WEBVTT 1 00:00:07.140 --> 00:00:09.600 Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm 2 00:00:09.600 --> 00:00:13.200 Anna Delaney. And this is our final episode of 2023, where 3 00:00:13.200 --> 00:00:16.140 we'll be sharing a selection of our top interviews of the year. 4 00:00:16.530 --> 00:00:19.440 And joining me on this reflective episode: Tom Field, 5 00:00:19.470 --> 00:00:22.230 senior vice president of Editorial, Marianne Kolbasuk 6 00:00:22.230 --> 00:00:25.350 McGee, executive editor for HealthcareInfoSecurity, and 7 00:00:25.350 --> 00:00:28.260 Mathew Schwartz, executive editor of DataBreachToday and 8 00:00:28.260 --> 00:00:30.120 Europe. Wonderful to see you all. 9 00:00:32.970 --> 00:00:37.230 So, Tom, you're keeping warm by your fireplace. 10 00:00:37.290 --> 00:00:39.900 Tom Field: You have no idea how stacked that fireplace is right 11 00:00:39.900 --> 00:00:42.870 now. Yes, I thought we'd have a fireside chat today. So welcome. 12 00:00:42.000 --> 00:00:46.710 Anna Delaney: Love it. Marianne, keeping warm? 13 00:00:47.670 --> 00:00:51.570 Marianne McGee: Oh, yeah. Well, since the view outside of the 14 00:00:51.570 --> 00:00:55.200 hotel, they had to stay out when we had a power outage earlier 15 00:00:55.200 --> 00:00:59.460 this week. And so the view once the storm ended was pretty, you 16 00:00:59.460 --> 00:01:02.550 know, so that's nice to see the silver lining, I guess. 17 00:01:03.720 --> 00:01:06.660 Anna Delaney: Nice comment. Both you and Tom had quite the week, 18 00:01:06.780 --> 00:01:11.700 I hear. And Mathew, snowman behind you? 19 00:01:12.360 --> 00:01:15.300 Mathew Schwartz: Yes. Not my snowman. No, I've found snowman 20 00:01:15.300 --> 00:01:18.660 community snowman. We've had a little bit of snow here in 21 00:01:18.690 --> 00:01:23.130 Scotland, not too much. And I don't know if we'll get any more 22 00:01:23.130 --> 00:01:26.370 this year. It can be very fleeting. 
So it's fun to play 23 00:01:26.400 --> 00:01:27.270 while we have it. 24 00:01:27.840 --> 00:01:28.950 Tom Field: Way more than we have. 25 00:01:30.720 --> 00:01:32.160 Anna Delaney: Well, can anyone guess where I am? 26 00:01:34.590 --> 00:01:35.760 Tom Field: Looks very familiar. 27 00:01:37.050 --> 00:01:39.930 Anna Delaney: Yes, I am at one of the ISMG studios at RSA 28 00:01:39.930 --> 00:01:43.050 Conference earlier this year. And Matt, you might be able to 29 00:01:43.050 --> 00:01:44.670 see yourself. 30 00:01:46.670 --> 00:01:49.361 Mathew Schwartz: Oh, wow! I'm in two places at once, maybe. Wow. 31 00:01:49.419 --> 00:01:50.450 That's incredible. 32 00:01:50.000 --> 00:01:53.081 Anna Delaney: But I thought it'd be nice to share one of the many 33 00:01:53.141 --> 00:01:56.766 memories you've had at various studios across the globe this 34 00:01:56.827 --> 00:02:00.391 year. And it's always a pleasure to interview our guests in 35 00:02:00.452 --> 00:02:03.835 person but also a great opportunity to hang out with you 36 00:02:03.895 --> 00:02:07.581 and spend time with the team. Well, Tom, 2023 was a very busy 37 00:02:07.641 --> 00:02:11.085 year to say the least. Forrester analyst Allie Mellen 38 00:02:11.145 --> 00:02:14.952 described it as chaotic on last week's Editors' Panel, economic 39 00:02:15.012 --> 00:02:18.697 uncertainties seemed to dominate much of the year, as well as 40 00:02:18.758 --> 00:02:22.141 unfortunately many layoffs at security companies. We saw 41 00:02:22.202 --> 00:02:25.585 high-profile espionage hacks, many software supply chain 42 00:02:25.645 --> 00:02:29.270 breaches. And of course, the emergence of generative AI kept 43 00:02:29.331 --> 00:02:32.775 all sectors busy. And I'm sure all those topics have been 44 00:02:32.835 --> 00:02:36.520 discussed in your interviews, however, which interview stands 45 00:02:36.581 --> 00:02:37.850 out among all others? 
