
Thank you. Well, good afternoon everybody. Thank you very much for having me. I'm very excited to be here; it's a real privilege for me. So my name is Sean, I work for SensePost. I'm based in Cape Town; actually I live by the sea, but I happen to be over here for a few weeks at the moment, so I haven't come all the way from there. I want to kick off today and just tell you what I'm going to say right up front, so that you've got it and then you can decide if you want to stick around for the next hour or not, but please stick around. Oh, and by the way, if you decide at the end of this that I'm not [inaudible], that's my Twitter handle; follow me on Twitter, we can stay in touch.

So the bottom line is this. I was listening to this Radiolab podcast in the car the other day and they're talking about this technology, this real-time facial reenactment. Has anybody come across this? Face2Face is the project that some people have. It's an academic project, it's mind-blowing. They found a way, using a video model of somebody talking, to map facial expressions from one person onto this video model in real time over a wire. So literally the guy in the front in this video is remote controlling the face of Donald Trump in the video behind, and he can make all kinds of weird facial expressions and then Donald Trump makes the same facial expressions, using literally his face. It's a little bit low-res so you can't see perfectly, but even the shadows on his face move, right? The inside of his mouth is rendered properly. It's absolutely terrifying.

In the same podcast they talk about another technology from Adobe called VoCo where they can do the same thing with voice. In the voice thing, what they do is they take an audio
snippet of somebody talking, like I'm talking now; they record it, they do a voice-to-text, then they edit it and they just go back from text to voice in the speaker's original voice, even using words that the original speaker never used in the recording. And the point of these Radiolab guys is that they've got this whole WTF moment going, because obviously they're journalists and they're very interested in things like fake news, and they're saying, what does this mean for media if literally we can put words in people's mouths?

Just one more thing about it. The one scenario they talk about is using an actress like Jennifer... not Jennifer, what's-her-name, Elliston, Aniston, Coniston, you know who I mean. They're using her to promote a product, right? So they have her promote it in English in America, and then they hook up to one of these systems and they have a Chinese speaker literally do the same ad using her face and voice for the Chinese version of the ad, so that her mouth is making the Chinese movements as the Chinese words come out of her mouth, but spoken in her voice. And these Radiolab guys are terrified, you can see, and they go and speak to one of the researchers on this project. She's very excited to talk about the technology. She's German, so I kind of understood why the conversation was so awkward, but when they say to her, have you thought about what this means for society, especially at this time in our history where things feel so fragile, there's literally just this awkward radio silence. She just has nothing to say. She's like, but technology... She has no thought about what it means for society.

The thing that struck me about all of this was, you know, they spoke to the researchers, they spoke to philosophers, they spoke to journalists, they spoke to psychologists; never in any way in this podcast did they speak to a security person. And I thought to myself, but hang on, isn't this a security problem? This is absolutely a security problem. We've got authenticity and we've got non-repudiation, right? Those are the two problems we're trying to solve here: you need to be able to determine where this piece of data originated, and you need to be able to prove that it could not have originated anywhere else. Those are the quintessential security problems. So where were the security guys in this conversation? And that's really the crux of my talk today: that as security guys there are a
whole lot of conversations that we have to start getting involved in, and in order to get involved in those kinds of conversations we maybe need to think a little bit differently about how we do things, and about what our role is in the world that we live in.

I just sat in, gosh, what was his first name, Ian Trump's presentation, and it was really good. He touches on a lot of the same things that I touch on. One of the things he talks about is a story that I want to remind you guys of. I think it's a frequently told story now, but I just want to rehash it to give a bit of context to my presentation. It's the story of Donald Trump, not Ian Trump but Ian's distant cousin, being elected. I don't know how it was for you guys, but for us back home in South Africa this was a traumatic event. My wife, who's a psychologist, was genuinely upset for days by this event and what it meant for the world and how it could have happened; it was just so disconnected from our view of reality and how things were supposed to be. She said to me at the time, when I walked in that evening, "The Russians hacked it." That's what she said to me. And I explained all the reasons why voting machines and blah blah blah are not really feasible and there are other, easier ways to do it. But more and more, as the story of the elections unfolded, it became more and more apparent that there was some degree of manipulation of these results happening by the Russians. It was ambiguous at first and it sort of focused on Podesta and the emails, almost, if you like, a meta attack: an attack on the system rather than on the technology itself. And that culminated in this report by the American intelligence community that said, look guys, it's pretty unambiguous, the Russians are in here, they're messing around, and they're messing around with real intent and real purpose, and they're using computer stuff to do it, but what they're attacking is really the foundations of American democracy. It's a big deal. It's a big deal we talk about a lot, but I'm not sure that people really recognise how much of a big deal it is.

