
September 5, 2024 38 mins

Host Takara Small is back for another season to explore the question: what’s up with cybercrime, and how can we protect ourselves online? We discuss cybersecurity’s history, evolution and how the alarming rise in cybercrime has impacted everything from our economy to our healthcare system—and even our elections. Guests include David Shipley (Beauceron Security) and security guru Bruce Schneier.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Takara Small (00:03):
It's estimated to cost us more than $5 billion this year alone. Almost all of us are being targeted. Our hospitals and critical infrastructure are under attack, and even our elections are being compromised. Canada, it's time we talked about cybersecurity.

News clip (00:24):
Cybersecurity breaches have been on the rise, for a recent string of cyber attacks on the federal government. Another Canadian government agency hacked. Experts say things will only get worse.

Takara Small (00:37):
We're facing an epidemic of cybercrime, and it's not just money that's at stake. Hackers targeting our healthcare system are deleting records and leaving patients without access to critical treatments and medication, putting real lives at risk. There's also the emotional toll for individual victims. Cybercrime is now one of the biggest security concerns,

(01:00):
facing not just Canada, but countries right across the world.

David Shipley (01:05):
It is effectively a hidden tax on the Canadian
economy.

Takara Small (01:09):
It's impossible to engage with modern society and not put yourself at risk of being a victim. But how much do we really know about this invisible threat, and how can we make the internet a safer place for all of us? This is season two of What's Up With the Internet, Canada's internet podcast, and we're talking about cybersecurity.

(01:32):
To help you wade through all of this, I'm your host, Takara Small. The podcast is brought to you by CIRA, the Canadian Internet Registration Authority, which is a non-profit building a trusted internet for Canadians. During the six-part series, we're going to take a look at the way cybersecurity impacts how we experience the internet,

(01:55):
what you need to worry about and what can be done about it. Hacking goes way back. You could say it even predates the internet. When Alexander Graham Bell invented the telephone, there were phone operators who'd swap the lines to prank callers. Then Alan Turing's hacking of the Nazi Enigma machine helped

(02:17):
win the Second World War.

David Shipley (02:19):
It's the greatest encryption device in history and the Germans use it for all communications. Everyone thinks Enigma is unbreakable.

Takara Small (02:26):
But in the late 90s, when computers started popping up in every home and office, that was when hackers and criminals really started to spot opportunities. But even then, cybercrime was largely informal and for most ordinary people, their only security fear was catching some malware when you were downloading music on LimeWire,

(02:50):
do you remember? And then you'd have to navigate all these pop-up windows when all you really wanted to do was talk to your friends on MSN Messenger. Yeah, all of that for a Limp Bizkit album. Nowadays, hacking is often highly sophisticated big business and used by many states as a weapon of war. So the scope of cybersecurity is constantly evolving and, with

(03:14):
so much of our lives now online, cybercrime can devastate families, ruin businesses and shape geopolitics. To dive into all of this, we caught up with a Canadian expert, David Shipley. David is a journalist who went on to become the co-founder and CEO of Beauceron Security Inc., a cybersecurity firm based in Fredericton, New Brunswick.

(03:37):
Can you tell me what the common forms of cybersecurity threats are?

David Shipley (03:42):
Well, the biggest thing is there's two types of cybercrime. There is cybercrime where the technology is the target, and that's where you see crimes like ransomware, attacks into organizations to steal information, espionage, those type of activities. And then you have technology as the facilitator of crime, and so this is where you're seeing, for example, the use of

(04:04):
technology platforms like Telegram, which has helped organize traditional fraud and crime gangs in new ways, leading to an 88% increase in check fraud in the United States, for example.

Takara Small (04:17):
So how many Canadians a year are actually victims of cybercrime? Is this something, considering everything you've talked about, something you can even possibly measure?