46 00:02:38.890 --> 00:02:40.570 Tom Field: Well, it's a tough one. Because think about it, 47 00:02:40.570 --> 00:02:44.500 this was the first year we got to go back to RSA Conference 48 00:02:44.650 --> 00:02:48.160 post-COVID. First time I had the opportunity to go to Black Hat 49 00:02:48.400 --> 00:02:52.180 post-COVID. And just the number of conversations that we do day 50 00:02:52.180 --> 00:02:55.600 in, day out, who haven't we had the opportunity to speak with 51 00:02:55.600 --> 00:03:00.250 really, but if I had to narrow it down, choose one, the one I'm 52 00:03:00.250 --> 00:03:04.450 going to choose is with Anne Neuberger, deputy assistant to 53 00:03:04.450 --> 00:03:07.390 the President and deputy national security advisor for 54 00:03:07.390 --> 00:03:11.500 cyber and emerging tech, based in the White House. We had the 55 00:03:11.500 --> 00:03:15.610 opportunity to speak with her at RSA, and we spoke about many 56 00:03:15.610 --> 00:03:18.250 things, we spoke about the President's cybersecurity goals, 57 00:03:18.250 --> 00:03:21.910 we spoke about a critical infrastructure protection area 58 00:03:21.910 --> 00:03:25.600 that they hadn't addressed yet, the executive order. But what I 59 00:03:25.600 --> 00:03:29.290 want to share with you today was when I asked her what are the 60 00:03:29.290 --> 00:03:33.340 highlights of what you've done so far, essentially midway 61 00:03:33.340 --> 00:03:35.830 through the term at the point that we talked. So I want to 62 00:03:35.830 --> 00:03:38.830 share with you her response on the highlights of what the 63 00:03:38.830 --> 00:03:40.960 administration has done for cybersecurity. 64 00:03:41.740 --> 00:03:43.810 Anne Neuberger: It's a great question. I think to your point, 65 00:03:43.840 --> 00:03:48.310 the executive order really said two core messages. 
One, we will 66 00:03:48.310 --> 00:03:51.550 practice what we preach, and we set aggressive guidelines for 67 00:03:51.760 --> 00:03:54.670 improving cybersecurity across federal government networks. 68 00:03:54.880 --> 00:03:57.670 That was in the aftermath of SolarWinds that compromised 69 00:03:58.300 --> 00:04:01.960 quite a few sensitive federal government networks. The second 70 00:04:01.960 --> 00:04:05.590 piece was we said, we in the U.S. government buy large 71 00:04:05.590 --> 00:04:09.940 amounts of technology and we buy the same tech American companies 72 00:04:09.940 --> 00:04:12.760 are buying, let's use the power of the purse to say we will only 73 00:04:12.760 --> 00:04:16.030 buy software that meets these critical security standards. 74 00:04:16.030 --> 00:04:20.110 Let's establish that standard. And by our own purchases, lift 75 00:04:20.110 --> 00:04:23.230 that up. There were many elements of the executive order. 76 00:04:23.620 --> 00:04:27.220 Those were two key ones that we focused on. When we look at the 77 00:04:27.220 --> 00:04:30.700 National Cybersecurity strategy, you have, of course that first 78 00:04:30.700 --> 00:04:34.120 piece where it captures the work done to improve the security of 79 00:04:34.120 --> 00:04:36.670 critical infrastructure I mentioned a moment ago. It 80 00:04:36.670 --> 00:04:40.480 focuses on our international partnerships. And it focuses as 81 00:04:40.480 --> 00:04:42.880 well to say there's a shared partnership between the 82 00:04:42.880 --> 00:04:46.960 companies who build tech, and the companies who use tech. And 83 00:04:46.990 --> 00:04:50.080 as tech is a bigger part of our economy is a bigger part of our 84 00:04:50.080 --> 00:04:53.620 critical infrastructure, the companies who build tech really 85 00:04:53.620 --> 00:04:57.130 need to recognize their role in building tech that's as secure 86 00:04:57.130 --> 00:04:57.820 as possible. 