Then if we jump ahead a little bit to the August, September timeframe, the rhetoric in America is building up, people are
getting more and more excited, they're waving their hands and pointing their fingers at the Russians, and then these guys, the Shadow Brokers, suddenly emerge. Some of you will remember that something appeared on Twitter with this brand new handle and they started talking about these NSA... what are they called, Technical Support Operations, TSO or something like that... TAO, yeah, Tailored Access Operations. They're talking about this toolkit from the TAO that they had and that they were going to auction. You guys remember they used this pseudo bad English, and they had the one auction and it didn't really go well, and they had another auction, but basically what they did over a period of time is they started to leak these NSA hacking tools onto the internet. They claimed to want to be making money from it, but really the consensus at the time, which was generally widely accepted, was that what was really happening was a political play. The Russians were sending a message out onto the internet that said, effectively, look, sure, maybe you caught us with our hands in the cookie jar, so we messed with your elections, we're bad bastards, but look, you guys are doing this stuff too, right? And here's evidence of how busy the NSA really is with computer hacking, and we're going to show you first-hand the kinds of stuff that they were up to.

Of course this M.O. of leaking has just defined our lives, hasn't it, over the last few months: it's leaks here, leaks there, dumps here, dumps there, it's just happening all the time. And one of the consequences, and Ian touched on this too, was ultimately these two exploits, or the exploit and the backdoor, EternalBlue and DoublePulsar, which eventually, a little bit earlier this year, found their way into the WannaCry attack. What resulted, because of other reasons also but very largely due to this leak, was what was at the time the biggest ransomware attack that the world has ever seen. You guys will remember WannaCry was racing around the internet: two hundred thousand machines infected, I can't remember the exact numbers, maybe it got bigger than that, hundreds of countries. It was a big deal, and the whole world, businesses, individuals everywhere, were impacted by this thing that was effectively the consequence of political mud-throwing between two nation states, right? That's at the heart of what was happening; it was political. And of course, when that happened, the Russians couldn't help themselves anymore. It was
all too good, and they repurposed the WannaCry stuff, they did it a little bit better, and what resulted was NotPetya, which of course was not as big in scope as WannaCry, but in terms of its political implications was potentially an even bigger deal, because what we saw was really quite a focused act of political violence by one country on another country.

So why do we talk about this? Why is all of this important? Why is everyone hammering on about this incident? The reason is because everybody loves bagels, and more specifically the Danes love bagels. Okay, it's not bagels, it's rye bread. But this quote is from an article that came out, I think just yesterday, that talks about the impact of NotPetya on the shipping line Maersk. It pointed out that Maersk estimates they will have lost, by the end of this, somewhere between 350 and 400 million dollars. That's one victim. But what this article says is that in Denmark there are disgruntled Danes walking around going, "I can't get my rye bread, and I can't get my rye bread because they can't bring it to me, and they can't bring it to me because some guys messed with computers." So what you're seeing is, on the one hand, a story that starts with political nation-on-nation mudslinging, as I said, takes form in technology that's developed by nation states to fulfil nation states' strategic goals, and then explodes out onto the internet and affects whether people can get their bagels or not, right? It's hitting us in the real world, not just in terms of the money that Maersk will lose, but literally in terms of what you get to eat for breakfast. So there's this leak, and what's happening in the government space, particularly around cyber warfare (but I think the point is much larger than this), is affecting what happens in the civilian space, because ultimately we all live on the same internet.

I'm
going to be telling a lot of stories today, so you'll see there's a bit of a theme. What I want to point out about this idea of things leaking is that it's not just about the technology; it's not just about EternalBlue and the code and the exploits. What we're talking about is a systemic spiral of escalation that has these four main points, and this is a theme you'll see coming out of my presentation a lot.

The first is that governments have nation-state priorities, particularly around cyber war, so nation on nation, but also in the realm of law enforcement, right? They want to do things: they want to counter terror, they want to arrest bad guys, they want to mess with their neighbours, and in a way that outweighs the normal paradigms for people who operate in the commercial space. What that means specifically is that they bring more money to it than we can generally imagine.

What that leads us to is a professionalisation, right? So the U.S. needs people who can do this and they train people, and I know because our company makes... I mean, at one point our biggest client was the U.S. DoD, who was telling us, we want trained guys inside, but we need other guys to get more cyber [inaudible]. And so these professionals start finding their way into various fields of operations in governments worldwide.

