September 26, 2024 • 32 mins
We're exploring the relationship between cybersecurity and national security—with a spotlight on recent cyber threats in Canada. We welcome guest Aaron Shull, Managing Director and General Counsel at CIGI, to share insight into Canada's election security, highlighting the resilience of our paper-backed ballot system. Next, we turn our attention to the increasingly prevalent cyber attacks on political campaigns and party infrastructures. We also delve into the risks associated with emerging AI technologies, emphasizing the urgent need for strategic governance to prevent their misuse.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:03):
It's the year 2008, and a Dutch engineer named Erik
van Saben is on a vacation tosee his wife's family in Iran.
Now Erik has something specialwith him A computer file not
much more than one megabyte insize.
In size, he makes a diversionto an Iranian nuclear facility
(00:29):
and uploads the file, changingthe face of warfare forever.
Speaker 2 (00:31):
We have entered into a new phase of conflict, in
which we use a cyber weapon tocreate physical destruction.
Speaker 1 (00:39):
Eric Van Saben was introducing a new cyber weapon
that became known as Stuxnet.
It was a computer worm thatsubtly interfered with settings
in the nuclear facility,crashing its technology over
years.
But staying hidden.
Stuxnet had been developed bythe US government to sabotage
(01:00):
Iran's development of nuclearweapons.
In terms of cyber weapons, thiswas the equivalent of the moon
landing, and when finallyrevealed years later, it stunned
the world, offering an insightinto the future of war,
terrorism and geopolitics.
Speaker 3 (01:19):
First sign of World War III is gonna be that your
lights are gonna turn off andyour water's gonna stop working.
Speaker 1 (01:24):
Hackers now have the ability to cause physical damage
to critical infrastructure, aswell as interfering in elections
.
So today, on what's Up with theInternet, we want to look at
the way cybersecurity isimpacting politics, both
nationally and globally.
Both nationally and globally,this show is created by CIRA,
(01:45):
the Canadian InternetRegistration Authority, which is
building a trusted internet forCanadians, and I'm your host,
takara Small.
This is an issue that isalready impacting Canadians.
Last year, hackers in Indiadisabled government websites,
(02:06):
all in retaliation after PrimeMinister Trudeau accused India
of being involved in a murder inBC.
It was a relatively smallincident, but it demonstrated
how political decisions can leadto cyber attacks here.
The government's baseline cyberthreat assessment last year
also held this message.
(02:27):
The center is warning Canadiansthat cyber criminals will
likely target Canada's nationalsecurity and economic prosperity
within the next two years.
Many experts believe dormantmalware could already be
embedded in parts of ourinfrastructure, just waiting to
be activated by an enemy in theevent a conflict breaks out.
(02:49):
In fact, leaked US intelligencedocuments last year said that
Russian-backed hackers havegained access to Canada's
natural gas distribution network, and Russian hackers have
promised to attack countriesthat provide support to Ukraine
in the ongoing war.
So what is the current state ofplay when cybersecurity
(03:12):
intersects with nationalsecurity?
To discuss all of this, we'vegot a really great guest.
Aaron Schull is the ManagingDirector and General Counsel at
CIGI, that's the Centre forInternational Governance and
Innovation in Waterloo, ontario.
Aaron is a senior legalexecutive and is a leading
(03:34):
expert on public policy,emerging technology and cyber
security.
Can you explain the ways inwhich cyber security can impact
or threaten our politics inCanada?
Speaker 3 (03:46):
Yeah, sure, I mean, there's actually a lot going on
in that question.
It sounds kind of simple, butthere's a couple of pieces.
And you know it's hard becauseyou're living in Canada.
But a lot of our news comesfrom the US and so we tend to, I
think, infuse our understandingof elections and cybersecurity
(04:07):
with stuff that we're seeing inthe US, and the biggest thing
that we saw down there was the,let's say, attacks on Dominion
voting systems.
You know, fox News got sued tothe tune of about a billion
dollars as a consequence ofdefamation about those voting
systems, and so, you know, evensome of former President Trump's
(04:30):
lawyers were making prettyoutlandish claims about.
You know, hugo Chavez, you know, doing the source code or
whatever for Dominion Systemslike a whole bunch of just
nonsense, right.
And so I'm going to answer thequestion as it relates to Canada
.
But I don't think we can divorceour public understanding of
what's going on in Canadawithout a little bit of you know
(04:52):
pepper from the United States.
So, with that giant footnote atthe front end, you know, canada
, we have a paper backed ballot,and I have yet to see a hacker
that can, that can hack a pieceof paper, right, like it just so
like that.
That is the starting point,right, like all in in federal
elections, we've got a paperbackballot system.
In the next election, you willwalk into a booth and you will,
(05:16):
you will take a pencil and youwill put your vote on that piece
of paper and and then they gothrough a Scantron.
The same way, as you know,every single undergraduate exam
in the country, they go througha scantron to count them.
But if you want to count themby hand, it's possible, right,
and so all that to say,cybersecurity threatening the
(05:37):
actual voting process in Canadais unlikely by virtue of that
paperback ballot.
That being said, there's a lotof other stuff going on here,
right, and so the big one isgonna be cyber attacks on
political campaigns andpolitical party infrastructure.
That's a live issue, right, andso the big thing there is gonna
(05:58):
be potential breaches of senseof political communications, and
so we saw this a little bit inwhen it kind of started in 2016.
The Secretary Clinton'scampaign manager was this guy
named John Podesta.
The Russians hacked JohnPodesta's emails and started
(06:18):
leaking sensitive orembarrassing stuff, and then
that can be used to manipulatepublic opinion through social
media and other outreach.
And so, while our electioninfrastructure itself is safe
because of that paperback ballot.
I would expect that if we'retalking about cybersecurity and
politics, it's going to beprincipally attacks on political
(06:41):
campaigns and partyinfrastructure, and then the
misinformation or disinformationmachine that spins up once
they've got access to sensitivepolitical communications or
internal emails.
Speaker 1 (06:53):
Okay.
So now it feels like this is athreat not just to the Canadian
political system, but nationallyand internationally as well.
At the same time, Is this goingto continue to grow?
I can only imagine what thenext five, 10 years will be like
then.
Speaker 3 (07:09):
Yeah, yeah, I mean.
So think about it like this,right, like what's the point of
attacking elections to beginwith?
Right, like so, because youknow someone's doing this.
It's not like it's not ethereal, right, it's not a state of
nature, like someone's actuallytaking a positive action here to
try and do this stuff.
And I think, if you're a hostilestate actor, they're looking at
(07:30):
a couple of things, right.
The big piece is they want toerode public trust and electoral
processes, right and so, andpotentially like, sometimes
that's just enough, right, throwin a Molotov cocktail and watch
it burn.
Right, so, just to mess withdemocracy.
