The Get Cyber Resilient Show Episode #80 Transcript
Daniel: Welcome to episode 80 of the Get Cyber Resilient Show. I'm Dan McDermott, and I'll be your host today.
This week is our in the news episode, and I'm joined by our resident cybersecurity experts, Bradley Singh, and Garrett O'Hara.
And we will begin this episode by reviewing the latest developments in this year's highest profile ransomware attack, Colonial Pipeline. With a $10 million bounty now being offered to bring down the hackers.
Closer to home, we'll explore how the Office of the Australian Information Commissioner, or OAIC, has ruled the use of AI-based facial recognition software to be in breach of privacy laws, and has ordered the deletion of records.
And finally, with New South Wales council elections on the horizon, the Electoral Commissioner has said that the polling body's cybersecurity won't meet the government's own standards in time for the polls.
Brad, let's kick off today's episode by going back into this year's highest profile attack, Colonial Pipeline, and now with a bounty being offered to bring down the hackers themselves.
Bradley Sing: Yeah, I guess it's, sort of, of no surprise, Dan, that we've seen more and more of a reaction from... the American government, American law enforcement, but I guess the West as a whole.
I, for those who don't remember, [inaudible 00:01:20] Colonial Pipeline was probably one of the most highly publicized ransomware events that we kind of saw early in the year, back in, when was it? It was, back in the, on the 10th of May.
But, we've continued to see news about it, in terms of America in some instances g-, I think the, they initially recovered quite a large amount of the, the, the ransom money.
But now it looks like they're going on the offense, so, you know, actually offering a bounty, if you will. And then, I guess, kinda further to that as well... Just thinking about that group itself, I believe in total it was estimated something around 80 million or so, dollars in total was, you know, allegedly stolen by that group, so...
Yeah. It's [laughs] of no surprise that we're starting to see a reaction.
Garrett O'Hara: Yeah, feels like it's part of... it's part of a bigger reaction overall, isn't it, globally. I think [inaudible 00:02:07] of a bunch of indictments out of the U.S., of indictments outta... against people involved in ransomware in in Russia, and, and sort of other countries also, seems to be a... a who's who of countries when you look at the indictments, but it, like, to me, it, it sort of signals what we've talked about on the show quite a few times. The... escalation in attention that governments are paying to this stuff.
You know, we've, we definitely see it here locally in Australia. And you know, to pick up [laughs]... retail politics, as it's been described. But, yeah, it'll again be a, Biden's throwing a ton of money as well, I'm sure you guys saw the [inaudible 00:02:43] infrastructure gone through the U.S., and there's a big part of that is carved out for cybersecurity.
So, it really feels like it's got the attention of the, the U.S. government and that probably has a lot [laughs], lot of people... I suspect, worried that, you know, the black ops helicopters are gonna arrive into some, you know, rural place, where people have thought they were safe, or, you know, there's gonna be a drone strike, or kinetic attacks as they, are, or kinetic response, is that what they describe them as? When... You know, you actually go and blow up buildings based on the presence of uh, cyber attackers.
Does it, it feels like this starts to point to, what Dr. Chase Cunningham was talking about, you know those cyber warfare. It's, it's really, everything's become digital. And, and I think the penny's probably dropped, just the, the massive spend, and, in the, the reward for information, but then also the, the huge amount that's been announced for the... Infrastructure bill in the U.S., where they're, like, they're gonna put money into... regional cybersecurity, tribal cybersecurity... Just, like, really throwin'... throwing money at the problem, which, you know, we... I think globally, we need to do, and I th-, guess we'll talk about a little bit late [laughs], later when it... comes to our polling and electoral systems here.
Daniel: Yeah, look, it's an interesting one, though, that bill, right? Because, I mean... like, there's $2 billion for cyber, right? So it's like, awesome, like, what a huge amount of money.
The bill's a trillion. So, like, you know, i-, uh... is is cyber... actually still getting its, its fair share of actually what's required in terms of this, or is it still, you know, the crumbs at the end of the, of, of it, to make things sound good?
Bradley Sing: I think it's the crumbs.
Garrett O'Hara: How, how much did we spend on those subs? The nuclear subs?
It was more than 2 billion, wasn't it, from...
Daniel: [Laughing]
Garrett O'Hara: ... was it? No? [crosstalk 00:04:27]-
Bradley Sing: And we can't even see them, just like cybersecurity, right, the [laughs]... kind of under water the entire time.
Quick note, guys, by the way. So this is allegedly, not allegedly, it's the, the largest ransom they've ever off-, sorry, largest bounty they've ever offered for this type of, kind of, attack.
The last one before, I think was 3 million. So, I guess if you're a hacker, maybe working for a nation state, do you dob in, you know, someone for a reward? There's also an extra 5 million going directly to anyone who can find anyone who conspired to help the group as well.
So, I think that kind of says it all there, where they're almost trying to, like, dismantle the framework, go in there and almost create distrust between... between maybe these groups themselves.
Interesting enough, also, from my understanding, the ma-, large majority of, of ra- bounties and kind of reward money offered by law enforcement, I think less than 1% is ever paid. Just an interesting fact as well.
Daniel: And I think that's the thing, right? Is, is that, they will know that, you know... you know, if you're outing, you know, a criminal organization, then you're putting yourself at risk of, you know, it, and if you're doing that, you probably have inside knowledge to a degree, and therefore are subject to prosecution yourself, so...
You know, again, it, it's an, it's a very good headline. And, you know, will it really make any difference in terms of actually bringing down, you know, the, the masterminds who are behind it, and actually stop this. Because... you know, we're sort of seeing, you know, ransomware as a service continue to, to grow. Like, you know, as an industry almost, right?
And, and I think some of that [inaudible 00:05:59] Brad, as well, as you sort of look at, you know, being tied to, sort of, you know, cryptocurrency, and, and-
Garrett O'Hara: [crosstalk 00:06:05]
Daniel: ... what that means, and, and, you know, that's making the news for, you know, the, the highs and lows of that, but as I, you know, how much of it is the, sort of, fueling all of this behavior as well.
It, it's interesting, 'cause, if you look at the [laughs], the funny thing... funny thing... initially when the, when the, when the hack happened, I think Bitcoin or something had doubled, or halved in price at the time, so the money they got back was, like, a lot less, or something.
But, since then, Bitcoin's now, I think, quadrupled in price [laughing], it's at an all time high again.
I wonder, to a degree, if there's any correlation between the price of cryptocurrency, and the rise of ransomware, and that, you know, the ecosystem of, of security. Because... the cryptocurrency, or Bitcoin itself is worth, I think [inaudible 00:06:46] like $10 trillion market cap, right? Potentially more.
So... how much ransom money of that... how, what's the percentage of that being paid in ransoms, and I wonder if there's any correlation because, there's obviously some value in having crypto, just to make sure that you can get your stuff back online.
And also just finally on that, and I think there was, a survey done a couple of years ago which said that one third of UK firms over a certain size held Bitcoin just in case the event of ransom.
Garrett O'Hara: That's, it's such an interesting one to me. I c-, I, well I c-... I don't really do much with crypto, but I suspect most of the price increases are speculative. Like, it feels like it's that more than ransomware.
But I, I think you're right, Bradley, that it's definitely fueled, far out, I mean there's... there's utility in, in crypto. That, that it wouldn't be popular at all, so I think it's probably a combination of both.
Here's what I find interesting with the, the bounty, though. You know, we talk about... technical controls, and cybersecurity and, and so often in the conversation with the three of us is around technology. You know it, it's that.