David Shipley (04:28):
Well, I would say all of us, at least once a year, are the victim of cybercrime. It's whether or not we know about it, absolutely. Let me back that up so you know. Only a fraction of actual breaches are ever known, ever become public. So when you've got high-profile ones like London Drugs, where

(04:49):
you have a ransomware incident that shuts down stores, it's impossible to hide. But a lot of attacks are hidden and there are a lot of reasons for that. So a lot of us are impacted. Certainly all of us have been impacted at one point over the last decade. If you live in Ontario to British Columbia, you probably

(05:10):
lost personal health information in a LifeLabs breach. If you're in Newfoundland, you were probably impacted by the cyber attack there on their health system. Several hundred thousand people in Nova Scotia when they were part of the MOVEit hack, and on and on and on. 600,000 students when HRDC lost a laptop or, excuse me, an

(05:31):
external hard drive. So, so we're all victims. How much, how significant it is, varies. For some folks it's incredibly painful and traumatic. So we're talking about the tens of millions of dollars lost last year in romance and fraud scams, so-called pig butchering, where relationships are built up over time and then

(05:52):
consummated with some form of fraud. So that's at a record level, whether or not we work for businesses that are hit with ransomware attacks. If you were an employee of Chapters, Indigo, Sobeys, Suncor, you were impacted by cybercrime. So it's all over the place and it's effectively a hidden tax on

(06:12):
the Canadian economy, and what I mean by that is both the direct cost, the $600 million in known losses, as well as the $10 billion a year that the private sector is paying, on top of the multiple billions of dollars being paid by the public sector in Canada.

Takara Small (06:30):
Pause for a moment to let that sink in. So many of us rely on a variety of modern devices, some for convenience, but also for necessity, and I'm wondering what are the risks associated with that?

David Shipley (06:48):
Absolutely. What we have to realize is that, fundamentally, we ran headfirst into the internet without thinking about any of the consequences. What do I mean by that? Politicians and others often used to describe the internet as the information superhighway. There were some famous speeches, including here in New Brunswick, where our premier led North America in the adoption

(07:11):
of broadband technologies. Like, little known fact, New Brunswick had broadband to the neighborhood and broadband to the home before Silicon Valley. We were leaders in that space and his famous speech, Frank McKenna, said the train is leaving the station, we can't miss it. And we were so enamored with the possibility and potential of this technology that not a single person decently thought

(07:32):
what happens on the information superhighway when we finally meet the highway robbers. And we are paying for our lack of foresight today from 30 years ago. All cybercrime is the logical next evolution of crime that we just put our blinders on and pretended wasn't going to happen. And all technology that we have today is built by humans, which

(07:56):
means it's as beautifully flawed as we are. There is no perfect technology and in fact the word technology, which comes from two Greek words, techne and logos, actually tells us something. Techne means the art or the skill of building or using something. Logos means the word, but when combined with techne means the

(08:17):
careful consideration of what you gain or what you lose when you build or use that thing. So, to answer your question, every piece of technology has inherent flaws, has both benefits and risks. Let's take the smartphone. The modern smartphone is a marvel. It is a complete television studio in your pocket.

(08:41):
You can broadcast in perfect 4K high definition at broadband speeds, and this can lead to a level of communication and instant response that is both amazing and frightening. It is also the NSA's absolute perfect dream. You know, I remember watching the Will Smith movie Enemy of

(09:03):
the State and gasping and thinking about all the ways that they gather information, and we all carry an NSA surveillance van in our pocket now.

Takara Small (09:12):
The level of stress. If I was, like, hooked up to, like, a machine right now, my level of stress would be peaking right now because we don't have the option to not have a smartphone. I mean, depending on what your lifestyle is and where you live, having a smartphone is expected. No, it's required these days.

