WEBVTT 1 00:00:07.140 --> 00:00:09.630 Anna Delaney: Hi, and welcome to the ISMG Editor's Panel. I'm 2 00:00:09.630 --> 00:00:12.510 Anna Delaney, and here we discuss the week's top cyber and 3 00:00:12.510 --> 00:00:16.320 information security trends, stories and interviews. I'm very 4 00:00:16.320 --> 00:00:20.010 pleased to be joined by some of the talented editorial team. Tom 5 00:00:20.010 --> 00:00:23.550 Field, senior vice president of editorial; Suparna Goswami, 6 00:00:23.670 --> 00:00:27.420 associate editor at ISMG Asia; and Mathew Schwartz, executive 7 00:00:27.420 --> 00:00:30.420 editor of DataBreachToday and Europe. Great to see you all. 8 00:00:31.500 --> 00:00:32.010 Tom Field: Thanks for having us. 9 00:00:32.009 --> 00:00:32.519 Suparna Goswami: Glad to be back. 10 00:00:33.060 --> 00:00:34.050 Mathew Schwartz: Yeah, great to be here. 11 00:00:34.890 --> 00:00:36.690 Anna Delaney: Suparna, why don't you start us off? 12 00:00:37.590 --> 00:00:40.110 Suparna Goswami: Well, yes, hello. We just concluded a nine 13 00:00:40.110 --> 00:00:43.200 day festival here in India, where we dance and feast on good 14 00:00:43.200 --> 00:00:47.160 food. So, this dance form is called Dandiya where we use 15 00:00:47.160 --> 00:00:51.840 colorful sticks, and it is mainly in western India, more 16 00:00:51.840 --> 00:00:55.230 prominent in western India, but is now spread across most of 17 00:00:55.230 --> 00:01:00.090 India. And, you know, we eat a lot, I was saying, so, more than 18 00:01:00.090 --> 00:01:02.820 dancing, I have been eating a lot, hopping different pandals, 19 00:01:03.270 --> 00:01:07.860 and eating a lot of food, junk food, mainly. But yes, good nine 20 00:01:07.860 --> 00:01:08.400 days! 21 00:01:08.790 --> 00:01:10.980 Tom Field: Continue to dance and the food will not be an issue! 22 00:01:13.680 --> 00:01:15.510 Anna Delaney: We will be starting all that soon, as well. 23 00:01:15.510 --> 00:01:17.700 So, may the festivities begin! 
24 00:01:17.820 --> 00:01:18.750 Suparna Goswami: Yes! 25 00:01:18.930 --> 00:01:21.810 Anna Delaney: Tom, what a beautiful backdrop! Have you 26 00:01:21.810 --> 00:01:22.620 taken this photo? 27 00:01:22.000 --> 00:01:26.350 Tom Field: This is not my photo, but this is my town. This is a 28 00:01:26.350 --> 00:01:31.180 view of the downtown of my village, as it is in the fall, 29 00:01:31.180 --> 00:01:33.910 which is where we are right now. Not a lot of dancing, but plenty 30 00:01:33.910 --> 00:01:34.420 of good food. 31 00:01:35.640 --> 00:01:36.270 Anna Delaney: Stunning! 32 00:01:36.510 --> 00:01:37.440 Tom Field: And, vibrant colors. 33 00:01:38.200 --> 00:01:41.200 Anna Delaney: Beautiful, and Mat. It looks like a storm. But, 34 00:01:41.290 --> 00:01:43.990 as usual, you've made it look like art. 35 00:01:44.310 --> 00:01:45.930 Mathew Schwartz: Oh, thank you so much. This is a little 36 00:01:45.930 --> 00:01:49.860 reflection of the storm Babet's aftermath. Actually, the 37 00:01:49.860 --> 00:01:53.700 aftermath is mostly gone. This is just a typical day of rain in 38 00:01:53.730 --> 00:01:58.290 autumnal Scotland. But, we got hit hard with storm Babet last 39 00:01:58.290 --> 00:02:01.500 weekend. So, a lot of areas, especially here on the east 40 00:02:01.500 --> 00:02:05.160 coast of Scotland are still waiting for the waters to 41 00:02:05.160 --> 00:02:05.880 recede. 42 00:02:06.990 --> 00:02:08.760 Anna Delaney: So much so you were grounded, right? 43 00:02:09.560 --> 00:02:13.520 Mathew Schwartz: Yes, yeah, we had a red alert, amber alert, 44 00:02:13.520 --> 00:02:17.840 for wind and rain over a period of two-three days and lots of 45 00:02:17.840 --> 00:02:20.300 flooding, people having to get rescued from their houses who 46 00:02:20.300 --> 00:02:24.740 hadn't left by Coast Guard helicopters. Craziness. So, 47 00:02:24.770 --> 00:02:27.800 thankfully, that's starting to get better. 