Then, of course, what they need is tools. They need a way to do the cyber stuff that they need to do, and that's where things like EternalBlue came from. What that in turn does is drive what I would call the industrialisation of the offensive cyber market. In its simplest form it's exploits: buying exploits, buying zero-days, buying vulnerability information off the black market, which in turn creates an industry. But it's much more than that, and the cycle continues, right? It's escalating, and it goes beyond just the technology to the people, and also, what I think is really interesting, to the experience that these people have, their worldview. If you were the guy that wrote, or you were on the team that wrote and used, EternalBlue, the way you think about the internet is different from those of us who are still using Metasploit and simple frameworks like that. So what we're seeing, I think, as a result of this escalation is a complete inversion, driven by the capability that nation states bring into our domain, a complete inversion of everything that we previously would have accepted to be normal and true. And I want to use that idea to paint for you a kind of dystopian view of our future.

Now,
in the previous track Ian did something similar: he sort of ran far into the future with all the bad things that can happen. I just want to focus on one particular view of the bad things that can happen, so this is not the whole story, and that's why I framed it as a story and not as a fact or a thesis. But it gives you one insight into how the changing global political landscape will affect our realities.

My story starts really about seven years ago with Stuxnet. I'm sure all of you remember Stuxnet. I was there watching Stuxnet when it broke too, and I have to admit, even though I had my own company and I was full-time in security, I really didn't understand what was happening with Stuxnet, the impact it was having. I couldn't understand what it meant for us as an industry and for society. For those of you who haven't read Kim Zetter's book on it, it's called Countdown to Zero Day, I think it's really a very interesting tale and it gives you some insight into how big this thing actually was. The NSA had a lab somewhere in Maryland where they used their intelligence sources to figure out what kind of uranium centrifuges the Iranians were using. They bought those things, they set them up in an actual lab, and then guys were writing the PLC code that would spin these things out of control. If any of you remember how it worked, it was really quite sophisticated. They would monitor the PLCs for six weeks and gather telemetry on how their normal operations looked, and then they would play that telemetry back to the control systems while simultaneously but randomly changing the speed at which these things operated. So if you were an engineer sitting in one of these enrichment farms you'd be seeing normal data coming from your telemetry systems, but these centrifuges would be doing all kinds of weird things, and then for a while they'd stop doing weird things again and just act normal, and just when you thought everything was right again they would start acting weird again. And all of this was set up in a lab in Maryland long before they even took it to the internet.

And that's just the PLC stuff, right? That's before they started writing the malware and all those layers and layers of obfuscation and complexity that we read about in the Stuxnet malware. It's before the operations to gather intelligence; remember Duqu and Flame and those other malware strains that preceded Stuxnet. Aside from all of that, eventually someone was coding the stuff on a PLC, and what fascinates me about this is: imagine you were there. Maybe some of you were there, but imagine you were there. Imagine you sat on the team that watched one of those things start to wobble in the factory and eventually burn out and do crazy things. Imagine you actually saw this operation go out. Imagine you were getting the intelligence reports that showed how enrichment output in Iran was starting to drop as your system was having effect. Imagine how that changes your view of the world, how you think about politics, how you think about conflict, how you think about the value of espionage, right? You're different from the rest of us after that. You've got a different view of how things work and what's possible. And that was now approaching ten years ago. Those guys have been thinking with that mindset since then, and that thinking is impacting the world we live in now.

Of course, other governments were watching that. They were watching how that played out, their strategists were thinking about it, and cyber started to become a big thing for governments all over the world. The guys who stood out most in
those early days after Stuxnet were of course the Chinese, and the Chinese were most interested in intelligence, particularly commercial intelligence, what do they call it, espionage, right? They were hacking formulas and designs and all kinds of data to further businesses. And then not long ago, in 2015, they kind of crossed the line with that OPM hack, where they hacked into the big U.S. government HR database and stole the details for, what was it, 400 million U.S. federal government employees. Americans got pissed, and everybody suddenly noticed, because there were guys having to leave China because their covers were blown, and people's lives were really affected, because they'd filled out these security clearance forms that talked about their weird sexual fetishes and what kind of drugs they did in high school, whether they inhaled or not, and suddenly that stuff was out on the internet. People were like, wow, that's not cool, the Chinese have got this. I was kind of okay with my government having it; I'm not okay with other people's governments having it. And they start getting angry.

So the Americans do the one thing that you would expect them to do: they held a summit with the Chinese leader at the time, and Obama waves his finger very crossly and says, hey, that's not okay, you can't do that. And the Chinese go, that's right, we're going to have an agreement, no more cyber espionage. But nobody's taking it seriously, of course, and the word espionage is also very clearly defined: it means some kinds of things and not other kinds of things, so it's all just window dressing. Everybody knows it. Of course, for those who were following the story at the time, there was a funny segue, because FireEye felt differently. They felt that this accord was affecting their business, and you remember their revenues were dropping quite dramatically at the time, and when they were asked what the deal was with their revenues they complained about this accord and said, well, since the Chinese have stopped hacking everyone in America, no one wants to buy our product anymore. But that's just an aside.

