I Had a (Bot) Farm in Africa

BSides Cape Town · 2025 · 44:28 · 209 views · Published 2025-12
About this talk
Charl van der Walt presents findings from a study of over 300 security incidents across Africa's 55 countries over five years. Using a novel Cyber/ICT Maturity Matrix framework that groups countries by technological and cybersecurity development rather than geography, he reveals surprising patterns: cybersecurity incidents concentrate in mature, engaged countries rather than less-developed ones. The talk examines why Africa's cybersecurity landscape defies conventional assumptions and what this means for global threat actors and economic impact.
Original YouTube description

Africa is a huge and complex place, with over 50 countries and more than 2,000 spoken languages - from Arabic and Swahili to Hausa and Zulu. It's also evolving, with technology impacting countries and their people in dramatic ways. All of this has significant implications for cybercrime and cybersecurity. But is cybersecurity in Africa as unique as the continent itself, or does globalised technology imply globalised vulnerabilities and threats? This talk presents the findings from a study of over 300 security incidents on the continent from the last five years, and uses a novel framework to surface a holistic and comprehensive view of the scope and shape of cybersecurity on the African continent.

During 2025 I spent several weeks studying the state of cyber security in Africa. Yes - "Africa". To develop a comprehensive view of security across all 55 countries on the continent I conducted a comprehensive review of prior reporting on the topic. But existing data on security in Africa turns out to be very disappointing, so I chose to study objective public reporting of security incidents over the past five years. To address the scale and diversity of the continent without reducing it to simplistic regional classifications, I created a novel framework for grouping countries by the convergence of their technology and cybersecurity maturity levels. The “Cyber / ICT Maturity Matrix” enables one to think of groups of countries based on how mature they are in terms of IT and cybersecurity, rather than where they happen to fall geographically. Using the maturity matrix, I can then develop a comprehensive view on where and how cybersecurity incidents are impacting organisations in Africa. The results are sometimes predictable, sometimes surprising, and hopefully always insightful.

In this talk I start by describing the state of reporting on security in Africa, using examples to illustrate just how woeful it sometimes is. Next I describe the decision I took to focus on incident reporting, and the novel method I developed for classifying African countries by their shared characteristics, rather than their relative location. I reveal the insights that this approach reveals, and use fascinating contemporary examples as illustrations. Finally, this approach allows me to comment on the question - "Is cybersecurity in Africa different to elsewhere in the world and - if so - how"?

About the Speaker: Hello! My name is Charl. I'm a South African based in Cape Town, but I work for Orange Cyberdefense in Paris as their global head for security research. I lead an international, cross-disciplinary team of researchers who produce security intelligence and research in support of Orange's various efforts in the cybersecurity space. Many years back I was a co-founder of penetration testing firm SensePost, but I've also led teams of trainers, vulnerability management, threat detection and more. I write and speak frequently on various topics in security, including at some of the major security conferences world-wide, but connecting with my peers in ZA is always my favourite!

Transcript

The next talk uh is from the illustrious Charl van der Walt. And uh I don't know whenever you get somebody introing you at a conference, they do two things wrong. The one is they go on long. I'm going to go on long sh um and the two they know nothing about you. So they read this thing. So Charl like hired me into security. He was my first boss. It's very difficult boss to work for. Um because his brain operates at this speed while everybody's operating at this speed. So you have to periodically get him to come back down to to reality. So Charl is a really deep thinker who like really cares about things. That's it's a nice combination

like he it matters to him and he spends a lot of time thinking about it. Uh so I'm very excited to see um to see what he's put up. And then Charl also just he's been in security 26 years. One of the founders of of SensePost. Uh no he's been in security longer than 26 years. I'm only counting SensePost. Uh so he really has seen this industry change over time. Uh has a deep interest and care for for Africa cyber security in South Africa. Um so I'll have some really interesting insights. And if you get a chance to speak to him, you might not know this. He's a like a crazy adventurer. Uh he has run through I

don't know how many deserts. In my mind it's seven, but I have a tendency to overexaggerate. Is it four? Is it seven? >> It was five. Okay. Off by two errors. I've not run through one desert. So, five is more than uh he's sailed across funny parts of the world. He sent me a picture with no skin left on his hands from all of the rope and things. So, if you get a chance, chat to him about his adventures. They're they're pretty good. But anyway, he's one of the most genuine humans I've ever met. Uh and it's my absolute pleasure to introduce Charl. Oh, are you still getting Somebody's fiddling with your pants. Yeah. Okay. Do I have to wait while they

fiddle with your pants? Okay. The number of times this has happened. Yeah. Anyway, I hope you have an incredible BSides and uh thank you everybody.