48 00:02:28.320 --> 00:02:30.360 Anna Delaney: I'm glad you're safe. Well, I've included a 49 00:02:30.360 --> 00:02:33.960 timely backdrop this week in honor of the spooky season. So, 50 00:02:33.960 --> 00:02:36.750 this is something I spotted in Greenwich Village in New York, 51 00:02:36.750 --> 00:02:40.260 recently. It's quite fun, I think, they do Halloween quite 52 00:02:40.260 --> 00:02:44.880 well in the States. Well, Tom, you have started recording 53 00:02:44.910 --> 00:02:47.580 interviews with Israeli cybersecurity leaders. And, I 54 00:02:47.580 --> 00:02:50.610 believe this was something in the works for a while. You were 55 00:02:50.610 --> 00:02:53.700 supposed to be on the ground there, in Israel, recording 56 00:02:53.700 --> 00:02:56.580 these, in person. For obvious reasons, you're not there, but 57 00:02:56.610 --> 00:03:00.330 maybe share some background to the series itself and who you've 58 00:03:00.330 --> 00:03:01.230 interviewed, so far. 59 00:03:01.540 --> 00:03:03.640 Tom Field: Yeah, that's right. I was supposed to be traveling to 60 00:03:03.640 --> 00:03:06.280 Israel for a series of interviews with security and 61 00:03:06.280 --> 00:03:10.060 technology leaders, and because of the Israeli war with Hamas, 62 00:03:10.060 --> 00:03:13.180 that's just not happening right now. And so, instead, I've been 63 00:03:13.180 --> 00:03:16.360 working with our colleagues, our partners, at Xtra Mile, which of 64 00:03:16.360 --> 00:03:21.850 course is a B2B, lifecycle marketing agency that's part of 65 00:03:21.850 --> 00:03:26.170 ISMG based in Israel. 
I've been working with them to still do 66 00:03:26.290 --> 00:03:30.340 this series of interviews, but to do it virtually, and to talk 67 00:03:30.340 --> 00:03:33.610 with security and technology leaders, really about how 68 00:03:33.610 --> 00:03:37.180 they're responding to the war conditions; how it's impacting 69 00:03:37.300 --> 00:03:41.740 their organizations, their teams, their families; what they 70 00:03:41.740 --> 00:03:47.200 see going forward in their message to their customers and 71 00:03:47.200 --> 00:03:50.470 to their global partners. So, I started this series earlier this 72 00:03:50.470 --> 00:03:54.580 week, by talking with Michael Yehoshua; he is the CMO of 73 00:03:54.610 --> 00:03:58.930 HolistiCyber. And, he got my attention immediately, when I 74 00:03:58.930 --> 00:04:03.130 asked him, how he's doing, how his family is, how his team is, 75 00:04:03.130 --> 00:04:09.100 his employees. And, he told me, "we're doing fine, but we're not 76 00:04:09.100 --> 00:04:14.320 okay." And, that really kind of struck me as a predominant theme 77 00:04:14.320 --> 00:04:18.640 in these conversations is that it's about resilience. It's 78 00:04:18.640 --> 00:04:23.320 about the ability to continue to work literally under fire. As he 79 00:04:23.320 --> 00:04:27.790 and I were talking, there were rockets bursting overhead. So, 80 00:04:27.790 --> 00:04:30.880 literally being able to be resilient and to continue under 81 00:04:30.880 --> 00:04:34.390 fire. It's something that I haven't experienced, I don't 82 00:04:34.390 --> 00:04:37.600 know that many of us have. And so, it's insightful for me, 83 00:04:37.600 --> 00:04:40.090 certainly to conduct these conversations. And I'm hoping, 84 00:04:40.090 --> 00:04:43.150 it's just as insightful for our audience as well. I'll be doing 85 00:04:43.150 --> 00:04:47.050 a series of these, we'll be producing them on the ISMG sites 86 00:04:47.350 --> 00:04:51.190 as early as maybe even today. 
And, the point is to share 87 00:04:51.220 --> 00:04:55.270 insights from Israel, from security and technology leaders, 88 00:04:55.270 --> 00:04:57.940 who are going through this in their message to the world. So, 89 00:04:58.210 --> 00:05:02.650 if you don't mind, I'd like to share a bit of a clip from the 90 00:05:02.650 --> 00:05:05.440 interview I did with Michael Yehoshua. And, the question I 91 00:05:05.440 --> 00:05:09.040 asked him was, what is your message to your employees, your 92 00:05:09.040 --> 00:05:11.410 customers and to your global partners? I'm going to show you 93 00:05:11.410 --> 00:05:12.250 a short excerpt. 94 00:05:12.510 --> 00:05:14.970 Michael Yehoshua: War is something that nobody wants, 95 00:05:14.970 --> 00:05:17.820 especially not on this side. It's not a war that we started 96 00:05:17.820 --> 00:05:22.530 and not one that we ever wanted. But, war does have its silver 97 00:05:22.530 --> 00:05:26.550 linings, if you look at the Yom Kippur War, the aftermath of 98 00:05:26.550 --> 00:05:31.650 that was the most was a very prosperous time here in Israel. 99 00:05:31.890 --> 00:05:35.040 If we look in the United States after World War II, we had the 100 00:05:35.040 --> 00:05:40.080 baby boomers and we had the rise of the economy, and tough times 101 00:05:40.080 --> 00:05:44.160 create tough people, and tough people create tough products. 102 00:05:44.550 --> 00:05:50.340 And, well, we are a resilient group of people. And, we'll get 103 00:05:50.340 --> 00:05:52.320 out of this and we'll be stronger than ever. 104 00:05:52.000 --> 00:05:54.730 Tom Field: I was told once that tough times don't build 105 00:05:54.730 --> 00:05:57.640 character, they reveal it; and we're pleased to see the 106 00:05:57.640 --> 00:05:58.210 character. 