And then, you look at the solution sometimes it is just throwing a big dollop of money at [laughs]... at a, you know, at the a-, the attackers with the hope maybe, you know, successfully or not that somebody somewhere goes, actually that sounds all right, I might, I might have a go at that.
The question then for me would be, and depending on where they are... and the... suspicion that, you know, even the, the sorta... Hackers that... appear to be on the surface not aligned to state nations, or nation states... actually they're kind of, they're, they're potentially sort of sponsored, or they've got the nod from their governments.
So, that would, that would s-, you know, to your point Dan, the, the risk that you put yourself at is not just the criminal organization's, but... like, if you got the you know, the informal, or you got the nod from, from your government that what you've done is okay... then, you might, you know, get the wrath of, [laughs]... you know, one of those countries where you definitely don't wanna go, you get disappeared into a black van, you know, in the middle of the night... When they find out you're the g-, you're the person who can open their mouth.
Daniel: Yeah, that's right. I think the, the, those potential risks and consequences [inaudible 00:08:53] in, in some of the, some of these places is, is far outweighs, you know, the money and, and then if they continue to be successful in terms of the ransoms that they are getting they're probably getting a fair share of, of coin anyway.
So, it y-, difficult one to, to sort of say whether that will work or not. You know, and it, it's the same we've said before... a lot of this, sort of, crime fighting is, is akin to what happened for a long time in things like, you know, the drug war and other things as well.
You know, or illegal arms trading, or anything of that, the, these tactics have been used before and, you know, those things continue to go almost without a, without a glitch, right?
So, they haven't worked previously, so I'm not sure why they're gonna work in this uh, in this modern fight as well.
Garrett O'Hara: S-, it seems to me what happens, though, is that you're, like, you're right, the war on drugs is clearly a failure, but what it does is create very, very powerful consolidation i-, of power into cartels. 'Cause they're the ones who can survive the you know, the, the sort of broad attacks.
It's almost like Darwinian survival of the best. Cyber attackers is probably what's gonna happen with this stuff, right? Where... if 10, you know, if 10 million's not enough to kind of shake the tree, and, and rattle out the, the attackers then... what you're probably left with is people who are very, very, very good at what they do, and are protected by very large organizations.
So... like, is that where we end up like the drug war. It's not, you know, it's not a bunch of, people in their [laughs] at home, you know, growing weed on the, the balcony, and, you know, trying to sell it to their friends, but it's large scale operations, and farming, and you know, the stuff that goes along with it.
Yeah, I don't know. It feels like that might be where we land with this stuff.
Bradley Sing: It, if we think of the profiles some of... these hackers are, I guess as well, like, there's been this growing dialogue of, exuberance Lamborghinis in Moscow, and, and, you know, all this money they're making from this, you know, obviously highly profitable trade.
You know, if we can't get Snowden out of Russia, like, what, what chance do we have getting some of these guys born and bred, and... you also wonder as well, if, if they were to become a risk, like, they'd be under surveillance I'm sure from their own government.
So... can't really do much, can we? Like [laughs]... they're kind of fenced off by thousands of kilometers of ocean.
Daniel: No, exactly, and I think that's the thing. I think the, the bottom line here is, is that, despite the, those eye-watering sums of money that've been offered by the U.S., the chances of the criminals facing justice is slim, so, and that's a, the reality of that situation.
Moving to our next story one that is an interesting one that, in terms of what's happened here locally and how... how, I guess, facial recognition software in particular, but I guess, you know, identity recognition, right, of people being utilized you know, for what would be, seem to be, you know you know, good purposes, if you like, as being visualized by law enforcement agencies, has been actually deemed as illegal from a privacy point of view.
This is, you know, fascinating on so many levels around the use of the technology, and then the, the growing implications of how technology and privacy do need to be interwoven together, otherwise we'll find ourselves in these situations, I think, many more times that, in the future.
Garrett O'Hara: Oh, look, yeah, it's funny. This one came up on the, we, you know, we do that threat intel webinar, kind of, a monthly basis, and Mark O'Hare who's our CISO was talking about deep fakes, and, you know, kinda discussing that, and... know, where that's all gonna go, and you know, in terms of voice and video...
That, you'll, it, it was funny, 'cause this story hit the same day when we were doing that webinar, and, and, you know, what I had in my head was that... you, like, absolutely it feels like an invasion of privacy, like, this thing of scraping, even though they're, I don't know, public website, it, it just feels a little bit off, that... These images are gonna get scraped indexed, and then used for recognition.
But then, you know... Like, do you get to the point where that becomes, like, training data, down the line... where you can't change your face. Well, I mean you can, if, with plastic surgery, obviously. But, you know, for most of us, we're, we're kinda stuck with what we have.
But... you know, using those images that are scraped in as, as datasets... think that's what we're starting to think, and not even Clearview AI... but just broadly, like, the availability of our videos, our images out there, and our voices. You know, like, the three of us, if, if somebody wanted to deep fake our voices... it's pretty trivial given how many how many hours of us talking there is out there.
So, it feels like, you know, it's the right thing to do to, to call out this, and, and I personally feel good about the fact that a you know, company was called to task about it.
But it's, there's a bigger conversation here beyond this one company which is just the prevalence of our data, our images... our voices, things that are used for potentially biometrics down the line, and the availability of that stuff online.
Bradley Sing: Kinda reminds me of, a weird old Robin Williams movie from 2004 called The Final Cut. Where, it's all about, I think the, the premise of the movie is bas-, if ev-, everyone's constantly being recorded but the idea is if you have this face tattoo with something weird, it blocks out the facial recognition.
So, you kind of go through as it goes... you know, it kinda, it al-, almost reminds me of that, because, I mean, the reality is, like, we're heading to a world of more and more... everything's connected... we want access to our data, we post our photos online willingly... the, you know, there's only some chance that it's gonna be end up in, end up in the database someday.
But, I think, scarily enough, like, this stuff has been happening for a very long time now. For, you know, for the past 5, 10 years, and even just as of today, our, South Australia council told South Australia Police they can't use their facial recognition anymore until there's some local state privacy laws updated.
So I feel like this is a, you know, c-, a continuous battle. But, but ultimately, I think... kind of need to have appreciation that, yeah, your face is kind of out there, right? Like, wh-, what can you, we really do... like, I don't think there's much as an individual, at least.
Daniel: What about the use, like, you know, even i-, i-, if it's being used for law enforcement, is that not a good thing, like, that, you know, that it's being used for good, and to, you know, to, you know, bring people to justice, and those type of things.
Like... like, is that an, is there not, you know, based on the use case of how it's being used, therefore, you know, allowing the technology to do that for good, rather than evil.
Garrett O'Hara: I think... I, I think in individual cases... there, the way I would look at it is, I would be so happy if they identified somebody who harmed me or my, you know, my family, based on this technology. And the thing I think societies have to do is go bigger than individual cases, and think about, like, what does it mean when you go to... like, a societal level.
And I don't, like, personally, I don't... I don't feel comfortable with that price. You know, you end living in Gattaca, or, you know, one of those kinda dystopian futures where, you know, every turnstile means you know bi-, biometric authorization. Again, and that is, you know, like it... it sort of gets a giggle, but, like, how far away is, is facial recognition from that, of you're walking around, and at any point somebody can just say... you know, where is Bradley, or where is Dan, where is Gar, and you get pinpoint accuracy, that... like, I don't, I don't really want that, you know? I don't want to live in that world, and yes, it might be safer, but... I don't know that safer is always better.