>> Voila. All right. So, good morning everyone. Um I'm Charl. I'm with Orange Cyberdefense. I'm the I'm the head for security research there. Um just want to echo Dominic's point um of thanks to the organizers especially. It's it's really a remarkable thing that you do. Um, and to all of you, thank you for giving up your your time and your so many other things you could have been doing this morning than listening to me. Um, and it's it's really a privilege to to be able to speak to so many people and I I value that uh that I have this opportunity to share some some thoughts. Uh, and I I want to start by telling you

about my cousins. You've got cousins. You know what I'm talking about. I've got a cousin called Spike and I've got a cousin called Bloat. I've got a cousin called Wayne. He's the one that got eaten by the leopard. Uh, and they're all in Zimbabwe. They live in Zimbabwe. And so, uh, we go and visit them from time to time. And, uh, when I go, they always set things up for me so I can have a great vacation in in Zimbabwe. On this occasion a couple of months ago, we went to Zimbabwe and I think uh Spike organized accommodations somewhere in somewhere in the bush where no one else goes and Bloat organized transport and Brent, who's my favorite

and my least favorite at the same time, he organizes a vehicle. It's a four-wheel drive, but actually it's just a very old bakkie that smells like wet dog. And they set us on this trip, me and my family into Hwange National Park. Bloat tells me, or was it Spike, that there's a shortcut you can take, but you need a four-wheel drive. But I'm okay with that because Brent, not the one who got eaten by the leopard, the other one, he says, "I've got your four-wheel drive." Which is actually just a bakkie that smells like wet dog. Anyway, so we drive into Hwange. We follow the shortcut. We get to the place where you need a four-wheel drive. We

find out it's not a four-wheel drive. And there we sit in the middle of nowhere, like proper in the bush. Don't know where we are. Can't see what's going on. There's big scary animals everywhere. And this is my point. This is what I'm telling about my family is in that process, you're sitting in the car, and I think you've all been here. You're sitting in the car and you're like, "Fuck cousins. Who needs them?" And then and then you're like, I should be drinking a gin and tonic by now. And then you're like, oo, it's kind of hot. And then you're like, we don't actually have any water. And you're like, when is anybody going to come past here?

Probably never. All right. There's probably never anybody going to come past here. So, one of two things is going to happen. Either someone is going to find this stinky wet dog bakkie with like four skeletons in it, you know, 12 years from now. Or I need to kick into a different kind of gear, right? I need to make a a shift in my mind that recognizes that like this is now like this is now kak is happening, right? This is not like gin and tonic time anymore. I need to phase change. I need to like break out of this state that I was in and recognize that I'm in a different state and act differently. And I call that the oh [ __ ]

moment, right? There's an oh [ __ ] moment that happens when your mindset changes. Now we're at a cyber security conference. So the question that I'm interested in, the the thing that I've been engaging with over the last few weeks is if and when in a domain like cyber security, you reach like an oh [ __ ] moment like where you where you recognize that actually this is like not gin and tonic time anymore. like something real is happening and I have to shift out of this mindset or it's going to end up with a stinky car with four skeletons in it 12 years from now. You know what I There's like there's a tipping point and

if we reflect over the year then there are several things that happened in cyberspace like over the last what is it 12 18 months that are like quite extraordinary you know and I noticed here the the Volt Typhoon attacks Chinese state adversary all up in US telcos like irreparably up in the US telcos they can't get them out they're like we haven't seen them for a while but they're still here somewhere we don't know where they are and not just in the US like all across the world. These guys are embedded and they're basically doing what they want. So there's one example that seems a little bit like distressing actually if you think about it to the extent that the US

government guidance was really you shouldn't be sending anything via telcos. You should use Signal you know which we're busy banning but until it's banned use Signal because we can't trust this stuff anymore. Like for me that is quite a um like that's quite a distressing idea, right? That your own government tells you not to trust a national telco because they're all owned by the Chinese. Then in Norway, you've got a dam that gets opened up by activists and they've got water pouring out of it for 5 hours. They can't turn the taps off because some guy in Russia who's got a political beef is like he turning dials, you know, drinking Red Bull. And then you've got the the Jaguar Land

