groups. And if you’d have told me like 1520 years ago, well, you’re investigating attacks associated with the Winter Olympics, we would have said, well, come on, that’s a bit far fetched. And yet today that’s normal operations, I think. So the adversary has fundamentally shifted and changed. It’s become a lot more professional than it ever has done, and so it’s important to try to understand what’s actually occurring. And a really good example of that was COVID. When COVID actually hit, what we kind of recognized fairly quickly was the number of threat actors that were involved in in leveraging and utilizing COVID as as a hook to try to infect or or target individuals and companies, for that matter, was just like kicking over a hornet’s nest. It was like almost every possible capable threat actor out there was leveraging and using COVID. And so I’d say all of the above has contributed towards this continuous learning requirement that exists within our industry.

Karissa Breen [00:05:15]:

And from my research that I’ve done around BeBone, I mean, it was quite large in terms of a lot of people responding to it, a lot of people having their version of the story. Would you say that there are sort of I hate to call it rumors, but do you think that people sort of had their view of B Bone was maybe slightly skewed to what you sort of saw in terms of being a little bit more closer to the case and really working on the ground.

Raj Samani [00:05:40]:

That’S the challenge that we face with any digital attack is from a cybersecurity perspective. It’s asymmetrical in terms of the amount of information that you have. And so, for example, we had some assumptions going into this, which is the scale of the impact or the location of the victims. And that becomes important because predominantly because we need to try to understand which countries are the most targeted. So as we bring this case forward to law enforcement, then we can fundamentally find a partner to work with.

Raj Samani [00:06:19]:

What they want to know is predominantly.

Raj Samani [00:06:21]:

The scale of the impact, specifically within their territories. And so we constantly were dealing with this kind of asymmetrical component around the amount of information we had. What turns out when we disrupt the criminal infrastructure, implement the sinkholing, we actually then get the full transparency of what the scale of the issue is and so see this as everybody has their opinion. Absolutely. But of course that opinion is shaped by the amount of information accessible and available to you at the time, and what’s available and accessible for you at the time may not in many cases isn’t actually an accurate reflection of what’s going on. And so with that particular case it was we learned so much about the scale of the attack, more so after we did the action, than before. But of course that doesn’t mean what we did before was appropriate, it just means we actually didn’t have the amount of information we needed in order to be able to accurately scope out the.

Raj Samani [00:07:22]:

Scale of the campaign.

Karissa Breen [00:07:23]:

Yeah, and you’re absolutely right. And I guess things as you go along and you do those investigations, more things become uncovered. Do you think it’s hard as well? So, for example, if there’s like a well known data breach, there’s so many versions of, whether it’s a vendor or consultancy or someone internal that has their view then of the story. So it’s quite hard to navigate because like you said, some bits of information are included and some are not, which is like a key piece. And then it’s probably hard as someone trying to follow these stories as a consumer or even clients looking into it, because every vendor or whoever, their line of questioning and the line of details in their story seems to change. Do you think that then that just adds more complexity then to the outside world for people looking in on some of these cases and some of these breaches?

Raj Samani [00:08:13]:

Well, I think it stresses upon the biggest problem we have, which is we truly suffer from a lack of transparency in as much that when we think about these breaches, invariably the only thing that we seem to focus on is who is at fault and who was behind it. And yet I would argue that those are probably well, I’d say those are probably two of the least pieces of most relevant information. Look, if you’re a data subject, then knowing who was compromised is obviously going to be a key area of interest. But from an industry perspective, what we really want to try to understand is what were the approaches, what were the tools, what was actually done in order to be able to compromise? Having that level of transparency becomes imperative because then if we have that information, we can then make the playbook, as it were, the playbook of the threat actors, accessible and available to every company on the planet. This actually will allow us the opportunity to be able to protect other organizations because if we learn and know more about what the bad guys are doing or the bad girls are doing, then of course we’ve got the opportunity to be able to reduce the likelihood of other organizations being compromised. The other thing that I think we often kind of neglect is what is the scale of the economic impact or what is the scale of the impact? And invariably that’s something that is very rarely reported on because we jump from breach to breach, like chasing these headlines, whereby what we want to try to understand is all the scale of the issue as well. And so it is a particularly maybe the word is litigious, but it is an environment in which we don’t really get all of the information. And the type of information we get isn’t the type of information we really, truly want or need or demand. But of course, that’s the nature of the issue that we deal with today, whereby it is trial by public opinion. And yes, of course, organizations are looking to mitigate or reduce the impact of the bad press, the bad publicity.