David Shipley (09:32):
Absolutely. But here's the thing: the amount of assumptions we make about the protections that we don't have is stunning. Like, look at the case in the US where the major telecommunications carriers have just been hit with a $200 million fine for selling everyone's location information to thousands of data brokers, some of which that information

(09:53):
was used and weaponized in ways against people's reproductive health choices. So these tools, which have amazing, immense potential, have equal parts the potential for harm when you don't understand the consequences, when we don't have checks and balances on these things, the assumption that these technology companies

(10:17):
have our best interests in mind. I hope that lie has been laid bare, I mean with Frances Haugen's damning testimony over just the known harm that Facebook and other social media have on young teenage girls' mental health and body dysmorphic disorders. So I mean you're probably expecting me to come up here and scare you about ransomware, but there's a bigger story here

(10:39):
about our intimate relationship as individuals with technology, as a society with technology, and the kind of place we want to live in, including dealing with criminality, which is a natural part of human society.

Takara Small (10:52):
So you just hit on something that we've actually discussed. In our first season, we talked to Frances Haugen, well known for her Meta testimony, about the data that Facebook uses and how that can be applied to individuals and advertising, etc. Which brings me to my next question about why is our data

(11:15):
so valuable? Why are people so obsessed with getting their hands on it?

David Shipley (11:22):
Data is power. Data, given shape and creating insight, can lead to the manipulation of choices or behavior. I run a company that uses this kind of approach for good. We teach people about cybersecurity and we use elements of behavior science, neuroscience, gamification,

(11:43):
other things, to drive the choice architecture for individuals. So every piece of data in isolation may seem harmless, as it is stitched together to create a picture of you, your relationships and more, it is absolutely possible to use this to your benefit or to your harm, whether it's election manipulation or whether it's just trying to sell you the

(12:06):
latest toothpaste. Or, more accurately, as a story was told to me, how someone's mother, elderly mother, was being targeted for a particular brand of toothpaste by targeting the son to get him, hopefully, to talk about this particular toothpaste. So you touched on this a little bit earlier, but I'm wondering if you can talk me through how much this actually costs the Canadian economy.

Takara Small (12:29):
How much is lost every year?

David Shipley (12:33):
So what we know is being reported is $600 million in losses. In the most recent reports, and the RCMP, and I work closely with folks in the National Cybercrime Coordination Centre, they estimate that that's only 10 to 15% of the total amount of losses that Canadian individuals and businesses are incurring. So, with that number in mind, we're probably looking closer at

(12:56):
a $6 billion cost to the actual outflow of money, funds and the economic damage caused by cybercrime. And I'll give you an example of sort of the orders of magnitude. When you look at the Sobeys breach, the criminals probably made out. If Sobeys paid, which we're not entirely sure if they did or didn't, but if they paid they probably paid a couple of

(13:18):
million dollars out. They suffered $50 million plus in damages in that one attack alone, after their insurance coverage costs. So the damage done in cybercrime is usually on the order of magnitude of $13 in damage for every dollar in criminal revenue that is reaped in. So you know we've got $6 billion in the estimated damage

(13:42):
cost. And then, as I mentioned earlier, according to Statistics Canada the private sector in Canada, they were spending about $7 billion in 2017. Now, as recently as 2021, it rose to $10 billion. That's a surge in spending, and shareholders don't absorb those

(14:02):
costs. We talk a lot about the inflation story in Canada and, while cyber is probably not the single largest contributor to inflation, it is absolutely part of the inflation story.

Takara Small (14:18):
You know there's been a recent push to increase the number of online services that are available to Canadians, but you know you could probably see this around the world. Also post pandemic, there are more people who are expecting some of the, you know, maybe programs or offerings that were once in person to also be online. Does that have an impact on the types of cybersecurity breaches we're seeing or on the overall number?

David Shipley (14:41):
Oh, absolutely. Let's take the Canada Revenue Agency's big push to online, and so here they've created amazing new tools: a web portal for individuals, the ability to find, as I found out the other week, old tax money I never claimed. That was a nice surprise.

(15:01):
You know, a GST check from back when I was a kid that I forgot to cash in. So I filled that form out online and got that easy $75. So it's amazing. But at the same time, by creating that portal, they set themselves up as a target for a massive cyber attack a couple years ago, where attackers know that people reuse passwords.

