October 10, 2024 • 39 mins
In our season finale, we're tackling the question, what's up with the future of cybersecurity? We sit down with CIRA's own Jon Ferguson to share what future trends he sees in cybersecurity over the next few years, including AI, ransomware and quantum computing.
Returning guest David Shipley (Beauceron Security) joins us to talk about the growing pressure on cybersecurity professionals, the risk of burnout, and the critical need for public education in implementing effective security measures. Our guests also sound off on deepfakes and AI-generated misinformation and explain why preparedness is crucial as digital threats become more sophisticated.
As we wrap up this season, we leave you with a final thought from our first guest Bruce Schneier, to discuss where he thinks the future is headed.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Takara Small (00:03):
Technology is evolving at a pace most of us
can barely keep up with.
We're moving towards a worldwhere the number of connected
devices far outweighs the numberof people alive.
By 2030, it's estimated therewill be more than 50 billion
connected devices globally, andeach one of these is a target
(00:25):
for cyber criminals.
So just what does the futurehold in cybersecurity?
David Shipley (00:31):
It is the Japanese high-speed train of
consequences compared to thelocomotive.
That was the internet for thelast 30 years.
Takara Small (00:42):
AI, deepfakes, quantum computing All of these
offer new possibilities forcriminals, but also new ways to
fight back.
This very modern battlegroundis constantly evolving.
This is the last episode ofthis season of what's Up With
the Internet, and we're going toclose with a look at what the
(01:04):
future trends are incybersecurity and how new
emerging technologies are goingto impact this space.
Moving forward, I'm TakaraSmall, and this podcast is
brought to you by CIRA, theCanadian Internet Registration
Authority, which is a nonprofitbuilding a trusted internet for
Canadians, which is a non-profitbuilding a trusted internet for
(01:25):
Canadians.
Okay, so, to break down allthis, we got Jon Ferguson from
the team here at CIRA.
John is the VP of Cybersecurityand DNS.
We asked him to look into hiscrystal ball and predict what
future trends he sees incybersecurity over the next few
years.
Jon Ferguson (01:44):
Certainly AI is the big one that everyone really
hears about the most in thenews, and that's really because,
if you consider sort of thenature of the cybersecurity
threats, there's really two bigthings that tend to be
generating all these bigbreaches or attacks that we see.
Generating all these bigbreaches or attacks that we see.
(02:04):
One is phishing orimpersonation of people or
businesses.
So you get an email, you get anSMS and it purports to be
somebody or something that youshould care about.
We all get mysterious packagesfrom a long lost uncle or king
of a nation that we apparentlyare an heir to a throne of, and
(02:26):
if you accidentally click onsomething like that, it may
expose your organization, yournetwork, your systems to a bad
actor getting in, and that's aphishing attempt.
And then the other side is sortof ransomware, which often
happens after that.
Once a bad actor gets in, whatare they going to do with the
data or the system which theyhave compromised?
(02:48):
Well, usually they block it,they shut it down or they
threaten to give away yourinformation for ransom.
And more and more those thingsare being exercised by
vulnerabilities in software.
So every piece of software thatends up being created or run
(03:26):
no-transcript, because AI islooking at the code and finding
these problems or being muchmore clever at finding the
mistakes at a much faster pace.
So the speed of all of theseattacks is definitely going up.
The sophistication of theattacks are going up, even
(03:48):
though sort of the mechanismsare very much the same as they
have been for quite a long time.
Takara Small (03:53):
So does that mean AI can help fight back against
hackers and online criminals?
Jon Ferguson (04:00):
Oh, 100 percent.
I mean, this is one of thegreat challenges of, I think,
any technology.
Good and bad things will resultfrom anything that comes along,
and quite often, I think,there's an adoption curve that
is very different for the badactors than it and grab an AI
algorithm or a system or aquantum crypto breaking tool and
(04:29):
try it right.
What's the worst case?
That thing that's going tohappen to them?
Well, they're already doingsomething illegal.
So worst case scenario for them, I suppose, is it doesn't work
and nobody ever knows about it.
But if you're a corporate entity, you're an individual person
and you use an AI tool and itdoes something bad or wrong or
gives you the wrong information,you can be li regulation, where
(04:51):
there isn't a sort of bestpractices developed yet, can
take longer for us to see someof the real benefit from it.
But we're already seeing AI andthis capability test better,
(05:27):
test faster, having what theycall co-pilot services, where an
AI can help a developer createtheir code, so it can even help
them do that work faster.
So we're seeing that adoptionhappen, but it's just not quite
the same rapid pace as some ofthe free-reeling malicious folks
can take advantage of it.
Takara Small (05:49):
So are there any other technologies, then, or
tools that are also going toimpact this space, kind of like
AI?
Jon Ferguson (05:58):
Yeah, I mean, I think the other big one you hear
about is quantum computing,right, and the shift away from
what we've sort of classicalcomputing that we've known about
to these you know, essentiallyby definition day as sort of
super computer, capable uhdevices which can and do tasks
that we're used to taking verylong periods of time, uh be very
(06:18):
quick, very uh easy for them touh to do these types of sort of
interactions.
And the big one is really onencryption resistance, so being
very quick to break anencryption key.
One thing we've always beentold about security if it's
secure data you're looking for,we'll encrypt it and protect it.
Well, that's because it used totake days, hours, years longer
(06:44):
to to break a security key.
Now we're talking about secondsin some cases, and so
encryption is the first use caseeveryone's really worried about
with quantum computing.
But just having this massiveincrease in computing power and
very specialized capabilities,it's going to mean a lot of sort
of our traditional thoughts onhow we secure things have to
(07:05):
change.
So I think the big challengearound all of this thinking
about the future of technologyit's not just one technology
that we can prepare for thething that we can count on is
that there's going to continueto be more innovation and change
and we're going to need to beagile and adapt.
And if you take some examplesthat are out there, don't think
(07:28):
about what's happened in thelast 10 or 15 years just as a
microcosm in, say, our cellphone world, now we go out and
want to buy a new cell phoneevery two or three years, partly
because there's a promise ofnew, bigger speeds.
Right, we went from 2G to 3G to4G, now we're on 5G.
Well, the period of timebetween each one of those
transitions from one network toanother, it's gotten shorter and
(07:51):
shorter and shorter every time,and so the innovation cycle,
the ability to create new, morepowerful tools, is happening at
a much higher frequency.
And the chat, gpt versions Ithink we're on version four now.