Raj Samani [00:10:27]:

And I think that’s understandable because there.

Raj Samani [00:10:29]:

Is this construct called the abnormal churn rate. And so an organization that’s been compromised, there’s a theoretical statistic which says these are the number of customers that will leave you. And so, of course, they want to try to reduce the impact. And if there is the opportunity to be able to absolve themselves of the blame, then some organizations will try to do that. There are other organizations that are completely open and entirely transparent, but there isn’t kind of a playbook where every organization does this or does that. We do see, like, varying different degrees or approaches.

Karissa Breen [00:11:06]:

Okay, so, Raj, there’s a couple of things in there that you said which was interesting. You mentioned that if you look at a breach, for example, specific details you say or you believe, people are very focused on things that you believe people shouldn’t be focused on. Can you give an example of, from your experience, what people are focused on the wrong thing?

Raj Samani [00:11:24]:

Well, I think attribution becomes one of the most hotly contested and discussed topics there are who was behind the attack? And we’ve called it Attribution Roulette, whereby you kind of roll the dice and you see, well, who’s going to be in the frame for this attack this week? I think it’s important to try to understand the source of the attack, but not for the purpose of trying to get more clicks. For example, understanding attribution is important so we can start to map out the tools and techniques and procedures being used by various different threat groups that allows us the opportunity to be able to implement detection and protection against specific threat groups. It shouldn’t be used as a vehicle to try and generate more coverage. And equally, there has to be a bar with regards to what leads us towards that conclusion. So, for example, if we ever do things such as attribution, and certainly public attribution, we’ll go through a series of measures to determine the confidence that we believe or that will lead us to believe the root cause of the problem or the root cause of the attack.

Raj Samani [00:12:35]:

So can’t you think to yourself, well.

Raj Samani [00:12:37]:

Rather than, for example, and I’ve seen this in the past whereby somebody looked at an IP address and said, well, that IP address is coming from this country, therefore it’s this country during the attack. Well, it’s very simple to mitigate that. And actually, we see campaigns whereby threat groups put in these false flags which make you believe, oh, actually it’s somebody else, as opposed to another threat group. And so there is this kind of game of cat and mouse where attribution is being used. And when I talk about attribution, what I mean by that is drawing a.

Raj Samani [00:13:09]:

Conclusion as to the root root cause.

Raj Samani [00:13:11]:

Or the source of a particular threat attack. Unfortunately, this is the thing that these are the headlines that drive the clicks that drive the coverage that drives. And so we need to be, I think, more probably more grown up with regards to how we treat attributing, specific threats and specific attacks.

Karissa Breen [00:13:29]:

Yeah, I do hear what you’re saying, but even if you watch like, I don’t know, a press conference, the first thing that the CEO says is, oh, our suspicion is a threat actor is from X country, or whatever it is. I do notice that a lot. And I do understand and as you mentioned before, it is important. But from what I’m hearing, from what you’re saying, it’s just not maybe what people should lead with straight out the gate. So what would you then suggest people should be focused on? Attribution is 100% important. People do want to know where the attack came from. But you sort of mentioned before that people should be focused on other things. What are these other things people should be sort of thinking about initially?

Raj Samani [00:14:13]:

The key thing is to be open and transparent about the scope of the attack.

Raj Samani [00:14:18]:

And look, there may be components of.

Raj Samani [00:14:19]:

The attack which are sensitive so you can’t disclose, but making things available and accessible to the wider industry about the artifacts of a specific breach, for example. So what I’d love to be able to see is organizations being transparent and saying, look, this is what we know thus far. This is what we can publicly share. Oh, and by the way, these are the tactics that we use, or these are the we call them indicators of compromise, for example. So these are the assets or these are the kind of tricks that the criminals used in order to break in. Now that becomes important because other organizations that are also being targeted by the same threat group, potentially by the same playbook as it were, can then use the accessible or available information in order to protect themselves. We’ve often said that cybersecurity is a team sport, but it seems more often than not that many of these team players are less than collaborative. And that’s not everybody. By the way, there was a breach, I think it was this week or last week, where a security vendor actually were very open and very transparent about the tools and tactics being used. And so making that information accessible allows other organizations the opportunity to protect themselves collectively. As a society, we’re very, very quick to point the finger whether if somebody’s been breached or not. What the conversation probably needs to move towards is, hey, look, everybody has the potential to be breached. The fundamental question we’ve got to ask ourselves is, did the organization that got compromised take all reasonable measures to protect your data or information about you? And if that organization did take reasonable measures, then rather than vilifying them, what we should probably do is say, well, okay, what was it about this attack that allowed them to successfully get in? And what do we need to do in order to stop this happening in the future? If an organization gets compromised and their password is 123456 and they completely missed every alert, then okay, there is a question of, well, they didn’t take reasonable measures. And so I think there’s got to be more of a balanced view with regards to breaches as opposed to this, well, they got compromised, so therefore they must be terrible. That, I think, is an unhealthy approach because then what it does is it creates this back to your point. It creates this environment in which, like you said, somebody will stand up and say, well, it was a sophisticated attack done by a country, so there’s nothing we could have done. Well, whether it’s a nation state or an organized crime group, they’re still compromising systems. They’re still criminals, and so they’re not superheroes. So that, I think, starts to become a really necessary kind of part of the discussion we need to have.

Karissa Breen [00:17:16]:

I like the part when you said reasonable measures because you’re so right. So, for example, I don’t know whether you follow news out here in Australia, but there’s been multiple very large breaches here. And now I think people are desensitizing themselves. It’s like so and so company got breached. Then I think that’s where for majority of people, the conversation stops. Rather than saying, like you said, was there reasonable measures that they did try to protect your data or whatever it may be, or was it passer 1234 and missed all the alerts and no other security controls at all? So I think that now if I look on the consumer lens of it. It’s more like, okay, so another company got breached. Who cases they failed us. That’s sort of the commentary I’m seeing from large media science with I read the comments from people saying that even talent from a cybersecurity perspective in Australia is horrendous. Like pretty bad stuff, right? But I think they’re not doing that extra little bit of the missing piece which you mentioned before, the reasonable measures. But then it gets hard because I was talking to someone the other day. They’re like, yeah, but sometimes KB, when you’re out here and you’ve got stress and then you’ve got legal counsel then on your back to say you can only say X amount of things. And then it’s one day in and people want an update, but you don’t really have all the information. Then if you do another update two days later, maybe it was 20% data you thought was stolen, then it was 40 and in seven days time it’s 100%. So he’s like, it’s really hard to manage those expectations from internally, from regulators, as well as consumers and customers. So do you think that I don’t envy these people in these positions that have to get up there and sort of really take a massive hit? So I’m just curious to know what your thoughts are on that.

Raj Samani [00:18:59]:

Look, it’s never easy being in the middle of an incident, and I’ve been in the middle of more incidents than I probably care to do in any lifetime. And you see a lot of varying different reactions. But there is a way, I think, to be open and transparent in a way that doesn’t potentially compromise you. And look, I remember this case I dealt with a little while back and it was in Asia Pacific region. When we got inside and started to do the analysis, what we realized was the threat actors had been inside for a number of years now. The Ferrari internally was, oh, kick them out, kick them out, kick them out. We need to throw the adversaries out of the network. And when we started to have the discussion with the senior leadership team, it’s like, look, you’ve got criminals inside your network. Now if we take the action to close the back doors of the network, they’ve been in here so long that the risk you have is they’ve actually created additional ways into your environment. Now, throwing them out I e. Closing the doors of what we know today introduces a risk that they’re going to come in via a different mechanism and completely destroy the network because they’re going to want to cover as many tracks as they possibly can. So what I recommend we do, and I know this sounds really difficult, is we leave them in the environment, we monitor everything that they do, we watch what they do, and then we have the opportunity to be able to find more backdoors into your network and then we can close everything. So we scheduled what we call a Strike Day. So that Strike Day was, hey, we’ve been monitoring them for a period of time. We know how they’re getting in. We know all of their backup ways to get in. Now we’re going to close every single door, every single window, lock it and lock it and shut it tightly. And at the time, I was like, well, they’re never going to go for this. What will happen is we’ll end up kicking them out. And then in a week later, I’ll get phoned and said, hey, by the way, the network’s been toast. But what was interesting was the company was like, well, look, we understand that. We understand the need for it. Let’s go ahead and proceed with that. And I think that one surprised me because I never expected them to accept that because it was the right approach. Taking the right course of action or the most appropriate course of action can be painful, but in the long term, it can be truly beneficial. And I think probably what changed it all was we were able to provide a very, very clear plan. We were able to mitigate the risks that they had identified, and we were very clear about the timeline that we would take the action. And I think in the middle of a breach, you’re dealing with regulatory pressures, law enforcement, you’re dealing with press, you’re dealing with legal, you’re dealing with all of these kind of swirling things. But I think if you’re very clear and concise about what you’re doing, why you’re doing it, then I think you’ve got a more higher likelihood to be able to take that course of action and ultimately you have the opportunity to be able to control the narrative. Yeah, and there’s been multiple cases in the past where people have said, no, we’re not going to do what you recommend. We’re going to do what we think is right. And then I remember one case where I got a call like three weeks later saying, oh, by the way, we’ve been compromised again. And this time it’s even worse than what it was. The first crime for me, it’s about actually being clear and concise about what you want to do and why you want to do it. And of course, ultimately, from a security perspective, it’s not your decision. You are consulting for the business, whether you’re a CISO, whether you’re a vendor, whether you’re a consultant. So you have to listen to what the business is demanding, but ultimately, as the expert, you can provide your input into that. And there are cases in which senior leadership do listen.