87 00:04:58.450 --> 00:05:11.830 Anna Delaney: So much more to share .. that's a good one. 88 00:05:02.050 --> 00:05:05.406 Loved it. Brilliant interview. And, Tom, how do you assess the 89 00:05:05.460 --> 00:05:08.438 effectiveness of the Biden administration's approach to 90 00:05:08.492 --> 00:05:11.686 cybersecurity, seeing as we have the National Cybersecurity 91 00:05:11.740 --> 00:05:13.960 Strategy and more recently, the EO on AI? 92 00:05:13.000 --> 00:05:17.440 Tom Field: Yeah, this administration has paid more 93 00:05:17.440 --> 00:05:20.830 attention to cybersecurity than any that we've seen to this 94 00:05:20.830 --> 00:05:24.100 point. And I think there's been some significant progress made, 95 00:05:24.100 --> 00:05:27.250 particularly when you look at how federal agencies have 96 00:05:27.250 --> 00:05:30.490 responded to the zero trust mandate, and to multi-factor 97 00:05:30.490 --> 00:05:33.460 authentication. I think you've seen some great advancements 98 00:05:33.460 --> 00:05:38.650 there. But what concerns me is that cybersecurity is no longer 99 00:05:38.980 --> 00:05:44.650 a bipartisan issue. Anything about security now comes down on 100 00:05:44.650 --> 00:05:47.800 political lines. And that concerns me particularly going 101 00:05:47.800 --> 00:05:50.680 into an election year. So I think the administration has 102 00:05:50.680 --> 00:05:55.300 done a decent job. But there are issues ahead because it's going 103 00:05:55.300 --> 00:05:56.710 to be hard to get agreement on anything. 104 00:05:57.640 --> 00:06:00.130 Anna Delaney: Challenging times ahead. Well, thank you. That was 105 00:06:00.130 --> 00:06:04.090 a great start, Tom. Marianne, moving to the healthcare sector 106 00:06:04.090 --> 00:06:07.090 now. So you've been kept very busy this year reporting on the 107 00:06:07.090 --> 00:06:10.270 many disruptions from both familiar and new threats 108 00:06:10.270 --> 00:06:12.970 targeting the industry. 
Same question, what's that one 109 00:06:12.970 --> 00:06:14.170 interview you'd like to share? 110 00:06:15.050 --> 00:06:19.490 Marianne McGee: Well, my choice in what sort of sums things up 111 00:06:20.000 --> 00:06:23.540 on kind of piggybacks on what Tom was just talking about when 112 00:06:23.540 --> 00:06:27.620 it comes to regulation. I spoke earlier this year with Senator 113 00:06:27.620 --> 00:06:34.220 Mark Warner, who's a Democrat in Virginia, about his plans to 114 00:06:34.220 --> 00:06:37.580 work on bipartisan legislation to bolster cybersecurity in the 115 00:06:37.580 --> 00:06:41.090 healthcare sector. Among his other leadership roles in 116 00:06:41.090 --> 00:06:43.940 Congress, Warner chairs the Senate Select Committee on 117 00:06:43.940 --> 00:06:49.400 Intelligence. Now, Warner late last year issued a whitepaper 118 00:06:49.400 --> 00:06:53.180 with a variety of proposals on how to push healthcare sector 119 00:06:53.180 --> 00:06:57.950 entities into taking a stronger security stance, and he received 120 00:06:57.950 --> 00:07:00.980 about 100 comments from healthcare industry stakeholders 121 00:07:00.980 --> 00:07:07.280 on those proposals. But while Congress has not yet moved 122 00:07:07.280 --> 00:07:12.500 forward with a bill to improve healthcare cybersecurity, in 123 00:07:12.500 --> 00:07:16.730 recent months, that effort has built some momentum among other 124 00:07:16.730 --> 00:07:20.060 Democrats and Republican lawmakers. For instance, 125 00:07:20.060 --> 00:07:25.130 Republican Senator Bill Cassidy of Louisiana, who is one of 19 126 00:07:25.130 --> 00:07:29.060 physicians in Congress, last month launched a working group 127 00:07:29.060 --> 00:07:33.080 with Warner and several other senators to investigate ways to 128 00:07:33.080 --> 00:07:37.070 bolster healthcare cybersecurity. 
In the meantime, 129 00:07:37.250 --> 00:07:41.210 as Tom mentioned, the Biden administration is also pushing 130 00:07:41.210 --> 00:07:44.870 forward with recently proposed cybersecurity strategy for the 131 00:07:44.870 --> 00:07:49.460 healthcare sector. Now, some of the Biden proposals are similar 132 00:07:49.460 --> 00:07:53.150 to the ones that Warner has been keen on. And that includes 133 00:07:53.150 --> 00:07:56.960 potential regulatory sticks and carrots for hospitals that 134 00:07:56.960 --> 00:08:00.710 participate in Medicare programs, including financial 135 00:08:00.710 --> 00:08:04.970 incentives or penalties in Medicare reimbursements if those 136 00:08:04.970 --> 00:08:08.630 hospitals don't meet certain yet-to-be-specified 137 00:08:08.780 --> 00:08:14.030 cybersecurity performance goals. Now, as part of that strategy, 138 00:08:14.030 --> 00:08:17.690 the Biden administration is also looking to overhaul the HIPAA 139 00:08:17.690 --> 00:08:21.050 Security Rule, which is also something Warner and some other 140 00:08:21.050 --> 00:08:24.890 lawmakers have been eyeing. But here's what Warner told me 141 00:08:24.890 --> 00:08:28.430 earlier this year about potential financial incentives 142 00:08:28.640 --> 00:08:32.330 and disincentives to promote better cybersecurity and health 143 00:08:32.330 --> 00:08:37.610 care sector. And why some groups oppose such proposals. 144 00:08:38.170 --> 00:08:42.640 Mark Warner: Whenever you talk about mandates, the trade 145 00:08:42.640 --> 00:08:47.050 associations all say "no, no, no," you know, that's going to 146 00:08:47.050 --> 00:08:49.810 be a cost a burden. Interestingly enough, and I 147 00:08:49.810 --> 00:08:54.580 thought this was very telling. 