But you know there can bepreferential outcomes, and so
(07:53):
you can think that they mightwish to influence the election
outcome or create politicalinstability and uncertainty or
damage the reputations ofpolitical figures and
institutions.
So I think that's going to beon the rise for a few different
reasons.
The first is relations withcertain hostile state actors are
(08:14):
not great, right and so, justlooking at the trend lines, if
this was something that theyprosecuted in previous elections
, it's not like relations havegotten much better, and so I
would expect it to continue forthat reason.
The second is, we haven'treally been very good at
consequences.
Right, if someone messes withour elections, there should be a
(08:36):
bill for doing that, and wejust haven't really got our act
together when it comes tomeeting out meaningful
consequences for that kind ofstuff.
And the third is that we'realso hooking everything we
possibly can up to the internet,right, and so there's just more
stuff to attack, right, there'smore information to get your
hands on, there's moremechanisms to distribute that
(08:59):
content, and so the trend linesin my mind don't look great here
.
So I guess the short answer toyour question is yeah, I would.
I would expect this to getworse over the near and medium
term, for sure.
Speaker 1 (09:14):
I would also assume there's some level of difficulty
, because it can be very hard toidentify hackers, right?
I mean, there's this element ofplausible deniability from
state, from government, fromother actors.
So how much confusion does thatadd to the mix as well?
Speaker 3 (09:31):
Yeah, no for sure.
So I mean there's a couple ofthings going on here, right.
So it creates confusion and itundermines accountability.
There's difficulties inattributing attacks, and so you
don't really know who it camefrom and maybe you don't trust
(09:51):
attributions, and that in and ofitself can lead to political
and social instability.
I wrote a book chapter on thisabout, oh God, I don't know, 10
years ago or something like that, and I wrote on attribution of
cyber attacks, and the argumentthat I made there is that
there's actually three thingsgoing on when you're talking
about attributing a cyber attack.
(10:12):
It's a technical calculation,right, like the ones and zeros
and where they came from.
It's a legal consideration, butit's also a political
calculation too, right.
So it's not just technical,it's not just legal, but there's
also politics that go into it,and so determining when you
(10:33):
attribute, when you don't, andto whom and on what basis, and
what evidence that you use tomake a public attribution
there's all sorts ofconsiderations that go into that
kind of stuff.
And so, yeah, just to say thatit's not simply a matter of
figuring out whodunit, butthere's even if you can get to
the whodunit piece, there'sstill other stuff you're going
(10:54):
to want to think about on top ofit, so that just to say that
you know it yeah for sure, likenot knowing who did it can can
create confusion.
It can undermine accountability.
It's certainly difficult toattribute attacks as a technical
matter, and this can create awhole bunch of problems for you.
Speaker 1 (11:14):
But even if you get over the technical hurdle,
there's still other stuff goingon there too I'm wondering,
globally, if there is agovernment or a country that is
really active in terms of cybersecurity.
You know attacks andinterference because we hear a
lot about it on the news.
You know we're always hearingabout certain governments or
entities, um, but is thataccurate?
(11:37):
Are we getting an outside senseof how much they're actually
doing, and is it reasonable forthe average person to be worried
about this?
Speaker 3 (11:47):
Yeah, I mean.
So maybe I'll just take yourquestion head on China, Russia,
iran, your question head onChina, russia, iran and North
Korea.
They're the ones that are mostactive and, for what it's worth,
for your audience, I'm notsecurity cleared, I'm just some
guy right.
So I'm reading the same stuffthat you are.
(12:11):
But the point is is based onall publicly available
information coming out of theintelligence services.
That's what's going on here,and these are concerns that are
well-founded and they're basedon historical patterns of
attacks and there's ongoingmonitoring and intelligence to
support these concerns.
But there may be within yourquestion there was a, should
people be concerned?
You know, yeah, I would say so,but it's maybe a little bit
(12:34):
different.
So we're talking about majorstate actors using advanced
cyber let's call them cyberweapons for the purposes of our
conversation.
It is unlikely that a majorstate actor is going to use
their best stuff to get to anormal person right, like
they're not going to use whatthey call zero day exploits or
(12:55):
any of that type of stuff, butwhat we are seeing is state
actors and proxies of statesdoing the malware stuff to get
some dough right.
So it's actually, like you know, I used to say, like no
self-respecting state actorwould ever go after an
individual.
Well, maybe some of these stateactors aren't self-respecting,
(13:16):
but the broad point being isthat they see malware as an
economic vehicle.
And so, yeah, I mean, you won'tsee a sophisticated state actor
using their best cyber exploitson an individual, but you can
see a relationship between themand organized crime that are
(13:36):
doing the malware stuff, that's,you know, taking hospitals and
schools and companies ransom andthat is just a smash and grab
straight up kind of cash powerplay.
Speaker 1 (13:47):
You know, there are a lot of really important
elections that are coming upthis year, for instance the US,
the UK, which is also quiteimportant, but Canada as well in
the coming year.
I'm just wondering what rolecybersecurity and this political
interference will have on it.
Speaker 3 (14:05):
Yeah, I mean it's a good question and it's a bit
tough to answer because it'ssomewhat speculative.
But I would say that whenCanadians are thinking about
whom to vote for, cyber securityand national security is not
top of top of mind as a ballotbox issue.
(14:26):
Like you know, people arethinking about the price of
groceries, taxes like that kindof stuff.
Like it's just it's a rareoccurrence that this type of
thing would capture the publicattention in a way that it makes
it something of fundamentalimport for an election.
So I would say, maybe that'spart of it.
(14:49):
But I mean, I think peopleshould take it a little bit more
seriously because and it's notjust individuals, right, like I
think we all know people whohave now been hacked or suffered
a ransomware breach orsomething like that but like,
what's going on right now isthat critical infrastructure in
Canada is being compromised,compromised.
(15:12):
So the bad guys are doingsomething called pre-positioning
, which is where they they putmalicious.
Yeah, but let me tell you, likethis is not great.
They're putting malicious codeon our critical infrastructure
and they're not using it yet.
But the idea is that if we endup in a conflict or they want to
exert pressure, they canactivate that stuff, and so I
(15:35):
don't want to be too depressingabout it, but the first sign of
World War III is going to bethat your lights are going to
turn off and your water's goingto stop working.
Oh my gosh, right.
And so when I'm thinking aboutthis stuff, people should care
about it.
Government databases andcommunication networks,
financial institutions, keyeconomic sectors like ports so
(15:59):
this is like we have people, somaybe I'll turn it on its head
and say people care about theeconomy.
The economy is top of the mindat the ballot box.
Everyone knows it.
It's everything from, like Isaid, the price of groceries to
the price of gas, to jobs, toinflation, to fiscal and
monetary policy all the stuff,right, people care about that,
(16:21):
people vote on that.
Well, we have a digital economy,right?
Like I said earlier, we'vehooked everything we possibly
could up to the internet, and sowe have to protect it.