Rover incident uh in August this year that they reckon cost the UK economy 2 billion pounds. And I was asking people in the UK, I was there last week. I was like like is that a lot of money? and they're like it's a it's a fair amount of money. Like it's changed their GDP projection numbers like by percentage points, right? They're like, "Oh, it was going to be 0.26. Now it's only going to be 0.21 or something." Like, it's tangible. It has an impact. They reckon Jaguar's supply chain was 5,000 businesses. 5,000 small businesses weren't getting money for 5 weeks. 100,000 people employed by those things all sitting there not knowing if they're

going to get a paycheck or not. For me, these feel like indicators that you know like maybe we're approaching an oh [ __ ] moment. Anyway, um the point of my story is I'm interested then firstly in this idea of are we in this oh [ __ ] moment and then secondly does it apply to us here in Africa. Is Africa the same? Are we in the same boat as uh as everybody else? There's something lying on the floor here. ah wellness day. Um thank you or or are we in a different boat? And I and I had the opportunity to examine that earlier this year um when myself and Vicas and some of my team we set out to do a study on

like cyber security in Africa like very deliberately what is the state of cyber security in Africa and uh I was really I was very engaged by it. was very interested in the in the topic like how does it look here? Is it the same as in Europe and in UK and the US? Are we telling the same stories? Are we telling different stories? Um, and I started by asking myself, uh, well, where's the data? What data do we have? That in Latin says, where's the data? And underneath I translated it into binary for you, so you wouldn't have to do that work yourself. So, I start looking for the data and I'm reading now. I'm reading all the

reports. There's lots of reports about cyber crime in Africa and you get gems like this one. This is a University of Cincinnati academic publications like 11 co-authors on this paper and they say there is a cyber crime epidemic in West Africa. And then they prove that point with numbers like 679 million email threat detections, 8.2 million file detections. And I'm like, this sounds like I'm reading Hitchhiker's Guide to the Galaxy. You know, this could be like there were 38 zorks and a flimatut between, you know, 4:00 and tea time. I'm like, okay, that's okay. It doesn't sound good. Um, then you get ones like this where uh people say, well, Africa's become a testing ground. It's become a

testing ground for nation state actors. I'm like, oh [ __ ] that's not good. So, I start reading it up and it's a it's a local vendor. It's a press release from a local vendor which quotes their own report which quotes themselves. So I'm like okay like I actually think this is a very interesting idea but there's like it's just words right? Somebody just put words down. Then you get um this one which is from an Interpol report. Interpol brings out a really good report on the state of cyber crime in Africa. Um, the Interpol report quotes something on the internet which is a Kaspersky article which quotes the previous year's Interpol report. So it's just like

they're just like they're just like talking. I'm like okay. Oh wait. And then there's this one. This one also from the Interpol report says cyber crime cost Africa $3 billion in 2024. I'm like okay well that is a big number. That is worth looking at. So I go and look for that number. That's also from an article on like Tech News Africa or something which quotes a SABRIC report which says actually it's 3 billion rand. So we've it's like a 20x shift there and it's for crime and it's for South Africa. So we've like moved changed and then multiplied by a 20. But there you go. That's a number a we can uh this is the Africa this is the

Interpol report that quotes itself and they're just like anyway but there are other reports and this one I can talk about because we were involved in this investigation in 2019 there's this gang called OPERA1ER and they hit financial institutions across North and West Africa and it was a real thing right it was an actual uh financially motivated cyber crime cost somewhere between 11 million and $30 million over like a two year period. Okay, that that happened. That's a real thing. Um, Sophos has got a relatively interesting report which is query uh survey based 360 IT professionals. Maybe some of you are in here. Um, and in this report they say some like pretty fundamental things like