While trade associations said 148 00:08:54.610 --> 00:09:00.130 government regulations are voluntary, a number of smaller 149 00:09:00.130 --> 00:09:04.120 hospital systems, even some of the doc groups that responded 150 00:09:04.120 --> 00:09:07.870 and said, You know what? Voluntary doesn't work. We've 151 00:09:07.870 --> 00:09:10.360 got to have some level of mandates. And this is not a 152 00:09:10.360 --> 00:09:14.320 complete analogy, but it was somebody who was in the telecom 153 00:09:14.320 --> 00:09:18.190 business before I got into politics. I still am haunted by 154 00:09:18.190 --> 00:09:22.000 the fact that 12 years ago, when we did the Affordable Care Act 155 00:09:22.420 --> 00:09:25.600 on electronic medical records, we didn't put any kind of 156 00:09:25.630 --> 00:09:28.960 interoperability requirements around so the promise of 157 00:09:29.230 --> 00:09:31.630 healthcare IT has never been fully realized. Because we've 158 00:09:31.630 --> 00:09:34.690 got all these isolated, separate systems that don't talk to each 159 00:09:34.690 --> 00:09:40.360 other. I think we have a little bit of the same on mandates and 160 00:09:40.720 --> 00:09:44.950 interoperability between cybersecurity systems around 161 00:09:44.950 --> 00:09:47.800 healthcare is something we're trying to sort through and 162 00:09:47.800 --> 00:09:52.780 obviously, that goes to a lot of systems around questions of 163 00:09:53.170 --> 00:09:57.700 rebates and what shared the federal pay so I think that will 164 00:09:57.700 --> 00:10:00.790 be an ongoing conversation next association. 165 00:10:01.230 --> 00:10:04.110 Marianne McGee: So it's also worth noting that it's not just 166 00:10:04.110 --> 00:10:07.740 the U.S. federal government that's looking for ways to 167 00:10:07.770 --> 00:10:11.130 improve healthcare sector cybersecurity, because after 168 00:10:11.130 --> 00:10:15.480 all, you know, the sector is a critical infrastructure sector. 
169 00:10:15.780 --> 00:10:19.920 Now, New York State has also this month published proposed 170 00:10:19.920 --> 00:10:23.040 regulations to boost cybersecurity at hospitals. 171 00:10:23.430 --> 00:10:26.820 Those proposals, however, are backed by a half a billion 172 00:10:26.820 --> 00:10:30.810 dollar budget request, hospitals would potentially be able to get 173 00:10:30.810 --> 00:10:34.830 financial assistance from the state choosing to help them 174 00:10:34.830 --> 00:10:37.710 invest in meeting those new requirements. So we'll have to 175 00:10:37.710 --> 00:10:42.480 see what happens not only in some of the states, but with the 176 00:10:42.480 --> 00:10:44.190 federal government in the year ahead. 177 00:10:45.270 --> 00:10:47.490 Anna Delaney: And Marianne, as you reflect on the past 12 178 00:10:47.490 --> 00:10:50.760 months, what significant lessons has the healthcare industry 179 00:10:50.760 --> 00:10:53.670 learned that could shape the challenges of 2024? 180 00:10:54.530 --> 00:10:56.900 Marianne McGee: Well, you know, some of the lessons are 181 00:10:56.900 --> 00:11:00.050 important ones, and not necessarily new ones. But I 182 00:11:00.050 --> 00:11:02.900 think this year was a very good example of how everyone 183 00:11:02.900 --> 00:11:06.110 continues to be a target in healthcare. You know, regardless 184 00:11:06.110 --> 00:11:09.290 of whether you're a large healthcare system with multiple 185 00:11:09.290 --> 00:11:14.300 hospitals, or a small doctor clinic, or a specialty provider, 186 00:11:14.300 --> 00:11:19.340 like imaging, and especially their vendors. 