And so, while cybersecuritymight not be top of mind for
Canadians, everything that theydo in their day is enabled by
this digital infrastructure, andwe're just talking about
(16:41):
protecting it.
And so I would just I wouldencourage, to the extent that we
can, to have people pay alittle bit more attention and to
have political parties take aposition on some of this type of
stuff.
Like I don't think this is thetype of area where the ostrich
maneuver of just putting yourhead in the sand will work.
I think we should all be allpolitical parties should be
(17:01):
asked to say something aboutthis.
Speaker 1 (17:05):
And that brings me to my next question, which is, you
know, wondering what extent hasmodern warfare moved out of the
trenches and into the digitalworld?
Speaker 3 (17:16):
Well, so here's an interesting thing, right, like,
so we always we talk aboutwarfare and it's a bit hard
because, like, and I understandwhy we do it, but when you think
about war and like, there's ananswer in this.
But I'll just have to wind upfor a second here.
I'm an international lawyer.
I'm an international lawyer bytraining, right, and when we're
(17:39):
talking about this type of stuff, we start from the UN Charter,
which says that there's aprohibition on the use of force.
So in the United Nations, thebiggest rule of all the rules is
you can't use force.
That's what it says, quote, useforce.
And then you're allowed todefend yourself if quote an
(18:01):
armed attack occurs.
So that's the status ofinternational law.
And you think, well, geez, like, is a cyber attack a use of
force?
Like that law was written in1945, like before there was
computers.
And so I'm saying, like is, isthat war?
Is it a use of force?
Is it an armed attack?
(18:22):
Like.
And so it makes it a little bitcomplicated when we're talking
about.
You know, to the extent thatthat that modern warfare has
changed, because when we wrotethe rules surrounding this stuff
, cyber was never contemplated,because it wasn't a thing.
But I say that to say this yeahfor sure, there's actively
(18:44):
hostile cyber operationshappening all the time, and
there's lower level stuff, andthen there's some real
sophisticated stuff, and theexample I'll give you of the
real sophisticated stuff iscalled Stuxnet, and I don't know
why they come up with theselike nifty names for all these
cyber things.
But anyway, stuxnet.
What happened there was theIsraelis and the Americans
(19:06):
wanted to delay Iran's nuclearprogram and so, as part of their
military strategy, theydeployed malicious software that
basically crawled around theinternet and it was looking for
two things.
It was looking for what'scalled a SCADA.
It's an industrial controlcomputer.
(19:28):
It was looking for thisparticular computer hooked up to
centrifuges, and it wascrawling around the internet
looking for this Iran'scentrifuge program where they
spin.
The uranium was air-gapped, soit wasn't even hooked up to the
internet, but I gather whathappened is that somebody was
using a flash drive at home andbrought it in and then it was
(19:51):
able to jump the air gap.
And then what this piece ofsoftware did like this is wild.
It sat and it watched Iran'snuclear program, it watched the
centrifuges and it looked atwhat normal operations looked
like, and then it went in and itstarted over spinning the
centrifuges and under spinningthem, but telling the control
systems that everything was justfine.
(20:12):
And so all these centrifugeswere destroyed as a consequence
of this software.
And so here's the interestingquestion is so those physical
centrifuges were destroyed inlike actual real world damage.
Had we used a missile, it wouldhave been clear like that's this
is.
We're in an armed conflict.
Now, right, but because we usecomputer code, was that an armed
(20:36):
attack?
Like, was it a use of force?
And so you know, we're at thisplace where all this stuff is
happening, but we're stillstruggling a little bit because
theant use of malicious cybertools against us and against
(21:01):
others, and we are in a placewhere we can do physical damage
in the real world with nothingbut computer code.
But the rules themselves arestill somewhat opaque and I
think part of our work will beto clean that up, just so that
you know what the speed limit ison the road and where the
center line is.
Speaker 1 (21:23):
So do we need new agreed terms for cyber war?
And I'm just thinking as anexample.
You know, during the Cold Warand after there were nuclear
arms race treaties that wentinto effect that were reached.
Are we at a point in time wherewe need to rethink what rules
already exist and how they applyto cyber warfare?
Speaker 3 (21:43):
Yeah, I mean, I think it would just be good to know
exactly what the red line isright Like, because you don't
want to bump into itaccidentally.
But the problem we're going torun into is that cyber weapons
and I'll use that term looselyhere, cyber weapons have three
characteristics that no otherweapon system on Earth shares.
The first is that they'redeveloped completely in secret.
(22:04):
The second is that they'redeployed in secret, and the
third is that the doctrinesurrounding their use is secret,
like there's no way to deploy anuclear bomb secretly.
Right Like, once you do that,like people know about it.
Right Like, once you do thatlike people know about it, and
so.
So this, this weapon system,doesn't lend itself well to that
kind of that conversation aboutclarity and red lines, because
(22:27):
everyone is developing theirstuff secretly and they're using
it against each other andthey're trying purposely to
obfuscate the source, like wetalked about earlier about
attribution, like one of thereason that attribution is hard
is because the people doing itwant to make it hard.
Right, like they're not.
Like you know, they're notleaving calling cards, and so
you know I I just in my mind,the the biggest, the biggest
(22:50):
thing would be just to clarifywhere the red lines are so that
you know, so that you don't tripover it by accident, right like
.
It could very well be thattaking down the Canadian power
grid as a member of NATO is whatthey call Article 5, meaning
that there's a collectiveresponse as a consequence of
that.
But you might wish to becrystal clear about that, and
(23:14):
just so that everyone knowswhere the center line on the
road is.
Speaker 1 (23:18):
Are we anywhere close to international bodies, to
governments, actually agreeingto terms when it comes to cyber
warfare?
I know that you have individualnations and their leaders
talking about cyber attacks andstate-sponsored attacks, but are
governments in any place toagree to internationally
(23:42):
recognized laws?
Speaker 3 (23:45):
No, not really.
I mean, like there'sconversations at the UN about
what like responsible practicesare in cyberspace and all that
type of stuff and, to be fair tothem, like they have moved the
conversation and it is gettingmore and more developed all the
time, and so kudos to mycolleagues that are doing that.
But the problem is, like youknow, states reflect the
(24:08):
geopolitical realities that theyexist in right, and so strong
states will interpret existingrules in a manner that befits
their geostrategic interest.
They will also seek to push newrules in a manner that befits
their geostrategic interest.
They will also seek to push newrules in a manner that befits
their geostrategic interest.
And what's happening right nowis that I think many states like
(24:31):
the flexibility to use cybercapabilities, right, and so they
don't necessarily want toconstrain that, and so that's
kind of point number one.
Point number two is thatthere's just such a huge
division at the UN right now,Like that crew could not pass a
non-binding resolution thatapple pie and ice cream go well
(24:51):
together, Like they just it'stoo divisive, right, and so yeah
, so I just don't, I doubt it,I'd love to see it, but I just
I'm not holding my breath.