69% of South Africans say we were hit by ransomware. Don't say what being hit by ransomware is. Um maybe it's like being hit with a glove. But then they say 76% of those I guess actually did have data encrypted. Now that's an extraordinary number if it's true. And 43% of those actually paid money and the average was almost what is that a million dollars. Like if that number is true, that's like a lot of millions of dollarses that have been paid to uh cyber extortion actors. Uh Interpol's got some other startling statistics like they reckon 30% of all crime in East and West Africa is cyber crime. One third. And that's hard to imagine, but there's also this statistic

from an operation called um Serengeti where they went to go and arrest all of these guys. And they arrested 1,29 cyber criminals. It's the second operation Serengeti, by the way. So, I I don't know where they put the first 1,200 criminals and how they made space for another 1,200 criminals, but that's a lot of criminals, right? Those are big numbers. Anyway, the bottom line is um these it's like hard it's hard to know what's going on. Like these these figures are just confusing. So I decided to do uh something that I like to do very much which is to count things like I'm going to let's count things and see how many of them they actually are. Uh

and there are some things we can count like I can count how many instances of publicly reported cyber events are there and I can make some rules about like it has to be verifiable has to be from a reputable source. there has to be a purported um actor and a purported victim. So, I've got like a fairly good chance. And it turns out there's a few dozen. Maybe you get to like seven. I can't remember the number. Maybe you get to like 70. So, you can count them, but there's not a lot can count. Or we can count the uh the blogs from the cyber extortion data leak sites, right? You guys have all seen this. The bad guys,

they go, they hack you. They steal your datas and then they talk about it on their own website. Now, of course, we can't really This is Vitz, for example, on the Clop uh data leak site. And shame, here's the Kenyan political red party registry, also on the on the CQIN um data leak site. So, this is self-reported, right? So, there's no vendor bias. It's got nothing to do with the reporting regime in that country. It's maybe not 100% reliable, but it's universally unreliable, right? So, if you want to uh compare things, you can sort of compare apples with apples. So I'm like, okay, this is a good number. And this number, it turns out, has got a

lot of things in it. So here we can compare those instances, those blogs over time. We can compare them in different regions. You can see the orange line is Africa at the bottom there. Doesn't compare uh much with places like North America, but it's there. It's a data point that we can examine. And um so this is from our from our latest report just uh actually just released this week. Uh, and you can see there's Africa more or less in the in the middle small all the way down at the bottom there. Um, but it's grown substantially 47% since uh since last year. So now we're starting to get a picture of how Africa compares actually with the rest of the

of the world. And you'll see despite it being a very big place, the numbers are quite small, right? We're doing an apples for apples comparison. Um, so if I add those things up, I add all the things we can see from public reporting and I add up the the data from the data leak sites. Now I've got some actual things that I can that I can look at and I can draw this pretty picture that shows you like where the different kinds of incidents are happening across the continent. Incidents everywhere except in central Africa. Um, and you can see that most of the incidents on East Africa followed by by North Africa and then Southern Africa. Um and and so

now with this data we can start to tell a story but I'm a bit dissatisfied with this um with this with this structural organization about like northeast southwest. I'm like what what difference does it make where a country is on the continent or does it make a difference? I don't want to talk about northeast southwest Africa as if they represent coherent tangible classifications. Right? I want to find other ways to to think about what shapes cyber security to organize my data in. Um, and so I want to build a little bit of a puzzle, right? That that organizes this data in a way that allows the numbers to speak to us to to make sense to us.

And my thinking is this. When you look at something like cyber crime or cyber security um in you know in society it emerges from two things. There's an environment like these are the structural factors that create the environment from which crime emerges and you can think there must be technology factors like are they on the internet? Is it well developed or less well developed? There's going to be like political and sociocultural factors. Are they at war with someone? You tend to see activism in places where there's a lot of conflict. There's those kinds of factors and they create like a landscape and then within that landscape you've got threat actors that operate, right? And they're kind of constrained by that

landscape. The landscape is like the map on which they're moving around. Um and we we kind of think about state actors, state aligned activists, and then um your criminal actors, right? Yes. It's okay. I think Dominic was telling me my flies are. So I figure it kind of all comes together like this, right? You've got the the technology factors in a country. So how developed they are with with regards to ICT? Okay. Are they on the internet? Are they well connected? etc. Then you've got the like sort of cyber maturity factors, you know, is are there laws? Is there police? Are people educated? Do they have skills? Etc. And then you've got the threat actors and

these things all converge and that's what's going to create the circumstances in which then cyber incidents emerge. And I figure I can bring those things together and it turns out that these two elements the ICT development and the cyber maturity development are concrete metrics that you can reference. Right? There's an organization called the International Telecommunications Union. It's based in Geneva and they actually measure these things country by country. So they go across the world and they say South Africa is very IT developed and like somewhat cyber developed and I don't know America is very cyber developed and somewhat IT developed and they've got numbers. So we can look at those numbers um and learn a bit about

