Kopi Time E142 - Tech and security with Gaurav Keerthi

Published Nov 27, 2024, 5:58 AM

Gaurav Keerthi, Head of Advisory and Emerging Business at Ensign InfoSecurity, joins Kopi Time to provide a fascinating overview of the current state of affairs in cybersecurity. We begin with the intersection of geopolitics and cyberattacks. From state-sponsored defensive and offensive teams to independent actors with a range of motives, the number of agents attacking the integrity of national power grids, airports, water supply, along with healthcare and education systems, has proliferated at an extraordinary pace in recent decades. In addition to nations, large companies and individuals face millions of attacks a day that are increasingly sophisticated. Even with a tiny fraction succeeding, cyber crimes have become an economy worth hundreds of billions of dollars. Gaurav works through the processes behind building systems that are not 100% immune from cyberattacks, but capable of bouncing back in the event of an attack. With AI in play already, and quantum on track to disrupt cryptography, new waves of technology are making cyber defence more challenging, but the same tech is also being used to build tools and practices for higher degrees of surveillance and resilience. Gaurav’s views are more realistic than pessimistic, focused on risk management. A must listen.

Welcome to Kopi Time, a podcast series on Markets and Economies from DBS Group Research. I'm Taimur Baig, chief economist, welcoming you to our 142nd episode. We've had experts from many walks of life on Kopi Time, but a former military officer, I'm quite sure that's a first. Today, I'm looking forward to having a chat with Gaurav Keerthi, Head of Advisory and Emerging Business at Ensign InfoSecurity. His advisory firm helps organizations, boards and leadership navigate cybersecurity risks in their digital transformation.

Previously, Brigadier General Keerthi was the Deputy Chief Executive of the Cyber Security Agency of Singapore and the Deputy Commissioner for Cybersecurity. He was formerly a pilot in the Republic of Singapore Air Force and rose to become the Commander of the Air Defense and Operations Command. Gaurav Keerthi, welcome to Kopi Time.

Thank you so much for having me. Looking forward to the conversation.

It's great to, great to have you. I've been looking forward to this chat, Gaurav. I'm going to try to get our conversation going with the intersection of geopolitics and cyber security.

I remember a couple of years ago when Russia's invasion of Ukraine began, there were all these fears, particularly in Europe, grids will shut down and hacking will take place, and then with all the stuff that's going on in the Middle East, we've seen Israel, you know, do cyber attacks on Iran's nuclear facility. Iran has tried to match, I think they have failed to match the Israelis, but they've tried. So there are all sorts of things going on. So tell us a little bit about that area where geopolitics collides with cybersecurity.

Sure. So that's a fascinating question. It's a great place to start because there's so much happening there.

And it's probably the place where most people read about it in the news. That's the stuff that grabs the headlines. But let me step back a little bit just to help people understand why it's become such an intersection. Fundamentally, the internet is insecure. It was not built securely. It was built by a bunch of tech nerds and universities to help them share information. So it's never built to be that robust to withstand that kind of attacks. The stuff that we built on top of it, all the software or the content, also not built with security in mind. There's this whole movement now to make things secure by design because, surprise, they were not secure by design.

The second thing about the internet that we need to understand is that there is an asymmetry. Attackers have the advantage. It is the only place where you can get robbed from 1000 miles away. And in the physical world, you have your wallet, you have your phone in your pockets. As long as you keep your hands nearby, you can avoid being pickpocketed because somebody has to come up close to you. There's a physical proximity to a real world robbery. But in the digital world, firstly, it's built insecurely. And secondly, there's this geographical depth that people can have, the attackers can rob anything anywhere. You put those two together and you have a toxic and potent combination for attackers running wild. So that's the starting point.

There are three types of attackers that we talk about when we talk about geopolitics and generally cyber attacks. The first are the ones that are state sponsored. There are some bad guys out there who it's their day job. They are funded by either the government or the military of that country to specifically go after digital targets. And that's that, that day job. Their mission, they work 9 to 5 hours and that's what they do.

There's another group which are ideologically motivated.

They can be sometimes state affiliated. They believe in the vision of their country. You mentioned Russia, Ukraine. That was a very good example. I'll talk about that later on and they want to push a certain message out. Sometimes it's cause based, sometimes it's country based, sometimes it's supporting their country in war.

The third group are the straightforward ones, criminals. They just want the money. But in geopolitical contest, sometimes they want money to sponsor activities that their cause is doing or sometimes they want the money to loot while there's a ramp, while there's chaos going on.

So those are the attackers. Now we come to the geopolitics itself and the stuff that we're reading about. The most exciting event in the last couple of weeks was the US election.

Elections are a great time for attackers to go to work for a number of reasons. Those who are state sponsored attackers, they want to influence the outcome. Some countries want their preferred candidate to win. Some countries want just to sow instability and discord within a country to make them less effective as a competitor. And there are all sorts of narratives that go on at play in an election anyways.

A lot of the attacks that you usually read about are information attacks, fake news about this candidate, fake news about that party, fake news about this incident. That's the information space.

But there's a lot of attacks that happened on not just election infrastructure but technical infrastructure in the run up to an election to cause people to lose a little bit of faith in the prevailing party or system.

One of the most compelling hacks that we saw in recent years was the Democratic National Congress hack where a whole bunch of emails were leaked out. Was there anything terribly damaging in the emails? Not really, but it cast a shadow over the particular candidate that was hacked. And in the end, did that candidate lose because of the hack? Maybe not, but it became enough of a trending conversation. Obviously, since then, all of the candidates have learned how to protect themselves and to protect themselves a bit better in an election.