Speaker 1 (25:00):
I'm wondering what your thoughts are on the
capability for individuals to dogreat harm with some of the
resources that are createdthrough state entities.
So, for instance, if I happento be working on a nuclear
weapon for a government, it'd bevery challenging for me to take
home and use that specificweapon for myself.
(25:24):
But since you've mentionedbefore how code can easily be
adapted and used, sometimes foreconomic reasons, by proxies, is
there any worry that possibly arogue hacker could get their
hands on you know malicious codethat's been developed by
government entities and use itfor themselves, or maybe a gang
(25:46):
or other?
Speaker 3 (25:50):
Yeah, I mean, it's highly portable and replicable,
right?
So that's point number one.
Point number two is I'm notworried about someone stealing
it from a government.
I'm worried about thegovernment giving it to them and
asking them to do stuff.
Like I'm looking at you, russia, and so it is completely
foreseeable that there's goingto be more activity of what they
(26:11):
call state proxies.
So they're not part of theRussian government or they're
not part of the Chinesegovernment, but they're working
for them on the sly, and so yeahfor sure, that kind of stuff,
absolutely.
But the other kicker here isthat it's not hard now with
generative AI.
The other totally foreseeableset of circumstances that's
(26:33):
emerging is that people use likeanybody uses generative AI to
develop either cyber exploits inthe traditional sense or more
sophisticated informationcampaigns.
You know, and you don't evenneed a computer science degree
now to code, because you canjust ask ChatGPT to do it for
(26:54):
you.
So, again, all that to say likethe trend line here is probably
going in the wrong direction,and that's just something that
we're going to need to factorinto our strategy.
Speaker 1 (27:06):
I mean we're into James Bond territory here.
You know, like we're slowlyveering into the world of
tuxedos and shaken not stirredmartini glasses.
So you know, if there is.
You mentioned ChatGPT, thecapability for someone to use
generative AI.
As you mentioned ChatGPT thecapability for someone to use
generative AI for nefariousreasons to do much damage
(27:26):
increases.
Is there any caps then that youthink should be required on
this type of new AI that isreally growing at a rapid pace?
Speaker 3 (27:36):
Yeah, I mean.
So maybe a quick point on themartini.
You always want to stir yourmartini.
If you shake it, all the icebreaks and chips off and you
just end up with a weak martini.
So uh, uh with all, with all duedeference yeah, with all due
deference to mr bond, he gotthat wrong.
But, um, yeah, no, like we're,we have to.
We have to get our hands on onon generative ai like, and it's
(27:58):
not just for cyber stuff, butthere's um, there's a, there's a
storm storm coming here, andhow we choose to govern or not,
this technology will define theway that people live generations
from now and so.
But it's a little bit hardbecause in some ways, you're
asking policy makers to predictthe unpredictable Right, like if
we were having thisconversation 24 months ago and I
(28:20):
said to you hey, listen, I'vegot this cool tool.
You can just put in a couplewords and it can write a full
essay for you.
That sounds great.
Or it can make any pictures ofanything you want, or it can
create a movie about anythingthat you want.
It could do it in any language.
It takes two seconds and it'llcost you 20 bucks a month.
You would have thought I was outof my mind.
Like that conversation.
(28:40):
I would have been.
You would have thought I wasout of my mind.
Like that conversation.
I would have beenindistinguishable from magic two
years ago.
And here we are.
And so, yeah, like it's for me,it's not just cyber stuff.
I'm just like if we're going toconstrain the conversation to
the security side of the shop,this will turbocharge everything
bad.
That we've already seen in ahuge way, and so I think we need
(29:07):
to be realistic about that.
Whether or not that leads tosome form of international
regulation, it's tough to say,because there's so much
advantage in kind of the movefast, break stuff thing Like
here's a good example for you,right, like again, looking at
people's interests, there's abig fight going on right now
with the New York Times andOpenAI on copyright.
(29:28):
Right, they're like well, youknow the New York.
Speaker 1 (29:31):
Times and six other papers have joined.
Speaker 3 (29:32):
Yeah, yeah, right, so exactly.
And so I talk to people aboutit and they're like well, you
know, and I'm you know, like Isaid, I'm a lawyer, so I know a
thing or two about this stuff.
And they're like well, you know, is it just training it, like
because some people, you knowpeople can read textbooks and be
trained and that's not aninfringement of copyright.
Or is it actually like stealingthe text and modifying it, in
(29:54):
which case it could bederivative work or it could be
some other form of copyrightbreach?
And I'm like what if the answeris who cares?
And everyone's like, oh, like,what do you?
What do you mean?
And I'm like what if the answerit's a calculated risk, but the
answer is who cares?
So this thing, what, however, itgoes with the new york times at
all won't be resolved for, likeI don't know, three, four, five
(30:16):
years.
Yeah right, open ai will havecornered and dominated the ai
market by then and so.
And then it's like well, what?
What the New York Times gets atthe end of it is probably, if
they win damages, they'll get acheck, they'll get some money.
Well, open AI will havedominated the AI market.
They will have been built intoMicrosoft, they'll be built into
(30:41):
everything, they'll be in thevery fabric and DNA of digital
society and the digital economyand they'll be making dough, and
so it could very well be thatthe answer to that question is
who cares?
All that to say, like this is afundamental shift, and we're
just not there yet.
Like, and I mean maybe part ofit is that policymakers are
(31:03):
still getting their head aroundwhat this stuff is.
Part of it is that we don'treally know where it's going to
go, and part of it is thatthere's large incumbent players
that are parked on this space,that are going to, that are
going to throw their weightaround against regulation.
Right, this is?
This is old wine and newbottles.
Speaker 1 (31:18):
This is like you know this is early days of Facebook
type stuff, but that's kind ofwhere we're at, amazing.
Well, thank you for breakingall of that down, giving me new
nightmares.
Speaker 3 (31:28):
Yeah, I'm sorry about that.
Speaker 1 (31:31):
But no, nonetheless, this has been so incredibly,
it's been an incredibly greatchat, so thank you so much.
Speaker 3 (31:39):
All good, my pleasure .
It was great chatting with you.
Speaker 1 (31:41):
And that was Aaron Schull from CG.
Aaron talked about thechallenges of legislating at the
end there and that's going tobe the focus of our next episode
.
Yes, we're going to be lookingat what the Canadian government
is doing to combat everythingwe've talked about so far in
this series and where it'ssometimes falling short.
Speaker 2 (32:02):
We still have a federal government where we are
castle and moat, and so they areconcerned with protecting the
castle, without realizing thatthe castle lives off the
proceeds of the village, thatthey will starve to death
without the rest of us, and weare getting pillaged by the
cyber Vikings left, right andcenter.