The first version was blows,blew us all the way and what it
could do, and now that's beenmaybe two years since that's
(08:13):
been out and it's doing theseamazing things more.
So we all have to kind of getinto this world of adapting for
the next thing, because it'scertainly going to come, and the
question is whether or notwe've sort of created this
ability to be adaptable andchange to deal with whatever
comes next, because there willbe good things that come too,
(08:34):
but it's easy to focus in on thebad things.
Takara Small (08:38):
Yeah, sorry, I didn't mean to laugh, but I mean
obviously a lot of it's like alot of doom and gloom.
So the good things is it okayfor me to ask, like, what are
those potential good things?
Jon Ferguson (08:51):
well, certainly, I mean there's.
There's what depends on yourperspective on everything, right
, yeah, there's a lot of uhopportunity to create these, uh,
these connection points.
I mean, if you look at some ofhow the language models are
being used, or ai are being usedfor instantaneous translation,
for example, is that a goodthing?
I think, for a lot of peoplewho struggle with languages,
(09:13):
that's awesome.
You can communicate with, witheverybody and anybody.
Maybe, if you really lovelearning languages, you're
you're not so happy about thefact that that's no longer a
thing, but just the, thatability to universally
communicate with everybody oranybody.
That seems really exciting andpowerful yeah, it's definitely
futuristic.
Takara Small (09:31):
I'm thinking star trek right now, the universal
communicators that's the promise, right?
Jon Ferguson (09:36):
hey, you know if I can bury it in my sunglasses or
uh, or something else evenbetter, right?
Takara Small (09:42):
okay.
So, speaking of how fast thingsare changing, one of the really
big trends over the last coupleof years has just been the
number of attacks on majorCanadian institutions.
I'm thinking the Toronto PublicLibrary, toronto Transit
Commission, I mean evenNewfoundland's healthcare system
.
It just seems like there are somany big organizations that are
(10:03):
falling victim to onlinecriminals.
Is this a trend likely tocontinue?
I mean, can we expect this tocontinue happening, or will
organizations, regardless ofwhere they're located in Canada,
just get a little bit better?
Jon Ferguson (10:20):
Yeah, I guess you said you wanted to avoid the
doom and gloom, but I don'tthink you set up a question that
lets us do that, did you?
Yeah, it's, I mean those are.
I mean, frankly, those are theones you've heard about, right,
right, and that's theunfortunate part of the scenario
is that we hear about a verysmall percentage of them.
I think that's one thing thatis changing.
People are organizations arewaking up to the fact that if
(10:45):
they don't sunshine these issues, it makes it far easier for
others to be compromised as well.
I think we are moving towards apoint where I mean, we've been
saying this for years.
I get back to the doom andgloom world of cybersecurity,
the conversation.
The cliche is it's not if it'swhen.
(11:05):
Um and there's there's a fairdegree of truth to that right
you need to be prepared to dealwith recovery of your systems.
You know where your data is.
You need to know what you'redoing in terms of exposing your
organization to, you knowthreats.
Whether or not you really needto do certain things online is a
(11:26):
question.
There isn't any one solutionthat is going to come in and
secure your entire organization.
It's about defense in depthright, having multiple security
layers and capabilities.
Those things need to happen,but that still doesn't make you
foolproof, if you will, from abreach.
Some of the most sophisticatedorganizations are getting
(11:52):
breached because they have veryvaluable information and,
despite these massive budgets,it makes it very hard to keep on
top of it because the bad actoronly has to succeed once.
Right, this is the hard thing.
You see all these things in thenews and all the sound clips
and the sound bites about.
Are these technical peopledoing enough?
(12:13):
Why didn't they do it?
Well, they have to be 100 for100.
Well, for the one time they getbreached, you're on the news
for a huge amount of time.
And that's, I think, one of thebiggest challenges we've got as
a sector right now incybersecurity is how do we keep
the professionals from burningout?
(12:33):
You can't always be perfect andit's hard to hold people to
that bar, because for the, youknow entire career.
If you know the one day thatthey had that they got breached,
that be what is remembered, notthe 99.9 of other days where
they kept the place secure.
(12:54):
And I think that's a realchallenge to continuing to
attract, uh, the biggest and thebrightest to the the job,
because often it's a thanklesstask, um, and we're seeing a lot
of change in the, in the in thelandscape right now.
You seeing a lot of change inthe landscape right now.
You see a lot of legislationcoming in, certainly in the US
they've changed the rules ondisclosure, so there's an
(13:17):
obligation for organizations todisclose certain types of
breaches.
So, in turn, you're seeing moreof that in the news cycle,
because now they are obligatedto disclose.
Now they are obligated todisclose, and there are
certainly situations now wherepeople are being held
individually accountable in theexecutive suite for
(13:38):
cybersecurity.
So I think, at a high level,some of that stuff's great and
good that we need to makecybersecurity a very definable,
very important part of everybusiness strategy.
Right, if you're equivalent toyour CISO, if you're a smaller
organization, your IT personwho's responsible for security,
if they are not sitting at thetable with your overall business
(14:00):
strategy, then you are missingthe message right now.
Right, it security andcybersecurity has to be part of
your business strategy just asmuch as marketing and product
and everything else.
Takara Small (14:15):
You know, one of the other really big challenges
associated with improvingcybersecurity is also educating
the general public Right andthen asking them to implement
steps as well.
I'm thinking multi-factorauthentication to implement
steps as well.
I'm thinking multi-factorauthentication.
How, you know, does someone inyour role get Canadians to?
Jon Ferguson (14:41):
care and actually put in place those types of
defensive mechanisms.
Yeah, I mean, one of the greatthings about working for CIRA is
just our focus as anot-for-profit and a focus as a
Canadian entity on the Canadianmarket.
That's one of the things that Ilove about this job is being
able to speak to my country andbe focused in on what we can do
to make people more aware here.
(15:01):
I do think there is thisbaseline level of cybersecurity
which we're trying to geteverybody aware of right, and we
had our antivirus moment, Iguess in the 90s right, where
you used to buy a computer andgo online and maybe you
installed antivirus.
Then we got to that point whereyou had to have it or else
(15:22):
you're yeah, you're going tohave a problem to a point now
where you can't buy a computerwithout it having antivirus
baked into it, and so we'regetting there.
I think, in terms of educatingthe younger crowd, educating a
lot more people, there's a tonof free resources out there.
If you look at something likethe Canadian Shield that CIRA
(15:44):
provides ourselves.