But geopolitics and cyber interface most sharply when it comes to elections.

Can I ask you one question: elections, electronic voting machines?

That's a great question. So look, there is this conference in the US called DEF CON. Love it. It's a conference where, many industries have conferences, this is an industry conference among the bad guys. So they come together and they're not really bad people. They're just people who are interested in how things work and how to break things. So they get together, we call them white hats. Some of them are gray hats, some of them are black hats, which means they operate in the not so legal realm of work. But one of the things that they do is they look at election voting machines, electronic voting machines and they try to see if they can break it.

Surprise, surprise, all of the voting machines can be broken, they can all be interfered with. And the challenge is that actually building an election system at scale in a large country which is completely immune to disruption or interference is incredibly expensive and difficult.

As a result, most countries still use paper ballot, much harder to interfere with that. But even then, even if you're voting on paper, at some point, you have to count the number of slips and send that electronically to somebody else. Those systems are also part of the whole machinery that people try to interrupt. And even if you can't change the result, just disrupting the sending of data from one state back to central has significant implications. There's timelines they need to meet. If your system goes down and you can't meet that count before the clock ends, what does that mean? Is it an invalid election? Do you need to do it again? Is there doubt over the quality of the results? Just sowing that kind of doubt is enough. So electronic voting machines, people have been studying them for a while but the cost of implementing them at scale, I mean for a small country like Singapore, maybe you can get away with it. But for a much larger country which is geographically spread out, it's expensive.

We've had some really large elections this year. Indonesia, India, United States. So literally billions of people have voted this year.

So shall we take some comfort in that this year was not characterized by hacking-related risks on elections?

I think so. We can take some comfort from it, but I will color it slightly differently.

There were enough other reasons for cyber attackers to go on war without having the elections as the primary target this year. As you mentioned at the start, there's conflict between Russia and Ukraine still. The Middle East conflict has really expanded. The East-West tensions have also grown quite significantly, particularly China and the West. In terms of tech application, there are layers and layers. Then the South China Sea and Taiwan. There's layers and layers of confrontations happening around the world.

There's enough reasons for people to be involved in cyberattacks already without having to target specifically elections. So that's the not so good news of it

When we talk about geopolitical actors who are adversaries. But are you telling me that sometimes they are also going after a very mundane private sector stuff which we might think that actually are targets of playing. They are bad guys. But actually those 9 to 5 guys who are getting paid to work for a country or a cause are also doing what we think are just like going after companies ransomware or companies. Yeah.

Yeah. So there's a really difficult line to draw between pure espionage state actors and then the cyber criminal gangs. I'll give you one specific example. So North Korea, there's a group called Lazarus, the Lazarus Group, which is strongly affiliated to them. They go after the financial sector targets in ransomware. Usually if your browser slows down, they are the culprits, they're crypto mining on your, on your systems.

And they've done some really fascinating hacks including I think a couple of years ago the Bangladesh Bank Heist, which in and of itself should at some point be made into a Hollywood movie. There are already podcasts and there's a show about it which you should watch, but they are both financially motivated and state motivated in the sense that North Korea has a number of restrictions on what they can do to earn money.

Cybercrime is a great way to augment that. And there are some uh kind of uh studies floating around that suggest that close to a third of North Korea's income comes out of the Lazarus group.

It is. If you imagine what a third of your GDP A contribute to that would be looking like that's huge for a country. So that is the kind of scale that they operate in now. Are they purely commercial? Are they purely state sponsored? Nobody really knows, how much do they get to keep themselves? We're also unclear. But we do know that if you have access to high speed internet in North Korea,

somebody gave you that access, you didn't just walk into a store and buy a modem and like log in, somebody gave you that access, somebody is allowing you to have that kind of connectivity. If you're logging in through VPN servers that connect through places we think are embassies in overseas countries, somebody is allowing you to route that traffic.

OK. I want to stay with geopolitics. But before that, on that very specific question, North Koreans who have massive sanctions and restrictions on receiving payments are still getting ransomware done. So they are settling in cryptocurrency.

They are. Yes. So they are settling in cryptocurrency. And in fact, if you look at the whole ecosystem of ransomware, which is another fascinating topic, might as well get into it. It's a fun area. Ransomware has evolved from being a very niche, bespoke technical attack to being an ecosystem. It's an entire economy out there. In fact,

there are estimates that if you add together the entire cyber criminal ecosystem in the world, it is the third largest economy,

it is the third largest economy in the world. That's how much money is floating around. Now, obviously, it's hard to estimate what it actually is because a lot of it is in cryptocurrency, and cryptocurrency today could be the, could be 95,000, it could be 80,000, it could be 10,000 depending on what happens. So it's really hard to estimate the value, but it is huge. Cryptocurrency provides a great way for people to obfuscate their intentions and their transactions. Even though a lot of the legitimate cryptocurrencies, we talk about Bitcoins, advertise themselves as having the ledger that give clarity and transparency of transactions.

There are alternative cryptocurrencies like Monero, for example, and if you go to, please don't. But if you ever visit the Monero website, the logo is actually a policeman with a cross through it. That's their logo. You can only imagine the kind of services that they offer and that is their logo.