Speaker 1 (32:21):
We'll hear more from Aaron, as well as some other
guests, from throughout theseries.
That's next week.
And remember if you have anyquestions or want to learn more
about cybersecurity in Canada,you can visit siraca slash
cybersecurity.
Please join us again next timeand thanks for listening you.
It's the year 2008, and a Dutch engineer named Erik
van Saben is on a vacation tosee his wife's family in Iran.
Now Erik has something specialwith him A computer file not
much more than one megabyte insize.
In size, he makes a diversionto an Iranian nuclear facility
(00:29):
and uploads the file, changingthe face of warfare forever.
Speaker 2 (00:31):
We have entered into a new phase of conflict, in
which we use a cyber weapon tocreate physical destruction.
Speaker 1 (00:39):
Eric Van Saben was introducing a new cyber weapon
that became known as Stuxnet.
It was a computer worm thatsubtly interfered with settings
in the nuclear facility,crashing its technology over
years.
But staying hidden.
Stuxnet had been developed bythe US government to sabotage
(01:00):
Iran's development of nuclearweapons.
In terms of cyber weapons, thiswas the equivalent of the moon
landing, and when finallyrevealed years later, it stunned
the world, offering an insightinto the future of war,
terrorism and geopolitics.
Speaker 3 (01:19):
First sign of World War III is gonna be that your
lights are gonna turn off andyour water's gonna stop working.
Speaker 1 (01:24):
Hackers now have the ability to cause physical damage
to critical infrastructure, aswell as interfering in elections
.
So today, on what's Up with theInternet, we want to look at
the way cybersecurity isimpacting politics, both
nationally and globally.
Both nationally and globally,this show is created by CIRA,
(01:45):
the Canadian InternetRegistration Authority, which is
building a trusted internet forCanadians, and I'm your host,
takara Small.
This is an issue that isalready impacting Canadians.
Last year, hackers in Indiadisabled government websites,
(02:06):
all in retaliation after PrimeMinister Trudeau accused India
of being involved in a murder inBC.
It was a relatively smallincident, but it demonstrated
how political decisions can leadto cyber attacks here.
The government's baseline cyberthreat assessment last year
also held this message.
(02:27):
The center is warning Canadiansthat cyber criminals will
likely target Canada's nationalsecurity and economic prosperity
within the next two years.
Many experts believe dormantmalware could already be
embedded in parts of ourinfrastructure, just waiting to
be activated by an enemy in theevent a conflict breaks out.
(02:49):
In fact, leaked US intelligencedocuments last year said that
Russian-backed hackers havegained access to Canada's
natural gas distribution network, and Russian hackers have
promised to attack countriesthat provide support to Ukraine
in the ongoing war.
So what is the current state ofplay when cybersecurity
(03:12):
intersects with nationalsecurity?
To discuss all of this, we'vegot a really great guest.
Aaron Schull is the ManagingDirector and General Counsel at
CIGI, that's the Centre forInternational Governance and
Innovation in Waterloo, ontario.
Aaron is a senior legalexecutive and is a leading
(03:34):
expert on public policy,emerging technology and cyber
security.
Can you explain the ways inwhich cyber security can impact
or threaten our politics inCanada?
Speaker 3 (03:46):
Yeah, sure, I mean, there's actually a lot going on
in that question.
It sounds kind of simple, butthere's a couple of pieces.
And you know it's hard becauseyou're living in Canada.
But a lot of our news comesfrom the US and so we tend to, I
think, infuse our understandingof elections and cybersecurity
(04:07):
with stuff that we're seeing inthe US, and the biggest thing
that we saw down there was the,let's say, attacks on Dominion
voting systems.
You know, fox News got sued tothe tune of about a billion
dollars as a consequence ofdefamation about those voting
systems, and so, you know, evensome of former President Trump's
(04:30):
lawyers were making prettyoutlandish claims about.
You know, hugo Chavez, you know, doing the source code or
whatever for Dominion Systemslike a whole bunch of just
nonsense, right.
And so I'm going to answer thequestion as it relates to Canada
.
But I don't think we can divorceour public understanding of
what's going on in Canadawithout a little bit of you know
(04:52):
pepper from the United States.
So, with that giant footnote atthe front end, you know, canada
, we have a paper backed ballot,and I have yet to see a hacker
that can, that can hack a pieceof paper, right, like it just so
like that.
That is the starting point,right, like all in in federal
elections, we've got a paperbackballot system.
In the next election, you willwalk into a booth and you will,
(05:16):
you will take a pencil and youwill put your vote on that piece
of paper and and then they gothrough a Scantron.
The same way, as you know,every single undergraduate exam
in the country, they go througha scantron to count them.
But if you want to count themby hand, it's possible, right,
and so all that to say,cybersecurity threatening the
(05:37):
actual voting process in Canadais unlikely by virtue of that
paperback ballot.
That being said, there's a lotof other stuff going on here,
right, and so the big one isgonna be cyber attacks on
political campaigns andpolitical party infrastructure.
That's a live issue, right, andso the big thing there is gonna
(05:58):
be potential breaches of senseof political communications, and
so we saw this a little bit inwhen it kind of started in 2016.
The Secretary Clinton'scampaign manager was this guy
named John Podesta.
The Russians hacked JohnPodesta's emails and started
(06:18):
leaking sensitive orembarrassing stuff, and then
that can be used to manipulatepublic opinion through social
media and other outreach.
And so, while our electioninfrastructure itself is safe
because of that paperback ballot.
I would expect that if we'retalking about cybersecurity and
politics, it's going to beprincipally attacks on political
(06:41):
campaigns and partyinfrastructure, and then the
misinformation or disinformationmachine that spins up once
they've got access to sensitivepolitical communications or
internal emails.
Speaker 1 (06:53):
Okay.
So now it feels like this is athreat not just to the Canadian
political system, but nationallyand internationally as well.
At the same time, Is this goingto continue to grow?
I can only imagine what thenext five, 10 years will be like
then.
Speaker 3 (07:09):
Yeah, yeah, I mean.
So think about it like this,right, like what's the point of
attacking elections to beginwith?
Right, like so, because youknow someone's doing this.
It's not like it's not ethereal, right, it's not a state of
nature, like someone's actuallytaking a positive action here to
try and do this stuff.
And I think, if you're a hostilestate actor, they're looking at
(07:30):
a couple of things, right.
The big piece is they want toerode public trust and electoral
processes, right and so, andpotentially like, sometimes
that's just enough, right, throwin a Molotov cocktail and watch
it burn.
Right, so, just to mess withdemocracy.
But you know there can bepreferential outcomes, and so
(07:53):
you can think that they mightwish to influence the election
outcome or create politicalinstability and uncertainty or
damage the reputations ofpolitical figures and
institutions.
So I think that's going to beon the rise for a few different
reasons.