107 00:05:58.420 --> 00:06:00.940 Anna Delaney: Well, Israel has been dubbed the cyber nation 108 00:06:00.940 --> 00:06:04.360 and, as you say, has a strong tradition of military 109 00:06:04.360 --> 00:06:07.270 intelligence and cybersecurity. How do you think this background 110 00:06:07.450 --> 00:06:10.600 influences the leadership and the strategies in the 111 00:06:10.600 --> 00:06:11.830 cybersecurity sector? 112 00:06:12.580 --> 00:06:15.070 Tom Field: There's a lot of preparation. And, I think that 113 00:06:15.070 --> 00:06:20.290 the Israeli executives I deal with have got good backup plans. 114 00:06:20.710 --> 00:06:23.560 They've always thought about resilience. They don't keep 115 00:06:23.560 --> 00:06:27.070 things in one area, and so they've got leaders and teams 116 00:06:27.070 --> 00:06:29.650 and systems deployed in different areas of the world. 117 00:06:29.950 --> 00:06:33.280 They're prepared for situations such as these. There's been a 118 00:06:33.280 --> 00:06:38.710 huge call up of reservists to go into a military service. Michael 119 00:06:38.710 --> 00:06:43.870 was telling me about even some of his colleagues from the US 120 00:06:43.990 --> 00:06:47.440 who have gone through great pains to fly back to Israel, to 121 00:06:47.440 --> 00:06:51.730 go back into the service and to be on the front lines. This is a 122 00:06:51.730 --> 00:06:56.800 country and a people that certainly don't welcome crisis, 123 00:06:57.190 --> 00:06:58.270 but they're prepared for it. 124 00:06:59.860 --> 00:07:03.310 Anna Delaney: Very true and great first interview, and we 125 00:07:03.310 --> 00:07:06.580 look forward to watching the rest. Lots to be learned there. 126 00:07:06.610 --> 00:07:07.540 Thank you, Tom. 127 00:07:07.540 --> 00:07:08.110 Tom Field: Thank you so much. 
128 00:07:08.690 --> 00:07:11.510 Anna Delaney: Mathew, a few days ago, it was reported that Cisco 129 00:07:11.540 --> 00:07:15.740 released patches to address two zero-day vulnerabilities in its 130 00:07:15.800 --> 00:07:20.390 IOS XE operating system users' networking devices. Now, since 131 00:07:20.390 --> 00:07:24.290 then, security researchers have observed a significant drop in 132 00:07:24.290 --> 00:07:28.010 the number of compromised devices. So, bring us up to 133 00:07:28.010 --> 00:07:31.400 speed with events and explain the significance of this sudden 134 00:07:31.400 --> 00:07:33.620 drop in the number of compromised hosts. 135 00:07:34.530 --> 00:07:37.590 Mathew Schwartz: Well, as you say, Anna, Cisco has begun to 136 00:07:37.590 --> 00:07:43.110 release patches for a lot of its IOS XE, that rolls off the 137 00:07:43.110 --> 00:07:48.270 tongue, operating system, which powers or it's the OS that runs 138 00:07:48.300 --> 00:07:54.240 a lot of Cisco's devices, things like access points, routers, and 139 00:07:54.360 --> 00:07:58.320 numerous other things. So, these patches have not fully arrived 140 00:07:58.320 --> 00:08:02.130 yet, but at least some of them have started to get shipped. 141 00:08:02.340 --> 00:08:06.870 Because about a week ago, reports started to emerge that 142 00:08:06.870 --> 00:08:12.630 there seemed to be a widespread malware campaign targeting these 143 00:08:12.660 --> 00:08:17.310 devices. So, attackers were exploiting vulnerabilities and 144 00:08:17.310 --> 00:08:19.800 it took some time to figure out what was going on. But, 145 00:08:19.800 --> 00:08:23.310 exploiting a couple of vulnerabilities to gain remote 146 00:08:23.310 --> 00:08:27.120 access to these devices, and then to infect them with 147 00:08:27.120 --> 00:08:33.810 malware. 
It's not clear what has been happening next, in terms of 148 00:08:33.990 --> 00:08:37.470 whether attackers are pivoting off of these devices into 149 00:08:37.470 --> 00:08:42.090 victims' networks, potentially using this as a beachhead to 150 00:08:42.120 --> 00:08:46.320 further explore the network and attempt to gain 151 00:08:46.350 --> 00:08:50.520 administrator-level privileges on other systems. Not clear if 152 00:08:50.520 --> 00:08:55.110 this is a nation-state attacker, that's probably a good guess, 153 00:08:55.230 --> 00:08:58.680 given that these are zero-day vulnerabilities. But, we have 154 00:08:58.680 --> 00:09:02.670 occasionally seen cybercrime groups, especially ones wielding 155 00:09:02.790 --> 00:09:08.490 ransomware, also target zero-day flaws. Lots of questions here. 156 00:09:09.240 --> 00:09:13.290 Another question, as you say, is what led to this dip in the 157 00:09:13.290 --> 00:09:21.030 number of internet connected Cisco IOS XE devices? For 158 00:09:21.030 --> 00:09:25.080 baseline, researchers were tracking about 80,000 of these 159 00:09:25.080 --> 00:09:30.120 devices before the attack. So, at any given time, about 80,000 160 00:09:30.120 --> 00:09:32.670 of these devices were internet-connected, and thus, 161 00:09:32.670 --> 00:09:38.340 could be catalogued or counted using freely-available scanning 162 00:09:38.340 --> 00:09:43.680 technology. 