So they are deliberately trying to hide things. There are systems in place in that ecosystem of ransomware that allow you to money launder, they call them laundromats. You put in Bitcoin, it mashes it up with 30, 40 different other currencies, sends it out to different accounts, sends it back, sends it out, sends it back, and eventually when it reaches the final destination, it's untraceable.

And so that's why law enforcement has this huge challenge figuring out how did the money get out and how did money who's receiving it at the other end?

Um, cryptocurrency unfortunately means that these transactions can happen anywhere and everywhere. And the fiat banking system doesn't have the KYC visibility into what happened. Um, and again, there is a difference between the more legitimate cryptocurrencies that are out there and the ones that are illegitimate, but they all have the same function, getting money from one place to the other. One of the more interesting functions that you see on the ransomware ecosystem is customer service.

You probably have no idea how to get Monero. But if you get ransomed, you can call somebody. And in any language you choose, they will walk you step by step how to set up a wallet, how to get the cryptocurrency and how to transfer to their preferred account. And their customer service, no offense, is better than most banks, because 24/7, they have a huge financial incentive to get you to pay them their $3 million. And these are not small sums of money we're talking about.

Just on that issue of, you, you share with us some estimates of how large this cybercrime economy is. How do we differentiate between things that we hear about, gets reported to, say, Interpol or Singapore's security services, and stuff that people just don't report because they're embarrassed or they feel that it will make their company look weak if they were to report that?

That's a, that's a real challenge. So, within the law enforcement system, we're quite aware that what we see in terms of reporting is the tip of the iceberg. And the vast majority of people who suffer some form of cyber attack either don't see a need to report it or like you said, have challenges in reporting it. Maybe I'll give two quick anecdotes. One is fascinating.

There was an attack on a financial institution in the US and the cyber attackers came in, they attacked the company and the company tried to keep it quiet. This was a listed company. The cyber attackers then filed an SEC report complaining that the victim did not file a material breach notification in time with the SEC.

The attackers filed an SEC. SEC reports are not easy to file. So these guys went through the trouble of filing that to basically punish this person, punish the company, like, hey, you're not paying me ransom and you're not revealing to the regulators. I got you.

So that's the level of kind of complexity that we live in. Now, these guys are really sophisticated.

The whole ecosystem has just evolved to a point where there's a, so there's the open internet that we talk about, your things that you can find with the Google search. There's the deep web, your WhatsApp chats and Signal chats and stuff that they're on the internet, but they're hard to search. And then there's the dark web. When we talk about estimates on the financial transactions that are happening out there, that's what people monitor. That's where we get maybe not a source of truth, but a second perspective on how much money is sloshing around in this ecosystem because that's where you see people making the transaction. Like I will sell this data for this amount of money. I will pay you for that amount of service. I'll get this for you. So those transactions are where we see the liquidity happening. So

even beyond the realm of the reporting to the former law is absolutely fascinating.

Um I want to stay on the geopolitical side. Um There's a lot of talk about countries, critical infrastructure, electricity healthcare database or the way you know, systems run for hospitals and airports and so on. Um

Looking at sort of the data on how many times these things are getting compromised. How worried or how relieved are you? I mean, are we on top of these things?

Ok. Um, so I am relieved. I live in Singapore and I'll say that because, so a couple of years ago, we pushed this thing called the Cybersecurity Act. When we first pushed it out, it was seen globally as a little bit extreme.

Um forcing private sector companies to meet some sort of technical standard by law with the threat of jail. Wow, that's an unusual requirement. And when we first push it out, there was a lot of pushback from the companies as well. I mean, people said, look, it's a, it's a free market. If you don't like my hospital, my power service get somebody else. Like why are you forcing me to comply to these standards?

But you have to remember that tech is probably the only industry that's been immune from regulatory standards for a very long time. If you drive a car, you have to meet all of these requirements, you fly a plane, there are all these requirements, even if you buy a toaster, there are requirements about what the toaster safety looks like. Tech for some reason has gotten by without it. So when we pushed it out, it was quite controversial today, more and more countries have some form of technical standard requirements in terms of the cyber security of critical infrastructure,

We've had a head start. So like I said, in Singapore, I'm relatively comfortable that most of our critical systems are well defended and if they're not well defended enough, they're better defended than at least the other targets that might be out there. So, I guess the game here is just to be, to run faster than your neighbor rather than the lion. The attackers are also after money. If they can find an easier target, they'll go for that.

Globally, everybody is ratcheting up. So companies, the big companies are starting to ask their vendors, like, are you cyber secure? Are you going to introduce risks for me? Uh, countries are starting to ask their critical systems, you know, are, are my power grids secure? Are my banking systems secure? Is my country going to be held hostage or taken to its knees by criminal actors? Those are the right questions to ask.

But the implementation of regulation to ensure that is incredibly difficult and takes a lot of political will. I go back to the Singapore Cybersecurity Act, and to some extent, it takes almost a criminal negligence point of view. You built a hospital and you didn't make it secure. That's criminally negligent. People trusted you to build a hospital that they can feel confident in. And if you told us that you secured it and you didn't, that should actually be a jailable offense. So it is extreme, but it motivates behavior like more than fines do, at least from what we've seen.

When I walk on T road, I walk by the international headquarters of Interpol and I think their cybersecurity wing is here. Are they and other multilateral organizations trying to come up with a set of codes that are universally implement?

Absolutely. So I spent the last five years prior to joining Ensign in the government. And one of the things that we did was engage a lot with Interpol and also engage a lot with the United Nations.