what the state is of uh an economy. So the top line there shows the IT maturity index um published by the ITU for Africa and you see it's got this very interesting pattern. The first bump is very far down, right? So it indicates high levels of or very low levels of development in terms of technology and then there's a second smaller bump where you've got the more developed advanced countries. So it's a very spread out uh range compared to if you go down and look at Europe at the bottom there, you see very high concentration of very developed countries, right? So I figure these kinds of numbers can give us some insight into why we would see more crime

in one place than in another place. Um and then the ITU also presents this cyber security maturity uh framework where they divide countries up into these five categories. Building means very immature. role modeling means very mature. Um, and they rank every country on a scale between zero and 100 to reflect how mature or immature they are. Um, and again, you'll see in Africa we have some countries out here on the right that are very mature. They're in the role modeling uh phase. Uh, and then we've got some countries right down at the bottom there. They're still in the building phase, but most of it is kind of in the middle there. Uh, which is kind of similar to what you would see

across Latin America. Okay, so I've got these numbers and the point is that I can put all of those numbers together and create this matrix, right? Create this framework that allows me to place every country in the continent uh at a grid point which is a reflection of how mature it is in terms of IT adoption and then how mature it is in terms of cyber security. And then I gave those quadrants names. So I said, well, if um if a country is highly developed in terms of IT, but it's got low levels of cyber maturity, I'm going to call that an exposed country, right? There's lots to hit at, but very little to protect

yourself with. And on the other side, if you are very highly secure, you got very strong cyber security um structures, but you don't have any computers, then you're evolved, like then you're way ahead of the curve. Uh so then you can kind of organize it like that. And what I'm expecting to see is that the exposed countries are getting hammered and the evolved countries are cruising. Right? That's what that's the picture that you expect to see. This is the story that I'm hoping uh to tell. But when I map the data to those structures, I see like a very surprising picture. There's no countries in the evolved quadrant, but that stands to reason. Um, but actually

the countries where the cyber crime, the cyber incidents are concentrated are these so-called engaged countries. They where they have high levels of IT maturity, but also high levels of cyber maturity. There's laws and frameworks and regulations and capacity and education. Everything that you would think you need to defend yourself as a country is there. But they're the ones that are getting hammered, right? And I don't understand it. It's not the story that I wanted to tell. Very inconvenient when the data doesn't agree with you. So then I'm thinking, ah, but wait, the size of the economy is going to make a big difference, right? African countries is this massive range of economic sizes. And of course, the bigger countries are

going to get experience more crime than the smaller countries, right? That stands to reason. So I can normalize for the size of the economy. And then I get this picture. Now this picture shows the number of incidents of cyber incidents that we could record relative to the GDP, right? Cyber incidents per $1 billion of GDP. And but the picture doesn't actually change, right? I expected the picture would change now, but it doesn't. I'm even more disappointed. It's still all concentrated in that engaged uh quadrant. hasn't moved like I expected it to, you know, down into one of the other quadrants. The only exception, you see that 0.67 there? That's uh that's Namibia. Like there's one country in that quadrant. They're

having a hard time. Um but in general, the pattern is clear, right? It still sits up there in the sort of more evolved countries, not the less evolved countries. So I asked myself, well, what's the reason behind that? Why would it be that we're seeing this counter pattern? That's not what I what I would what I would want and I'm getting this report out so I need a story quick. Um, and the first thing I look at again is I look at GDP. What impact does GDP have on the number on the amount of crime that you see in an economy and it correlates very beautifully. Right? So the uh the orange number is the

proportion the percentage of all victims that we record globally and the pink is the percentage of global GDP. So I can compare these two things together and this makes a very satisfying curve. All right, which I like. So it shows that volumes of cyber crime correlate um I think quite cleanly with your the relative size of your economy. The bigger you are, the more cyber crime you get. But it's not 100% right because look at the difference between Egypt and South Africa. We have the same sized economy. We're equally developed in terms of both cyber maturity and IT maturity. And yet South Africa is experiencing almost twice as much cyber crime as Egypt is. Now that's confusing.