After this attack, researchers figured out a way to 163 00:09:43.680 --> 00:09:49.290 fingerprint these devices, and they counted in the range of 164 00:09:49.290 --> 00:09:56.070 maybe 34,000 last week, rising to about 42,000 that had signs 165 00:09:56.070 --> 00:10:01.230 of compromise, declining again to 36,000, possibly, because 166 00:10:01.650 --> 00:10:04.290 companies couldn't patch, they could mitigate, they could 167 00:10:04.290 --> 00:10:09.180 deactivate the HTTP capability on these devices to remove them 168 00:10:09.180 --> 00:10:11.760 from the internet, which was a mitigation. So, dropped to 169 00:10:11.760 --> 00:10:15.030 36,000. And then, without warning, they suddenly dropped 170 00:10:15.030 --> 00:10:21.330 to 1,200. So, the question was, who did this? Could it have been 171 00:10:21.360 --> 00:10:25.230 grey hat hackers, who came in and proactively knocked these 172 00:10:25.230 --> 00:10:29.310 devices off the publicly-connected internet, so 173 00:10:29.310 --> 00:10:33.030 that organizations wouldn't get hacked before they had time to 174 00:10:33.030 --> 00:10:36.180 eventually patch. That was kind of a hopeful note that was 175 00:10:36.180 --> 00:10:39.300 added. What it appears to actually have been, 176 00:10:39.300 --> 00:10:43.950 unfortunately, is the attackers returning to their devices. And, 177 00:10:43.980 --> 00:10:46.560 they know how they've been fingerprinted. The ones they've 178 00:10:46.560 --> 00:10:51.060 hacked, so they changed things up a little bit. They added an 179 00:10:51.060 --> 00:10:56.670 HTTP authorization header. So now, when a scan comes in and 180 00:10:56.670 --> 00:11:01.830 looks for the string that would indicate these had been hacked, 181 00:11:02.490 --> 00:11:06.090 if that scan doesn't have the right username and password, to 182 00:11:06.090 --> 00:11:09.990 do a little handshake with the piece of hardware, it doesn't 183 00:11:09.990 --> 00:11:13.860 respond to the scan. 
And so, that's why the number of 184 00:11:13.860 --> 00:11:17.790 obviously hacked devices had dropped to 1,200. Researchers 185 00:11:17.790 --> 00:11:20.640 have changed things up, and now they have a new way to 186 00:11:20.640 --> 00:11:24.720 fingerprint the devices. And, lo and behold, when they use this 187 00:11:24.990 --> 00:11:28.860 new technique the number of infected devices has actually 188 00:11:28.860 --> 00:11:33.150 now risen to about 38,000. So, it's gone up slightly, even from 189 00:11:33.180 --> 00:11:37.260 before. So, the long and the short of it is anyone who's 190 00:11:37.260 --> 00:11:40.980 running a Cisco device that has this sort of operating system 191 00:11:41.310 --> 00:11:44.040 should mitigate, if the patches are available, they should get 192 00:11:44.040 --> 00:11:47.940 them in place as quickly as possible. And, all of them, 193 00:11:48.000 --> 00:11:51.540 whether or not they've mitigated or patched or not, need to be 194 00:11:51.570 --> 00:11:55.770 looking at their security logs for signs of compromise because 195 00:11:55.830 --> 00:11:59.730 this is a mass exploitation. And, it's very likely that 196 00:11:59.730 --> 00:12:04.110 attackers have come in and later disguised their tracks, having 197 00:12:04.110 --> 00:12:08.190 already pivoted into other parts of the network. So, a very 198 00:12:08.190 --> 00:12:11.940 serious hacking campaign, which I think is going to be causing a 199 00:12:11.940 --> 00:12:14.220 lot of damage for the foreseeable future, because a 200 00:12:14.220 --> 00:12:17.100 lot of organizations probably won't be spotting this activity, 201 00:12:17.370 --> 00:12:20.550 even though they should be trying to chase it down. 202 00:12:21.590 --> 00:12:23.480 Anna Delaney: Very serious, indeed. 