To some extent, cyber security is in this odd space where it is a problem at state level, but a solution at the company level. And I'll explain that. So internationally, we need some sort of rules of the road. What are the norms and the expectations of countries in the way that they use the internet. It took us quite a bit of time, but the United Nations has come out with what we call the norms of responsible behavior

and there are 11 norms. They basically state the usual expectations of what you can and cannot do on the internet and what states should and should not do.

The good news is that the UN has agreed to them. There are some norms of what responsible behavior looks like. The bad news is that as with all international agreements, some countries are more willing to abide by them and some countries blatantly, flagrantly ignore them.

We portioned it

the portion of the countries that have agreed to the norms and are trying to implement it. That's, that's the ray of hope. That's the part where as more countries get on board, as more countries try to understand how to secure their critical infrastructure and agree not to attack critical infrastructure, we will start to see the seeds of a slightly more responsible secure internet coming up.

But unfortunately, it just takes one bad egg. And if they disrespect all of this, if they ignore all of it, it becomes a challenge. Interpol has a huge part to play as well because in addition to the states agreeing, the police have to enforce. The challenge now is that, like I said, it's a state problem and a corporate problem.

States own the outcome. So if your water supply is hacked, states deal with the problem, but water supply is often provided by private companies. Banking is private companies. The cloud is private companies. Everything about the internet is owned by a private company, the government owns nothing of the internet. Even the Telco that provides data is a private company.

So the challenge here is that how do you get the private companies to internalize this externality? It is a classic economic problem. The cost is significant security is a cost.

The implications and the outcome of a negative incident is some on the company but significantly on the externality of the public. How do you internalize this cost? Singapore chose regulations to do it. Other countries are trying to find other incentives to do it. But no matter what happens, the private sector needs to be part of that wider solution. And today, not quite

is it really just a matter of managing the risk? Because it doesn't seem to me, you are giving me the sense of comfort to think that we can win this battle.

I know. So I'm, I hope I'm not giving you the confidence because I don't have that confidence. I, I'm a little bit of what we call an octo pass. A realist. I hope for the best plan for the worst, but I expect reality to come and kick me in the stomach. It's, it's a rough world out there. And again, cyber security is pretty much the only industry in the world which has this dynamic of bad guys. I mean, you as a bank, have other competitors. Me as a cyber security company, I have other competitors but these competitors operate within rules.

Cyber security and tech is the only space where you have an aggressor that doesn't operate within rules and is deliberately trying to break you down. We invest in fire alarms and buildings but you don't have arsonists running around trying to set fire to every building to test whether your fire alarms work or not. But in cyber security, you do, and on a daily basis. I'm willing to bet that a bank like yours, at the scale that you operate, thousands, hundreds of thousands of probing attacks every single day, if not every single minute. The biggest banks in the world experience a million attacks an hour,

a million attacks an hour. So if that scale of attacks are happening,

you just need one to leak through. So I am not optimistic that we will solve the problem, but in a sense, it's similar to disease control and I'm glad that they chose the term viruses for the cyber for technical work as well because it is like that

COVID is now endemic. Will it ever go away? No. Will it kill a few people? Unfortunately, yes. But we have ways and strategies to manage the risk of its becoming a pandemic again. We have ways and risks of managing the overall population and its immunity and its ability to be resilient. So I guess part of the thinking is rather than thinking about how to defeat this whole problem, how do we become resilient? How do we as a society, as a company, as a, as an organization build up resilience? So that even if it does come, we've got enough immunity. Yes, you took out database A but it was all encrypted and I've got database B so I'm still working fine. There's a little bit of impact. We're down for 15, 20 minutes.

Sometimes we had to go back to manual processes like the incident at the airport with CrowdStrike. Unfortunate, but the airport went to manual processes and people even mocked that they were writing boarding passes. But that's actually a great answer. Look, if you have no IT systems, have a drawer full of boarding passes you can take out and write. And every single organization needs to think about how do you deal with the implications of the impact of a cyber incident in a way that degrades gracefully, that the customer still has some level of service, even if it's not the quality and the black level that they're normally used to experiencing.

So backups redundancies.

Absolutely.

This is

a paper.

Yeah, I know whatever works for your organization at the scale that you operated. So if you're a really sophisticated organization having a completely what we call a second chain, a completely backup system that fails over immediately and data centers have this all the time, they're supposed to be able to fail over instantly. But if you're a small shop,

maybe just have a print out at the end of the day, print out all of your customer records. And if really your systems get wiped out, you have a whole bunch of print outs in a drawer somewhere, you can take it back and reconstruct the systems. Is it tough? Is it painful? Yes, but it builds resilience. And so we've gone away from, and even though I'm a cyber security company and we provide advice, our solution is never to invest infinitely in protection.

It's great money for me, but it's not a wise strategy for companies. You need to think about investing in resilience and that's a balance between protection and bouncing back. And if you don't bounce back, that's a business closure event.

This is Danny K and I think President Turner's trampoline analogy. Yes, absolutely.

Absolutely. You will fall and you will hit. And we've seen when companies get a cyber attack of a ransomware or data breach, stock prices get impacted customer trust gets impacted. But we've also seen companies bounce back after that. And quite often, what we see is that in about 40 plus days, stock prices return to normal.

And if the incident is particularly well handled stock prices even improve because the company now takes the security much more seriously. They are proactive in managing customers expectations and trust and they build up better systems and governance around their technologies to be more resilient. And so after that, the customers and investors like

they will not get hit by the same thing. Again, it's actually a good strategy.