(15:21):
They used giant billion data point plus databases to actually digitally lockpick CRA and steal millions of dollars from people's tax refunds. Because we didn't think to put two-factor authentication on, because that created too many perceived barriers to the

(15:42):
convenience of accessing government services online.

Takara Small (15:47):
Let's talk a little bit about the dark web. This is a term that's thrown around online, in person, in articles, Hollywood all the time, but I don't think many people know exactly what it means. Can you break down what this term is, and is this a place where some of that hacked data you mentioned is actually sold?

David Shipley (16:07):
Absolutely. So picture the modern internet as an iceberg. At the very tip of the iceberg, above the water, is the internet that all of us know, the easily searchable, indexable, referenceable internet, and below the surface, between the next layer down, is what we call the deep web, and this is stuff

(16:29):
that's still open and publicly available, but it's not very well indexed, it's not referenced properly. You got to know what you're doing to go for, go looking for it, and you still see a shocking amount of criminality taking place in that part of the net. Then, at the very, very bottom of this giant iceberg, is this awful lair that's kind of the, for Star Wars fans, the Mos

(16:53):
Eisley, the den of scum and villainy and wretchedness of humanity and the internet. That's the dark web, and you usually have to use specific types of technology like Tor or the Onion Router protocol, which was originally built with good intentions to help dissidents in authoritarian regimes communicate, but has now been used by criminal gangs and others to facilitate every kind

(17:15):
of evil you can imagine: drug trafficking, weapons, human smuggling, data breach exchange, and you see the evolution of the professionalization of cybercrime occur there. So you have people who are basically the digital equivalent of B&E specialists. So these are the folks that are the so-called initial access brokers. So they break into places and then they sell that for usually

(17:38):
a pittance, a couple thousand dollars, to somebody else that specializes in monetization. So ransomware, data theft, you name it. So this is that whole ecosystem that law enforcement around the world is cat and mousing all the time trying to disrupt.

Takara Small (17:57):
So how have you seen cybercrime grow and evolve then throughout your career? Because things have changed quite quickly in the last couple of years.

David Shipley (18:07):
I think the biggest thing that's probably hard for a lot of people to get their head around is the professionalization of this cybercrime economy. So oftentimes we still have the stereotype of the kid in the hoodie, hacking from the basement, and while there are still gangs of kids that have wreaked incredible havoc, see

(18:28):
Scattered Spider, the Lapsus gang and the attacks on groups like MGM and some major security providers like Okta, so kids are still out there doing the kid thing. But you're talking about these fascinating business structures in ransomware as a service, phishing as a service, crime as a service, where sophisticated technological criminals build

(18:53):
platforms and infrastructures, build up even HR departments and have vacations, have schedules. We know this from several of the groups that fell apart. Just the level of organizational design and sophistication is amazing. And then they use these fall guys and fall. One of the top affiliates for a Russian ransomware gang and he

(19:30):
made, you know, 20 million plus as an affiliate for NetWalker, knocked up some American entities that really upset US law enforcement. They got on his tail, they picked up his tooling on a server in Poland, kid you not, traced him back to Montreal and he's going to spend a very long time in US federal prison after being found guilty here in Canada and in the US.

(19:52):
So that's how crazy the world is.

Takara Small (19:56):
And how do you think people are responding to this? Do you think we as a country really grasp how important this stuff is? Because when I talk about this, when I write about this, I slowly start to see people's eyes glaze over and start to look around the room, losing a, you know, a little bit of interest in this category, which I can understand. It's confusing, it's complicated, but what do you

(20:19):
think, you know? Individuals, companies, our nation as a whole, are we grasping how important this is?

David Shipley (20:26):
No, I think a lot of individuals, a lot of companies have fallen into what I call the valley of despair, and so they've just given up. What can I do against this? You know it doesn't make sense to try. It seems hopeless. We have a federal government that has never cared less about national security, let alone the fact that cyber is part of

(20:48):
national security story, and it's not a good place for Canada to be. We already have major concerns emerging as a den for international money laundering. The fact that some of the biggest criminal busts on the dark web were founded by Canadians or former Canadians should be alarming.