It's a protected DNS you canput on your phone and put on
your router at home and that'llblock a lot of bad websites that
might infect your computer.
It's a free service.
The Canadian Center forCybersecurity offers a whole ton
of resources on how to identifymalicious stuff.
It's got to be part of ourprofessional training and our
(16:08):
school education to.
Frankly, in my opinion, it isone of those things right now
which is, you know, just asimportant as teaching your kid
how to cross the street.
You know, look both ways.
Well, don't go on the internetwithout some basic security has
to be part of that education andit's going to be a challenge
when you think of, you know, thewhole world of deep fakes and
(16:31):
and all these things that arehitting us right now.
No doubt there will be ways tobetter detect these things as
the technology catches up on theon the good side, but I think
there's a large degree ofskepticism or curiosity that we
need to bring to things.
You know, if I'm getting emailsfrom places I don't recognize,
(16:53):
or for getting asked for lots ofpersonal information, is it
really worth my personalinformation to be able to get a
10% discount coupon code forsomething I'm buying?
Yeah, we have to start toconsider what's being done with
that data and that informationthat we've been freely handing
out, because a lot of cases.
(17:14):
A little bit of restraint, alittle bit of extra criticism or
a critical eye on information,and people will protect
themselves from a lot of thedangerous things that they're
running into.
Takara Small (17:30):
Is there anything at CIRA that your team and the
organization is advocating forsupporting to help create a
safer online space?
And I'm, you know, immediatelythinking of Bill C-26.
Jon Ferguson (17:45):
Yeah, so you already answered your own
question.
C26 is definitely one of them.
So again, maybe I guess a quickrundown on what C26 might make
sense for some of the listeners.
But it's really you know thisfocus.
I mean the act is an act forrespecting cybersecurity.
Um, you know it's been in thelegislative process for quite a
(18:12):
while now and we have been partof a number of working groups
and consultations.
We actually submitted somerecommendations to improve the
bill.
Now we're generally supportivebecause the goal of the bill is
to improve internet security anda primary focus really on
critical infrastructure.
Right, how do we protect thingslike waterworks, utilities, you
know all that type of thing.
But really we've been focusedin on just improving oversight.
(18:35):
Right, if you're going to putnew regulation in, who's going
to make sure that it'simplemented properly, that
privacy is respected, that thereis safeguards around the data
that's collected?
You know we've heard in thepast.
You know, at one point, you know, metadata became a big news
phrase.
No one cared about metadata forlike the first 15 years of the
internet and then, all of asudden, when we figured out that
(18:56):
you could put all this littletidbits of tags of information
together and you could, couldactually build a real compelling
picture of somebody or anorganization.
Then, all of a sudden, we caredabout that.
So there's these nitty grittydetails around how.
Then, all of a sudden, we caredabout that.
So there's these nitty grittydetails around how the wording
(19:16):
gets framed that allows data tobe shared, not shared, and
improving the transparency sopeople can better understand it.
Those are all things that weadvocate for, I know.
Generally speaking, a saferinternet everyone would benefit
from, but understanding howthat's being done is very much
important as well.
So we're definitely excited tosee how it will shape, because
it's still uh, it's still goingthrough the process.
It still has to go through thesenate.
No doubt there'll still be somemore changes.
(19:38):
So we'll we'll be following upthere.
But, um, but there's more thanc26 going on.
I already mentioned there's awhole bunch of international
initiatives going on right nowthat are looking at how do, how
do the network.
The internet is actually aseries of smaller networks that
all interconnect, and some ofthose could be looked at as
(19:58):
national infrastructures thatinterconnect, and so a lot of
that relationship, in terms ofcross-border relationship, is
going through a whole bunch oftransformation and ideation and
new technologies.
You know we've, we've gonethrough the bitcoin uh evolution
or revolution, or however youwant to phrase it, but that same
underpinning technology that'sunder bitcoin ledger technology
(20:21):
and it's it's permeating inother areas of the internet.
And so, uh, there are new, newinternets out there, which,
which are very niche servicesthat are going on out there, but
they're becoming moremainstream, not just
cryptocurrency, so those aregoing to potentially hit your
browser at some point in the nottoo distant future and it'll be
(20:45):
interesting to see how thosethings sort of come together.
The one surefire thing isthere's a million things going
on related to the internet, asthere always is, and it
continues to be really a placeof amazing innovation, so that
definitely keeps it interestingon a day-to-day basis.
Takara Small (21:04):
One of the things you mentioned that kind of stuck
with me was the burnout comment, and it's interesting because
it's rarely talked about andthere has been a very
coordinated push in Canada totrain and educate more Canadians
to take on cybersecurity roles,because there is a dearth of
them.
There aren't enough of them.
So I'm just wondering, like,how do you deal with that and
(21:29):
how does the industry come toterms?
Because all you really need isfor there to be one time where
maybe you don't have thecapacity to protect your org or
your company from a milliondifferent threats and you're
hacked.
But there's only a finitenumber of cyber security
specialists in Canada.
So I mean I mean that must meanpeople are completely working
(21:51):
100% all the time.
Jon Ferguson (21:54):
Well, I like to think people are busy, but, yeah
, there's just a couple ofelements to that question.
I think Takara One is the wholeCanadian landscape in itself.
It's not unlike a lot ofcountries where we're highly
dependent on businesses,countries that are not Canadian
(22:19):
and so I think there's a bigneed and a drive to build up
this national capacity.
The digital world is a bit of anew frontier, right?
You look at what happens thesedays in terms of conflict.
There's clearly a whole lot ofcyber threat that's being
generated by nation stateactivity, and so having our own
(22:42):
domestic experts andcapabilities is just good for
the country, and we do have alot of brilliant people really
in the AI and quantum space.
Canada in many respects, areworld leaders already, but,
you're right, as a generalpractitioner or role, there are
(23:05):
more roles than there are people, and that's where you see this
real hard push to automation, tosort of centralizing some of
these services with managedservices.
So cloud is an example oftrying to create the ability to
do bigger things with lesspeople not necessarily less
(23:25):
resources, but less people andthose things will continue to
happen.
I think partly where you getthe AI conversation gets to is
you can turn some more mundaneor people intensive processes
that we have now into moreautomated processes and you
hopefully redirect people intoto more high valued work.
(23:49):
But it's also about building upthese skill sets right.
We you know, 20 years ago asoftware engineer would not have
been coming out of universitiesor college programs at the same
rate they have been for thelast five to 10.
And we probably will see ashift again as we move forward.
Cybersecurity, I think, isstarting to have a moment.