Right?

At the beginning of the conversation, we are talking about multiple actors and you said that there are state level actors, but then you alluded to this non-state, idealistic, I don't know, these crypto anarchists out there who do also, you know, damage at the geopolitical level. So give us some examples and how do we sort of contextualize this entity?

There are all sorts of fascinating examples. So I'll give one that's ideological and not, not state affiliated. So there's this group that operates in Indonesia, we think it's a group, it might be an individual, called Bjorka.

And despite the European sounding name, it's actually, we think it's an Indonesian person. He attacks Indonesian government systems, he or she or they attack Indonesian government systems purely to send the message that Indonesia needs to invest more in cyber security.

And after every attack, they will send out a message saying this system was not well encrypted. This thing was not patched.

It is fascinating to observe. This person is still a bad person is still taking down systems, but the ideology behind it is to improve cyber security. That's one kind of example,

I'll use Russia and Ukraine as one a separate example and probably the start of this whole HIV

At the initiation of the conflict, when Russia first came in, Ukraine was obviously the underdog and Ukraine needed help. What they did was they called for assistance from all of the Ukrainians living all around the world and all of the Ukrainian supporters around the world. They actually created a Telegram group. I think it was called the Ukrainian Cyber Army or something along those lines. And they asked people for help. It's like, please, you know, we're under attack, help us.

at the start. It sounded like a great idea. Rally your friends, rally your troops, rally the people out there who could support you in this big conflict with an aggressor,

both for defense and offense. Like

so it got complicated

during that conversation. They were like, hey, there are all these Russian systems. If you could disable any of them, it would make them less effective. And it would help us

essentially what they were doing was they were motivating

cyber professionals, technical professionals who worked in companies that had access to Russian systems to use that privileged access to do bad things. Once you turn white hats, ethical hackers into unethical hackers by asking them to go after targets,

you would breach a very fundamental ethical boundary. And that's where things started to go a bit wrong once. And we, we, we accepted it because we thought Ukraine was the underdog and they need all the help that they could get. In fact, we even celebrated articles talking about how they were so innovative in getting people to support them. Now we realize what they've done is they've unleashed. I mean, they've opened Pandora's box, they've created a situation where legitimate technical professionals are now distrusted. If you are a Ukrainian or Russian working in a big tech company,

your boss is going to look at you and be like,

are you using your access to do bad things to the other guys? Are you an activist? So it's not just the traditional kind of criminal groups that are ideologically motivated that are going after things. Now it's professionals, once you open that space and you look at Now what's happening with Israel and Hamas,

the spectrum of types of attackers that come out, some are directly enabled by states. Ukraine gave a target list in a Telegram chat group. Israel and Hamas are giving motivation to people to support them,

what we see in particular in this region, so Southeast Asia, is that there are a lot of ideologically aligned groups that are targeting companies that are either for or against Israel or Hamas. And unfortunately, it's one of those situations where damned if you do, damned if you don't.

If you support Israel. There are groups who support Hamas who will attack you. If you support Hamas, there are groups that support Israel, they will attack you. If you support neither, both will feel that you need to take a stand and will attack you as well. So it's really a difficult situation with companies and we are seeing groups in particular in Malaysia and Indonesia going after targets purely on an ideological basis.

And it's a difficult situation. We're really far away from the conflict. It has very little to do with us on a day to day basis. But because again, the geography of the internet has collapsed,

I was only aware of the product boycott and things like that. I wasn't aware that even in this part of the world, we have seen cyber related incidents based on the Middle East conflict.

Yeah. So the most visible ones that we see are website defacements. So if you have a company website and it's poorly secured, some bad guy will take over it and put a message saying, you know, you supported either Israel or Hamas and you are therefore a bad company, you know,

so those are the most visible ones, but under the surface, we see a ton of attacks and sometimes those attacks are on systems that are either built by Israeli companies or that supporters or vice versa. So there is a ton of stuff happening below the sea level that you can't really see, but it is happening

China-US.

That's going to be a fascinating thing to watch, especially in the next four years. I think one of the biggest challenges that we saw was at the start of China's kind of technical rise. People didn't quite take it as seriously and to some extent, the US industrial base had hollowed out already. When we had the 5G debates a while back, it was not a choice between the American 5G and the Chinese 5G because there was no American 5G,

it was all European and they had no alternative to offer

The rise of China's technical innovations in the last few years has been tremendous. And I think partly fueled by the lessons that they're learning from Russia-Ukraine, what happened, and I'll kind of jump around a little bit. But what happened during Russia-Ukraine was the West decided that the best strategy to contain Russia was to isolate them on a technical level. So they took them off some banking systems, they took them off some international kind of technical situations systems and tried to isolate them as much as possible.