You know, I think... yeah, I mean, it's a personal opinion, and it's really easy to say that, right? Because I don't, you know, right now, I'm no-... there's not criminal out there that I'm really desperate to get my hands on.
Well actually, there, there's a guy who stole my Nissan Micra in the mid-90s, in Dublin. And drove it into a field, and then burned it out. So that guy yeah. If, if...
Daniel: Insurance job? Or...
Garrett O'Hara: I, I, I doubt Dan, I wish we had their printed name for the Irish Police, which is Garda Siochana... But if you saw it written out, it's, it's ridiculous. But, yeah, if the Garda Siochana are listening from Dublin, and facial recognition would help you find the guy who burned out my Nissan Micra... I'm all for that [laughs].
Daniel: It's definitely, it's a, I think this is a, a, it's a fascinating area, right? And that it is l-, like... I think we all remember back to Google Glass from, you know, which is a few years back now, right? And... I mean that was, you know, so much of what w-, that was doing, you know, is the ability to, to look out, see people, bring u- could bring up their profile, it could bring up, you know, their Facebook account, it can bring up different, the information about them. You know, just by walking the streets.
And that can be complete strangers, right? And, I mean... it, surprisingly that didn't last so long, right? [Laughing] like, after, you know, and, and for all the trying to get it into police and enforcement, and that type of thing as one of the first use cases of good for Google Glass, right? They were scrapped fairly quickly afterwards.
Really, not because of the, not because of the technology, right? But because of the societal implications of, of what can happen from there.
Bradley Sing: The technology's also probably there to a degree already, right? Like, I mean... that was a quite a while that you're, you're point, Dan, and I think there's been quite a lot of advancements in that, that area recently.
And... just on the law enforcement aspect, as well, the-, there definitely have been, I guess in, in industry if you will, that have been known to use a lot of that type of recognition and technology around things like license plates, big databases, big data... yeah that, just gonna see more and more of it, I suspect.
Garrett O'Hara: Yeah, that's the thing. I mean, you, you think about h-, I mean license plate recognition is so good at the moment.
Bradley Sing: It's too good, from what I hear. I watched a thing on it a while ago.
Garrett O'Hara: I'm about to, sort of, slightly dox my sister here who got a-
Bradley Sing: [Laughs]
Garrett O'Hara: ... she sent her family WhatsApp group a photo of the fine infringement where she... probably shouldn't say this, she was on a toll road in Dublin, she lives in the UK, so drives an English car. And, she got a notice in England, even though she paid the f-, she paid the toll, but just paid it late, so they basically pinged her on that, and then gave her a f-... [laughs]... a fine also.
But in the thing, they include the photo of the license plate. And, clearly, like, it's all automated. The overhead fragment is... minimal, and they can make a, I presume a ton of money from uh, you know, collecting... the infringements you know, using the, the license plate recognition, or all the carparks have it now, and it's accurate, and it's quick, and, you know, it's really efficient.
But, here's the question, like, are those license plates, like, right now, do they just exist in a carpark, or... do you see a point where... You stop at a traffic light, your license plate maybe gets snapped, and then... that, that all gets fed into a database, and then, you know, you know where cars are at any given time, and then, you know, the, the story that happened in Western Australia recently with the, you know, the young girl that everyone was so happy about, you know, the end of that story was brilliant.
But... you know, Dan, to your point, in that case, wouldn't it be wonderful for, like, the, the cops to be able to put a license plate in, and then literally look at a map and see where a car has gone.
Like, emotionally that just feels so, so good... and then the flip side is it just, the, I feel like the price is too high.
Bradley Sing: I think they're starting to get there, like, some states in America. Like-
Garrett O'Hara: Mm-hmm [affirmative]
Bradley Sing: ... from my understanding, it's the, basica-, it's, the system is crazy. So... it's a huge database which different police stations will, will subscribe to, or police forces, rather, and the idea, I think that database is if they know the criminal, or someone's driving a certain car, they can put that license plate in, and then they'll just get pings about the location as the, the license plate is realized in real time.
And this database is huge, right? It's hundreds of millions of license plates. So, I believe in, in some use cases, it can almost do what you're saying, Gar, like, it's that real time feed almost where-
Garrett O'Hara: Mm-hmm [affirmative]
Bradley Sing: ... you could say, oh, this person was here then, then, there. We know his pattern, tomorrow we'll go ahead and, you know, perform an arrest or something.
Garrett O'Hara: Yep.
Daniel: I think from a privacy perspective, what we're, what we... under, need to understand though, as well, is, is that, you know, in this instance, Australia and the UK have gone down this path, and, and de-, declared, you know, that what was happening here in the collection, and the use of the, oh, of that information as, as being, ill-, illegal, and against the privacy laws.
But those images exist now globally, right? It's on the internet, it's in a database somewhere that can be accessed and shared. So, from an individual or consumer perspective, you know, if we feel like we can take some comfort that we're being protected, you know, b-, from, from our government, that doesn't mean that the information can't be used somewhere else.
So, I think that, you know, if this is going to be one that continues to evolve, and there, there will be constant, I think, flare ups in this space, of where things will happen, it will get shut down for a period, it will evolve, something else will occur... It will appear in a s-, in a, you know, in a subsequent, sort of... you know, market [inaudible 00:21:23] nearby, all of those type of things, so...
You know, I guess, from an international perspective at the moment, you know... [inaudible 00:21:30] borders are still pretty much closed, we can't go anywhere, nobody's moving [laughing], that sort of thing. So, we're probably okay, but if the, you know, if you think of, you know, somewhere like Europe and Asia where you can get around far easier, between countries and that, you may be, you may have been protected in one jurisdiction, but not in the next one.
Garrett O'Hara: Yeah, so true.
And, and, as you talk about international borders, I mean, every time you walk through the automated turnstile... I mean, that's an image right there, and they're using... facial recognition to, to know if it'd you or not, right?
So, like, we, we... we're partly already there but we're not, I don't think as far away from Gattaca as people realize, you know there's... and I know your, we joke about the tinfoil hat stuff, but this is... it's very, very real. You know? This is... this is happening right now, you know? It's, I find that, I find that really creepy.
Daniel: There's no doubting we're, we're on, we're feel-, we're getting closer and closer to the edge of where these things are, right? And then we're at that sort of point... and, and, decisions like this, and then privacy laws, and governments having to step in, and that type of thing... you know, you, needs to happen in order to stop it, sort of, proliferating and, and sort of running out of control as well.
So, definitely a, an interesting space, and one that I'm sure will continue to to evolve and, and come up over time.
Now, final story for this episode is looking at the New South Wales council elections that are coming up. And the commentary from the New South Wales Electoral Commissioner, John Schmidt, that, saying that the polling body's cybersecurity won't even meet the state government's own standards in time for the council ballots.
Brad, what's going on here, and, and what is the implications of, of the council body not being ready from a cyber perspective?
Bradley Sing: I mean, huge implications, and I feel like we talk a lot about councils, I'm not sure about you guys, but seems like it's a recurring theme here on the Get Cyber Resilient show, but... I think it's a, there's a few things there.
So, was a comment by the electoral commissioner, John Schmidt, who said the polling body's cybersecurity won't meet the state's, government's own standards. Mr Schmidt said he had over the past four years repeatedly called for greater funding to boost the commission's capabilities to prevent cyber attacks, saying last week that if he were given it immediately there, there would be no time to comply before the December 4 elections.