Now, many of the 187 00:11:19.340 --> 00:11:22.010 largest breaches we've seen reported in the healthcare 188 00:11:22.010 --> 00:11:25.340 sector this year involve hacking incidents on more mainstream 189 00:11:25.340 --> 00:11:29.780 vendors, such as exploits on vulnerabilities in Progress 190 00:11:29.780 --> 00:11:33.800 Software's MOVEit, and Fortra's GoAnywhere File Transfer 191 00:11:33.800 --> 00:11:37.700 software. But there's also been a significant number of 192 00:11:37.730 --> 00:11:41.780 ransomware and data exfiltration attacks on the more fishy types 193 00:11:41.780 --> 00:11:45.830 of vendors, such as medical transcription firm Perry Johnson 194 00:11:45.830 --> 00:11:49.820 & Associates, which affected many of its clients and at least 195 00:11:49.820 --> 00:11:56.000 9 million patients. The lessons emerging from these incidents are 196 00:11:56.000 --> 00:11:58.370 things that we hear so much about all the time, you know, 197 00:11:58.370 --> 00:12:02.420 patching vulnerabilities quickly, as soon as they're 198 00:12:02.420 --> 00:12:07.010 known, keeping software up to date, regularly backing up data, 199 00:12:07.280 --> 00:12:11.630 implementing multi-factor authentication, anti-malware 200 00:12:11.720 --> 00:12:16.970 software, phishing awareness for employees, log and systems 201 00:12:16.970 --> 00:12:21.290 monitoring and deleting old files containing patient 202 00:12:21.290 --> 00:12:24.950 information that's no longer needed for business, or no 203 00:12:24.950 --> 00:12:29.720 longer required to be saved for regulatory purposes. Now, again, 204 00:12:29.720 --> 00:12:33.320 none of those recommendations are new. But many of these 205 00:12:33.320 --> 00:12:37.580 measures still aren't done and healthcare was thus, you know, 206 00:12:37.580 --> 00:12:41.450 this push to have some sort of government mandates to make 207 00:12:41.660 --> 00:12:46.220 these entities do these things. 
And in some cases, it's as 208 00:12:46.220 --> 00:12:50.540 simple as either performing a comprehensive risk analysis, 209 00:12:50.540 --> 00:12:53.330 which again, many entities in the healthcare sector fail to 210 00:12:53.330 --> 00:12:58.700 do, or even having a CISO. The New York proposals that I just 211 00:12:58.700 --> 00:13:03.290 mentioned a few moments earlier, has a requirement that hospitals 212 00:13:03.290 --> 00:13:05.990 would have to have a system many still don't. 213 00:13:08.150 --> 00:13:10.730 Anna Delaney: Very surprising, but also great analysis there. 214 00:13:10.730 --> 00:13:14.330 Thank you very much, Marianne. Matt, last but not least, I 215 00:13:14.330 --> 00:13:16.280 believe you're sharing some cautionary advice from one of 216 00:13:16.280 --> 00:13:17.930 the industry's top minds. 217 00:13:19.520 --> 00:13:21.410 Mathew Schwartz: Yes, definitely. So earlier this 218 00:13:21.410 --> 00:13:26.630 month was the annual Black Hat Europe in London. And the 219 00:13:26.630 --> 00:13:31.490 conference's founder and creator Jeff Moss, always does a great 220 00:13:31.490 --> 00:13:36.740 job, jumping up on stage introducing keynotes, giving 221 00:13:36.740 --> 00:13:40.130 some bookends to the conference in terms of what we're going to 222 00:13:40.130 --> 00:13:43.700 be hearing about, then what we heard about, but also 223 00:13:43.700 --> 00:13:47.510 highlighting some trends. And he said that the InfoSec community 224 00:13:47.510 --> 00:13:53.540 has two dates that it needs to be aware on his calendar 2024. 225 00:13:53.840 --> 00:13:57.320 The first is because there's going to be major elections 226 00:13:57.320 --> 00:14:00.350 across the more than half the world, including a U.S. 227 00:14:00.380 --> 00:14:06.140 presidential election. If you recall, in 2016, the U.S. 