The first is relations withcertain hostile state actors are
(08:14):
not great, right and so, justlooking at the trend lines, if
this was something that theyprosecuted in previous elections
, it's not like relations havegotten much better, and so I
would expect it to continue forthat reason.
The second is, we haven'treally been very good at
consequences.
Right, if someone messes withour elections, there should be a
(08:36):
bill for doing that, and wejust haven't really got our act
together when it comes tomeeting out meaningful
consequences for that kind ofstuff.
And the third is that we'realso hooking everything we
possibly can up to the internet,right, and so there's just more
stuff to attack, right, there'smore information to get your
hands on, there's moremechanisms to distribute that
(08:59):
content, and so the trend linesin my mind don't look great here
.
So I guess the short answer toyour question is yeah, I would.
I would expect this to getworse over the near and medium
term, for sure.
Speaker 1 (09:14):
I would also assume there's some level of difficulty
, because it can be very hard toidentify hackers, right?
I mean, there's this element ofplausible deniability from
state, from government, fromother actors.
So how much confusion does thatadd to the mix as well?
Speaker 3 (09:31):
Yeah, no for sure.
So I mean there's a couple ofthings going on here, right.
So it creates confusion and itundermines accountability.
There's difficulties inattributing attacks, and so you
don't really know who it camefrom and maybe you don't trust
(09:51):
attributions, and that in and ofitself can lead to political
and social instability.
I wrote a book chapter on thisabout, oh God, I don't know, 10
years ago or something like that, and I wrote on attribution of
cyber attacks, and the argumentthat I made there is that
there's actually three thingsgoing on when you're talking
about attributing a cyber attack.
(10:12):
It's a technical calculation,right, like the ones and zeros
and where they came from.
It's a legal consideration, butit's also a political
calculation too, right.
So it's not just technical,it's not just legal, but there's
also politics that go into it,and so determining when you
(10:33):
attribute, when you don't, andto whom and on what basis, and
what evidence that you use tomake a public attribution
there's all sorts ofconsiderations that go into that
kind of stuff.
And so, yeah, just to say thatit's not simply a matter of
figuring out whodunit, butthere's even if you can get to
the whodunit piece, there'sstill other stuff you're going
(10:54):
to want to think about on top ofit, so that just to say that
you know it yeah for sure, likenot knowing who did it can can
create confusion.
It can undermine accountability.
It's certainly difficult toattribute attacks as a technical
matter, and this can create awhole bunch of problems for you.
Speaker 1 (11:14):
But even if you get over the technical hurdle,
there's still other stuff goingon there too I'm wondering,
globally, if there is agovernment or a country that is
really active in terms of cybersecurity.
You know attacks andinterference because we hear a
lot about it on the news.
You know we're always hearingabout certain governments or
entities, um, but is thataccurate?
(11:37):
Are we getting an outside senseof how much they're actually
doing, and is it reasonable forthe average person to be worried
about this?
Speaker 3 (11:47):
Yeah, I mean.
So maybe I'll just take yourquestion head on China, Russia,
iran, your question head onChina, russia, iran and North
Korea.
They're the ones that are mostactive and, for what it's worth,
for your audience, I'm notsecurity cleared, I'm just some
guy right.
So I'm reading the same stuffthat you are.
(12:11):
But the point is is based onall publicly available
information coming out of theintelligence services.
That's what's going on here,and these are concerns that are
well-founded and they're basedon historical patterns of
attacks and there's ongoingmonitoring and intelligence to
support these concerns.
But there may be within yourquestion there was a, should
people be concerned?
You know, yeah, I would say so,but it's maybe a little bit
(12:34):
different.
So we're talking about majorstate actors using advanced
cyber let's call them cyberweapons for the purposes of our
conversation.
It is unlikely that a majorstate actor is going to use
their best stuff to get to anormal person right, like
they're not going to use whatthey call zero day exploits or
(12:55):
any of that type of stuff, butwhat we are seeing is state
actors and proxies of statesdoing the malware stuff to get
some dough right.
So it's actually, like you know, I used to say, like no
self-respecting state actorwould ever go after an
individual.
Well, maybe some of these stateactors aren't self-respecting,
(13:16):
but the broad point being isthat they see malware as an
economic vehicle.
And so, yeah, I mean, you won'tsee a sophisticated state actor
using their best cyber exploitson an individual, but you can
see a relationship between themand organized crime that are
(13:36):
doing the malware stuff, that's,you know, taking hospitals and
schools and companies ransom andthat is just a smash and grab
straight up kind of cash powerplay.
Speaker 1 (13:47):
You know, there are a lot of really important
elections that are coming upthis year, for instance the US,
the UK, which is also quiteimportant, but Canada as well in
the coming year.
I'm just wondering what rolecybersecurity and this political
interference will have on it.
Speaker 3 (14:05):
Yeah, I mean it's a good question and it's a bit
tough to answer because it'ssomewhat speculative.
But I would say that whenCanadians are thinking about
whom to vote for, cyber securityand national security is not
top of top of mind as a ballotbox issue.
(14:26):
Like you know, people arethinking about the price of
groceries, taxes like that kindof stuff.
Like it's just it's a rareoccurrence that this type of
thing would capture the publicattention in a way that it makes
it something of fundamentalimport for an election.
So I would say, maybe that'spart of it.
(14:49):
But I mean, I think peopleshould take it a little bit more
seriously because and it's notjust individuals, right, like I
think we all know people whohave now been hacked or suffered
a ransomware breach orsomething like that but like,
what's going on right now isthat critical infrastructure in
Canada is being compromised,compromised.
(15:12):
So the bad guys are doingsomething called pre-positioning
, which is where they they putmalicious.
Yeah, but let me tell you, likethis is not great.
They're putting malicious codeon our critical infrastructure
and they're not using it yet.
But the idea is that if we endup in a conflict or they want to
exert pressure, they canactivate that stuff, and so I
(15:35):
don't want to be too depressingabout it, but the first sign of
World War III is going to bethat your lights are going to
turn off and your water's goingto stop working.
Oh my gosh, right.
And so when I'm thinking aboutthis stuff, people should care
about it.
Government databases andcommunication networks,
financial institutions, keyeconomic sectors like ports so
(15:59):
this is like we have people, somaybe I'll turn it on its head
and say people care about theeconomy.
The economy is top of the mindat the ballot box.
Everyone knows it.
It's everything from, like Isaid, the price of groceries to
the price of gas, to jobs, toinflation, to fiscal and
monetary policy all the stuff,right, people care about that,
(16:21):
people vote on that.
Well, we have a digital economy,right?
Like I said earlier, we'vehooked everything we possibly
could up to the internet, and sowe have to protect it.
And so, while cybersecuritymight not be top of mind for
Canadians, everything that theydo in their day is enabled by
this digital infrastructure, andwe're just talking about
(16:41):
protecting it.