Karissa Breen [00:22:58]:

Yeah, okay, that’s really interesting. So before I ask a couple of questions off the back of your previous statements, I’m curious then to know so if I were to sort of close the loop on a lot of your lessons because you have worked historically alongside of law enforcement, would you say that your depth and breadth towards incidents and cases has maybe solidified then your approach? Because I’ve interviewed a number of people that have done your field of work or they’ve worked more on the DFIR front or more in the incident response sort of area. You just seem to bring probably a very unique angle. So would you say that your unique angle comes from your experience working alongside law enforcement which gives you a different sort of lens to apply?

Raj Samani [00:23:43]:

No, I think it’s all of the above. It’s our experience which shapes us. And it’s being involved with cases 20 years ago with things like blaster and nimda or want to cry, like all of the above, I think, has shaped the thinking and a lot of the thinking and a lot of the approach. The entirety of my approach is being very crystal clear about the impact, the capability of the threat. Actor but also what I believe to be the best course of action. Look, I genuinely believe the best course of action in any breach is to be open and transparent. The one thing that I’ve learned in I was going to say actually it’s been decades since I’m working in this industry is stuff will eventually get out whether you try to hide or whether you try to obfuscate or if you’re going to try to pretend that something wasn’t as bad, things will eventually get out. And the criminals have actually acknowledged and recognized this. And so the whole growth of this double extortion tactic whereby ransomware threat actors will steal information and then publicly disclose that they’re doing that because they know that organizations have in the past tried to either downplay or even entirely kind of obfuscate the fact that they’ve been compromised. Now, with double extortion, you can’t do that anymore. And so I would argue today that organizations, if you’ve been compromised, don’t look at that as the death knell of your business. What could be the death knell of the business is how you handle it. There are thousands of companies that have been compromised, tens of thousands of companies that have been compromised and almost all of them have come out of the other side of it. But I would argue the companies that come out the best are the ones that have been open, been transparent, not tried to hide, not tried to obfuscate. This considered the data subjects, considered the potential harm to the data subjects and put in measures in order to be able to reduce the impact to the customers that have entrusted them with their data. That for me is probably the most critical component. And for me I think that’s what my experience will lead to, which is, hey, look, everybody’s gone through this at some point, but those that have gone through it and come out the best have been the ones that have been the most transparent.

Karissa Breen [00:26:18]:

So it’s going back to your comment before around controlling the narrative. Now this is so interesting because more often than not, what do you often hear from people? Oh, they didn’t handle it very well. Oh, the CEO was like you said, obfuscating, or they weren’t transparent, they weren’t open. But then do you feel it’s like you’re damned if you do by someone, you’re damned if you don’t? Now, I know that sounds like a dumb question because you’re never going to make everyone in the world happy no matter who you are, what you are and what you’re saying. But would you say that more often than not at the moment more companies from your experience have lost control of the narrative?