China watched and realized that having dependencies on Western technology and Western infrastructure was a risk. They already have their Great Firewall, but now they started building their own operating systems, their own cloud system, their whole infrastructure, the whole tech stack. They're looking at every layer to see which part of this do I have a dependency on something that if it's taken out, I crumble, and they're replacing it. So instead of trying to encourage a situation where

they become more interdependent, they become more independent, I'll explain what the problem with that is now. So

that

maybe as an analogy that I think it's an African proverb, if you live in a village with one shared well, no matter how much my family hates your family and your family hates my family, we will never poison that well, because there is absolutely no incentive for us to do so. The minute I have my well and you have your well, the incentives flip and the game theory outcome is I will try my best to poison your well and you will try your best to poison my well,

in an era where we had one banking system globally, in an era where we had one technical infrastructure for the whole cloud, for the whole internet,

I had no incentive to poison your well, our well, our shared well. But when you have a Western technical ecosystem and an Eastern technical ecosystem and that tech bifurcation is completely segregated, the incentives flip and we will spend all day trying to poison each other's wells. At the point where all of our companies rely on Microsoft Windows to power up our systems,

I'm not going to poison it. I need it as much as you do. But if I have my country's operating system and you have your country's operating system, it's going to be a much more fragile world. So this whole idea of de-risking, which came about with this whole East-West conversation, came about at the start of this whole 5G conversation, while it addresses the tactical risk, creates a strategic risk. The tactical risk is yes, I no longer depend on Chinese tech or Western tech, whichever side you're from.

But the strategic risk is now, I am going to be constantly under a barrage of attacks from the other side that will not lead to any sort of stability. There is no stable dynamic between this situation. So it's going to be very tough.

This is a fascinating insight. Why aren't people listening to you? Because this is, yeah, I totally relate to this point and the fact that in the name of the scheme, we're actually increasing vulnerabilities

because on a very tactical, very short term level, it seems to make sense, right? It seems to make sense that hey, I have concerns with the supplier ABC. I'm just going to remove supplier ABC. And if supplier ABCs are from a country that I have general geopolitical concerns with, then yes, I'll remove all of those companies, but that in the longer term, and unfortunately most corporates in most countries don't plan and act in very long term interests, creates a very unstable equilibrium.

I have made this point and I'm not alone. There are many others who are making similar points. But you look at like the CHIPS Act, you look at de-risking, you look at all the conversations that are happening on telco. It is a very similar line of logic. The other implication for all of this is in terms of great power competition. So part of the reason why the US started the CHIPS Act was because firstly, de-risking, they wanted to have onshore chip production capabilities. But secondly, they wanted to reignite the industrial base, get tech back up.

But by doing so, they've also incentivized China to double down on it. It's their Sputnik moment. It is their, it is their moment to now suddenly spark off. And previously, when they would have been in a more interdependent economic system, they like, you know, it's OK. I'll get some stuff from them, I'll sell some stuff from them there, there's an ecosystem of buying and selling and we don't have to have all of it on our own.

But once you make it such an obvious strategy that you want to have your own capacity and capabilities, the other guy is going to do the same thing. And at this point in the technological evolution, China does have a little bit of a head start. They have the capabilities and the capacity to do a lot of things.

Actually, I've been thinking about this issue myself, which is I think the view in the West, particularly the US has been that if you sort of stop the Chinese from accessing the latest in tech technology or rather chip technology,

that there will be a widening gap. I think the lesson from the last eight years is that there is a whole range of stack on non chip specific technology from like building green transition related things to large tractors to protein folding. You don't need the two nanometers, what the Chinese have, they can get by and do very well. And even the journey from say 7 to 5. Now when I talk to chips especially, they don't say it's impossible. Four or five years ago, people told me it was impossible for the Chinese to ever come up with smaller chips on their own.

But even like lithography and stuff, nobody thinks that it is only ASML's game forever. Forever is a very long time. So

no I, so without getting to the technicalities of it, I also don't think it's impossible. But I will say that even if, even if it takes them a really long time, there's a lot of stuff you can do, which is more compute. I said it is more condensed, correct.

And they have scale, right? They have production capacity at enormous scale which does not require them to force that miniaturization that the West is looking at and it is more efficient, it is more effective, etcetera, etcetera. But they have scale and they have data, right? Put those two together, you look at what AI is happening in China and it's tremendous, the scale and the speed that they're moving

at.

OK. I was waiting for you to mention the word AI, all right. So cyber security and AI,

oh, that I think is the game changer on both sides. I was just involved in conversations again at the United Nations looking at how AI has impacted cyber from the offensive and the defensive side.

It is a productivity tool for the attackers just as it is for the defenders. And we're seeing it, we're seeing

amateur, maybe beginner, attackers use their version of ChatGPT to build out and understand technical vulnerabilities and exploits.

One of the most apparent examples that ordinary people feel is that the quality of phishing emails has gotten better. There was an era where we used to all joke about the Nigerian princes and how badly written those emails were.

Today, you cannot tell the difference between a human and a bot. And in fact, there was a period where we used to tell people spot the signs of phishing, look out for the spelling errors and the grammatical errors and the punctuation errors. Today, if there are no spelling errors and no grammatical errors, that's the, that's the phishing email because the humans still make typos. I still have punctuation errors in my emails.

We are now in a situation where telling fiction from reality is incredibly difficult because of generative AI and the attackers are using it not just for the deep fake images and the fake news and all of that, but also just to lure people into clicking a link, to create websites that look incredibly realistic on the fly. And that generative AI capability is tremendously powerful in their hands.

The challenges that we are going to see with AI being both a productivity tool as well as a tool for greater sophistication means that the quality and the volume of attacks are going to go up

on the defender side. It is incredibly useful. And I would say that AI in my view does two things very well. It finds needles and organizes haystacks, it finds needles in the sense that it finds unusual spiky behavior

on a daily basis. Go checks his email from 9 to 5, suddenly on a Thursday at 3 a.m. he sends out a one gigabyte file. That's a needle, that's a spiky behavior. That's unusual. Something was wrong, either legitimate but unusual or illegitimate. And so it will flag that up and say, look, sending out an email of three gigabytes is allowed by our system. But this guy, it's unusual based on our behavioral analysis, and AI is great at that.