So I look at another element and that is language. Now you see that those engaged countries, the ones where we're seeing most of the crime are also the countries where English is spoken as opposed to the other countries is much less English spoken. And that reveals an interesting statistic uh which is this one. What you see is that the average number of incidents relative to GDP tracks language groups very strongly and basically it's the English-speaking countries that are struggling with the cyber crime and they happen to be in that engaged quadrant right so the cause and effect is the other way around so it's the being smashed here um and the almost with respect the less spoken uh

language language is the less likely you are to see this form of crime, right? Um, and that actually stands to reason because when you think about it, the most prominent form of crime and certainly the thing that we were measuring is cyber extortion. And cyber extortion is fundamentally a crime of extortion, not a crime of cyber. And extortion requires you to develop a kind of an empathy with the victim. Sounds weird to use empathy and victim in the same sentence, but if you think about it really, you need to understand what's going on in your victim's head to identify the levers that you're going to use to extort them. And that requires you actually to have a sense of who they

are and what they've got and what this data is on this computer that I've hacked. And these cyber crime groups have specialized around environments where they have that. It's much easier to do it at scale in English-speaking countries than it is in Amharic countries, for example. Right? So, I'm feeling happier with this picture, but there's one thing that's very disappointing about it, which is that it's exactly the same picture wherever we look. This is not an African story what I just told you. This is just globally exactly how it works, right? The African story is exactly the same as the rest of the world's story. So, I was kind of hunting for this uniqueness like

what is our, you know, je ne sais quoi, but um there actually are French speaking people in this room. I shouldn't have even tried that. Um so, so I'm like, okay, well, you know, we're just the same. We're just the same as all these other big places. Um and and then I'm like, well, why do I care? Why do I care whether Africa is the same or different? Right? We're on our own mission. And the reason I care is because I feel like, and you might have noticed this, but I feel like the world is changing. Like I grew up in a South Africa that had a very distinctive uh shape and flavor. And we know that over

the last uh um you know 30 years that has changed dramatically, right? there's been this very um traumatic seismic shift in the way our country works. And because we've experienced those kinds of seismic shifts, we can understand and appreciate that they happen globally also. And right now globally there is a significant seismic shift happening and it's uh best characterized by the the end of the Pax Americana. The Pax Americana is the political geopolitical context that's existed for the last 75 years since World War II. There were mechanisms like the Marshall Plan and the Bretton Woods agreements and NATO and the United Nations all created to give the world a sense of stability, right, of predictability. And it's been like

that for 75 years. And we like to shum on America. I like to sh America same as everyone else. But the truth is it is American power that has maintained that state of stability and predictability and everything that we take for granted. The fact that you can jump on your iPhone and go via Cloudflare onto Google and from Google, you know, like there's a sort of a pattern that emerges there. Um, and that pattern is that it wasn't made here. Um, in fact, it wasn't made anywhere except in and by and through American power. that is changing and what's happening as that changes is that the the great powers of the world are shifting into a higher and higher

level of conflict of acrimony and you know we don't really feel it here maybe so much but uh if you're sitting in Europe if you're sitting in the east of Europe or up in the north in the Slavic countries um I promise you you are very aware if you're in Iceland or Denmark you are very aware that the world is changing and like you know the tanks are rolling and people are are anxious uh they're anxious about it and this conflict is going to affect us also because we in Africa are part of like the uncontested space right somebody was telling me something very interesting um I think it was Dmitri here was telling me he's got a colleague who works for

Kaspersky and Kaspersky says well one of the nice things about being Russian is Africa people like to buy from Russia. They don't want to buy from America. You know, there's a political element to this that is affecting us right here. And so that gets me thinking about conflict, right? Like what what does it mean to be in conflict? And what is that like, oh [ __ ] moment coming back to the beginning when you're in conflict? At what point do you say like, "Oh [ __ ] this is actually happening, right? I need to roll out the tanks, you know? I need to deploy the forces. I need to go to Defcon. What's the highest level?

Defcon 1. And so I've been looking at the, you know, I've been looking at these patterns for for the last year. We we just released our annual report and looking at the patterns and there's three things about those patterns that strike me. The one is that although in security we talk about different kinds of threat actors as if they are distinct as if they've got like very unique motives and different TTPs and you know special there's something special about them and we give them labels and we like to put them into little boxes so we can understand them but actually if you look across the range of threat actors between state-backed actors and um politically motivated state aligned

activists and cyber extortionist and I made like a little matrix on the airplane. Um, then what you'll notice is there's actually more about them that's similar than that is different. The one thing that's similar is they all come from the same place. You know, it's like you don't have to look far in the world to to if you wanted to catch a a cyber threat actor, you wouldn't have to look in too many places to find one. You know, you kind of know where they're going to be and they're going to be in these adversarial states. If you look at that conflict, they are definitely grouped. um around some of those political entities, you know, it's