Raj Samani [00:26:53]:

Well, I think with the advent of social media, I think people try and control the narrative anyway and people will just draw natural conclusions in the absence of clarity anyway. So I think that’s part of the reason why I say, well, it’s important to be transparent, it’s important to be open, and it’s important to share the information that you have for the benefit of the industry. If you are going to intentionally withhold information, then people will just make stuff up anyway, whether it’s true or not. And for me, I think that’s what I mean by controlling the narrative. It is about saying, well, look, this is what’s happened. This is what we’ve learned thus far. And actually, really importantly, ensuring that you are working with law enforcement, because it’s imperative that we try to hold those behind these attacks accountable and making that information accessible and available so that other organizations have the intelligence in order to be able to protect their own systems against this particular tactic. That for me is controlling the narrative, whereas trying to hide it or even not sharing the necessary information in a timely way then means people are just going to make up their own stories regardless. Is this organization been compromised? Oh, yeah, what we think it has. And there are entire social media accounts dedicated towards publishing information about the double extortion victims that exist. And so it was remarkable. I was looking at a winter feed the other day and this person had got like ten to 15, I think it was 2000 retweets on screenshots of a ransomware victim’s disclosure. So like the ransomware group had said, oh, we’d compromise this bank. And this channel had got like one and a half thousand retweets on it. And I was just stunned, like wow, that’s an incredible amount of publicity. And I think at the time the bank hadn’t even said anything or responded or maybe they didn’t even know. So the narrative had already been taken away from them because of these researchers that are publishing information continuously and constantly. And so that’s the challenge that we face is that in some cases you may not even know about it. Or if you do know about it and you’re thinking, well, actually, can I take a couple of days. Just to figure out what’s going on. Actually, the story is already broken, and it’s got a huge amount of publicity already.

Karissa Breen [00:29:27]:

Yeah, I know exactly. I know exactly what you mean. And I think that was sort of in the earlier part of our interview by saying when the story changes, like whether it’s another vendor that got their version of the story or some random person on social media that has a view. And then all of a sudden, you don’t have a lot of those gaps filled, and people just start believing what other people say and then buying into their story. Now, I guess that goes back into on the consumer front, on where you get your information and your sources from. But I think it’s really important to know that you probably will always have a degree of feeling like you lose control of that narrative because you can’t control what media companies write about you and what they want to tell in their stories. You can’t control what Sally on Instagram thinks when she doesn’t have any idea about what really happened. And I think that’s just the nature of the world. So would you say that for people that are listening, be prepared, that even if you came out, you were transparent, you were open, you were honest, you were quite descriptive of what happened? There’s always going to be an element of someone will have a different opinion, or someone is always going to think that they know more than what you’ve sort of said. Is there always going to be that no matter how well you’ve handled that.

Raj Samani [00:30:42]:

Narrative, natural skepticism has been probably more amplified now that we offer this kind of pseudo anonymity. And so what I mean by that is people are more emboldened to be more divisive, more, I guess, more angry. I call it these kind of digital pitchforks, but they’re more happy to kind of take up arms when there is this perceived level of lack of perceived level of lack of risk by typing things out on a keyboard. And you see this within social networks and social media, whereby there is this kind of greater toxicity that exists digital than it does physically in the physical world. And so I’ve been a victim of this myself, where we’ve said certain things or posted certain things, and there are individuals that will come out and say, well, that’s terrible, I don’t agree, but do so in a way that’s entirely disrespectful or entirely unhelpful. And so I think this digital world that exists anyway, and we see this today where in the UK. For example, we left the European Union in 2016. And you look at the the level of discourse between various different groups, and it’s, you know, it’s not a constructive debate. It’s just throwing barbs at one another left and right, with memes thrown in as well. That exists now anyway. And I think that’s the worry, really, which is the whole purpose of social media and social networks, I believe, was to enable people to be able to connect, the ability to be able to shape opinions. But what we’ve done is just doubled down on our own opinions and if somebody disagrees with us, well, let me go after them with everything that I have. And so our world remains affected by the same approach whereby, well, yeah, you didn’t say this, so therefore this is what I think. Or well, you published this report and you said it was this threat group. Well, I think you’re full of crap and so let me tell you why, you’re terrorist. That I think, is just the very nature of the broader kind of social society that we live in today whereby people are a lot more comfortable and a lot more confident and a lot more emboldened to be as vociferous as they possibly can.

Karissa Breen [00:33:28]:

So if we look forward with some of your experiences that you’ve shared today and previously working on the ground alongside law enforcement, what would you sort of say would be some of your insights as we traverse into a more connected digital world? Do you have any insights or concerns? And I understand, like, you’re not nostradamus and you don’t have every answer, just more so curious to sort of hear your thoughts because you have seen the space change over the years. So I’m just curious to see if you’ve got anything to sort of leave our audience with today.