The other thing it's great at is organizing haystacks, small data points that on their own don't really mean much. But if you put them together in an interesting way, you get an insight. Like over time, your computer has been performing slower and slower over time, the data that is sending up to this particular address is increasing a little bit by little bit each day. Why would that be, what's an insight we can gain from that? So it's great at organizing these kind of haystacks.

You put those two, needles and haystacks, together and that's cyber security. It's trying to understand when there is malicious activity inside your corporate network, and it usually manifests in either spiky unusual behavior or a trend of unusual things. And if you can catch that early enough, you can stop it from becoming an impact. So the whole game now is for AI for defenders is to use AI in detecting malicious activity inside the networks.

Attackers still cannot use AI. Once they get it, they use it to knock on the door to break in. But once they get in, they're on their own, you can't bring it with you. It's a huge payload to bring into an attack. But defenders have the entire perimeter on their own so they can put AI to work. And I think at the scale of data that most companies are operating at now, you can get a lot of fascinating insights. And more importantly, humans can't do it.

The amount of data that a bank like yours would process on a daily basis internally would overwhelm your human operator. So you have to use some sort of algorithms or AI for it. The challenge we have is that AI is a little bit unpredictable by design. It is a statistical system and statistical systems inherently work on probabilities, which means that there is a 90% chance it's correct. There's a 10% chance it hallucinated and gave you a completely bad answer.

And that will always be the case. So we need to figure out a way to design around that. There's a whole other interesting conversation about securing AI itself, which today is a very nascent area. We don't quite understand how to secure AI because it doesn't work like traditional software. Traditional software is if this, then that, which means if I program a software to say what color is the sky, the answer is blue. And if it doesn't give me the answer of blue, I'll flag up an error and I know somebody hacked my system because the answer is not blue. But if you ask AI, what color is the sky? Where? Well, it's black at night.

That's true. It's red in the morning. That's true. It's gray in London. Also true. So it may not ever give you blue. But is that an error, is that performing correctly?

You can't build those same security rules to determine if the AI has failed because it might just be performing as expected. And so securing AI is another huge challenge that we're going to see as more companies incorporate AI into the infrastructure.

Our cyber practices are largely driven by infrastructure created by very large companies from AWS to Google and then on the social media world, all the

Facebooks of the world. So in this new AI wave that is now just about two years old, are we seeing large companies play as dominant a role or is it becoming more of a decentralized world?

But

you have, so I'll talk about the decentralized portion first. You have a tremendous amount of tools available in the open source area, in the open source domain, that already empower a vast number of people to use AI at home. You can go to this place called Hugging Face, download a model, run it on your MacBook, super easy, and you can do everything from generating poetry to generating photographs by yourself, without the internet, after you've downloaded the models. That's a few gigabytes. It's not difficult to do.

At the same time, while it's decentralized to the extent that individuals can run their own and build their own models, it's also become a game of very high performance compute. So part of the reason why NVIDIA has kind of surged ahead is because they offer the kind of high powered computer that's optimized for AI.

These cloud service providers and chip manufacturers and the providers of high performance compute will run far ahead. The type of complex work that they can do. And I'm, you know, my company is building many of these tools with them.

The type of high performance AI things that you can do will be fascinating. We are already seeing the surge of activity in terms of use cases for AI and to some extent, I am far more bullish on AI than I ever was on crypto. But I do think that this whole space will continue to create a lot of productivity and a lot of interesting use cases and value for ordinary people and for companies

and the large companies that we're talking about which have all those great M one and M 100 chips. Are they being cognizant of the cybersecurity aspect?

We still operate in a world where the fundamental mantra for tech is move fast and break. That's right. And there is no better example of what move fast and break things looks like than what we saw in terms of the governance of OpenAI. Very few companies have the ability to fire their own board.

Yeah, very few companies have the ability to fire their own board. And at the point where you can fire the governance layer for your own company because you want to move faster, you have to ask real questions about what is the actual

risk management culture in that organization? How fast are they prepared to move and how slow are they prepared to take the risks? I offer an analogy with another domain of technology where we deliberately slow down: cloning. We have the ability to do cloning. In the late nineties, I think we all read about Dolly the sheep, and human cloning is eminently possible today. Bioengineering is also very possible, but we as a human society decided, let's slow down.

This doesn't feel like a good idea. At this point, I don't think we should do this. So we slow that entire trajectory down.

That industry is heavily regulated, medical testing, medical experimentation is a heavily regulated industry. You cannot try cloning without getting into a whole bunch of problems in most countries.

But tech again is an unregulated space. So AI is doing a lot of things and it's adding value, but it's not managing the risks very well. And you'll see this in every single AI solution out there. It's trying its best to prevent it from being used to generate deep fake nudes, for example.

But we have an epidemic right now rampant deep fake news, South Korea. It's happening in Singapore. It's happening everywhere in the world. How do you stop that? Fake news is a general concept.

It's impossible at this point to stop because everybody has access to a simple tool that can create a photograph of me doing a bad thing and me and a story being written about that bad thing. I can't stop it. And you put companies on the defensive all the time. The challenge with the big companies is that they are going to keep pushing really far and really fast. They do say all the right things. So most of the big tech companies have great frameworks around ethical AI, have great frameworks about responsible and secure AI.