And so I would just I wouldencourage, to the extent that we
can, to have people pay alittle bit more attention and to
have political parties take aposition on some of this type of
stuff.
Like I don't think this is thetype of area where the ostrich
maneuver of just putting yourhead in the sand will work.
I think we should all be allpolitical parties should be
(17:01):
asked to say something aboutthis.
Speaker 1 (17:05):
And that brings me to my next question, which is, you
know, wondering what extent hasmodern warfare moved out of the
trenches and into the digitalworld?
Speaker 3 (17:16):
Well, so here's an interesting thing, right, like,
so we always we talk aboutwarfare and it's a bit hard
because, like, and I understandwhy we do it, but when you think
about war and like, there's ananswer in this.
But I'll just have to wind upfor a second here.
I'm an international lawyer.
I'm an international lawyer bytraining, right, and when we're
(17:39):
talking about this type of stuff, we start from the UN Charter,
which says that there's aprohibition on the use of force.
So in the United Nations, thebiggest rule of all the rules is
you can't use force.
That's what it says, quote, useforce.
And then you're allowed todefend yourself if quote an
(18:01):
armed attack occurs.
So that's the status ofinternational law.
And you think, well, geez, like, is a cyber attack a use of
force?
Like that law was written in1945, like before there was
computers.
And so I'm saying, like is, isthat war?
Is it a use of force?
Is it an armed attack?
(18:22):
Like.
And so it makes it a little bitcomplicated when we're talking
about.
You know, to the extent thatthat that modern warfare has
changed, because when we wrotethe rules surrounding this stuff
, cyber was never contemplated,because it wasn't a thing.
But I say that to say this yeahfor sure, there's actively
(18:44):
hostile cyber operationshappening all the time, and
there's lower level stuff, andthen there's some real
sophisticated stuff, and theexample I'll give you of the
real sophisticated stuff iscalled Stuxnet, and I don't know
why they come up with theselike nifty names for all these
cyber things.
But anyway, stuxnet.
What happened there was theIsraelis and the Americans
(19:06):
wanted to delay Iran's nuclearprogram and so, as part of their
military strategy, theydeployed malicious software that
basically crawled around theinternet and it was looking for
two things.
It was looking for what'scalled a SCADA.
It's an industrial controlcomputer.
(19:28):
It was looking for thisparticular computer hooked up to
centrifuges, and it wascrawling around the internet
looking for this Iran'scentrifuge program where they
spin.
The uranium was air-gapped, soit wasn't even hooked up to the
internet, but I gather whathappened is that somebody was
using a flash drive at home andbrought it in and then it was
(19:51):
able to jump the air gap.
And then what this piece ofsoftware did like this is wild.
It sat and it watched Iran'snuclear program, it watched the
centrifuges and it looked atwhat normal operations looked
like, and then it went in and itstarted over spinning the
centrifuges and under spinningthem, but telling the control
systems that everything was justfine.
(20:12):
And so all these centrifugeswere destroyed as a consequence
of this software.
And so here's the interestingquestion is so those physical
centrifuges were destroyed inlike actual real world damage.
Had we used a missile, it wouldhave been clear like that's this
is.
We're in an armed conflict.
Now, right, but because we usecomputer code, was that an armed
(20:36):
attack?
Like, was it a use of force?
And so you know, we're at thisplace where all this stuff is
happening, but we're stillstruggling a little bit because
theant use of malicious cybertools against us and against
(21:01):
others, and we are in a placewhere we can do physical damage
in the real world with nothingbut computer code.
But the rules themselves arestill somewhat opaque and I
think part of our work will beto clean that up, just so that
you know what the speed limit ison the road and where the
center line is.
Speaker 1 (21:23):
So do we need new agreed terms for cyber war?
And I'm just thinking as anexample.
You know, during the Cold Warand after there were nuclear
arms race treaties that wentinto effect that were reached.
Are we at a point in time wherewe need to rethink what rules
already exist and how they applyto cyber warfare?
Speaker 3 (21:43):
Yeah, I mean, I think it would just be good to know
exactly what the red line isright Like, because you don't
want to bump into itaccidentally.
But the problem we're going torun into is that cyber weapons
and I'll use that term looselyhere, cyber weapons have three
characteristics that no otherweapon system on Earth shares.
The first is that they'redeveloped completely in secret.
(22:04):
The second is that they'redeployed in secret, and the
third is that the doctrinesurrounding their use is secret,
like there's no way to deploy anuclear bomb secretly.
Right Like, once you do that,like people know about it.
Right Like, once you do thatlike people know about it, and
so.
So this, this weapon system,doesn't lend itself well to that
kind of that conversation aboutclarity and red lines, because
(22:27):
everyone is developing theirstuff secretly and they're using
it against each other andthey're trying purposely to
obfuscate the source, like wetalked about earlier about
attribution, like one of thereason that attribution is hard
is because the people doing itwant to make it hard.
Right, like they're not.
Like you know, they're notleaving calling cards, and so
you know I I just in my mind,the the biggest, the biggest
(22:50):
thing would be just to clarifywhere the red lines are so that
you know, so that you don't tripover it by accident, right like
.
It could very well be thattaking down the Canadian power
grid as a member of NATO is whatthey call Article 5, meaning
that there's a collectiveresponse as a consequence of
that.
But you might wish to becrystal clear about that, and
(23:14):
just so that everyone knowswhere the center line on the
road is.
Speaker 1 (23:18):
Are we anywhere close to international bodies, to
governments, actually agreeingto terms when it comes to cyber
warfare?
I know that you have individualnations and their leaders
talking about cyber attacks andstate-sponsored attacks, but are
governments in any place toagree to internationally
(23:42):
recognized laws?
Speaker 3 (23:45):
No, not really.
I mean, like there'sconversations at the UN about
what like responsible practicesare in cyberspace and all that
type of stuff and, to be fair tothem, like they have moved the
conversation and it is gettingmore and more developed all the
time, and so kudos to mycolleagues that are doing that.
But the problem is, like youknow, states reflect the
(24:08):
geopolitical realities that theyexist in right, and so strong
states will interpret existingrules in a manner that befits
their geostrategic interest.
They will also seek to push newrules in a manner that befits
their geostrategic interest.
They will also seek to push newrules in a manner that befits
their geostrategic interest.
And what's happening right nowis that I think many states like
(24:31):
the flexibility to use cybercapabilities, right, and so they
don't necessarily want toconstrain that, and so that's
kind of point number one.
Point number two is thatthere's just such a huge
division at the UN right now,Like that crew could not pass a
non-binding resolution thatapple pie and ice cream go well
(24:51):
together, Like they just it'stoo divisive, right, and so yeah
, so I just don't, I doubt it,I'd love to see it, but I just
I'm not holding my breath.
Speaker 1 (25:00):
I'm wondering what your thoughts are on the
capability for individuals to dogreat harm with some of the
resources that are createdthrough state entities.