(21:09):
To been recovering from heart surgery and had, you know, had some health challenges over the years and the emotional toll on

(21:34):
this that he took this fraud case is set his health back considerably and he didn't lose money, thank God. He was close. He almost lost $10,000. He didn't have to lose. But the amount of guilt and shame he felt as he got pulled into this absolute rabbit hole of villainy was stunning and

(21:55):
probably the most important message that I want to get out today about the folks out here who are dealing with being the victims of fraud. You're not dumb. Falling victim to incredibly sophisticated cyber-enabled fraud in the 21st century has nothing to do with intelligence and everything to do with your humanity. These criminals prey upon our natural human emotions.

(22:18):
They leverage the fact that our emotional brain is part of our primal or old brain and it's part of our survival instincts. And if they can be successfully hijacked, they can short circuit all of that beautiful neocortex, that higher brain function, to get us to do what they want. And so biology is up against us, our humanity is against us,

(22:40):
but it is absolutely not about how smart we are.

Takara Small (22:44):
That is one of the things I tell people all the time. I mean, you see, with ransomware and other forms, you know, the idea is to create this level of immediacy, right? Like there's a clock, there's a timer. You have to make these decisions quite quickly and our human emotions take over and we do or say things that we never

(23:06):
would have done if we had the time to sit and think. How do you combat the shame aspect? Because you could teach someone every cybersecurity skill they need to live, you know, a very safe, a very hack-free life. But overcoming the biological aspects, as you mentioned, is a

(23:26):
lot trickier.

David Shipley (23:29):
Absolutely, and there's some really great research that's given us a path forward. We're actually using proven techniques around emotional intelligence, and mindfulness can have a dramatic impact on repeat susceptibility to cybercrime, on your ability to detect the cues as phishing and other forms of social engineering get more sophisticated with AI, and so what we teach people

(23:51):
through our technology, which more than 800 organizations and up to 900,000 people now have access to, is slow down, take a deep breath, allow your neocortex to kick back in, calm the emotions. You are not in such a rush that you have to respond immediately. And then we also talk about setting yourself up for success.

(24:13):
We know from our research that the most dangerous time to click is Monday morning between 8 and 10 am. Why? You haven't had your coffee kick in yet. You've got way too much email to process that happened over Friday and over the weekend. You're now trying to get ahead of your week, so just slow down and treat that email inbox like that old, classic Windows

(24:35):
Minesweeper game. You don't know which one of those emails may be loaded, so just slow down.

Takara Small (24:42):
That was David Shipley talking to us from New Brunswick. Now, Bruce Schneier is one of the world's foremost voices on cybersecurity and privacy. He's published many books and he lectures on public policy at Harvard Kennedy School. We caught up with Bruce to get a veteran's view on his decades-long journey through the cybersecurity world.

(25:03):
How has the space evolved throughout your years covering it?

Bruce Schneier (25:09):
I was having dinner with a colleague the other night and he ascribed it to the balloon is getting bigger. So we're interested in the balloon of secret codes, cryptography, computer security. Now it's called cybersecurity and that's our thing. But what that encompasses has gotten bigger and bigger and

(25:30):
bigger. Now it involves cars, now it involves social media, which these things didn't exist in the 80s. I write my book, my first book in the early 1990s, and there those battles and policy are around telephones, those things

(25:51):
you use attached to a wall with a cord, and these devices that would stick between the telephone and the handset. Remember handsets? And that's what that was about. And now it is about everything. So the evolution has gone from niche to mainstream. Cryptography used to be something you would use if you

(26:14):
needed to keep a secret. You were a dissident. You are a journalist working in some country. You were a criminal. You were a military. You were just someone who didn't want the police listening in on you. Now you're like a regular business that is just concerned about the world, or you're just a user of a smartphone and

(26:38):
cryptography is built into the system. You don't even realize it. So what's happened is that balloon has gotten huge. It's just gotten more mainstream and I teach right now at the Harvard Kennedy School. I'm teaching public policy students cybersecurity, and these are not even math people, these are not tech people. These are policy kids.