But the actual implementation lacks many of those safeguards because it's hard and because it's hard, they may not prioritize them all the time. I'm not optimistic that companies will take the cloning path for example and slow down deliberately so that they're comfortable with

it.

The money talks. Gaurav, you said that you're very constructive on the productivity gains from AI, not as much as you have been on crypto,

but there seems to be a lot of people who are really bullish crypto these days as you and I speak it's hitting 95,000 Bitcoin. Um One of the appeals of crypto is that, you know, it's compute heavy to, you know, counterfeit and therefore there's a fixed number of bitcoins and the mining gets progressively increased, expensive because of all the cryptography element of boundary. And leading us into the question of quantum, will that entire infrastructure

become sort of completely undermined if quantum computing becomes ubiquitous?

So it will be, there's a transition, there's a journey. And I do think that there are risks. I sit in both conversations. So I'm in conversations with folks who are very optimistic on cryptography. I'm also in conversation with folks who are very optimistic on quantum.

Those two conversations rarely intersect because it's a bit of oil and water.

The whole blockchain and kind of cryptocurrency world exists on the basis of cryptographic fundamentals. And as you mentioned, the cryptographic fundamentals are robust enough such that you need a lot of compute in order to break it.

But if you could break it,

if you can break the cryptographic fundamentals behind Bitcoin or whatever it is,

you undermine the entire value proposition that that thing offered.

The argument is that quantum will come out in stages. The first stage is the ability to decrypt things

and the ability to decrypt things will be destructive. It will undermine for example, Bitcoin

more so than some of the other ones because the cryptographic fundamentals are rather old.

The challenge with cryptocurrencies is that if you try to change the cryptographic fundamentals halfway through, it's really hard. Once you end up doing a hard fork, you actually lose the previously, you actually lose all of the previous value. And it's very difficult to transition that value into the new fork. And you've seen this with other cryptocurrencies that they have done a hard fork and have lost previous value.

There are some cryptocurrencies that will come out that are newer, that will use more modern cryptographic standards, perhaps even quantum-resistant, post-quantum cryptography, but they will be new and they won't be the $95,000 guy. So there will be this era of transition and difficulty because the first use case of quantum computing will be to decrypt.

Once enough people have access to a quantum computer, then you can use it to encrypt,

then you can have a blockchain that uses quantum as the cryptographic fundamental generator. But we're very far away from that at the point where quantum cryptography becomes something that's accessible to the ordinary person. We're a decade at least away. And the reason why it's different from cloud is because quantum is a physics problem. It's not just a scaling problem. Cloud is a scaling problem. If, you know, Zimbabwe wants it, if Brunei wants it, if Singapore wants it, it's a scaling problem. And in fact, you don't even need to have your own cloud, you just need to have access to the internet.

Quantum will be different. You will need to have a physical environment that's stable enough to actually build a quantum computer and very few countries will have access to that. And if you look at the programs around the world, most of the quantum programs are being sponsored by militaries, which indicates, I mean, I'm sure many militaries are interested in curing cancer,

but there will also be other use cases that they have for it in terms of espionage. And once you start to decrypt internet protocols, decrypt transaction protocols, decrypt cryptographic fundamentals, you create that instability. That makes me wonder whether today's cryptography-based tokens, products, tools will survive,

right? So let me broaden that specific discussion in the context of geopolitics.

Who has the lead in quantum? Is the US way ahead of the Russians and the Chinese and the North Koreans?

It

is really hard to tell. So the Europeans, so what we know about is what the West openly declares and I think they are quite transparent in terms of what they are building and what they're doing. There are many open quantum initiatives. I was talking to leads at some in Geneva and they're pushing this idea of openness because they want quantum to be something that people talk about and understand

and use responsibly.

But there are many other countries who invest in quantum that don't tell people what they're doing.

And so I have no idea whether they are ahead or not. My assumption is that the West is currently likely to be ahead.

But we have another trajectory that's come in, that's kind of

made things a bit harder to assess. And I'll explain why. We assume that research in quantum was a straight line. More PhD students studying quantum, it will move a little bit faster. But now I've got AI

that a conversation has become a productivity tool for PhDs as well. For the researchers, the types of work that they are asking their models to do overnight before they come back previously took a year of PhD research systems to produce. So we are now seeing a sudden change in the trajectory of research in quantum.

Does that mean it moves faster? Does that mean countries will suddenly be able to accelerate? Countries that have AI at scale in their domestic environment, can they do more with it? I don't know. So that's the disruptive power which I'm not quite sure how the trajectory plays out. All I do know is comment everybody AI is making a difference in their research and we're seeing things move faster.

This is just so cool. I was going to end our conversation with your advice for corporate leaders. I think we have talked about it already. We should really stop in that really fascinating, brave new world phase. Gaurav Keerthi, thank you so much for your insights.

Thank you so much for having me, and I hope I didn't scare you too much. I am still an optimist at heart. I just plan for the worst and we figure out how to deal with reality a lot. What was the phrase octo realist, realist?

You heard it for the first time here?

Thanks to our listeners as well. All 142 episodes of Kopi Time are available on YouTube and on all major podcast platforms including Apple, Google and Spotify. The podcast was produced by Ken Delbridge from spy studios. Violet Lee and Daisy Sherman provided additional assistance. As for our research publications, webinars, you can find them all by Googling DBS research library. Have a great day.