And, how do you think 203 00:12:23.720 --> 00:12:27.890 the attackers' tactics really reflect the evolving nature of 204 00:12:27.890 --> 00:12:30.770 cyberthreats and what this means for our security measures? 205 00:12:30.000 --> 00:12:30.870 Mathew Schwartz: If anything can be hacked in a mass campaign, 206 00:12:30.870 --> 00:12:33.180 and attackers can figure out a way to do it, they're going to 207 00:12:33.240 --> 00:12:43.950 do it. And, we've seen this with secure file sharing software, 208 00:12:44.130 --> 00:12:48.720 the CL0P ransomware group keeps hitting it again and again. And, 209 00:12:48.720 --> 00:12:52.290 it's not always clear that it's that detrimental of an attack 210 00:12:52.290 --> 00:12:56.220 depending on what's being stored on these devices. Something like 211 00:12:56.220 --> 00:12:59.790 this Cisco networking gear, though, it's widely used, used 212 00:12:59.790 --> 00:13:03.960 by tons of telecommunications companies, the majority of 213 00:13:04.140 --> 00:13:07.140 victims - based on scans - are in the U.S., followed by the 214 00:13:07.140 --> 00:13:11.130 Philippines. So, I think if you're a nation-state attacker, 215 00:13:11.160 --> 00:13:15.150 and you can execute this sort of attack, hit all of these 216 00:13:15.150 --> 00:13:19.050 endpoints, find some that look really juicy and exciting, you 217 00:13:19.050 --> 00:13:24.060 can take down some really big targets. So, it reinforces the 218 00:13:24.060 --> 00:13:28.500 need for monitoring tons of defense in depth, because you 219 00:13:28.500 --> 00:13:31.980 cannot stop all these zero-day attacks. What you can hope to 220 00:13:31.980 --> 00:13:36.300 do, though, is to see signs of unauthorized or suspicious 221 00:13:36.300 --> 00:13:40.410 activity. 
So, even if they've gotten purchase on this type of 222 00:13:40.410 --> 00:13:44.190 hardware, when they try to pivot into your network, they get 223 00:13:44.190 --> 00:13:47.280 blocked, or they get blocked for long enough that you figure out 224 00:13:47.280 --> 00:13:49.470 what's going on and really lock it down. 225 00:13:49.000 --> 00:13:52.900 Tom Field: And, P.S. Mat, this is happening in parallel what 226 00:13:52.900 --> 00:13:56.620 we're seeing happening with Okta right now. And, Okta's customers 227 00:13:56.620 --> 00:13:59.020 aren't just feeling it, Okta itself is feeling it in the 228 00:13:59.020 --> 00:14:01.960 market valuation. So, tough week for security vendors. 229 00:14:02.380 --> 00:14:05.170 Mathew Schwartz: Tough week, and Okta's customer support system 230 00:14:05.170 --> 00:14:10.600 was hacked. And, it was informed of this by, at least, 231 00:14:10.600 --> 00:14:16.420 BeyondTrust and, also, by Cloudflare, among the other 232 00:14:16.420 --> 00:14:18.790 organizations that have come forward to say they got hit, and 233 00:14:18.790 --> 00:14:22.270 it took Okta a few weeks to figure this out. So, attackers 234 00:14:22.270 --> 00:14:26.140 are going for any angle they can think of, and like you say, this 235 00:14:26.140 --> 00:14:29.620 isn't the first time we've seen this sort of pivot hit a 236 00:14:29.620 --> 00:14:33.970 widely-used piece of software or service, and then try to get to 237 00:14:33.970 --> 00:14:35.590 as many of their customers as possible. 238 00:14:37.430 --> 00:14:39.710 Anna Delaney: Excellent insight, and yes, to be continued, of 239 00:14:39.710 --> 00:14:44.330 course. Thanks, Mat. So, Suparna you've been talking to a wide 240 00:14:44.390 --> 00:14:47.660 range of security leaders and legal experts this week about 241 00:14:47.660 --> 00:14:51.140 Indonesia's recently formed data protection law and the 242 00:14:51.140 --> 00:14:54.440 challenges faced by businesses in the country. 
So, how are 243 00:14:54.440 --> 00:14:56.240 businesses dealing with this new law? 244 00:14:57.830 --> 00:15:00.170 Suparna Goswami: Sure, Anna! So, I have spoken to you before on 245 00:15:00.170 --> 00:15:04.010 how various countries in APAC are now coming up with privacy 246 00:15:04.010 --> 00:15:06.800 law and are even thinking whether to have a unified law 247 00:15:06.830 --> 00:15:11.810 across APAC. But, as I said before, each country is facing 248 00:15:11.810 --> 00:15:14.630 its own challenges. So, I thought of speaking with a panel 249 00:15:14.630 --> 00:15:18.710 of CISOs from Indonesia. So, Indonesia enacted its first 250 00:15:18.740 --> 00:15:22.310 Personal Data Protection law last year, around September. 251 00:15:22.910 --> 00:15:24.980 And, the interesting thing about this law is that it came out 252 00:15:24.980 --> 00:15:28.250 last year, but it comes into force only next year. So, 253 00:15:28.250 --> 00:15:32.210 essentially, government has given them - the practitioners, 254 00:15:32.210 --> 00:15:35.390 the enterprises - two years to prepare themselves. So, 255 00:15:35.390 --> 00:15:40.400 technically, the law is not enforced as of now. So, let me 256 00:15:40.400 --> 00:15:45.410 start with the challenges. Like, though it is saying that it will 257 00:15:45.410 --> 00:15:50.480 get enforced next year, the practitioners are asking whether 258 00:15:50.480 --> 00:15:54.230 they can postpone it further by a couple of years more. So, 259 00:15:54.230 --> 00:15:57.650 where are the challenges? So, let me start with the challenge. 260 00:15:57.650 --> 00:16:00.050 The first challenge they spoke about, of course, which is 261 00:16:00.050 --> 00:16:04.820 common across the globe, and ASEAN, is not having sufficient 262 00:16:04.820 --> 00:16:09.530 cybersecurity professionals. 