And so, as governments watch all this stuff playing out, the conflict escalates. This is General Keith Alexander. You guys will remember he eventually made that big talk at Black Hat where he sort of reached out to the hacking community, but before he did that he took a very hawkish stance and said, look, if the Chinese are going to do this to us, if cyber criminals are going to do this to us, if they're going to hit things like our power grids, then you know what I'm going to do? I'm going to go after them. That's how we're going to play this thing; we're going to meet force with force in cyberspace. And this, as we'll see in a moment, starts driving part of this escalation, this very hawkish attitude by the Americans.

But it's not just the military that's doing it; law enforcement is doing it too, because they're seeing, firstly, the effect that cybercrime is having. Some of these numbers have been thrown around, what was it, two trillion dollars? I don't like all these numbers, but they're big numbers, so people in law enforcement are saying, well, we have to solve the cybercrime problem. But at the same time law
enforcement is being confronted with another problem, which is this whole notion of what they call "going dark", criminals going dark. Really what they mean by that is that literally from about the First World War, all the way through the Second World War, right into this decade, intelligence and law enforcement could see what people were saying and what they were talking about at the drop of a hat. It's how they did their job. If they wanted to know what I said in my phone call to Carl, they would flick a switch and they could listen to my phone call to Carl. And suddenly, through WhatsApp and Viber and Signal and iMessage and all of these technologies, that capacity starts going away, and I think they feel genuinely terrified by the notion. They feel handcuffed; they can't do their jobs anymore, they can't protect people in the way they did through numerous global conflicts, because of Facebook, or Moxie Marlinspike. It's kind of frustrating. And so governments go, well, you know what, we're going to fight fire with fire here too, and if we think there's something in your computer that we need to find, we're going to empower our law enforcement officers to go after it and get it, because they need it.

What that drives is this massive recruitment, and the numbers astound me. I've run a consulting business for almost twenty years now. When we started we were four people; now we're like 70 people, and it's traumatic: you walk into the room and it's like, I don't even know you, who are you? And the American government is like, we need cyber guys, we're going to hire 3,000, we're just going to get them, we'll find them somewhere, to the extent that they said they would be prepared to hire cyber guys into the Marine Corps without them first going through Marine Corps boot camp. I mean, the motto of the Marines is "every Marine is a rifleman". That's what you do: you go for three months, you learn to shoot your gun, and after that you can learn to do other things, like march or use a radio or cyber. But no, they're so desperate to get the cyber guys on board they're like, you know what, if you're a cyber guy you don't even have to do that whole gun thing. Every Marine is a rifleman, except you guys, you're the computer guys.

All right, so they acquire these skills and then they start hacking, and it's just gone crazy, hasn't it? They hack the U.S. elections, and then the Russians hacked Macron and Macron hacked them back. I don't know if you guys even
followed that part of the story; it was fascinating. And then the Americans are hacking the Koreans. They had success with Stuxnet in Iran and now they're figuring, well, maybe we can do the same thing with the Korean missile programme. At least that's the rumour. Obviously it isn't working, but they're trying. Someone hacked the Qataris. Maybe it was the UAE, maybe it was the Russians, maybe it was the Russians paid by the UAE, I don't know exactly, but somebody went after them, and I don't know if you guys remember the story, but a hacker literally planted fake news on a major national news site and it sparked a global incident that's still playing out now. It's nice for us, we're here, somewhere quiet up in the North Atlantic, but in other hot, dusty parts of the world people are getting really angry, and part of why they're getting angry is because some hacker who was paid by some government messed with a news website, right? It's got real-world consequences.

And in another place there are even more real-world consequences. In Ukraine the lights keep going off, and not once or twice; we're hitting three times now that the lights have gone off. Effectively the Russians are perfecting and practising and demonstrating the ability to affect national infrastructure in a country with which they are in conflict. I should just be clear, it's not like they're just playing around; in another part of the country the guys are throwing stones at each other. It's a big deal. And at the same time the cyber guys are switching lights on and off in places. So at the very least they're experimenting with a cyber war capability, or perhaps this even is a cyber war capability. There are people now arguing that what's happening in Ukraine is in fact cyber war, the first real instance of it, where you've got a kinetic impact and it's being used in the conflict, in an argument between two nations.