didn't 228 00:14:06.140 --> 00:14:10.850 do a great job of resisting Russian attempts to interfere, 229 00:14:11.030 --> 00:14:16.160 to use disinformation and misinformation. And not just 230 00:14:16.160 --> 00:14:20.990 Russia, but other countries will be looking to interfere. What 231 00:14:20.990 --> 00:14:24.170 defenses do we have in place? What can we have in place? Open 232 00:14:24.170 --> 00:14:31.730 question. Another date 2027, less fixed. But this is the year 233 00:14:31.760 --> 00:14:34.880 by when Chinese president Xi Jinping has said he wants the 234 00:14:34.880 --> 00:14:38.900 option to invade Taiwan. He wants the military to be ready. 235 00:14:39.410 --> 00:14:43.040 He wants that on his desk. So when he says go, they can go. 236 00:14:43.220 --> 00:14:47.330 And Jeff Moss told me at the conference that what a lot of 237 00:14:47.330 --> 00:14:51.440 analysts think is China is possibly preparing to launch 238 00:14:51.440 --> 00:14:55.940 preemptive, disruptive, but non-lethal cyberattacks against 239 00:14:55.970 --> 00:15:02.060 Taiwan's allies to buy Beijing enough time to seize control of 240 00:15:02.060 --> 00:15:08.060 Taiwan without having to face other countries' military forces. 241 00:15:09.230 --> 00:15:13.040 Jeff Moss: One of the most popular theories is you would 242 00:15:13.040 --> 00:15:15.710 pursue a sort of "everywhere, everything all at once" 243 00:15:15.710 --> 00:15:18.590 strategy, which is, you would spend the next couple of years 244 00:15:18.590 --> 00:15:23.810 leading up 2027, leaving behind, you know, rootkits in 245 00:15:23.840 --> 00:15:30.050 infrastructure and civilian or critical systems. And then when 246 00:15:30.050 --> 00:15:34.130 you're ready to go, you hit all the buttons all at once, and you 247 00:15:34.130 --> 00:15:37.130 tie up all the cyber defenders, you snarl the supply chain, the 248 00:15:37.130 --> 00:15:40.970 logistic chain to make it hard. 
And then the country is turning 249 00:15:40.970 --> 00:15:46.010 inward to face their challenges. And that gives China a number of 250 00:15:46.010 --> 00:15:53.150 weeks or months to try to get Taiwan. So if that's plausible, 251 00:15:54.500 --> 00:16:01.640 then that tells us well, we have until 2027 to get ready. And I 252 00:16:01.640 --> 00:16:04.280 call that out because I think that's quite unique to have a 253 00:16:04.310 --> 00:16:08.660 sort of a date certain in the future, which means we have a 254 00:16:08.660 --> 00:16:13.010 responsibility then. Because if we know the date, and it's not 255 00:16:13.010 --> 00:16:16.310 some amorphous, well, at some point in the future, we think 256 00:16:16.310 --> 00:16:18.980 China may or may not do something, when it's so obvious 257 00:16:18.980 --> 00:16:21.800 and in print and that, you know, statements from the leader, 258 00:16:22.640 --> 00:16:24.740 well, then we have a responsibility to prepare for 259 00:16:24.740 --> 00:16:29.540 that. And maybe if we prepare really well, it has a deterrent 260 00:16:29.570 --> 00:16:33.800 effect, you know, maybe if their analysis at the end of the day 261 00:16:33.800 --> 00:16:37.250 is that we'll only screw us up for three or four days, and it 262 00:16:37.250 --> 00:16:40.400 really needs to screw us up for 21 days, then maybe it's not so 263 00:16:40.400 --> 00:16:45.320 much of an option. But if we do nothing, then I think the 264 00:16:45.320 --> 00:16:50.240 deterrent effect is gone. And I'm trying to think back in 265 00:16:50.240 --> 00:16:54.050 time, like when have we ever been in a situation? I can't 266 00:16:54.050 --> 00:16:58.010 think of anything. So we should probably call out that 267 00:16:58.010 --> 00:17:00.740 uniqueness. 