Takara Small (27:01):
How would you define or describe the current state of play in cybersecurity, and I ask that through the lens of there have been several hacks, breaches, specifically in Canada over the last couple of months. I'm thinking TPL, I'm thinking the LCBO. How would you describe what we're seeing now?

Bruce Schneier (27:22):
I would suspect there have been several cyber attacks in Canada in the last 20 minutes, but they don't all rise to the level of the national news. So what you're talking about are the major attacks, ones that are big enough to make the national news, and in a sense, that's the state of play. That attack is much easier than defense, and whether we're

(27:43):
talking about cyber crime or nation state cyber espionage or any of the other nation state actions against other countries, it is all attack and very little defense, and that has been true for a long time. That attack is easier than defense for a bunch of complicated reasons,

(28:10):
and we're in a world where the vulnerabilities outstrip our ability to secure against them.

Takara Small (28:14):
I mean not say we can do nothing, but that there is an inherent advantage to the attacker that is hard for us to undo. So if there's an advantage for the attacker and it's hard to undo, I'm wondering what your opinions are and how this affects us personally, listeners personally. How is it affecting our politics?

Bruce Schneier (28:34):
Well, largely it isn't, and it's interesting that in most countries, I think Canada, United States, this doesn't become a campaign issue. Like, I have never seen a US presidential candidate answer a question about cybersecurity in a debate. We're seeing AI come up, which is kind of interesting, but not

(28:55):
cybersecurity, even though it really is national security. I think for most of us, we get the security we are given. So you have a phone in your pocket, it's likely an iPhone or an Android, and Apple and Google have built a lot of cybersecurity into that object and you largely don't pay attention to it, but it works really well.

(29:17):
You have a laptop Remember, 10 is Microsoft. It could also be Apple. There, too, there's a bunch of security built in. Sometimes our defaults aren't great. We learned that our cars are now computers with four wheels and an engine, and the security of them is not great. There's also a lot of eavesdropping that happens from

(29:38):
the companies that we interact with. Facebook's business model is spying on you. United States is going all crazy about TikTok, but it's nothing Facebook doesn't do, and so we have a. I want to say this we interact with these systems at a daily

(30:03):
basis, constantly, in very intimate ways. We largely ignore the security of. That's not great, but it's not terrible. You know your money is still in your bank, even though you know banking websites can be insecure. You likely haven't had your email taken over, your accounts

(30:24):
compromised, but you know, sometimes it does happen and there are lots of stories of people getting victimized.

Takara Small (30:32):
Do you think we, general public, are sufficiently concerned as a society? I mean, you mentioned the fact that people engage and interact with so many types of technology these days, cars, as you mentioned as an example. Do you feel it's something that people should care more about?

Bruce Schneier (30:51):
No, yes and no, so I don't need people to be experts in this. I think one of the benefits of society as a whole is that you don't have to be an expert in things to use them safely. Now I happened to fly in an airplane earlier this week. I know nothing about airplane maintenance and airplane safety and crew training and all of those things, yet there is a US

(31:16):
government agency that takes care of that for me and I could get on that plane confident that the plane is well-maintained, the pilot's well-trained and well-rested and I'll get to my destination mostly on time. I could walk into a restaurant knowing nothing about food safety and eat a meal that won't make me sick. We expect that in all of our things.

(31:40):
So I don't want people listening to need to be computer security experts to use these devices. I want them to know that they are not getting the same level of government protection as they are with airplanes or restaurants or consumer goods, that these devices, these

(32:05):
systems, this software are less secure than you think they are, because the regulation, certainly in our countries, is less than people think it is.

Takara Small (32:17):
And why do you think this type of security differs so greatly based on, to be specific, Western countries? So, for instance, obviously the EU has GDPR. In Canada and the US, there are constantly discussions about pushing and enacting and adopting privacy, data cybersecurity legislation, but we just haven't seemed to pull

(32:41):
the trigger. We haven't gotten there. Why do you think there's this huge, vast difference?