So that's my dystopian story. That's part of the world we live in, and out of that, as I was saying earlier, what happens is a new... let me see... not for me, not for you... a cool new industry is born. To explain that industry I want to take you back to the story of this guy whose name I just forgot, Ahmed... jeez, I apologise, I can't remember his name now, but he's a UAE dissident and he's cheesing the UAE government off. He's making them angry, he's
pointing fingers, he's revealing stuff about the state of their prisons, and they don't like him. They want to take him out. They can't take him out politically, and so they try, over what is almost six years, to get onto his devices using various third-party providers of computer hacking software. First it's FinFisher in 2011; that doesn't work out, it's not sophisticated enough. Then they go to Hacking Team in 2012; that doesn't work. And eventually they get these guys called NSO Group, who do a really sophisticated attack against his iPhone, remotely. Now, a lot of you guys would be pen testers, a lot of you guys will be in the red teaming space. We can say what we want about the mobile security apocalypse and how bad it is, but if you've ever actually tried to get onto a mobile device in a targeted way you'll know that it is a non-trivial exercise, right? It's one thing to find a general class of vulnerabilities and talk about it; it's a whole other thing to say, I'm actually going to read your SMS. And they didn't just do it for Android, they did it for iOS, and ostensibly a patched iOS, and they did it using this thing called the Trident exploit kit. Trident exploit kit: it's a chain of three different exploits that had to be chained together in order to get remote control of his phone.

Just to put that into context, oh sorry, that was developed by these guys called NSO Group, which is an Israeli operation who do this kind of thing, and they've been doing it for some time now. They've got like 200 employees, their revenue is $150 a year, and these guys come out of an Israeli army unit called Unit 8200, which is the signals intelligence unit. That's how it works in Israel: you go to the army, the army gives you skills, creates a network for you, you leave the army, you start a private company, you get rich, you sell services back to the army, they get more skills and more technology, and so this whole thing works. Dan Geer called that the military-industrial complex, right? It's happening in Israel, it happens in America, it's happening here too. So these are the guys that the UAE goes to when they want to get onto the dissident's phone, and they build this exploit kit for him.

To put that into context, Zerodium, who buys zero-days from the black market, was offering early last year a million dollars for a single iOS zero-day. Later they took that up to a standing bounty of like a million and a half for an iOS 10 zero-day. So they're paying big, big money for a single exploit. To get onto the dissident's phone the UAE government needed three, and they needed a third-party provider. You can just imagine the kind of resources that got thrown into getting onto that one guy's phone. And what that does, of course, is fuel an industry like this, right? It creates a space where, as a hacker, you can make a choice between coming to work for SensePost or SecureData, like me and [inaudible], and earning fifty thousand pounds a year, or earning a million dollars for dropping your zero-day on Zerodium. That has a massively disruptive effect on our space. But it also makes it possible, because of this outsourcing of the capability, because of the creation of this industry, it
makes it possible for everyone to play. This article talks about how the Vietnamese were doxing the Americans, I think. I don't think it's that important a story, but it reminded me of something that I feel very passionate about, coming from South Africa, because South Africa is a third world country, or, I suppose, "developing", which is a nice way of putting it. But what it means when you're a developing country is that you get to buy all the shiny things. So we have all the shiny things that you guys have got: nuclear power plants, very sophisticated 4G networks, internet banking. We don't have a self-driving car, but we'll get there. We've got all of those things; we just don't know how to use them so well, and we can't make any of our own.

So what that means is, if you look for example at the state of government IT security in South Africa, we have none. It doesn't exist. I don't even know where we would begin to look for compromise within South African government networks, let alone power stations, transport networks, factories, dams. We don't stand a chance. That stuff, we've lost control of it. In the days of Stuxnet we lost it; we don't have it anymore, and I don't even know how we get it back, because if we were to literally replace everything we'd have to go to the Chinese and buy it, and then it's all backdoored out of the box anyway. So South Africa, as a small country on the world stage, has lost control of its IT. I think it's fair to say we don't own our own IT, and if we don't own our own IT in the modern world, how can we assert ourselves as an independent nation state, right? If the Chinese can turn off our power stations and the Americans can turn off our networks and the Israelis know everything we want to do before we do it, we're just not playing anymore.

So if you're in South African government and you're smart enough to recognise that this is a problem, you've got two choices. The one choice is to say, well, we're going to bring Accenture in and they're going to design a secure IT strategy to roll out over the next 150 years, which is just about the time it's going to take the rail network to reach my house. Or you can say, I'm going to hire me some kick-ass Israeli cyber mercenaries, and the minute somebody pretends or makes noises about touching my network in a place I don't like, I'm going to have these mercenaries go and touch them in a place they don't like, and that'll show them. Now, that's maybe not a smart strategy, maybe that's not a good way to play it out, but it's not entirely illogical, and given the choices, what do you do?
Where else do you go? And I think we're starting to see that kind of dynamic, and the spiral that I spoke about earlier is feeding that, because now a nation state like South Africa, who could never secure their own networks, can spin up an offensive capability in a very short amount of time and at a relatively low price. And while governments are doing all of this, of course, the cybercrime industry is also not standing still. Forgive the complex graphs; they're not supposed to be complicated, they really just show two correlations. The top one shows that as spam, the volumes of spam and the interest in spam, decreased over the last, what is that, ten years or so, interest in ransomware grew. And basically what it demonstrates is that as spam stopped making money for bad guys, as spam stopped working as a way of producing revenue, things went quiet for a little while and then eventually they discovered ransomware, and ransomware is now growing as a way for bad guys to make money, because the bad guys are always gonna want to make money, alright? That's what they do. And the other correlation you see at the bottom is how the interest in ransomware grew at about the same time that the interest in cryptocurrencies grew. So what these two graphs do is, in a short way, they tell a long story about an industry that used to make money through one form of cybercrime, which was spam, lost that way of making money because of things that happened on the internet that I won't bore you with now, and when searching for other ways suddenly discovered cryptocurrencies, and cryptocurrencies created this whole potentially new revenue stream for them.