And we should probably start coming up with 268 00:17:00.920 --> 00:17:05.960 what's our 2027 plan, you know, or project 27 or incident 269 00:17:05.960 --> 00:17:08.810 response plan, because I think incident response capability is 270 00:17:08.810 --> 00:17:12.020 built around maybe one or two incidents, right? There's a 271 00:17:12.020 --> 00:17:14.720 ransomware incident and maybe something. 272 00:17:14.960 --> 00:17:17.630 Mathew Schwartz: So some ideas by Jeff Moss there about what we 273 00:17:17.630 --> 00:17:21.200 need to do. And he said, there's no easy answer here. It's not 274 00:17:21.200 --> 00:17:24.260 clear exactly how we might handle this. But we do need to 275 00:17:24.260 --> 00:17:28.550 get ready. We need to plan, we need to have the ability to 276 00:17:28.580 --> 00:17:33.200 respond, because we've got some serious deadlines approaching. 277 00:17:36.180 --> 00:17:38.070 Tom Field: So it's like death entering the dinner party, you 278 00:17:38.070 --> 00:17:39.540 kind of cast a pall over New Year's. 279 00:17:41.610 --> 00:17:43.800 Mathew Schwartz: Serious issues, you know, I think we need to 280 00:17:43.800 --> 00:17:45.210 look forward here. That's all. 281 00:17:45.750 --> 00:17:47.610 Anna Delaney: I hear governments and organizations are listening 282 00:17:47.610 --> 00:17:51.210 to Jeff. But thank you so much, Matt, for sharing. And you also 283 00:17:51.210 --> 00:17:55.080 frequently report on the state of the ransomware landscape. I 284 00:17:55.290 --> 00:17:57.960 seem to remember this time last year, there were a few whispers, 285 00:17:57.960 --> 00:18:01.770 a few murmurs predicting the decline of the ransomware 286 00:18:01.770 --> 00:18:05.340 threat, but no such luck. Ransomware gangs definitely came 287 00:18:05.340 --> 00:18:08.610 surging back in the second half of this year. So again, what was 288 00:18:08.610 --> 00:18:12.930 the big takeaway from 2023 in this space? 
And so that we end 289 00:18:12.930 --> 00:18:16.530 on a positive note, where did we make the most significant gains? 290 00:18:17.350 --> 00:18:20.500 Mathew Schwartz: So if I had to summarize, I would say don't let 291 00:18:20.530 --> 00:18:23.710 perfect be the enemy of good enough. And that seems to be the 292 00:18:23.710 --> 00:18:26.710 strategy that's being used, along with a lot of other 293 00:18:26.740 --> 00:18:30.160 strategies. I think everyone's agreed, there's no easy way to 294 00:18:30.160 --> 00:18:34.780 get rid of ransomware. But what we have seen is this wonderful, 295 00:18:34.780 --> 00:18:39.490 I don't know, it's a military kind of phrase of persistent 296 00:18:39.520 --> 00:18:44.650 engagement or continuous engagement, by which authorities 297 00:18:44.650 --> 00:18:49.000 mean that like it's your little sister who just keeps poking 298 00:18:49.000 --> 00:18:53.320 you, won't leave you alone, doesn't let you think straight, 299 00:18:53.350 --> 00:18:55.690 you're trying to do something, you can't remember what it was. 300 00:18:55.930 --> 00:19:01.030 Well, not to be too comedic about the whole thing. It's the 301 00:19:01.030 --> 00:19:04.300 end of the year, though, so why not just a little. We've seen, 302 00:19:04.300 --> 00:19:08.440 for example, with Hive in January, and then just earlier 303 00:19:08.440 --> 00:19:13.150 this month with BlackCat, or ALPHV reservoir groups that 304 00:19:13.150 --> 00:19:16.660 authorities have disrupted them. And with Hive, it looks like it 305 00:19:16.660 --> 00:19:21.490 has stuck. And with BlackCat, it may stick and even if it doesn't 306 00:19:21.490 --> 00:19:25.990 stick, that's okay. Because they have disrupted business for the 307 00:19:25.990 --> 00:19:31.120 bad guys. 
And this is a strategy that the FBI and others have 308 00:19:31.150 --> 00:19:34.840 signaled that they are willing or able and planning to double 309 00:19:34.840 --> 00:19:38.860 down on because like I said, it's not the only strategy, but 310 00:19:38.860 --> 00:19:43.060 it seems to give attackers a real headache. So they're just 311 00:19:43.120 --> 00:19:47.860 using everything they can think of to try to make the ransomware 312 00:19:47.950 --> 00:19:53.770 profit model look less, like less of an incentive for current 313 00:19:53.770 --> 00:19:55.660 players and potential new entrants. 314 00:19:56.770 --> 00:19:58.780 Anna Delaney: Very good. We're all about headaches for the 315 00:19:58.780 --> 00:20:02.410 attackers. Some great note to end on. Well, finally, and just 316 00:20:02.410 --> 00:20:05.680 for fun, it's predictions time, of course. What is your one 317 00:20:05.680 --> 00:20:11.140 prediction for 2024, what the space looks like, next year? Go 318 00:20:11.140 --> 00:20:11.530 on, Tom. 319 00:20:12.230 --> 00:20:15.170 Tom Field: Well, so first of all, the event behind you. We 320 00:20:15.170 --> 00:20:20.750 call the RSA AI conference next year. And I think you can't stay 321 00:20:20.750 --> 00:20:24.710 away from AI, can you? Think that we are at the top of 322 00:20:24.710 --> 00:20:27.410 a hype cycle right now, it might be a while before that starts to 323 00:20:27.410 --> 00:20:32.090 diminish. But I do think what we will see in 2024, that we 324 00:20:32.090 --> 00:20:39.530 haven't seen in 2023 is attacks powered more by AI, and I don't 325 00:20:39.530 --> 00:20:42.920 mean, just phishing emails that have been written cleverly, I 326 00:20:42.920 --> 00:20:46.100 think you will start to see the adversaries harness the power of 327 00:20:46.280 --> 00:20:49.700 AI more to fuel their attacks, make them stronger, and make 328 00:20:49.700 --> 00:20:54.140 them broader. 