(24:10):
I've been lucky enough to havesome good interactions with some
folks here in Ottawa at some ofthe universities who are
building up moremultidisciplinary training,
education programs at thepost-secondary level, but even
talking to secondary schoolcurriculum folks who are trying
(24:34):
to build in this idea ofcybersecurity.
I've got two young boys, I'vegot an eight year old who's
learning about passwords in hiselementary school class.
I mean, we're pulling thatstuff down to kids so they start
to learn about it earlier and Ithink that is just going to
(24:55):
probably proliferate the factthat your average kid or student
who comes out of school youknow we don't ask on a resume
right now you know how fast canyou type.
I remember when I startedapplying for jobs.
No, microsoft Word was a skillyou put on your resume.
We don't do that anymorebecause it's just a basic
(25:18):
digital literacy skill thateveryone who comes out of an
education system now has.
Quote unquote cyber skills, orknowledge that we today have to
train on, they're going tobecome second nature to
everybody.
Right now that we all have cellphones, we don't think as much
(25:40):
about a two-factorauthentication, right?
If you get a text message tolog into a webpage after you put
your password in, most peoplenow don't think twice about that
.
But that was a huge friction,you know, five, ten years ago to
get people to consider that asnot being a massive
inconvenience.
So we're getting places wherethe user experiences around
(26:04):
cyber security are becomingeasier, better, so we're able to
adopt things better.
Skill are are changing so thatpeople are more aware of some of
this stuff, and I think that'sit's a lot of this is about us
keeping, um, that idea of that,that knowledge, forward front of
mind, right, everyone's part ofthe cyber defense of their
(26:25):
organization and your home, forthat matter.
Um.
So what are you doing to makesure that you don't do the wrong
thing when you're onlinebecause we bring all those bugs
and issues and challenges withus, especially now that we work
so much from home.
There's really a big blurringof the lines between the secure
(26:49):
work networks quote unquote andyour home network.
So lots to think about.
Unfortunately, some days it'stoo much to think about, but
there is an evolution going onand that's the one thing we can
count on.
It's going to keep movingforward and keep changing.
Takara Small (27:06):
That was John Ferguson from CIRA.
So, as a nation, are we slowlywaking up to the magnitude of
this problem?
Well, cira has just publishedits cybersecurity survey for
2024, and the results showedthat 76% of organizations have
increased their staff devoted toIT system management and
(27:29):
cybersecurity in the past 12months.
System management andcybersecurity in the past 12
months.
So that's moving in the rightdirection, but there's a long,
long way to go.
David Shipley (27:43):
David Shipley has some big concerns about the
future.
We are so radically unpreparedfor the negative consequences of
this technology, and it is theJapanese high-speed train of
consequences compared to thelocomotive that was the internet
for the last 30 years.
What do I mean by that?
Let's start with deepfake videotechnologies that can be run on
(28:08):
an old Dell laptop.
That can now be used to createnon-consensual intimate images,
synthetic intimate images ofindividuals, and it is being
done.
There are telegram channelswhere you can drop pictures of
someone you want to target andwithin minutes it's going to
send you back pretty awful,realistic pornographic images
featuring that individual.
(28:28):
So how does that play into thisawful narrative that we've
already seen, where the internetdisproportionately impacts
women or people who identify aswomen, and so that's just going
to get worse?
How do we deal with this awfulstory of misinformation and
interference in a world whereevery possible news outlet is
(28:49):
getting polluted with AIgenerated garbage, and social
media is completelyirresponsible as its AI becomes
more sophisticated and it'sharmful algorithms, as we
mentioned Francis Hogan'stestimony, continues to go
unregulated in this country andin others.
And then how do we deal withincreasingly sophisticated fraud
(29:10):
and cyber attacks that thestakes are increasing.
The, the first generation ofransomware, the dumb criminality
that made billions of dollars,is coming to an end as
consequences emerge as theglobal counter ransomware
initiative takes hold.
That doesn't mean it's over.
It just means that the firstchapter is over and now we're
seeing nastier, moreconsequential attacks.
(29:33):
London drugs I mean this is thefirst major retail outage we've
seen in this country.
That went on for nearly a week.
How many millions of dollars?
How much harm did that cause?
And that's just the taste ofwhat's to come for the
healthcare sector in Canada.
That is woefully unprepared.
So it's going to get meaner,it's going to get harder and
(29:54):
honestly, I wish I had betternews on that side.
I have tried for years, sinceNewfoundland's attack, to raise
the alarm, but I feel like oneof those Old Testament hair
shirt wearing prophets.
These weren't very popularpeople back in the Old Testament
.
They're not popular today.
There's a reason why some wouldrather get swallowed by a whale
(30:15):
than go to the town and sayrepent.
And what I'm saying is investand prepare.
And it's not about being hackedanymore.
It's about resilience tohacking and building a better,
more fair society that betterprotects our most vulnerable
while we are increasinglydigital.
Takara Small (30:35):
I have to ask why even try, then you know, for
people who are listening smallbusiness owners, maybe you know
tech leaders, you know CEOs ofmajor corporations and down to
the individual.
They may think, okay, so wedon't have enough funding
nationally.
There is an ever increasingthreat.
(30:57):
There are criminals who aregetting faster, smarter and
better at hacking.
Should I even try?
Is there even any reason toattempt to protect myself?
David Shipley (31:10):
There is hope, basic measures and steps.
Microsoft has shown that evendoing something like turning
multi-factor authentication oncan cut your risk by 99.9% to
that digital lock picking that Imentioned earlier that got CRA.
So there are some basic stepsyou can take that can actually
(31:30):
dramatically reduce risk.
So there is proven, there'sstrong evidence doing something
can pay off.
Planning and preparedness arealways worth it.
But I'd say this I want thenext 30 years to be a better
story for the next generationthan this 30 years of the
internet has been.
And the journey starts small.
(31:53):
It starts with all of us doinga little bit better.
But this challenge ofcybersecurity, it's one of those
wicked problems like climatechange.
It's one of those things wherewe have to act individually and
collectively and we have to havehope.
I believe in the power of thehuman spirit.
I believe in our ingenuity.
I believe in our innategoodness as individuals in the
society to want to do the rightthing.
(32:15):
We will rise to the occasion wehave in every previous
civilizational challenge.
But we got to wake up, and thepart of that unfortunately means
making people uncomfortable.
It means taking away that last70 years of comfort that we've
lived under and realizing we'rein a whole new world and we all
(32:38):
have to step up.