And the result of those two trends together, militarization on the one hand and adaptation by cybercrime to new technologies on the other, creates this chain that ultimately resulted in WannaCry. So you've got a cybercrime industry that's looking for ways to make revenue, you've got cryptocurrencies that change the way bad guys can monetise what they do, you've got governments fuelling this massive escalation in technology, in hacking technology and skills, and what comes out in the end is some kind of weird Frankenstein-esque lovechild between the two things, which is what WannaCry and then ultimately NotPetya was. And I guess my point with this is to say this is not a technology thing; this is the function of two very big trends in society that are creating these symptoms that we ultimately see. And as we said earlier, what resulted was WannaCry, and WannaCry was front-page news, and the reason I say that is because it's now things that affect people who go to hospital, it's stories that my mom and your aunt hear
about, that are being shaped by these trends. And the result of all of that is that people get scared. They don't understand this stuff, they feel overwhelmed by, you know, dark forces: Israeli hackers and Russian cyber criminals and technologies that came from the NSA, you know, zero days. And I'm not just talking about like my mom getting scared, I'm talking about us getting scared, because when I talk to my customers, how do you advise them to defend themselves against capability that's emerging from these two massive social movements, right? The guy's got a budget, he's got two hundred thousand quid he can spend in a year, you know, and on the other hand it's the GRU, the Israelis. What do you do, right? It's terrifying. So people don't understand how we can protect ourselves against this. What do we do in the face of these massively overwhelming odds?

And governments of course have a view on that. What they say is, well, what we've got to do is, we the government have to do more. You, the people, in the face of these overwhelming odds, cannot possibly be expected to protect yourselves. You're too small. It would be like asking you to protect yourself against this missile that the Koreans are building. You know, you can protect yourself against a guy who hits you on the head with a hammer and steals your phone, maybe; even then you'd go to the police, right, when he does. But how are you ever going to protect yourself against the North Korean ICBM? You can't do it, so we have to do it, we the government have to do it. And so they're going to throw up a big firewall around the UK that's going to protect us all against, you know, these nasty things. I'm not saying that's a bad idea, incidentally; it may be a good idea. But it's a massive shift. It's a significant change in the way the internet works and in the role that the internet plays in our society, and the guys who are doing it is GCHQ. It's the guys with the big boots, you know, they wear hats, helmets, and they carry guns. It's not Mark Zuckerberg anymore; these guys are badass and they're like, don't worry, don't worry ma'am, you know, I got this.

So governments step in, and the message that's increasingly being spoken about is like this: government has to solve this problem now, because you can't. The next thing that happens, and I think this is pretty logical, is we say to ourselves, well, if I'm a business and my job is to protect, you know, 5,000 desktops with a little bit of email and some Word documents, on the one end is the North Koreans with the ICBMs, on the other end is GCHQ stepping in and saying I've got this. The logical thing for me as a business to say then is, look, what I really want for my business is not cybersecurity; what I really want for my business is risk management, alright? I want to know what is my potential downside if something really bad happens. I don't really care if it's a Russian hacker or a North Korean, you know, cyber army guy. What I really care about is, I want stability and predictability, and I want things to stay inside a budget. So if the government is taking care of all the cyber, what I'm
going to do is I'm going to buy insurance, and the insurance will cover me for my residual risk, and what the government will do is they'll say, look, here are some standards that you must comply with in order to qualify for this insurance. And what we'll get is compliance-driven security, right, where people say I have to check these ten boxes, and if I check these ten boxes I qualify for my insurance, and by qualifying for insurance I know what my risk is, and actually as a business I'm pretty happy and the government takes care of the rest. And this guy in the photo, Ed Perlmutter, he's an American congressman from Colorado who's tabling a proposal exactly like this in the States, where in fact American businesses who comply with a certain set of cybersecurity standards get to offset the insurance costs against their taxes, so there's an incentive for them to do it. And for those of you who have been through things like PCI and ISO, all those different ISO 2700 standards etc etc, what you'll notice is that those standards generally don't make security better; they just kind of manage it down to the lowest common denominator, so that the goal becomes compliance, not security. And that's probably what these kinds of initiatives will do. And again I'm not saying that's good or it's bad, but I think it's a significant trend and it's something we need to very carefully think about, because I think it's going to change the way things work.