So, for instance, if I happento be working on a nuclear
weapon for a government, it'd bevery challenging for me to take
home and use that specificweapon for myself.
(25:24):
But since you've mentionedbefore how code can easily be
adapted and used, sometimes foreconomic reasons, by proxies, is
there any worry that possibly arogue hacker could get their
hands on you know malicious codethat's been developed by
government entities and use itfor themselves, or maybe a gang
(25:46):
or other?
Speaker 3 (25:50):
Yeah, I mean, it's highly portable and replicable,
right?
So that's point number one.
Point number two is I'm notworried about someone stealing
it from a government.
I'm worried about thegovernment giving it to them and
asking them to do stuff.
Like I'm looking at you, russia, and so it is completely
foreseeable that there's goingto be more activity of what they
(26:11):
call state proxies.
So they're not part of theRussian government or they're
not part of the Chinesegovernment, but they're working
for them on the sly, and so yeahfor sure, that kind of stuff,
absolutely.
But the other kicker here isthat it's not hard now with
generative AI.
The other totally foreseeableset of circumstances that's
(26:33):
emerging is that people use likeanybody uses generative AI to
develop either cyber exploits inthe traditional sense or more
sophisticated informationcampaigns.
You know, and you don't evenneed a computer science degree
now to code, because you canjust ask ChatGPT to do it for
(26:54):
you.
So, again, all that to say likethe trend line here is probably
going in the wrong direction,and that's just something that
we're going to need to factorinto our strategy.
Speaker 1 (27:06):
I mean we're into James Bond territory here.
You know, like we're slowlyveering into the world of
tuxedos and shaken not stirredmartini glasses.
So you know, if there is.
You mentioned ChatGPT, thecapability for someone to use
generative AI.
As you mentioned ChatGPT thecapability for someone to use
generative AI for nefariousreasons to do much damage
(27:26):
increases.
Is there any caps then that youthink should be required on
this type of new AI that isreally growing at a rapid pace?
Speaker 3 (27:36):
Yeah, I mean.
So maybe a quick point on themartini.
You always want to stir yourmartini.
If you shake it, all the icebreaks and chips off and you
just end up with a weak martini.
So uh, uh with all, with all duedeference yeah, with all due
deference to mr bond, he gotthat wrong.
But, um, yeah, no, like we're,we have to.
We have to get our hands on onon generative ai like, and it's
(27:58):
not just for cyber stuff, butthere's um, there's a, there's a
storm storm coming here, andhow we choose to govern or not,
this technology will define theway that people live generations
from now and so.
But it's a little bit hardbecause in some ways, you're
asking policy makers to predictthe unpredictable Right, like if
we were having thisconversation 24 months ago and I
(28:20):
said to you hey, listen, I'vegot this cool tool.
You can just put in a couplewords and it can write a full
essay for you.
That sounds great.
Or it can make any pictures ofanything you want, or it can
create a movie about anythingthat you want.
It could do it in any language.
It takes two seconds and it'llcost you 20 bucks a month.
You would have thought I was outof my mind.
Like that conversation.
(28:40):
I would have been.
You would have thought I wasout of my mind.
Like that conversation.
I would have beenindistinguishable from magic two
years ago.
And here we are.
And so, yeah, like it's for me,it's not just cyber stuff.
I'm just like if we're going toconstrain the conversation to
the security side of the shop,this will turbocharge everything
bad.
That we've already seen in ahuge way, and so I think we need
(29:07):
to be realistic about that.
Whether or not that leads tosome form of international
regulation, it's tough to say,because there's so much
advantage in kind of the movefast, break stuff thing Like
here's a good example for you,right, like again, looking at
people's interests, there's abig fight going on right now
with the New York Times andOpenAI on copyright.
(29:28):
Right, they're like well, youknow the New York.
Speaker 1 (29:31):
Times and six other papers have joined.
Speaker 3 (29:32):
Yeah, yeah, right, so exactly.
And so I talk to people aboutit and they're like well, you
know, and I'm you know, like Isaid, I'm a lawyer, so I know a
thing or two about this stuff.
And they're like well, you know, is it just training it, like
because some people, you knowpeople can read textbooks and be
trained and that's not aninfringement of copyright.
Or is it actually like stealingthe text and modifying it, in
(29:54):
which case it could bederivative work or it could be
some other form of copyrightbreach?
And I'm like what if the answeris who cares?
And everyone's like, oh, like,what do you?
What do you mean?
And I'm like what if the answerit's a calculated risk, but the
answer is who cares?
So this thing, what, however, itgoes with the new york times at
all won't be resolved for, likeI don't know, three, four, five
(30:16):
years.
Yeah right, open ai will havecornered and dominated the ai
market by then and so.
And then it's like well, what?
What the New York Times gets atthe end of it is probably, if
they win damages, they'll get acheck, they'll get some money.
Well, open AI will havedominated the AI market.
They will have been built intoMicrosoft, they'll be built into
(30:41):
everything, they'll be in thevery fabric and DNA of digital
society and the digital economyand they'll be making dough, and
so it could very well be thatthe answer to that question is
who cares?
All that to say, like this is afundamental shift, and we're
just not there yet.
Like, and I mean maybe part ofit is that policymakers are
(31:03):
still getting their head aroundwhat this stuff is.
Part of it is that we don'treally know where it's going to
go, and part of it is thatthere's large incumbent players
that are parked on this space,that are going to, that are
going to throw their weightaround against regulation.
Right, this is?
This is old wine and newbottles.
Speaker 1 (31:18):
This is like you know this is early days of Facebook
type stuff, but that's kind ofwhere we're at, amazing.
Well, thank you for breakingall of that down, giving me new
nightmares.
Speaker 3 (31:28):
Yeah, I'm sorry about that.
Speaker 1 (31:31):
But no, nonetheless, this has been so incredibly,
it's been an incredibly greatchat, so thank you so much.
Speaker 3 (31:39):
All good, my pleasure .
It was great chatting with you.
Speaker 1 (31:41):
And that was Aaron Schull from CG.
Aaron talked about thechallenges of legislating at the
end there and that's going tobe the focus of our next episode
.
Yes, we're going to be lookingat what the Canadian government
is doing to combat everythingwe've talked about so far in
this series and where it'ssometimes falling short.
Speaker 2 (32:02):
We still have a federal government where we are
castle and moat, and so they areconcerned with protecting the
castle, without realizing thatthe castle lives off the
proceeds of the village, thatthey will starve to death
without the rest of us, and weare getting pillaged by the
cyber Vikings left, right andcenter.
Speaker 1 (32:21):
We'll hear more from Aaron, as well as some other
guests, from throughout theseries.
That's next week.
And remember if you have anyquestions or want to learn more
about cybersecurity in Canada,you can visit siraca slash
cybersecurity.
Please join us again next timeand thanks for listening you.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.