Takara Small (32:40):
And I wonder what your thoughts are on innovative
privacy protecting technologiesthat can be used for good or bad
.
So we kind of mentioned Onion,tor.
There's obviously Signal aswell, and these are, you know,
programs, services, apps thatare designed to protect an
individual particularly.
(33:01):
You know, sometimes people incertain countries are not
allowed or even able to sharetheir thoughts or political
leanings, but they can also beused for nefarious reasons.
So is there a way to balancethem, or is it just, you know,
it is what it is.
David Shipley (33:18):
I think it's exactly what you said.
It's balance.
Right now we're in the nextversion of the encryption wars,
where end-to-end encryption isunder assault in the Western
world and certainly inauthoritarian regimes, to break
it for all kinds of reasons thatmake a lot of sense when police
(33:39):
articulate we want to break upcrimes in action, we want to go
after the perpetrators ofheinous crimes like child sex
abuse material, etc.
The problem is that policethemselves, empowered with this,
this tool, then become thetargets, and if the NSA and the
CIA can keep their hacking toolssafe and punchline they didn't
(33:59):
so far then no, you can't havethe global keys to the kingdom
on the nature of relationshipswhen it comes to data ownership,
and Tim Berners-Lee, the fatherof the modern World Wide Web,
is leading a movement that Ifind intriguing.
(34:20):
It's this idea of privacy, datapods that, instead of having
elements of my personal datareplicated throughout the world
in various pieces and forms thatcan then be lost, stolen and
recombined, that can then belost, stolen and recombined that
there would be a single,controlled instance of my
personal data that folks wouldseek my permission to access to.
That would be far easier for meto withdraw my consent and
(34:41):
access to and that would somehow, in digitally or physical form,
be under my control, and I lovethat idea.
And this is a return to thatdecentralized web, to shaking up
some of the power of big techand other things.
Whether or not that plays outor not, I don't know, but it's
the most fantastical and bestthought out idea to counter some
(35:04):
of these big challenges I'veheard.
Yet we often hold organizationsto account, particularly public
sector organizations,municipalities, healthcare and
we wag our finger how dare youget hacked?
But yet when politicians showup at our doorstep, are we
talking about how important wethink it is that they invest
time and laws and infrastructureand spending to protect
(35:26):
ourselves online?
No, so politicians follow us.
So if there is blame for thelack of security in this country
, it's.
We all own our piece of it.
Takara Small (35:38):
And that's David Shipley from Beauceron Security
Inc.
So where does all this leave us?
The future of cybersecurity isgoing to be both challenging and
exciting.
Emerging technologies willtransform how we protect
ourselves, but they'll alsointroduce new risks.
The growing threat landscapemeans that businesses and
(36:02):
individuals will need to be morevigilant than ever before.
As we wrap up this season, onething is certain Cybersecurity
is no longer an afterthought.
It's a critical component ofour digital lives and will only
become more important.
But rather than scaring you toomuch, we wanted our last guest
(36:26):
of the season to offer someperspective.
Bruce Schneier is a leadingexpert on cybersecurity, and we
first heard from him in episodeone.
Bruce Schneier (36:36):
You know my thoughts about the future have
nothing to do with computers.
They involve climate change,they involve democracy.
They involve some reallyserious problems that our
society and species has to solvepretty soon.
I mean, cybersecurity probablydoesn't hit the top 10.
But if you want to talk aboutcybersecurity, I think we're
(36:58):
doing okay.
You know we mess up around theedges and we as a culture tend
to get things wrong before weget things right.
But we eventually get thingsright, and I think we will in
this case as well.
I mean, I don't think societywill collapse because of a
cybersecurity problem.
Takara Small (37:16):
It's the other things.
Climate change it's the otherthings.
Bruce Schneier (37:18):
Right, you know, and we're not going to solve
climate change until we fixdemocracy, and we're not going
to fix democracy until we fixcapitalism.
Takara Small (37:26):
Right, ok.
So then I mean, how do you staypositive?
I mean, those are pretty bigissues we're facing, you know.
Bruce Schneier (37:36):
I think a positive outlook is more
internal than external, and evenin the years we were losing
policy battles left and right,you know the goal was to lose
them slower or to lose them less.
So I think you can maintainpositivity even if things are
going bad.
You know, it's really how youinterpret it.
Takara Small (38:00):
I think that's like the best way to answer to
end our interview.
Bruce Schneier (38:04):
It's funny.
And even if you don't have hope, you need to project hope,
because otherwise, if you'rehopeless, you're definitely
going to lose.
If you have hope, even ifthings are bad, you're
definitely going to lose.
Right, if you have hope, evenif things are bad, you might win
.
Takara Small (38:20):
It's your only shot.
A big thanks to Bruce and allour guests throughout this
series for being so generouswith their time and talking to
us.
If you're feeling inspired andyou want to learn more about
cybersecurity in Canada, you can, of course, check out siraca
slash cybersecurity and have alook through their social
channels as well.
There's loads of great stuffgoing on right now for
(38:42):
Cybersecurity Awareness Month,including that survey I
mentioned earlier, and if youhaven't already listened to
season one of the show, why nothave a listen back to that as
well?
Thank you so much for listening.
Bye, guys.
Technology is evolving at a pace most of us
can barely keep up with.
We're moving towards a worldwhere the number of connected
devices far outweighs the numberof people alive.
By 2030, it's estimated therewill be more than 50 billion
connected devices globally, andeach one of these is a target
(00:25):
for cyber criminals.
So just what does the futurehold in cybersecurity?
David Shipley (00:31):
It is the Japanese high-speed train of
consequences compared to thelocomotive.
That was the internet for thelast 30 years.
Takara Small (00:42):
AI, deepfakes, quantum computing All of these
offer new possibilities forcriminals, but also new ways to
fight back.
This very modern battlegroundis constantly evolving.
This is the last episode ofthis season of what's Up With
the Internet, and we're going toclose with a look at what the
(01:04):
future trends are incybersecurity and how new
emerging technologies are goingto impact this space.
Moving forward, I'm TakaraSmall, and this podcast is
brought to you by CIRA, theCanadian Internet Registration
Authority, which is a nonprofitbuilding a trusted internet for
Canadians, which is a non-profitbuilding a trusted internet for
(01:25):
Canadians.
Okay, so, to break down allthis, we got Jon Ferguson from
the team here at CIRA.
John is the VP of Cybersecurityand DNS.