And of course when governments get involved it's very quick for things to go wrong, and of course we're dealing with governments now that are all so scared. They're all so scared of what it means. The South African government is scared about what the Chinese can do to their email, you know, what if our president can't YouTube during parliamentary meetings? It would be catastrophic. He wants to check his Twitter, see how many likes he gets. It's important. But they don't want it to happen, and also there's this whole going dark thing, and so governments start to assert themselves, and we're seeing this play out in the face of things like the battle between the FBI and Apple. And really what the FBI is saying to tech companies like Apple and others is, guys, somewhere, somehow, you have to let us look at this data, and we don't really mind how you do that, whether it's giving us a backdoor to a phone or having a master key or having an office where we can give phones in and you do magic and give us the data back, but somehow it needs to happen. And if you're not going to let us do it overtly, then we're going to do it covertly. And that battle is playing out in society right now, and how we as a tech industry handle it is going to affect how governments handle it, whether it's soft and easy or whether it, you know, becomes hard and ugly. But it's a significant trend and we need to be aware of it.

And a very jarring example of that, which I'm throwing in just because it had such a visceral impact on me, is governments wanting passwords from people now, right? They can't read your Facebook without you, so now they need to read your Facebook with you. And this is from the US visa application, the online visa application form, where they ask you online to give them as many of your social media account passwords as you think is appropriate. Not sure exactly how you're supposed to make that determination, but they're effectively planning to build the world's biggest database of social media passwords so they can check people's stuff when they come over the border, to know if they're good or bad. And it's not just Americans; the UK government is doing it too. A guy from an NGO called CAGE just got arrested a few days ago for refusing to hand over passwords at the UK border, and he's a UK citizen. So what all of this means is, right now, if you're at a security conference, all of this stuff is happening in your space. Whatever realm of security you're busy
with, this is your deal; it's affecting you. So, like it or not, you're in the middle of a set of global events that are serious and have large consequences. So my presentation was titled Return of the Jedi. Why did I call it that? And I'm gonna make some Star Wars references. I'm not really a Star Wars person, but you'll kind of see. The first point I wanted to make, which is kind of a point I just made, is there's a big thing happening in front of us. I think it's much bigger than any of us recognise, and we kind of need to look up a little bit at some point and notice that it's taking shape. It's taking shape in the battles with the FBI, it's taking shape in the militarization of the internet, it's taking shape in the creation of an insurance industry, and it's going to affect us in a very, very real way.

Now if you were at Black Hat this year you would have seen this. This is from the Black Hat opening ceremony. It was huge. It's like a party, it's like rock stars, you know, guys step up on the stage like, yeah, it's a big deal. And I think that's good, and it's appropriate; a lot of good stuff happens at Black Hat. But part of what worries me is, like, while the Death Star is being built, you know, just off a nearby planet, the kinds of things that we're talking about, the things that are getting us excited, are like, you know, internet-connected dildos and Segways and things. And I'm not saying those things aren't important, I'm not saying there's not an impact for them, but I think we focus on like small exciting things, you know, like whether we can make things blow up, and not on the big picture things, which is I think what should really be capturing our attention.

Some of you may know this woman. Her name is Keren Elazari. She's an Israeli researcher with Singularity University. She did this talk at TED which was really big, called, you know, Hackers as the Internet's Immune System, and the point that she makes is, like, hackers are constantly testing the technology, we're pushing it past its limits, and in that way we're making the internet stronger. And I think that's true, and, you know, blowing up Segways is one way of doing that. But if you really think about how societies solve the problem of disease, for example, it's not because individuals in our species died out; it's because as a society we tackle these things at a systemic level, right? We have Centers for Disease Control, we have researchers working hard with government grants, and we have treaties in place with other countries, and we have processes for, what do they call this thing where you put them in a camp and you don't let them out? That thing, you know what I mean. Anyway, what is it called again? Quarantine. That thing, quarantine.