So, Indonesia, I discovered, has, in 263 00:16:09.530 --> 00:16:14.270 total, only 100 CISOs, the entire country has only 100 264 00:16:14.270 --> 00:16:18.200 CISOs, and that too, this happened in the past one year, 265 00:16:18.320 --> 00:16:23.690 before that there were hardly some 20-30 CISOs across the 266 00:16:23.720 --> 00:16:27.710 country. So, the PDP law now requires every data controller 267 00:16:27.710 --> 00:16:31.670 to appoint a data protection officer. And, of course, the 268 00:16:31.670 --> 00:16:35.270 country which has only 100 CISOs appointing a data protection 269 00:16:35.270 --> 00:16:38.510 officer on top of that will be tough. The president of ISC2, I 270 00:16:38.510 --> 00:16:41.900 spoke to him as well, said IT people are being appointed as 271 00:16:41.900 --> 00:16:45.890 CISOs, their certifications are going on. But, of course, it's a 272 00:16:45.890 --> 00:16:48.530 very haphazard process, they annoy me to understand the 273 00:16:48.530 --> 00:16:52.730 entire security. So, the progress has been very slow. So, 274 00:16:52.730 --> 00:16:56.180 other aspects of the law, which are not very clear. Now, who 275 00:16:56.180 --> 00:16:58.760 will be the privacy regulator, as of now, the Ministry of 276 00:16:58.760 --> 00:17:03.500 Communication is responsible, is the one who designed the policy 277 00:17:03.500 --> 00:17:06.230 and who's the one who came out with this, but going forward who 278 00:17:06.230 --> 00:17:10.460 will head the privacy agency. Even after a year it has been 279 00:17:10.460 --> 00:17:14.000 announced, there is no communication in this regard. 280 00:17:14.360 --> 00:17:17.060 What, specifically, this agency's role will be and how 281 00:17:17.060 --> 00:17:20.960 this agency will interact with other ministries. For example, 282 00:17:21.830 --> 00:17:26.600 as far as the financial industry is concerned, financial industry 283 00:17:26.600 --> 00:17:33.950 is regulated by the OJK. 
So, will the one heading the privacy 284 00:17:34.070 --> 00:17:37.490 interact with OJK, because OJK too came out with certain 285 00:17:38.570 --> 00:17:42.110 cybersecurity regulations for the financial industry. So, 286 00:17:42.110 --> 00:17:44.600 banks are anyway struggling to meet that, on top of which, 287 00:17:44.630 --> 00:17:49.460 there is a privacy law that they now have to adhere to. Now cross 288 00:17:49.460 --> 00:17:52.400 border data transfer, the rule is that the recipient country 289 00:17:52.400 --> 00:17:56.030 should have same or higher level of data security controls in 290 00:17:56.030 --> 00:18:01.370 place. But again, how does one ensure that, how will the 291 00:18:01.370 --> 00:18:04.250 government come out to the list, there is no list that has been 292 00:18:04.250 --> 00:18:10.760 shared so far. And, as far as DPO is concerned, only specific 293 00:18:10.760 --> 00:18:14.960 businesses need to appoint a DPO. Again, none of the 294 00:18:14.960 --> 00:18:18.740 companies have any clarity on, you know, the specifications 295 00:18:18.740 --> 00:18:21.680 because nothing has been mentioned. Like, which are the 296 00:18:21.680 --> 00:18:25.940 companies who need to appoint a DPO or which are the businesses 297 00:18:26.300 --> 00:18:28.790 that qualify for this, nothing has been mentioned. So, 298 00:18:28.790 --> 00:18:31.250 essentially, only an announcement has been made, a 299 00:18:31.250 --> 00:18:35.210 year has passed, but there is, literally, no clarity on what 300 00:18:35.630 --> 00:18:39.860 businesses need to do. And, it also says that businesses should 301 00:18:39.860 --> 00:18:42.950 review existing data flow and categories of data that has been 302 00:18:42.950 --> 00:18:47.300 processed. So, again, you know, the law specifies which category 303 00:18:47.300 --> 00:18:51.110 requires what requirements, what data flow needs to be measured 304 00:18:51.110 --> 00:18:54.020 in what category again? 