China, it's Russia, it's North Korea. That at least from a Western perspective is where these adversaries are located. And it doesn't matter if they're criminal or state. That's where they're coming from. Um if you look at their um if you look at their political alignments, you've got the state actor is obviously directed by the state. So there's a political alignment. the the the activist, the contemporary activist is maybe not directed by the state, but they're aligned with the state, right? They're doing it with a political motive which is aligned with the political agenda of that state. And the cyber criminal, well, maybe they're not doing it for the state, but they're being harbored by the state. They're they're

being supported. They're being, you know, given a free run by the state. And let's face it, what they're doing is in support of the state's agenda. So there's a political alignment. The TTPs are almost exactly the same. I almost had a coughing attack when I read the TTPs associated with the Volt Typhoon hacks because I swear I'd seen Rulof doing those attacks in 1997. I was like, "Okay, that's embarrassing." Um, but there's like not actually so much super magic gummy berry juice in what these state actors are are doing. And then if you get to the bottom of the list, if you look at the impact of all of these actors collectively, you see two very

clear patterns emerging. The one is there's a financial economic impact, right? Every time a business is hit by a state actor or by an activist or by a criminal, it imposes a cost on that economy. And we saw it very clearly in the Land Rover Jaguar hack, right? 2 billion pounds from one two billion. Yeah. 2 billion pounds from one incident. But this stuff is happening a thousand times a month, right? These costs being imposed imposed imposed on these economies. And the other thing that it does is it it sort of um it sort of in in instills a sense of uncertainty of discontent of anxiety in the places where these attacks are happening over

and over. And you only have to look at like modern uh contemporary uh series or podcasts or anything that's got like a spy versus spy thing and you'll see how clear how visceral the sense of um uncertainty and discontent is. So what we're experiencing I think is this like converged system of threat actors although we give them different names that are having a coherent that that act as like a coherent pressure system on us right we see them as different but politically they act in the same way they have the same effect as us it's like land sea and air you know it's they work differently but in the end they impose a cost on us that is

both uh economic and political so that was the first point um about the state of conflict that I wanted to raise. The next thing I wanted to raise is that the victim of all of these attacks is a kind of collective us. All right, we go and because I like to count things, we count things. There's a victim. There's a victim. There's a victim. There's a victim. There's a victim. And you put them into boxes and you say, "Well, the financial services industry is the most impacted or manufacturing is the most impacted or look how crime's gone up in equatorial Guinea or something." But actually, if you step back a little bit, what you recognize is that every impact

on one victim is an impact on on all of us. And you see it first when you look at it through the lens of vulnerability. So here's cyber extortion figures for cyber crime. On the left hand side, those are the raw numbers, right? America is the most impacted country in the world by raw by raw numbers. On the right hand side is the same data set but normalized for the size of the economy. All right. And I've taken out the outliers. So what you see suddenly is that the smaller um less central, less famous, less economically powerful nations are the ones that are actually bearing the brunt of the crime relative to their capacity. Right? So it's the

small guys. You see the same thing when you do a breakdown by victim size. Uh on the left is Africa versus the world and on the right is global figures. So I forgot to put the legend in there but but here's the bottom line number. 67% of victims of cyber extortion would be considered small or medium-sized businesses. And it's growing faster than any other sector. It's not the big guys. It's not our clients that are being hurt by this. It's small businesses. small mom and pop shops who will never get any help, who don't have cyber insurance, who don't know where to go, who still I get this question all the time. Don't know why did it happen to me? Why did

they target me? Look at me. And they target you because you are part of that infrastructure. All right? You're just part of it. You're in there. It's a we. It's not a it's not a me thing. And fundamentally, the point that emerges is that we we live in this in this web of interdependence within our societies and across societies. So that when there's an impact in one place, it has an effect on everyone. All right? And you got to like get your head around that, break away from this kind of isolated individualist view and start sort of surfacing a collectivist view. And then what you start to feel is like, oh, okay, so there's an adversary who's