And, one thing I just mention around this, is I feel like this is a recurring theme, where we're, we're hearing stories from, you know, public sector most of the time which is, hey, we've identified something from a report we did multiple years ago, or, you know, it's been run before, and then, we were, and whereas the actual, whereas the followup, and what we're seeing here is... from, from Mr Schmidt is saying, there's not time now. Like, even if you were to give me the money, even if you were to, you know, give us stuff, by December the 4th, there's absolutely no chance we'll get it in.
So, I feel like there's this... probably a little bit of resentment potentially there, and you know, and understanding that, hey, we need to do things better, but also, you know, the politics behind this, as well. Like, cybersecurity is suddenly starting to become something a lot more political.
Garrett O'Hara: Yeah... I mean, I... like [laughs]... it really. I... you... it f-, you know, if you can hear probably the exasperation in my voice here, but like, it just feels like we, we can't fix this stuff without spending money, and I appreciate governments... get votes by, you know, tightening our belts, and, you know, the, your budget's on track, and blah, blah, blah. And that's all fine.
There's actually a bit where we need to spend money to fix this stuff, because the implications of not fixing it are way, way more significant, and gonna be more expensive in the long run... than just doing this stuff, and doing it sooner rather than later.
And I think that's... I mean, I don't know, you know, Mr Schmidt uh, not, not aware of him, I haven't really, it's not across him at all, but, i, I get a sense of his frustration from the language, like, he described it as Kafkaesque, and, you know, circle of hell... you know, the, the process to try and get this budget stuff through, and, they, they're the words of somebody who clearly... I suspect really understands the importance of spending this money.
And, you know, to the point where he publicly said that... The [inaudible 00:25:27], I mean, he goes probably red that he went back and they had to do a you know, business case lite, as it was described... and got knocked back. And s- you know, is based on the, the numbers not stacking up, and his comment was that, you know, to rerun a s-, [laughs], state election... you're talking about a hundred mil, and that's way, way, way more expensive than the 22 mil that they're, I think, requesting at the moment.
It just, it feels like false economies to push this stuff, you know, into the next year, to the next year... and then fundamentally as taxpayers we end up paying more money in the long run, because we don't just get this stuff sorted.
And it's not just, I mean, let's be honest, this and to your point Brad, we've talked about this, and, and Dan, like, how many times? Agencies failing their own audits... time and again, time and again, and this stuff takes, it takes money, it takes people to fix the problem, doesn't happen magically... Yeah, it, like, it's just baffling, and for four years that it would get pushed down the, pushed down the road, and then here we are with an election coming up, and we're not in a position to do that securely.
Seems crazy.
Daniel: And I think the, and the thing for this time around as well is, is that, it's the first time that electronic voting will be part of the council elections.
And, and we know, you know, the uptake that will be expected, you know, with, through the pandemic and everything, as well. Like, do you wanna go and stand in a line you know, maybe to get a sausage, but maybe n-, you know-
Garrett O'Hara: [Laughs]
Daniel: ... if they're not available, but... like, you know, it's, like, w-, you know... lot and lot of people are gonna choose to do this electronically. So, not only are, is it a, is it a risk, but it's at a time when, when, now, it's op-, this is how people will vote.
And I, I just thought it was amazing that it, he actually quoted the fact that if there was a state actor who, for whatever reason, decided to target any organization in New South Wales, it would be to... limitation to how much that could be withstood.
I mean, that's, it's pretty indicting, right? In terms of where, where we're at. And like I say, and the fact that the election is basically going online... I mean, this had to get sorted before December 4th.
Bradley Sing: I mean, if we think about, like, America recently and the whole, you know, not recently, earlier in the year with the whole voting thing, and the polling staff, how the machines were potentially dodgy, I think there could potentially be a bit of mistrust in something like an election from, you know, different individuals.
If you take that, then combine that with the fact that... [laughs] you have, you've effectively got the ability to... Sorry, I was think m-, more rather about the Census. Do you guys remember the Census? What happened with that?
Garrett O'Hara: Yeah.
Bradley Sing: The first digital Census, huge project-
Garrett O'Hara: Census fail.
Bradley Sing: I don't know, I'm kinda getting... reoccurring thoughts, flashbacks to that [laughing], sorry.
Garrett O'Hara: Yeah.
[inaudible 00:28:14], I mean, I, I think that is an incredibly important point you just raised, Bradley, though. The... Trust in democracy, like, it's, it's not in a great place at the moment, I would say, in many of the kinda, you know, developed... developed parts of the world, and, you know, uh... let's call them more mature democracies, have all gone through a little bit of a... Existential, you know, threat, for many reasons.
You know, how the media's set up, and social and all of that stuff. I mean, the last thing, surely, the last thing we need... is that, yeah, l-, like electronic voting is gonna get any questions over it, and then having to rerun an election, I mean, apart from the expense, and the, the fact that it's coming out of our pockets [laughs]... as taxpayers, it's I mean, it... the hardest part will be having to listen to politicians campaigning on the run up to the elections, you know... really not looking forward to that part.
Bradley Sing: That's huge, though, right? I think, yeah, like, for misinformation, 'cause if you, say, to your point, you're a foreign nation state, and you decide that, hey, we wanna try and instill, or, you know... make it so people aren't confident about the, the, the democratic process they're part of... the easiest thing to target would be one of these elections.
Like... you've just suddenly, you know taken away, you, you create, you've created misinformation, you've created differences and you've also highlighted again how, how, I guess, potentially weak some of these defenses are, which our own people have told us, as well, and we all know that. Which is, I guess, the concerning thing, so, it feels like an accident waiting to happen.
Garrett O'Hara: Yeah, it really does. And there's a, a chap... who spends a lot of money on, on political advertising, and maybe that's all I'll say about that guy, but you can see those kind of people jumping on any potential failure of electronic voting to, you know, really stoke the flames of... conspiracy theories, and, you know the, the sort of nonsense that's driven a lot of the, the politics in the last, kinda, you know, few years.
Yeah, it's just a worry. It, it just seems like a shame we can't just throw some money at this and fix the problem.
Daniel: Yeah, and certainly I think that, you know, I guess this, hopefully then, is a, is a warning sign, if you like, as there's no doubting we're leading up to a federal election, right, at some point next year. So it's, you know, you know, these things, you know, need to get, you know, sorted out, and maybe it is sort of a, the final sort of warning flag to do something, you know, at a national level before we hit a national election as well.
Well, that brings this week's episode to a close. Thank you Brad and Gar again for, you know, great insights and knowledge around what's happening in cybersecurity, around the world, and here in Australia.
Gar, next week we have a, another special guest in, in our interview episode. A friend of the Get Cyber Resilient blog, and now a part of the podcast fraternity, Mr Andrew Pritchett.
Garrett O'Hara: Yeah, I, t-, we actually just recorded, a couple of hours ago, and, we, I always take it as a good sign when you end up going way over the time, and you don't even realize it.
We, we ended up recording for an hour, actually it was just over an hour, but we spoke for about 90 minutes, so we, like, it did, the conversation was off the back of the article that Andrew has written for the Get Cyber Resilient website around cybersecurity culture. And, and he's written a, a really good field guide, actually... Based on, you know, like extensive experience that he has, and then kinda correlating that with some of the, the stuff that he's learning from a management perspective over the years.
So we really kinda dig into that that approach to change, and some of the frameworks that he recommends, and I, I think are actually very, very good.
And then some of the principles that he has... Through experience, I s'pose, kind of come to, to realize are very important, if you wanna get good cybersecurity um, oh sorry, I should correct myself, cyberculture in place in an organization.