I mean, there are challenges. So, there 305 00:18:54.020 --> 00:19:00.470 is no clarity. So, I had a conversation with the CISOs, and 306 00:19:00.470 --> 00:19:05.390 they are literally saying that we are asking the regulator, the 307 00:19:05.390 --> 00:19:09.320 Ministry of Communication, to postpone it even further because 308 00:19:09.650 --> 00:19:13.370 a year has passed and no clarity has been given. Just, there's 309 00:19:13.370 --> 00:19:17.630 this skeleton; that is that. So, and even how consent should be 310 00:19:17.630 --> 00:19:20.510 obtained, they have little clarification on that, whether 311 00:19:20.510 --> 00:19:23.780 it's just terms and conditions, whether it's in writing. So, 312 00:19:23.780 --> 00:19:27.620 yes, like a typical new law that is there. There is a lot of 313 00:19:27.620 --> 00:19:32.210 confusion. But, what I found it surprising is the country which 314 00:19:32.210 --> 00:19:36.170 is, I think, the third or the fourth most populated country in 315 00:19:36.170 --> 00:19:42.380 Asia, I think. Third, I think, yeah, the entire country has 100 316 00:19:42.380 --> 00:19:45.590 CISOs, and, that too, of them 70 have been appointed in the last 317 00:19:45.590 --> 00:19:46.610 one year in a hurried manner. 318 00:19:47.710 --> 00:19:49.870 Anna Delaney: The confusion, the lack of clarity. Did the 319 00:19:49.870 --> 00:19:52.840 panelists share any recommendations for businesses 320 00:19:52.870 --> 00:19:56.590 in Indonesia looking to improve and enhance their cybersecurity 321 00:19:56.590 --> 00:19:57.250 practices? 322 00:19:57.700 --> 00:19:59.470 Suparna Goswami: Yes, so they said, you know, they should 323 00:19:59.470 --> 00:20:04.120 review how, you know data processors are probably 324 00:20:04.120 --> 00:20:07.570 responding to data at the moment or how a third party is 325 00:20:07.570 --> 00:20:11.080 implementing this responsiveness of data, how are they tracking 326 00:20:11.080 --> 00:20:14.590 it. 
This is one of the things that they said needs to be done. 327 00:20:14.950 --> 00:20:21.970 They should review the existing data flow, and plus I think one 328 00:20:21.970 --> 00:20:26.860 thing they said is very important is know what kind of 329 00:20:26.860 --> 00:20:32.020 data you have, categorize those data, because, especially the 330 00:20:32.020 --> 00:20:37.780 banking industry, they have a lot of data of consumers. So, 331 00:20:37.780 --> 00:20:41.740 categorize which is the personal data, which data is something 332 00:20:41.740 --> 00:20:45.280 that can be shared with others. So, that categorization of data, 333 00:20:45.850 --> 00:20:49.060 none of them have started, even the biggest bank there, they 334 00:20:49.060 --> 00:20:52.120 have not started. So I asked them, in fact that, you know, a 335 00:20:52.120 --> 00:20:55.330 lot of companies there would be adhering to GDPR. So how about 336 00:20:55.330 --> 00:20:58.780 those companies? And unfortunately, only two banks 337 00:20:59.110 --> 00:21:05.500 there are adhering to GDPR. None of them are because they don't 338 00:21:05.500 --> 00:21:09.700 really have that kind of exposure. So yes, there's a lot 339 00:21:09.700 --> 00:21:14.530 of work to do. But, hopefully, things will pan out. But, as of 340 00:21:14.530 --> 00:21:17.920 now, it looks difficult. Next year, I'm not sure whether they 341 00:21:17.920 --> 00:21:21.550 will have the law that will be implemented. It will take 342 00:21:21.550 --> 00:21:25.300 another couple of years. That's what I've been hearing from even 343 00:21:25.300 --> 00:21:26.500 the financial regulator. 344 00:21:27.130 --> 00:21:28.630 Anna Delaney: Very good, well, thank you so much for sharing 345 00:21:28.660 --> 00:21:32.170 Suparna; that was great. 
And, finally, and just for fun, 346 00:21:32.290 --> 00:21:36.970 what's the most unexpected or amusing or downright bizarre use 347 00:21:36.970 --> 00:21:40.450 of AI you've come across in the realm of cybersecurity news 348 00:21:40.630 --> 00:21:42.460 recently. Tom, go for it. 349 00:21:42.940 --> 00:21:44.200 Tom Field: I've got something to share with you first, I don't 350 00:21:44.200 --> 00:21:48.070 know if you've seen this. This is the ChatGPT Halloween 351 00:21:48.070 --> 00:21:55.810 costume. So, get yours today. I gotta say, Anna, you and I've 352 00:21:55.810 --> 00:21:58.660 talked about this before, the thing I can't get past is AI 353 00:21:58.660 --> 00:22:02.710 hallucinations. And, I know I've experienced it as well, I asked 354 00:22:02.740 --> 00:22:06.820 ChatGPT to help me with my own biography. And, it came up with 355 00:22:06.820 --> 00:22:10.330 things I wasn't aware of! Completely invented things. So, 356 00:22:10.330 --> 00:22:13.210 the whole AI hallucinations; I'm wondering if we're projecting 357 00:22:13.210 --> 00:22:15.760 down the road, if in the few years, we're talking about AI 358 00:22:15.760 --> 00:22:17.680 flashbacks. That's my fear. 359 00:22:18.280 --> 00:22:20.110 Anna Delaney: At least it recognized you, I didn't think 360 00:22:20.110 --> 00:22:25.690 it even knew who I was! So, let's talk! Suparna, what have 361 00:22:25.690 --> 00:22:26.110 you seen? 362 00:22:26.170 --> 00:22:28.180 Suparna Goswami: That's where I'm not sure about his 363 00:22:28.180 --> 00:22:33.940 genuineness. But, I found it so funny. In fact, Prajeet was the 364 00:22:33.940 --> 00:22:37.930 one who showed me this. So, a hacker group pranks a rival 365 00:22:37.960 --> 00:22:40.930 group using AI to mimic the voice of the rival group's 366 00:22:40.930 --> 00:22:44.620 leader that contains instruction like delete all your files and 367 00:22:44.620 --> 00:22:48.220 format your hard drive. 