We asked him to look into hiscrystal ball and predict what
future trends he sees incybersecurity over the next few
years.
Jon Ferguson (01:44):
Certainly AI is the big one that everyone really
hears about the most in thenews, and that's really because,
if you consider sort of thenature of the cybersecurity
threats, there's really two bigthings that tend to be
generating all these bigbreaches or attacks that we see.
Generating all these bigbreaches or attacks that we see.
(02:04):
One is phishing orimpersonation of people or
businesses.
So you get an email, you get anSMS and it purports to be
somebody or something that youshould care about.
We all get mysterious packagesfrom a long lost uncle or king
of a nation that we apparentlyare an heir to a throne of, and
(02:26):
if you accidentally click onsomething like that, it may
expose your organization, yournetwork, your systems to a bad
actor getting in, and that's aphishing attempt.
And then the other side is sortof ransomware, which often
happens after that.
Once a bad actor gets in, whatare they going to do with the
data or the system which theyhave compromised?
(02:48):
Well, usually they block it,they shut it down or they
threaten to give away yourinformation for ransom.
And more and more those thingsare being exercised by
vulnerabilities in software.
So every piece of software thatends up being created or run
(03:26):
no-transcript, because AI islooking at the code and finding
these problems or being muchmore clever at finding the
mistakes at a much faster pace.
So the speed of all of theseattacks is definitely going up.
The sophistication of theattacks are going up, even
(03:48):
though sort of the mechanismsare very much the same as they
have been for quite a long time.
Takara Small (03:53):
So does that mean AI can help fight back against
hackers and online criminals?
Jon Ferguson (04:00):
Oh, 100 percent.
I mean, this is one of thegreat challenges of, I think,
any technology.
Good and bad things will resultfrom anything that comes along,
and quite often, I think,there's an adoption curve that
is very different for the badactors than it and grab an AI
algorithm or a system or aquantum crypto breaking tool and
(04:29):
try it right.
What's the worst case?
That thing that's going tohappen to them?
Well, they're already doingsomething illegal.
So worst case scenario for them, I suppose, is it doesn't work
and nobody ever knows about it.
But if you're a corporate entity, you're an individual person
and you use an AI tool and itdoes something bad or wrong or
gives you the wrong information,you can be li regulation, where
(04:51):
there isn't a sort of bestpractices developed yet, can
take longer for us to see someof the real benefit from it.
But we're already seeing AI andthis capability test better,
(05:27):
test faster, having what theycall co-pilot services, where an
AI can help a developer createtheir code, so it can even help
them do that work faster.
So we're seeing that adoptionhappen, but it's just not quite
the same rapid pace as some ofthe free-reeling malicious folks
can take advantage of it.
Takara Small (05:49):
So are there any other technologies, then, or
tools that are also going toimpact this space, kind of like
AI?
Jon Ferguson (05:58):
Yeah, I mean, I think the other big one you hear
about is quantum computing,right, and the shift away from
what we've sort of classicalcomputing that we've known about
to these you know, essentiallyby definition day as sort of
super computer, capable uhdevices which can and do tasks
that we're used to taking verylong periods of time, uh be very
(06:18):
quick, very uh easy for them touh to do these types of sort of
interactions.
And the big one is really onencryption resistance, so being
very quick to break anencryption key.
One thing we've always beentold about security if it's
secure data you're looking for,we'll encrypt it and protect it.
Well, that's because it used totake days, hours, years longer
(06:44):
to to break a security key.
Now we're talking about secondsin some cases, and so
encryption is the first use caseeveryone's really worried about
with quantum computing.
But just having this massiveincrease in computing power and
very specialized capabilities,it's going to mean a lot of sort
of our traditional thoughts onhow we secure things have to
(07:05):
change.
So I think the big challengearound all of this thinking
about the future of technologyit's not just one technology
that we can prepare for thething that we can count on is
that there's going to continueto be more innovation and change
and we're going to need to beagile and adapt.
And if you take some examplesthat are out there, don't think
(07:28):
about what's happened in thelast 10 or 15 years just as a
microcosm in, say, our cellphone world, now we go out and
want to buy a new cell phoneevery two or three years, partly
because there's a promise ofnew, bigger speeds.
Right, we went from 2G to 3G to4G, now we're on 5G.
Well, the period of timebetween each one of those
transitions from one network toanother, it's gotten shorter and
(07:51):
shorter and shorter every time,and so the innovation cycle,
the ability to create new, morepowerful tools, is happening at
a much higher frequency.
And the chat, gpt versions Ithink we're on version four now.
The first version was blows,blew us all the way and what it
could do, and now that's beenmaybe two years since that's
(08:13):
been out and it's doing theseamazing things more.
So we all have to kind of getinto this world of adapting for
the next thing, because it'scertainly going to come, and the
question is whether or notwe've sort of created this
ability to be adaptable andchange to deal with whatever
comes next, because there willbe good things that come too,
(08:34):
but it's easy to focus in on thebad things.
Takara Small (08:38):
Yeah, sorry, I didn't mean to laugh, but I mean
obviously a lot of it's like alot of doom and gloom.
So the good things is it okayfor me to ask, like, what are
those potential good things?
Jon Ferguson (08:51):
well, certainly, I mean there's.
There's what depends on yourperspective on everything, right
, yeah, there's a lot of uhopportunity to create these, uh,
these connection points.
I mean, if you look at some ofhow the language models are
being used, or ai are being usedfor instantaneous translation,
for example, is that a goodthing?
I think, for a lot of peoplewho struggle with languages,
(09:13):
that's awesome.
You can communicate with, witheverybody and anybody.
Maybe, if you really lovelearning languages, you're
you're not so happy about thefact that that's no longer a
thing, but just the, thatability to universally
communicate with everybody oranybody.
That seems really exciting andpowerful yeah, it's definitely
futuristic.
Takara Small (09:31):
I'm thinking star trek right now, the universal
communicators that's the promise, right?
Jon Ferguson (09:36):
hey, you know if I can bury it in my sunglasses or
uh, or something else evenbetter, right?
Takara Small (09:42):
okay.
So, speaking of how fast thingsare changing, one of the really
big trends over the last coupleof years has just been the
number of attacks on majorCanadian institutions.
I'm thinking the Toronto PublicLibrary, toronto Transit
Commission, I mean evenNewfoundland's healthcare system
.
It just seems like there are somany big organizations that are
(10:03):
falling victim to onlinecriminals.
Is this a trend likely tocontinue?