I think that's something we unfortunately, see 329 00:20:54.000 --> 00:20:58.620 Anna Delaney: Yeah. Helps with that scale. Absolutely. Marianne? 330 00:20:54.140 --> 00:20:54.830 in the months ahead. 331 00:20:59.970 --> 00:21:02.400 Marianne McGee: AI, again, something that I was going to 332 00:21:02.430 --> 00:21:05.640 talk about also for healthcare in particular, again, you know, 333 00:21:05.640 --> 00:21:08.190 some of the bad things that Tom was just talking about, you 334 00:21:08.190 --> 00:21:12.120 know, the sophisticated AI-enabled attacks, but on the 335 00:21:12.300 --> 00:21:17.250 more promising side, you know, AI being applied more for, you 336 00:21:17.250 --> 00:21:21.600 know, clinical decision support, your drug discovery, you know, 337 00:21:21.600 --> 00:21:25.650 trying to reduce the time it takes to identify, you know, 338 00:21:25.650 --> 00:21:29.370 appropriate participants in clinical trials. So that can 339 00:21:29.370 --> 00:21:33.330 move the pipeline faster. There's all sorts of interesting 340 00:21:33.330 --> 00:21:37.110 things going on, you know, with AI in healthcare. So, you know, 341 00:21:37.110 --> 00:21:40.680 as much as there's gloom and doom, potentially, there's also 342 00:21:40.680 --> 00:21:41.460 a lot of hope there. 343 00:21:42.380 --> 00:21:44.780 Tom Field: The best use cases in the business are in 344 00:21:44.780 --> 00:21:45.230 healthcare. 345 00:21:45.770 --> 00:21:49.100 Anna Delaney: Yeah. Matt, what do you say? 346 00:21:50.270 --> 00:21:52.310 Mathew Schwartz: I feel like I should be contrarian and come up 347 00:21:52.310 --> 00:21:55.010 with something that's not AI, but it's going to be AI, just 348 00:21:55.010 --> 00:21:58.550 because I think there are so many use cases that have yet to 349 00:21:58.550 --> 00:22:03.170 be discovered. Good, bad, maybe everything in between. It's 350 00:22:03.170 --> 00:22:07.130 going to help defenders, it'll no doubt help attackers. 
And I 351 00:22:07.130 --> 00:22:09.290 think there's a lot of potential and we really just don't know 352 00:22:09.290 --> 00:22:13.250 what that potential is. It's baby steps so far. I think the 353 00:22:13.250 --> 00:22:17.600 hype will die down, hopefully. And we'll just get to grips with 354 00:22:17.600 --> 00:22:22.100 what are probably some small wins in the short term, which, 355 00:22:22.310 --> 00:22:25.070 in the long term, sky's the limit still, I think. 356 00:22:26.630 --> 00:22:28.790 Anna Delaney: Well, I'm going to mention something you've kind of 357 00:22:28.790 --> 00:22:33.890 all mentioned today, election security. 2024 is being declared 358 00:22:33.890 --> 00:22:36.950 the world's biggest election year. More than 2 billion people 359 00:22:36.950 --> 00:22:40.460 across 50 countries could head to the polls in 2024. And of 360 00:22:40.460 --> 00:22:43.940 course, AI is part of this. So this is the year that will have 361 00:22:43.970 --> 00:22:48.140 mainstream tools like ChatGPT and Midjourney. So there's going 362 00:22:48.140 --> 00:22:51.770 to be a lot going on. Well, what a year! 363 00:22:51.770 --> 00:22:55.880 Tom Field: In my prediction, Anna, I bet we have lots more 364 00:22:55.880 --> 00:22:58.340 opportunities to get there, get together and have conversations 365 00:22:58.340 --> 00:22:59.060 such as this. 366 00:23:00.350 --> 00:23:02.150 Anna Delaney: And may they continue. I hope so. I hope 367 00:23:02.150 --> 00:23:05.750 you're right. Well, thank you so much. Thank you so much for 368 00:23:05.750 --> 00:23:09.800 today, but also for all your contributions to this panel over 369 00:23:09.800 --> 00:23:10.790 the past 12 months.