And, the messages are so convincing that 368 00:22:48.220 --> 00:22:52.210 they actually carry this out. So, again, I'm not sure about 369 00:22:52.210 --> 00:22:54.820 the genuineness, but apparently they transferred all the 370 00:22:54.820 --> 00:22:58.570 Bitcoins to the rival group. And, they posted this video 371 00:22:58.570 --> 00:23:03.040 making fun of them. But, yeah, there was this news there and I 372 00:23:03.040 --> 00:23:08.890 found it really funny. Like, you know, the hacker, probably, you 373 00:23:08.890 --> 00:23:10.270 know, phishing, the other hacker group. 374 00:23:11.320 --> 00:23:13.660 Anna Delaney: Amazing. Yeah! Mat? 375 00:23:14.800 --> 00:23:17.560 Mathew Schwartz: So, it's going to seem pretty basic, probably. 376 00:23:17.560 --> 00:23:21.940 But, for a lot of the interviews I do, I'm transcribing them now 377 00:23:21.940 --> 00:23:27.730 using AI-enabled transcription tools. And, it's great with lots 378 00:23:27.730 --> 00:23:30.880 of different kinds of American accents. But, I find that it can 379 00:23:30.880 --> 00:23:36.760 really struggle with Scottish accents, and especially with 380 00:23:36.790 --> 00:23:40.900 Northern Irish accents, to the point where I will have to read 381 00:23:40.900 --> 00:23:45.070 the transcripts out to myself, filled with seemingly legitimate 382 00:23:45.070 --> 00:23:50.170 words, but attempting to hear what it was hearing in terms of 383 00:23:50.170 --> 00:23:55.210 the actual words being used. So, there's an extra step there. It 384 00:23:55.210 --> 00:23:58.570 does transcribe, but it's more of the sounds as opposed to the 385 00:23:58.570 --> 00:24:03.100 actual words. So, just a little misstep perhaps on the road to 386 00:24:03.520 --> 00:24:04.420 AI autonomy. 387 00:24:04.870 --> 00:24:07.030 Tom Field: And, again, AI is confident when it has no right 388 00:24:07.030 --> 00:24:07.360 to be! 389 00:24:08.050 --> 00:24:12.730 Anna Delaney: Yes, any funny examples? A word...? 
390 00:24:12.760 --> 00:24:13.870 Mathew Schwartz: You don't want to hear my Northern Irish 391 00:24:13.870 --> 00:24:18.880 accent. I don't want to see that lack of fan mail there. Sorry. 392 00:24:19.740 --> 00:24:22.529 Anna Delaney: Well, the most bizarre press release I've come 393 00:24:22.590 --> 00:24:26.169 across is something that you sent me Mat, like a few months 394 00:24:26.229 --> 00:24:29.747 ago. The headline read AI just created the best girlfriend 395 00:24:29.808 --> 00:24:33.507 you'll ever have. So, dream GF is a new cutting-edge platform 396 00:24:33.568 --> 00:24:36.358 that purports to be revolutionising the dating 397 00:24:36.419 --> 00:24:40.118 industry with AI, and from what I gather, you can create your 398 00:24:40.179 --> 00:24:43.818 perfect girlfriend and your dream girlfriend, which includes 399 00:24:43.879 --> 00:24:47.154 having engaging conversations and embarking on virtual 400 00:24:47.214 --> 00:24:50.550 adventures. I mean, who can imagine, but that isn't the 401 00:24:50.611 --> 00:24:54.371 strangest thing. The best line from the press release was "you 402 00:24:54.432 --> 00:24:58.132 can even create your first two girlfriends for free!" Oh, how 403 00:24:58.000 --> 00:25:03.130 Tom Field: Lot of confidence in a long relationship, I see. 404 00:24:58.192 --> 00:24:58.860 we laughed. 405 00:25:04.750 --> 00:25:06.640 Mathew Schwartz: It was so revolutionary, Anna! I've 406 00:25:06.640 --> 00:25:09.160 actually literally blocked that from my mind until you just 407 00:25:09.160 --> 00:25:09.790 mentioned it. 408 00:25:11.580 --> 00:25:13.980 Anna Delaney: Yeah, find a cybersecurity angle there. Well, 409 00:25:14.010 --> 00:25:17.040 Mathew, Suparna, Tom, thank you so much. This has been a 410 00:25:17.040 --> 00:25:18.570 pleasure. Excellent as always! 411 00:25:19.780 --> 00:25:22.300 Tom Field: Thank you for giving us a new definition of trick or 412 00:25:22.300 --> 00:25:22.660 treat. 
413 00:25:24.760 --> 00:25:27.340 Anna Delaney: Can't beat that! Brilliant line to end on! Thank 414 00:25:27.340 --> 00:25:28.960 you so much for watching. Until next time.