So I got to kind of thinking about, like, what do we look like as a community if we want to have this effect on the internet that Keren envisages for us, given this Death Star that's building? And I kind of figured we need to look like this. We need to look like a Jedi. And I want to make a specific point about the Jedi. It's not the point about him having the Force. It's not that. There's kind of an element to it, if you think about like the dark magical aspects of computer hacking, but I also want to say it's not about the lightsaber, which is kind of the bit that we're focusing on at the moment, isn't it? Like, you walk into Black Hat, the lights come on and the guy's like swinging, he's got his lightsaber swinging around, and it's like, ooh, that's amazing, and then the guy does a few cartwheels and, you know, slashes someone's head off and another robot drops, and it's like, that's amazing. But if you read, and I've not really read this, I read this on Wikipedia, that's how I know it, if you read about what really defined the Jedi, then they were as much diplomats as they were warriors. Like one whole school of Jediism, the guy was only ever allowed to use his lightsaber in self-defence. What he really was, was a teacher, right, interested in helping other people understand. He was a philosopher, he was a scientist, or she, I'm sorry, I'm saying he just because the pictures are of guys; he or she was a physician, she was a diplomat, right? These are the kinds of domains that we have to start moving into if we're going to tackle these really global issues. These things are bigger. You're not gonna take down the Death Star with your lightsaber; doesn't matter how many somersaults you do. And they did take it down with a lightsaber. I think you get my point. We need to start reframing our role in society in terms of these other things that the Jedi are known for, and not just like swishing our lightsabers around.

Then I want to leave with this. I kind of plotted a trajectory towards, you know, being a Jedi Master. This guy here is a Jedi Master, and I defined a few phases, and I know you're tired and it's the end, but just bear with me for the last five minutes as I kind of trot
you through these. The first phase of maturity, of development, I think is what I would call performance. That's when you're good at your job; that's the lightsaber bit. That's when you can reverse engineer malware and, you know, reconfigure BGP routes and build things that run on a Raspberry Pi, set up an Apple TV. You know, it's like the real technical peak of performance. But the thing about that is it's solitary. Like, doesn't matter how good you are at configuring your Apple TV, you could only ever configure one at a time, you know, and you're never gonna take Apple on because you're the world's best Apple TV configurer. It's just not going to happen.

So the next phase is to look at processes, the one that all the geeks hate. Process means that you can describe what you do and repeat it, and what that means is when I leave SensePost, you know, being the world's best Apple TV configurer that SensePost has ever had, the next guy that moves into my job can pick up the manual that I wrote and be like, oh okay, this is how I configure an Apple TV. And so the skills that I developed become transferable to other people, and so it's sustained, right? And that gives us a platform that we can build on.

After that, what we need to do is look at people, and this is like almost the most important one, and conferences like this really speak to this point. If you can communicate what you do, if you can transfer knowledge and skill and even passion to other people, we start having the same effect that the militarization had in terms of the like, wow, experience that the Stuxnet authors had, right? It's like, infect other people with what you know, what you love, what you care about, how you do it. Share knowledge, share skill, because what happens then is you have a force multiplier. Now you don't just have one guy with the lightsaber, you've got a hundred guys with the lightsaber, and you're starting to affect the Death Star.

The next thing I think we need is to understand purpose, and what I mean by that is actually very simple. It means understanding the why of security and not just the what of it. Security needs to exist for a purpose, right? It's either to make businesses successful or to make governments work or to ensure free societies or to support democracy. It doesn't really matter, but you have to understand the fundamental purpose that security supports and be able to speak that language. We often hear people talking about, like, taking security into the boardroom, you know, speaking the language of business. That's a clear example of that, and we're failing at that as a society; we're not even getting that right. But it goes way beyond that. We need to understand the role that security plays in all these other things, so that the guys with the, you know, the face puppetry are talking to security guys, because they're like, those security guys, they can help us, they understand what we're about and they understand how their domain impacts our domain.

I'm almost done, just two more. The next one is, you need to understand the principles, which is really the underlying things that drive the why. And this is where we start thinking about and talking about things like why is privacy important, like why does it matter that the government can or can't read my data. My mom needs to understand this, politicians need to understand this, law enforcement needs to understand it, not technically but as a fundamental thing: the role that privacy plays in underpinning democratic societies. That's something we need to be able to communicate. And so we're moving up the chain, beyond just being able to talk in the boardroom or in the courtroom, to really start talking to the people that shape and form society: religious leaders, political leaders and the like. And if we do that we can start affecting policy, and policy is where ultimately worlds get made or destroyed. Policy is where ultimately the Death Star gets built or broken down, and that's what we need to do, and that's when we become significant. That's when our industry is going to start mattering, is when people say, geez, we're making this big decision about whether to build this technology or not, whether to allow that technology or not, what do you security guys think about that? What impact is that gonna have? How do we do it right? Then I think we can pat ourselves on the shoulder and say, you know, we're making a difference.

And that's the end of my presentation. It's a call to arms: let's see that the Death Star is coming, rethink how we interact with the world so we can be taken seriously. Thank you.

[Applause]