coherent, all right, and is placing pressure on us. And then there's a collectivist we. So this is starting to feel a little bit like conflict, right? And then the last thing you realize is that the damage inflicted by these attacks over time is substantial. And I've already um spoken about cyber extortion. Those numbers are going up and up. I find it almost embarrassing. Do you know that um recordable observable cyber extortion has increased 45% since last year. It's the sixth year that we've been looking at this problem. The sixth year that we've been measuring it. It's [ __ ] it's it's they send a phishing mail. They drop some malware, encrypt a computer and they go they're not

doing anything special but it's growing year on year it's tripled since 2020. We've uh we've spoken about some of the other impacts the impacts on our our our relationship with critical infrastructure like telcos. We've spoken about uh kinetic impacts like uh when they open and close dams and it wasn't just Norway. uh the Canadian uh C uh published an advisory about um critical infrastructure there being attacked and and manipulated by activists and there's a there's a financial impact but more importantly more importantly the collective result of all of this stuff is a um erosion of trust of coherence of a sense of safety in which we can build lives and economies. It's a kind of a tax on us. You know, my my

bosses don't like to to to hear this, but I'm like, you know, all this money that we're spending on all of this stuff, and thank you for your sponsorship, but imagine if that money couldn't have gone to something else that wasn't about just offsetting these costs. You know what I mean? It's a tax. It's like it's eating away at us from the bottom up and making us distracted and focused on other things and fearful and we can't operate, we can't grow, we can't optimize ourselves. So the so the cost is real and if you want to see the the accumulated result where that goes is look at the US look at what started in the US in 2015 2016 when the Russians

um intervened with the US electoral system to the extent that arguably maybe not necessarily but arguably they changed the course right it could have been a demo could have been Hillary Clinton last minute before the Democratic National Convention. Russian hackers leak the contents of their email into the public domain. Everyone gets a big fright. They're distracted and Clinton doesn't win the nomination or she does win the nomination, but she's yeah, she's uh completely undermined. And the last 10 years has been a story of the corrosion of of US like communal trust, right? And it's and it's driven not completely but it's driven also by the use of information technology computer hacking misinformation disinformation activism to steer that

discourse to fuel that sense of like uh disunity unsafety etc. So that's the kind of the worst case scenario where it goes. So I think if you look at these three things together then we have to ask ourselves at what point collectively do those things become an oh [ __ ] moment right? At what point do we say well we have to shift out of this mindset or they are going to find four corpses in the back of a stinky car somewhere in a river crossing in national park. Is it time for that mindset? Um and and if we accept that it is then we can ask ourselves well like what does it look like? What does a crisis mindset look

like? What does it look like if we said to ourselves we actually are in conflict with another and they're imposing costs on us and it's not okay. It's got to stop now then. Um so I've mixed two metaphors there. That's London during the Blitz is the photo. And what I want to refer to is what we see happening in Ukraine because Ukraine is in that place very obviously, right? They're front and center. But a big element of what they're doing is cyberspace. And if you look at what's happening in Ukraine, basically you see two things happening. The first is this idea of a collective we it's volunteerism. It's community action. It's um you know people

enlisting. It's individuals saying I recognize that the country now is in a state of crisis and so it's worth me putting my time and energy into dealing with that. That's what I'm going to do now. And then you see it across the business sphere also with um companies who previously may have competed saying hey well let's collaborate around this this is bigger than us right this is a problem for everyone our country needs to keep this adversary out so like how do we do that what do we set aside in order to accomplish that and then you see the state stepping in to give that um kind of collective volunteerist energy a kind of a structure. So, you

know, you've got all these people running around now trying to help and then the state says, "Okay, well, hang on. We're going to create a program. We're going to give you a rank. We're going to give you some authority. We're going to put some rules around this so doesn't go all all wild." And so the point I want to um I want to end with today just to kind of wrap all of that up is that I I think I'm not saying we are but I think you need to think about the place where you go collectively as free democratic um emergent societies with hopes, dreams and aspirations for our futures and our children's futures. At some point this

is actually under threat. It's being assailed right. It's like there is a risk here. It's serious. And that requires us to take on another mindset. And if we take on that mindset, then the point I wanted to take home is that what the quote says is you can't outsource that to an army. You can't outsource that to a government. You can't outsource that to a provider. It is something that a society collectively has to stand up and own. say we are going to uh stand up against this adversary uh change the the trajectory of this conflict and that is the message I wanted to leave you with. So thank you very much for your time and listening to

me rant and uh enjoy the rest of the day.