Raj Samani [00:34:03]:

Well, I think probably the big thing that I talk about is we started in a world in which cybersecurity was about computer viruses and it was about It systems. And if we think about what cybersecurity really and truly is, it is so much more than that. And we’ve seen examples whereby elections have been well, people have made the assertions that elections have been swayed through misinformation. And security for me has far more reach than just, for example, the computer sitting in your home. It’s absolutely fundamental to our way of life or to how we as a society will operate, whether that’s, like I said, whether it’s about propaganda or misinformation, whether it’s about people being able to receive patient care, whether it’s about, I guess, the way that we’re going to pay one another through online currency exchanges, i. E. Cryptocurrencies. We are going to become so much more dependent upon the confidentiality of data, the integrity of information, and the availability of systems. We collectively not governments, not private sector, not individuals, we collectively need to do more to acknowledge that because like, I think you touched on it earlier, which is people have become so numb to breaches that they almost ignore it. But I always say that, look, once your information is out, it is out and then that can then be weaponized and used against you. And so for me, I’d like to see a broader acknowledgment that cybersecurity is and fundamental to our way of life. And we need to start to put in measures to be able to reduce the impact that criminals, or effectively criminals, are having upon our natural way of life like we touched upon it earlier, which is the Brexit vote. Well, there’s been assertions that the whole Cambridge Analytical Scandal was something that helped influence the elections. And when you really start to break that down, it’s incredible to think that actually, that’s the potential that it could have. And so I think we’ve got to have this broader acknowledgment that cybersecurity is much broader and wider than what we have initially thought it to be. It’s not about just protecting that computer from a computer virus, actually. It’s about shaping public opinion. It’s about our ability to receive patient care. As I said, I think for me, as I look forward, we are going to continue to be entirely dependent upon digital systems and the accessibility and availability of information that hasn’t been purposely misinformed and that becomes imperative. And look, we saw this with COVID for example, with the crime of huge amounts of misinformation being conducted and carried out by either people that were misinformed or people with the sole intent of trying to inform the public.

Karissa Breen [00:37:05]:

Oh, my gosh, yes, I totally forgot about that. So true. So it’s going back to your Acknowledgment piece for a moment. Do you believe we have got the Acknowledgment? Or do you think it’s as we mentioned before, this is more of a forward conversation? Do you think that will come in due course and over the years we will get more acknowledgment about the impact cybersecurity has on consumers and businesses?

Raj Samani [00:37:30]:

No, I don’t think we’re anywhere near that at all. We are blindly installing apps. We are blindly accepting terms and conditions. We aren’t having the bigger discussions that I think we need to be having, which is like, in three to five years time, we’re going to have autonomous vehicles on the road, natural part of our lives. We haven’t started to discuss things such as, well, okay, where does the liability sit if there is an accident? We are just blindly accepting more technology, more features, more capabilities. We’re becoming more and more dependent upon these things. And we saw in 2016 with WannaCry, for example, an attack that starts in one part of the world within hours goes and infects the rest of the part. And the question became, well, okay, the speed with which interconnected systems can be compromised was absolutely frightening. But the question becomes, well, if that happens again, have we taken our lessons learned from that and actually have the opportunity? Well, I don’t know if we collectively have, because yet again, we’re continually and entirely interconnected. And so I don’t know if we’ve started to have these I know we’re having these discussions, but like, here’s the question. If there is another vote tomorrow, is it possible for somebody that is well skilled and well capable to be able to potentially spread misinformation using the platforms we depend upon today. And you and I know the answer to that is probably yes. If there is a botnet, for example, that started in one part of the world, is it possible to spread around the entire world in a matter of minutes? Well, yeah, probably still is. And so these fundamental weaknesses, I think you could call it, or the interconnected nature by which we gather information or our systems are connected still exist. I don’t believe we have really fundamentally asked these questions yet and actually put in the mechanisms in order to reduce the likelihood of that happening again.

Karissa Breen [00:39:25]:

Information warfare, that is a separate topic on its own, which is super interesting. And yes, I agree with you. There is the mechanism to misconstrue voting and people’s opinions. So that, on its own, is a separate problem and a separate piece. But Raj, I’ve absolutely enjoyed having this conversation with you today. I was just really listening to what you were saying and just curious about not only your experience, but your opinions and your thoughts towards how people should be handling and responding to breaches and also doing a little bit of a deeper dive into your work alongside law enforcement. So I really appreciate the time you waking up early today and coming on the show.

Raj Samani [00:40:08]:

My pleasure. Thank you so much for the invitation.

Share This