I mean, can we expect this tocontinue happening, or will
organizations, regardless ofwhere they're located in Canada,
just get a little bit better?
Jon Ferguson (10:20):
Yeah, I guess you said you wanted to avoid the
doom and gloom, but I don'tthink you set up a question that
lets us do that, did you?
Yeah, it's, I mean those are.
I mean, frankly, those are theones you've heard about, right,
right, and that's theunfortunate part of the scenario
is that we hear about a verysmall percentage of them.
I think that's one thing thatis changing.
People are organizations arewaking up to the fact that if
(10:45):
they don't sunshine these issues, it makes it far easier for
others to be compromised as well.
I think we are moving towards apoint where I mean, we've been
saying this for years.
I get back to the doom andgloom world of cybersecurity,
the conversation.
The cliche is it's not if it'swhen.
(11:05):
Um and there's there's a fairdegree of truth to that right
you need to be prepared to dealwith recovery of your systems.
You know where your data is.
You need to know what you'redoing in terms of exposing your
organization to, you knowthreats.
Whether or not you really needto do certain things online is a
(11:26):
question.
There isn't any one solutionthat is going to come in and
secure your entire organization.
It's about defense in depthright, having multiple security
layers and capabilities.
Those things need to happen,but that still doesn't make you
foolproof, if you will, from abreach.
Some of the most sophisticatedorganizations are getting
(11:52):
breached because they have veryvaluable information and,
despite these massive budgets,it makes it very hard to keep on
top of it because the bad actoronly has to succeed once.
Right, this is the hard thing.
You see all these things in thenews and all the sound clips
and the sound bites about.
Are these technical peopledoing enough?
(12:13):
Why didn't they do it?
Well, they have to be 100 for100.
Well, for the one time they getbreached, you're on the news
for a huge amount of time.
And that's, I think, one of thebiggest challenges we've got as
a sector right now incybersecurity is how do we keep
the professionals from burningout?
(12:33):
You can't always be perfect andit's hard to hold people to
that bar, because for the, youknow entire career.
If you know the one day thatthey had that they got breached,
that be what is remembered, notthe 99.9 of other days where
they kept the place secure.
(12:54):
And I think that's a realchallenge to continuing to
attract, uh, the biggest and thebrightest to the the job,
because often it's a thanklesstask, um, and we're seeing a lot
of change in the, in the in thelandscape right now.
You seeing a lot of change inthe landscape right now.
You see a lot of legislationcoming in, certainly in the US
they've changed the rules ondisclosure, so there's an
(13:17):
obligation for organizations todisclose certain types of
breaches.
So, in turn, you're seeing moreof that in the news cycle,
because now they are obligatedto disclose.
Now they are obligated todisclose, and there are
certainly situations now wherepeople are being held
individually accountable in theexecutive suite for
(13:38):
cybersecurity.
So I think, at a high level,some of that stuff's great and
good that we need to makecybersecurity a very definable,
very important part of everybusiness strategy.
Right, if you're equivalent toyour CISO, if you're a smaller
organization, your IT personwho's responsible for security,
if they are not sitting at thetable with your overall business
(14:00):
strategy, then you are missingthe message right now.
Right, it security andcybersecurity has to be part of
your business strategy just asmuch as marketing and product
and everything else.
Takara Small (14:15):
You know, one of the other really big challenges
associated with improvingcybersecurity is also educating
the general public Right andthen asking them to implement
steps as well.
I'm thinking multi-factorauthentication to implement
steps as well.
I'm thinking multi-factorauthentication.
How, you know, does someone inyour role get Canadians to?
Jon Ferguson (14:41):
care and actually put in place those types of
defensive mechanisms.
Yeah, I mean, one of the greatthings about working for CIRA is
just our focus as anot-for-profit and a focus as a
Canadian entity on the Canadianmarket.
That's one of the things that Ilove about this job is being
able to speak to my country andbe focused in on what we can do
to make people more aware here.
(15:01):
I do think there is thisbaseline level of cybersecurity
which we're trying to geteverybody aware of right, and we
had our antivirus moment, Iguess in the 90s right, where
you used to buy a computer andgo online and maybe you
installed antivirus.
Then we got to that point whereyou had to have it or else
(15:22):
you're yeah, you're going tohave a problem to a point now
where you can't buy a computerwithout it having antivirus
baked into it, and so we'regetting there.
I think, in terms of educatingthe younger crowd, educating a
lot more people, there's a tonof free resources out there.
If you look at something likethe Canadian Shield that CIRA
(15:44):
provides ourselves.
It's a protected DNS you canput on your phone and put on
your router at home and that'llblock a lot of bad websites that
might infect your computer.
It's a free service.
The Canadian Center forCybersecurity offers a whole ton
of resources on how to identifymalicious stuff.
It's got to be part of ourprofessional training and our
(16:08):
school education to.
Frankly, in my opinion, it isone of those things right now
which is, you know, just asimportant as teaching your kid
how to cross the street.
You know, look both ways.
Well, don't go on the internetwithout some basic security has
to be part of that education andit's going to be a challenge
when you think of, you know, thewhole world of deep fakes and
(16:31):
and all these things that arehitting us right now.
No doubt there will be ways tobetter detect these things as
the technology catches up on theon the good side, but I think
there's a large degree ofskepticism or curiosity that we
need to bring to things.
You know, if I'm getting emailsfrom places I don't recognize,
(16:53):
or for getting asked for lots ofpersonal information, is it
really worth my personalinformation to be able to get a
10% discount coupon code forsomething I'm buying?
Yeah, we have to start toconsider what's being done with
that data and that informationthat we've been freely handing
out, because a lot of cases.
(17:14):
A little bit of restraint, alittle bit of extra criticism or
a critical eye on information,and people will protect
themselves from a lot of thedangerous things that they're
running into.
Takara Small (17:30):
Is there anything at CIRA that your team and the
organization is advocating forsupporting to help create a
safer online space?
And I'm, you know, immediatelythinking of Bill C-26.
Jon Ferguson (17:45):
Yeah, so you already answered your own
question.
C26 is definitely one of them.
So again, maybe I guess a quickrundown on what C26 might make
sense for some of the listeners.
But it's really you know thisfocus.
I mean the act is an act forrespecting cybersecurity.
Um, you know it's been in thelegislative process for quite a
(18:12):
while now and we have been partof a number of working groups
and consultations.
We actually submitted somerecommendations to improve the
bill.
Now we're generally supportivebecause the goal of the bill is
to improve internet security anda primary focus really on
critical infrastructure.