And what I loved about the conversation with Andrew is the... the, sort of, realis-, the realism of it, and the... the, you know, this isn't a thing that happens in two weeks, like, it's, it's that conversation, which I think, for me, is just incredibly useful, 'cause it sets realistic expectations about what's really involved... in getting to a good place culturally for cybersecurity.
Daniel: Yeah, one of the hottest topics and hardest things to deal with, and it's great to have practical insights from Andrew, so really looking forward to that episode.
So, as I said, that brings this week's episode to a close. If you would like to continue exploring key topics in cybersecurity, please jump onto the website at getcyberresilient.com, and check out some of the latest articles, including that last week was scam awareness week here in Australia. So, brush up on your scam spotting skills, with an article from Brad... have a look at how to modernize your security operations center, with some insights from Gar himself... as well as ransomware as a service, and how this is removing the barriers to cybercrime, and exploring further some of the commentary that we've had throughout the podcast in the last few weeks.
And finally, look at how penetration testing can leave blind spots in your defenses. A great article from Scott McCullough.
So, until next week, stay safe, and enjoy.
Bradley: Yeah. It's [laughs] of no surprise that we're starting to see a reaction.
Garrett: Yeah, feels like it's part of... it's part of a bigger reaction overall, isn't it, globally. I think [inaudible 00:02:07] of a bunch of indictments out of the U.S., of indictments outta... against people involved in ransomware in Russia, and, and sort of other countries also, seems to be a... a who's who of countries when you look at the indictments, but it, like, to me, it, it sort of signals what we've talked about on the show quite a few times. The... escalation in attention that governments are paying to this stuff.
You know, we've, we definitely see it here locally in Australia. And you know, to pick up [laughs]... retail politics, as it's been described. But, yeah, it'll again be a, Biden's throwing a ton of money as well, I'm sure you guys saw the the [inaudible 00:02:43] infrastructure gone through the U.S., and there's a big part of that is carved out for cybersecurity.
So, it really feels like it's got the attention of the, the U.S. government and that probably has a lot [laughs], lot of people... I suspect, worried that, you know, the black ops helicopters are gonna arrive into some, you know, rural place, where people have thought they were safe, or, you know, there's gonna be a drone strike, or kinetic attacks as they, are, or kinetic response, is that what they describe them as? When... You know, you actually go and blow up buildings based on the presence of uh, cyber attackers.
Does it, it feels like this starts to point to, what Dr. Chase Cunningham was talking about, you know those cyber warfare. It's, it's really, everything's become digital. And, and I think the penny's probably dropped, just the, the massive spend, and, in the, the reward for information, but then also the, the huge amount that's been announced for the... Infrastructure bill in the U.S., where they're, like, they're gonna put money into... regional cybersecurity, tribal cybersecurity... Just, like, really throwin'... throwing money at the problem, which, you know, we... I think globally, we need to do, and I th-, guess we'll talk about a little bit late [laughs], later when it... comes to our polling and electoral systems here.
Daniel: Yeah, look, it's an interesting one, though, that bill, right? Because, I mean... like, there's $2 billion for cyber, right? So it's like, awesome, like, what a huge amount of money.
The bill's a trillion. So, like, you know, i-, uh... is is cyber... actually still getting its, its fair share of actually what's required in terms of this, or is it still, you know, the crumbs at the end of the, of, of it, to make things sound good?
Bradley: I think it's the crumbs.
Garrett: How, how much did we spend on those subs? The nuclear subs?
It was more than 2 billion, wasn't it, from...
Daniel: [Laughing]
Garrett: ... was it? No? [crosstalk 00:04:27]-
Bradley: And we can't even see them, just like cybersecurity, right, the [laughs]... kind of under water the entire time.
Quick note, guys, by the way. So this is allegedly, not allegedly, it's the, the largest ransom they've ever off-, sorry, largest bounty they've ever offered for this type of, kind of, attack.
The last one before, I think was 3 million. So, I guess if you're a hacker, maybe working for a nation state, do you dob in, you know, someone for a reward? There's also an extra 5 million going directly to anyone who can find anyone who conspired to help the group as well.
So, I think that kind of says it all there, where they're almost trying to, like, dismantle the framework, go in there and almost create distrust between... between maybe these groups themselves.
Interestingly enough, also, from my understanding, the ma-, large majority of, of ra- bounties and kind of reward money offered by law enforcement, I think less than 1% is ever paid. Just an interesting fact as well.
Daniel: And I think that's the thing, right? Is, is that, they will know that, you know... you know, if you're outing, you know, a criminal organization, then you're putting yourself at risk of, you know, it, and if you're doing that, you probably have inside knowledge to a degree, and therefore are subject to prosecution yourself, so...
You know, again, it, it's an, it's a very good headline. And, you know, will it really make any difference in terms of actually bringing down, you know, the, the masterminds who are behind it, and actually stop this. Because... you know, we're sort of seeing, you know, ransomware as a service continue to, to grow. Like, you know, as an industry almost, right?
And, and I think some of that [inaudible 00:05:59] Brad, as well, as you sort of look at, you know, being tied to, sort of, you know, cryptocurrency, and, and-
Garrett: [crosstalk 00:06:05]
Daniel: ... what that means, and, and, you know, that's making the news for, you know, the, the highs and lows of that, but as I, you know, how much of it is the, sort of, fueling all of this behavior as well.
It, it's interesting, 'cause, if you look at the [laughs], the funny thing... funny thing... initially when the, when the, when the hack happened, I think Bitcoin or something had doubled, or halved in price at the time, so the money they got back was, like, a lot less, or something.
But, since then, Bitcoin's now, I think, quadrupled in price [laughing], it's at an all time high again.
I wonder, to a degree, if there's any correlation between the price of cryptocurrency, and the rise of ransomware, and that, you know, the ecosystem of, of security. Because... the cryptocurrency, or Bitcoin itself is worth, I think [inaudible 00:06:46] like $10 trillion market cap, right? Potentially more.
So... how much ransom money of that... how, what's the percentage of that being paid in ransoms, and I wonder if there's any correlation because, there's obviously some value in having crypto, just to make sure that you can get your stuff back online.
And also just finally on that, and I think there was, a survey done a couple of years ago which said that one third of UK firms over a certain size held Bitcoin just in case, in the event of a ransom.
Garrett: That's, it's such an interesting one to me. I c-, I, well I c-... I don't really do much with crypto, but I suspect most of the price increases are speculative. Like, it feels like it's that more than ransomware.
But I, I think you're right, Bradley, that it's definitely fueled, far out, I mean there's... there's utility in, in crypto. that, that it wouldn't be popular at all so I think it's probably a combination of both.
Here's what I find interesting with the, the bounty, though. You know, we talk about... technical controls, and cybersecurity and, and so often in the conversation with the three of us is around technology. You know it, it's that.
And then, you look at the solution sometimes it is just throwing a big dollop of money at [laughs]... at a, you know, at the a-, the attackers with the hope maybe, you know, successfully or not that somebody somewhere goes, actually that sounds all right, I might, I might have a go at that.
The question then for me would be, and depending on where they are... and the... suspicion that, you know, even the, the sorta... Hackers that... appear to be on the surface not aligned to state nations, or nation states... actually they're kind of, they're, they're potentially sort of sponsored, or they've got the nod from their governments.
So, that would, that would s-, you know, to your point Dan, the, the risk that you put yourself at is not just the criminal organization's, but... like, if you got the you know, the informal, or you got the nod from, from your government that what you've done is okay... then, you might, you know, get the wrath of, [laughs]... you know, one of those countries where you definitely don't wanna go, you get disappeared into a black van, you know, in the middle of the night... When they find out you're the g-, you're the person who can open their mouth.