Bruce Schneier (32:48):
I understand Canadian politics less well, even though my partner is Canadian, but in Europe they are much more willing to regulate corporations. In the United States you don't get laws passed that the money doesn't agree to and the money, which is mostly corporate money, doesn't want to be regulated. So we don't have comprehensive private regulations.

(33:10):
You in Canada have privacy commissioners, you have provincial privacy commissioners, you have a national privacy commissioner and most European countries do. We do not in the United States. So that's the reason we don't have it here. While you don't have it. You got to figure that out.

Takara Small (33:30):
Is the West, specifically Canada and the US, ready? Prepared for what's to come? Because in the media we're always hearing about how it's the West versus China and how we have to keep pace and innovate when it comes to cybersecurity, data privacy, innovation in this space.

Bruce Schneier (33:49):
You know. So a lot of that US-China arms race narrative, I think, is pushed forward by industry, and it's not keep pace in privacy, it's not keep pace in security, it's keep pace in lack of privacy. It's keep pace in spying on people. The narrative you hear is China spies on its users, so we have to, otherwise they're going to win the AI arms race.

(34:10):
That's the narrative. The narrative is put forward by the tech billionaires. They make money off spying on us. They want to be able to innovate without any regulation, because they want to convince you that if they don't, China will win some hypothetical race. That is not the way the world works, and so I mean I really

(34:34):
want to put that to bed. There certainly is this battle in cyberspace over critical infrastructure. So we know in the United States that China, Russia, to a lesser extent, Iran, are infiltrating our critical infrastructure. So the power plants, water treatment plants, and they are

(34:55):
there lying in wait, because no point in eavesdropping on this stuff, to disrupt things in the event of global hostilities. The idea is that they would make us turn inward. Nobody cares if China invades Taiwan, if our power is not working. We're too busy dealing with our own problems. That is the thought and that's real, and I think we are not

(35:19):
prepared. President Biden has tried to do what he could via executive order, but here again the infrastructure is in private hands and it's going to cost people money to make that more secure and Congress isn't willing to appropriate that money or to regulate those industries. So we are vulnerable and I think we do care but we're not

(35:43):
doing anything about it.

Takara Small (35:45):
So what would it take to get us ready? I mean, you mentioned that a lot of this capacity right now is in the private sector. Would that change if this was a public service? Good, a public service necessity.

Bruce Schneier (35:59):
I don't know. I mean I don't think we can, like you know, completely rewrite our an economic political system here. I think we need regulation, like other industries have. It really is the fact that the computer industry has been unregulated for so many decades, which has been super fun but is

(36:19):
kind of untenable. Today we're seeing some of it as computers go into your cars. Cars are already regulated and as they go into medical devices or devices that involve food production or children's toys. These are areas where regulation exists and is pretty robust, but largely it's still an unregulated space, which is

(36:42):
why companies like Facebook could damage democracy and they get yelled at but nothing happens.

Takara Small (36:51):
That was Bruce Schneier. We'll be hearing more from both David and Bruce later in the series. Next week we'll be looking at your personal cybersecurity and getting some advice on how you can avoid getting scammed and staying safe online. He said I make $10,000 a month selling people's TikTok accounts.

(37:11):
You can have it back for $850. So he's basically trying to hold it ransom. I suppose make some money off of it. That's next time. We also want to hear your stories about cybersecurity. You can reach me online at Takara Small on Twitter and Instagram, or you can email the show at podcast@cira.ca. That's podcast at C-I-R-A dot C-A.

(37:34):
If you're enjoying the show, then leave us a review on Spotify and Apple Podcasts. It really helps other people find us, so we'd appreciate it so much. If you have any questions or want to learn more about cybersecurity in Canada, you can visit cira.ca/cybersecurity. Thanks for listening and we'll see you again next week.