Daniel: Yeah, that's right. I think the, the, those potential risks and consequences [inaudible 00:08:53] in, in some of the, some of these places is, is far outweighs, you know, the money and, and then if they continue to be successful in terms of the ransoms that they are getting they're probably getting a fair share of, of coin anyway.
So, it y-, difficult one to, to sort of say whether that will work or not. You know, and it, it's the same we've said before... a lot of this, sort of, crime fighting is, is akin to what happened for a long time in things like, you know, the drug war and other things as well.
You know, or illegal arms trading, or anything of that, the, these tactics have been used before and, you know, those things continue to go almost without a, without a glitch, right?
So, they haven't worked previously, so I'm not sure why they're gonna work in this uh, in this modern fight as well.
Garrett: S-, it seems to me what happens, though, is that you're, like, you're right, the war on drugs is clearly a failure, but what it does is create very, very powerful consolidation i-, of power into cartels. 'Cause they're the ones who can survive the you know, the, the sort of broad attacks.
It's almost like Darwinian survival of the best cyber attackers, is probably what's gonna happen with this stuff, right? Where... if 10, you know, if 10 million's not enough to kind of shake the tree, and, and rattle out the, the attackers then... what you're probably left with is people who are very, very, very good at what they do, and are protected by very large organizations.
So... like, is that where we end up, like the drug war. It's not, you know, it's not a bunch of, people in their [laughs] at home, you know, growing weed on the, the balcony, and, you know, trying to sell it to their friends, but it's large scale operations, and farming, and you know, the stuff that goes along with it.
Yeah, I don't know. It feels like that might be where we land with this stuff.
Bradley: It, if we think of the profiles some of... these hackers are, I guess as well, like, there's been this growing dialogue of, exuberance Lamborghinis in Moscow, and, and, you know, all this money they're making from this, you know, obviously highly profitable trade.
You know, if we can't get Snowden out of Russia, like, what, what chance do we have getting some of these guys born and bred, and... you also wonder as well, if, if they were to become a risk, like, they'd be under surveillance I'm sure from their own government.
So... can't really do much, can we? Like [laughs]... they're kind of fenced off by thousands of kilometers of ocean.
Daniel: No, exactly, and I think that's the thing. I think the, the bottom line here is, is that, despite the, those eye-watering sums of money that have been offered by the U.S., the chances of the criminals facing justice are slim, so, and that's a, the reality of that situation.
Moving to our next story one that is an interesting one that, in terms of what's happened here locally and how... how, I guess, facial recognition software in particular, but I guess, you know, identity recognition, right, of people being utilized you know, for what would be, seem to be, you know, good purposes, if you like, as being visualized by law enforcement agencies, has been actually deemed as illegal from a privacy point of view.
This is, you know, fascinating on so many levels around the use of the technology, and then the, the growing implications of how technology and privacy do need to be interwoven together, otherwise we'll find ourselves in these situations, I think, many more times in the future.
Garrett: Oh, look, yeah, it's funny. This one came up on the, we, you know, we do that threat intel webinar, kind of, a monthly basis, and Mark O'Hare who's our CISO was talking about deep fakes, and, you know, kinda discussing that, and... you know, where that's all gonna go, and you know, in terms of voice and video...
That, you'll, it, it was funny, 'cause this story hit the same day when we were doing that webinar, and, and, you know, what I had in my head was that... you, like, absolutely it feels like an invasion of privacy, like, this thing of scraping, even though they're, I don't know, public website, it, it just feels a little bit off, that... These images are gonna get scraped indexed, and then used for recognition.
But then, you know... Like, do you get to the point where that becomes, like, training data, down the line... where you can't change your face. Well, I mean you can, if, with plastic surgery, obviously. But, you know, for most of us, we're, we're kinda stuck with what we have.
But... you know, using those images that are scraped in as, as datasets... I think that's what we're starting to think, and not even Clearview AI... but just broadly, like, the availability of our videos, our images out there, and our voices. You know, like, the three of us, if, if somebody wanted to deep fake our voices... it's pretty trivial given how many, how many hours of us talking there is out there.
So, it feels like, you know, it's the right thing to do to, to call out this, and, and I personally feel good about the fact that a, you know, company was called to task about it.
But it's, there's a bigger conversation here beyond this one company which is just the prevalence of our data, our images... our voices, things that are used for potentially biometrics down the line, and the availability of that stuff online.
Bradley: Kinda reminds me of, a weird old Robin Williams movie from 2004 called The Final Cut. Where, it's all about, I think the, the premise of the movie is bas-, if ev-, everyone's constantly being recorded but the idea is if you have this face tattoo with something weird, it blocks out the facial recognition.
So, you kind of go through as it goes... you know, it kinda, it al-, almost reminds me of that, because, I mean, the reality is, like, we're heading to a world of more and more... everything's connected... we want access to our data, we post our photos online willingly... the, you know, there's only some chance that it's gonna end up in the database someday.
But, I think, scarily enough, like, this stuff has been happening for a very long time now. For, you know, for the past 5, 10 years, and even just as of today, our, South Australia council told South Australia Police they can't use their facial recognition anymore until there's some local state privacy laws updated.
So I feel like this is a, you know, c-, a continuous battle. But, but ultimately, I think... kind of need to have appreciation that, yeah, your face is kind of out there, right? Like, wh-, what can you, we really do... like, I don't think there's much as an individual, at least.
Daniel: What about the use, like, you know, even i-, i-, if it's being used for law enforcement, is that not a good thing, like, that, you know, that it's being used for good, and to, you know, to, you know, bring people to justice, and those types of things.
Like... like, is that an, is there not, you know, based on the use case of how it's being used, therefore, you know, allowing the technology to do that for good, rather than evil.
Garrett: I think... I, I think in individual cases... there, the way I would look at it is, I would be so happy if they identified somebody who harmed me or my, you know, my family, based on this technology. And the thing I think societies have to do is go bigger than individual cases, and think about, like, what does it mean when you go to... like, a societal level.
And I don't, like, personally, I don't... I don't feel comfortable with that price. You know, you end up living in Gattaca, or, you know, one of those kinda dystopian futures where, you know, every turnstile means you know bi-, biometric authorization. Again, and that is, you know, like it... it sort of gets a giggle, but, like, how far away is, is facial recognition from that, of you're walking around, and at any point somebody can just say... you know, where is Bradley, or where is Dan, where is Gar, and you get pinpoint accuracy, that... like, I don't, I don't really want that, you know? I don't want to live in that world, and yes, it might be safer, but... I don't know that safer is always better.
You know, I think... yeah, I mean, it's a personal opinion, and it's really easy to say that, right? Because I don't, you know, right now, I'm no-... there's no criminal out there that I'm really desperate to get my hands on.
Well actually, there, there's a guy who stole my Nissan Micra in the mid-90s, in Dublin. And drove it into a field, and then burned it out. So that guy yeah. If, if...
Daniel: Insurance job? Or...
Garrett: I, I, I doubt it, Dan. I wish we had their printed name for the Irish Police, which is Garda Siochana... But if you saw it written out, it's, it's ridiculous. But, yeah, if the Garda Siochana are listening from Dublin, and facial recognition would help you find the guy who burned out my Nissan Micra... I'm all for that [laughs].
Daniel: It's definitely, it's a, I think this is a, a, it's a fascinating area, right? And that it is l-, like... I think we all remember back to Google Glass from, you know, which is a few years back now, right? And... I mean that was, you know, so much of what w-, that was doing, you know, is the ability to, to look out, see people, bring u- could bring up their profile, it could bring up, you know, their Facebook account, it can bring up different, the information about them. You know, just by walking the streets.
And that can be complete strangers, right? And, I mean... it, surprisingly that didn't last so long, right? [Laughing] like, after, you know, and, and for all the trying to get it into police and enforcement, and that type of thing as one of the first use cases of good for Google Glass, right? They were scrapped fairly quickly afterwards.
Really, not because of the, not because of the technology, right? But because of the societal implications of, of what can happen from there.
Bradley: The technology's also probably there to a degree already, right? Like, I mean... that was quite a while ago, to your, your point, Dan, and I think there's been quite a lot of advancements in that, that area recently.
And... just on the law enforcement aspect, as well, the-, there definitely have been, I guess in, in industry if you will, that have been known to use a lot of that type of recognition and technology around things like license plates, big databases, big data... yeah that, just gonna see more and more of it, I suspect.
Garrett: Yeah, that's the thing. I mean, you, you think about h-, I mean license plate recognition is so good at the moment.
Bradley: It's too good, from what I hear. I watched a thing on it a while ago.
Garrett: I'm about to, sort of, slightly dox my sister here who got a-
Bradley: [Laughs]
Garrett: ... she sent her family WhatsApp group a photo of the fine infringement where she... probably shouldn't say this, she was on a toll road in Dublin, she lives in the UK, so drives and English car. And, she got a notice in England, even though she paid the f-, she paid the toll, but just paid it late, so they basically pinged her on that, and then gave her a f-... [laughs]... a fine also.
But in the thing, they include the photo of the license plate. And, clearly, like, it's all automated. The overhead fragment is... minimal, and the can make a, I presume a ton of money from uh, you know, collecting... the infringements you know, using the, the license plate recognition, or all the carparks have it now, and it's accurate, and it's quick, and, you know, it's really efficient.
But, here's the question, like, are those license plates, like, right now, do they just exist in a carpark, or... do you see a point where... You stop at a traffic light, your license plate maybe gets snapped, and then... that, that all gets fed into a database, and then, you know, you know where cars are at any given time, and then, you know, the, the story that happened in Western Australia recently with the, you know, the young girl that everyone was so happy about, you know, the end of that story was brilliant.
But... you know, Dan, to your point, in that case, wouldn't it be wonderful for, like, the, the cops to be able to put a license plate in, and then literally look at a map and see where a car has gone.
Like, emotionally that just feels so, so good... and then the flip side is it just, the, I feel like the price is too high.
Bradley: I think they're starting to get there, like, some states in America. Like-
Garrett: Mm-hmm [affirmative]
Bradley: ... from my understanding, it's the, basica-, it's, the system is crazy. So... it's a huge database which different police stations will, will subscribe to, or police forces, rather, and the idea, I think that database is if they know the criminal, or someone's driving a certain car, they can put that license plate in, and then they'll just get pings about the location as the, the license plate is realized in real time.
And this database is huge, right? It's hundreds of millions of license plates. So, I believe in, in some use cases, it can almost do what you're saying, Gar, like, it's that real time feed almost where-
Garrett: Mm-hmm [affirmative]
Bradley: ... you could say, oh, this person was here then, then, there. We know his pattern, tomorrow we'll go ahead and, you know, perform an arrest or something.
Garrett: Yep.
Daniel: I think from a privacy perspective, what we're, what we... under, need to understand though, as well, is, is that, you know, in this instance, Australia and the UK have gone down this path, and, and de-, declared, you know, that what was happening here in the collection, and the use of the, oh, of that information as, as being, ill-, illegal, and against the privacy laws.
But those images exist now globally, right? It's on the internet, it's in a database somewhere that can be accessed and shared. So, from an individual or consumer perspective, you know, if we feel like we can take some comfort that we're being protected, you know, b-, from, from our government, that doesn't mean that the information can't be used somewhere else.
So, I think that, you know, if this is going to be one that continues to evolve, and there, there will be constant, I think, flare ups in this space, of where things will happen, it will get shut down for a period, it will evolve, something else will occur... It will appear in a s-, in a, you know, in a subsequent, sort of... you know, market [inaudible 00:21:23] nearby, all of those type of things, so...
You know, I guess, from an international perspective at the moment, you know... [inaudible 00:21:30] borders are still pretty much closed, we can't go anywhere, nobody's moving [laughing], that sort of thing. So, we're probably okay, but if the, you know, if you think of, you know, somewhere like Europe and Asia where you can get around far easier, between countries and that, you may be, you may have been protected in one jurisdiction, but not in the next one.
Garrett: Yeah, so true.
And, and, as you talk about international borders, I mean, every time you walk through the automated turnstile... I mean, that's an image right there, and they're using... facial recognition to, to know if it's you or not, right?
So, like, we, we... we're partly already there but we're not, I don't think as far away from Gattaca as people realize, you know there's... and I know your, we joke about the tinfoil hat stuff, but this is... it's very, very real. You know? This is... this is happening right now, you know? It's, I find that, I find that really creepy.
Daniel: There's no doubting we're, we're on, we're feel-, we're getting closer and closer to the edge of where these things are, right? And then we're at that sort of point... and, and, decisions like this, and then privacy laws, and governments having to step in, and that type of thing... you know, you, needs to happen in order to stop it, sort of, proliferating and, and sort of running out of control as well.
So, definitely a, an interesting space, and one that I'm sure will continue to evolve and, and come up over time.
Now, final story for this episode is looking at the New South Wales council elections that are coming up. And the commentary from the New South Wales Electoral Commissioner, John Schmidt, that, saying that the polling body's cybersecurity won't even meet the state government's own standards in time for the council ballots.
Brad, what's going on here, and, and what are the implications of, of the council body not being ready from a cyber perspective?
Bradley: I mean, huge implications, and I feel like we talk a lot about councils, I'm not sure about you guys, but seems like it's a recurring theme here on the Get Cyber Resilient show, but... I think it's a, there's a few things there.
So, was a comment by the electoral commissioner, John Schmidt, who said the polling body's cybersecurity won't meet the state's, government's own standards. Mr Schmidt said he had over the past four years repeatedly called for greater funding to boost the commission's capabilities to prevent cyber attacks, saying last week that if he were given it immediately there, there would be no time to comply before the December 4 elections.
And, one thing I just mention around this, is I feel like this is a recurring theme, where we're, we're hearing stories from, you know, public sector most of the time which is, hey, we've identified something from a report we did multiple years ago, or, you know, it's been run before, and then, we were, and whereas the actual, whereas the followup, and what we're seeing here is... from, from Mr Schmidt is saying, there's no time now. Like, even if you were to give me the money, even if you were to, you know, give us stuff, by December the 4th, there's absolutely no chance we'll get it in.
So, I feel like there's this... probably a little bit of resentment potentially there, and you know, and understanding that, hey, we need to do things better, but also, you know, the politics behind this, as well. Like, cybersecurity is suddenly starting to become something a lot more political.
Garrett: Yeah... I mean, I... like [laughs]... it really. I... you... it f-, you know, if you can hear probably the exasperation in my voice here, but like, it just feels like we, we can't fix this stuff without spending money, and I appreciate governments... get votes by, you know, tightening our belts, and, you know, the, your budget's on track, and blah, blah, blah. And that's all fine.
There's actually a bit where we need to spend money to fix this stuff, because the implications of not fixing it are way, way more significant, and gonna be more expensive in the long run... than just doing this stuff, and doing it sooner rather than later.
And I think that's... I mean, I don't know, you know, Mr Schmidt uh, not, not aware of him, I haven't really, it's not across him at all, but, i, I get a sense of his frustration from the language, like, he described it as Kafkaesque, and, you know, circle of hell... you know, the, the process to try and get this budget stuff through, and, they, they're the words of somebody who clearly... I suspect really understands the importance of spending this money.
And, you know, to the point where he publicly said that... The [inaudible 00:25:27], I mean, he goes probably red that he went back and they had to do a you know, business case lite, as it was described... and got knocked back. And s- you know, is based on the, the numbers not stacking up, and his comment was that, you know, to rerun a s-, [laughs], state election... you're talking about about a hundred mil, and that's way, way, way more expensive than the 22 mil that they're, I think, requesting at the moment.
It just, it feels like false economies to push this stuff, you know, into the next year, to the next year... and then fundamentally as taxpayers we end up paying more money in the long run, because we don't just get this stuff sorted.
And it's not just, I mean, let's be honest, this and to your point Brad, we've talked about this, and, and Dan, like, how many times? Agencies failing their own audits... time and again, time and again, and this stuff takes, it takes money, it takes people to fix the problem, doesn't happen magically... Yeah, it, like, it's just baffling, and for four years that it would get pushed down the, pushed down the road, and then here we are with an election coming up, and we're not in a position to do that securely.
Seems crazy.
Daniel: And I think the, and the thing for this time around as well is, is that, it's the first time that electronic voting will be part of the council elections.
And, and we know, you know, the uptake that will be expected, you know, with, through the pandemic and everything, as well. Like, do you wanna go and stand in a line you know, maybe to get a sausage, but maybe n-, you know-
Garrett: [Laughs]
Daniel: ... if they're not available, but... like, you know, it's, like, w-, you know... lots and lots of people are gonna choose to do this electronically. So, not only are, is it a, is it a risk, but it's at a time when, when, now, it's op-, this is how people will vote.
And I, I just thought it was amazing that it, he actually quoted the fact that if there was a state actor who, for whatever reason, decided to target any organization in New South Wales, it would be to... limitation to how much that that could be withstood.
I mean, that's, it's pretty indicting, right? In terms of where, where we're at. And like I say, and the fact that the election is basically going online... I mean, this had to get sorted before December 4th.
Bradley: I mean, if we think about, like, America recently and the whole, you know, not recently, earlier in the year with the whole voting thing, and the polling staff, how the machines were potentially dodgy, I think there could potentially be a bit of mistrust in something like an election from, you know, different individuals.
If you take that, then combine that with the fact that... [laughs] you have, you've effectively got the ability to... Sorry, I was think m-, more rather about the Census. Do you guys remember the Census? What happened with that?
Garrett: Yeah.
Bradley: The first digital Census huge project-
Garrett: Census fail.
Bradley: I don't know, I'm kinda getting... reoccurring thoughts, flashbacks to that [laughing], sorry.
Garrett: Yeah.
[inaudible 00:28:14], I mean, I, I think that is an incredibly important point you just raised, Bradley, though. The... Trust in democracy, like, it's, it's not in a great place at the moment, I would say, in many of the kinda, you know, developed... developed parts of the world, and, you know, uh... let's call them more mature democracies, have all gone through a little bit of a... Existential, you know, threat, for many reasons.
You know, how the media's set up, and social and all of that stuff. I mean, the last thing, surely, the last thing we need... is that, yeah, l-, like electronic voting is gonna get any questions over it, and then having to rerun an election, I mean, apart from the expense, and the, the fact that it's coming out of our pockets [laughs]... as taxpayers, it's I mean, it... the hardest part will be having to listen to politicians campaigning on the run up to the elections, you know... really not looking forward to that part.
Bradley: That's huge, though, right? I think, yeah, like, for misinformation, 'cause if you, say, to your point, you're a foreign nation state, and you decide that, hey, we wanna try and instill, or, you know... make it so people aren't confident about the, the, the democratic process they're part of... the easiest thing to target would be one of these elections.
Like... you've just suddenly, you know taken away, you, you create, you've created misinformation, you've created differences and you've also highlighted again how, how, I guess, potentially weak some of these defenses are, which our own people have told us, as well, and we all know that. Which is, I guess, the concerning thing, so, it feels like an accident waiting to happen.
Garrett: Yeah, it really does. And there's a, a chap... who spends a lot of money on, on political advertising, and maybe that's all I'll say about that guy, but you can see those kind of people jumping on any potential failure of electronic voting to, you know, really stoke the flames of... conspiracy theories, and, you know the, the sort of nonsense that's driven a lot of the, the politics in the last, kinda, you know, few years.
Yeah, it's just a worry. It, it just seems like a shame we can't just throw some money at this and fix the problem.
Daniel: Yeah, and certainly I think that, you know, I guess this, hopefully then, is a, is a warning sign, if you like, as there's no doubting we're leading up to a federal election, right, at some point next year. So it's, you know, you know, these things, you know, need to get, you know, sorted out, and maybe it is sort of a, the final sort of warning flag to do something, you know, at a national level before we hit a national election as well.
Well, that brings this week's episode to a close. Thank you Brad and Gar again for, you know, great insights and knowledge around what's happening in cybersecurity, around the world, and here at Australia.
Gar, next week we have a, another special guest in, in our interview episode. A friend of the Get Cyber Resilient blog, and now a part of the podcast fraternity, Mr Andrew Pritchett.
Garrett: Yeah, I, t-, we actually just recorded, a couple of hours ago, and, we, I always take it as a good sign when you end up going way over the time, and you don't even realize it.
We, we ended up recording for an hour, actually it was just over an hour, but we spoke for about 90 minutes, so we, like, it did, the conversation was off the back of the article that Andrew has written for the Get Cyber Resilient's website around cybersecurity culture. And, and he's written a, a really good field guide, actually... Based on, you know, like extensive experience that he has, and then kinda correlating that with some of the, the stuff that he's learning from a management perspective over the years.
So we really kinda dig into that approach to change, and some of the frameworks that he recommends, and I, I think are actually very, very good.
And then some of the principles that he has... Through experience, I s'pose, kind of come to, to realize are very important, if you wanna get good cybersecurity um, oh sorry, I should correct myself, cyberculture in place in an organization.
And what I loved about the conversation with Andrew is the... the, sort of, realis-, the realism of it, and the... the, you know, this isn't a thing that happens in two weeks, like, it's, it's that conversation, which I think, for me, is just incredibly useful, 'cause it sets realistic expectations about what's really involved... in getting to a good place culturally for cybersecurity.
Daniel: Yeah, one of the hottest topics and hardest things to deal with, and it's great to have practical insights from Andrew, so really looking forward to that episode.
So, as I said, that brings this week's episode to a close. If you would like to continue exploring key topics in cybersecurity, please jump onto the website at getcyberresilient.com, and check out some of the latest articles, including that last week was scam awareness week here in Australia. So, brush up on your scam spotting skills, with an article from Brad... have a look at how to modernize your security operation center, with some insights from Gar himself... as well as ransomware as a service, and how this is removing the barriers to cybercrime, and exploring further some of the commentary that we've had throughout the podcast in the last few weeks.
And finally, look at how penetration testing can leave blind spots in your defenses. A great article from Scott McCullough.
So, until next week, stay safe, and enjoy.