Right, how do we protect thingslike waterworks, utilities, you
know all that type of thing.
But really we've been focusedin on just improving oversight.
(18:35):
Right, if you're going to putnew regulation in, who's going
to make sure that it'simplemented properly, that
privacy is respected, that thereis safeguards around the data
that's collected?
You know we've heard in thepast.
You know, at one point, you know, metadata became a big news
phrase.
No one cared about metadata forlike the first 15 years of the
internet and then, all of asudden, when we figured out that
(18:56):
you could put all this littletidbits of tags of information
together and you could, couldactually build a real compelling
picture of somebody or anorganization.
Then, all of a sudden, we caredabout that.
So there's these nitty grittydetails around how.
Then, all of a sudden, we caredabout that.
So there's these nitty grittydetails around how the wording
(19:16):
gets framed that allows data tobe shared, not shared, and
improving the transparency sopeople can better understand it.
Those are all things that weadvocate for, I know.
Generally speaking, a saferinternet everyone would benefit
from, but understanding howthat's being done is very much
important as well.
So we're definitely excited tosee how it will shape, because
it's still uh, it's still goingthrough the process.
It still has to go through thesenate.
No doubt there'll still be somemore changes.
(19:38):
So we'll we'll be following upthere.
But, um, but there's more thanc26 going on.
I already mentioned there's awhole bunch of international
initiatives going on right nowthat are looking at how do, how
do the network.
The internet is actually aseries of smaller networks that
all interconnect, and some ofthose could be looked at as
(19:58):
national infrastructures thatinterconnect, and so a lot of
that relationship, in terms ofcross-border relationship, is
going through a whole bunch oftransformation and ideation and
new technologies.
You know we've, we've gonethrough the bitcoin uh evolution
or revolution, or however youwant to phrase it, but that same
underpinning technology that'sunder bitcoin ledger technology
(20:21):
and it's it's permeating inother areas of the internet.
And so, uh, there are new, newinternets out there, which,
which are very niche servicesthat are going on out there, but
they're becoming moremainstream, not just
cryptocurrency, so those aregoing to potentially hit your
browser at some point in the nottoo distant future and it'll be
(20:45):
interesting to see how thosethings sort of come together.
The one surefire thing isthere's a million things going
on related to the internet, asthere always is, and it
continues to be really a placeof amazing innovation, so that
definitely keeps it interestingon a day-to-day basis.
Takara Small (21:04):
One of the things you mentioned that kind of stuck
with me was the burnout comment, and it's interesting because
it's rarely talked about andthere has been a very
coordinated push in Canada totrain and educate more Canadians
to take on cybersecurity roles,because there is a dearth of
them.
There aren't enough of them.
So I'm just wondering, like,how do you deal with that and
(21:29):
how does the industry come toterms?
Because all you really need isfor there to be one time where
maybe you don't have thecapacity to protect your org or
your company from a milliondifferent threats and you're
hacked.
But there's only a finitenumber of cyber security
specialists in Canada.
So I mean I mean that must meanpeople are completely working
(21:51):
100% all the time.
Jon Ferguson (21:54):
Well, I like to think people are busy, but, yeah
, there's just a couple ofelements to that question.
I think Takara One is the wholeCanadian landscape in itself.
It's not unlike a lot ofcountries where we're highly
dependent on businesses,countries that are not Canadian
(22:19):
and so I think there's a bigneed and a drive to build up
this national capacity.
The digital world is a bit of anew frontier, right?
You look at what happens thesedays in terms of conflict.
There's clearly a whole lot ofcyber threat that's being
generated by nation stateactivity, and so having our own
(22:42):
domestic experts andcapabilities is just good for
the country, and we do have alot of brilliant people really
in the AI and quantum space.
Canada in many respects, areworld leaders already, but,
you're right, as a generalpractitioner or role, there are
(23:05):
more roles than there are people, and that's where you see this
real hard push to automation, tosort of centralizing some of
these services with managedservices.
So cloud is an example oftrying to create the ability to
do bigger things with lesspeople not necessarily less
(23:25):
resources, but less people andthose things will continue to
happen.
I think partly where you getthe AI conversation gets to is
you can turn some more mundaneor people intensive processes
that we have now into moreautomated processes and you
hopefully redirect people intoto more high valued work.
(23:49):
But it's also about building upthese skill sets right.
We you know, 20 years ago asoftware engineer would not have
been coming out of universitiesor college programs at the same
rate they have been for thelast five to 10.
And we probably will see ashift again as we move forward.
Cybersecurity, I think, isstarting to have a moment.
(24:10):
I've been lucky enough to havesome good interactions with some
folks here in Ottawa at some ofthe universities who are
building up moremultidisciplinary training,
education programs at thepost-secondary level, but even
talking to secondary schoolcurriculum folks who are trying
(24:34):
to build in this idea ofcybersecurity.
I've got two young boys, I'vegot an eight year old who's
learning about passwords in hiselementary school class.
I mean, we're pulling thatstuff down to kids so they start
to learn about it earlier and Ithink that is just going to
(24:55):
probably proliferate the factthat your average kid or student
who comes out of school youknow we don't ask on a resume
right now you know how fast canyou type.
I remember when I startedapplying for jobs.
No, microsoft Word was a skillyou put on your resume.
We don't do that anymorebecause it's just a basic
(25:18):
digital literacy skill thateveryone who comes out of an
education system now has.
Quote unquote cyber skills, orknowledge that we today have to
train on, they're going tobecome second nature to
everybody.
Right now that we all have cellphones, we don't think as much
(25:40):
about a two-factorauthentication, right?
If you get a text message tolog into a webpage after you put
your password in, most peoplenow don't think twice about that
.
But that was a huge friction,you know, five, ten years ago to
get people to consider that asnot being a massive
inconvenience.
So we're getting places wherethe user experiences around
(26:04):
cyber security are becomingeasier, better, so we're able to
adopt things better.
Skill are are changing so thatpeople are more aware of some of
this stuff, and I think that'sit's a lot of this is about us
keeping, um, that idea of that,that knowledge, forward front of
mind, right, everyone's part ofthe cyber defense of their
(26:25):
organization and your home, forthat matter.
Um.
So what are you doing to makesure that you don't do the wrong
thing when you're onlinebecause we bring all those bugs
and issues and challenges withus, especially now that we work
so much from home.
There's really a big blurringof the lines between the secure
(26:49):
work networks quote unquote andyour home network.
So lots to think about.
Unfortunately, some days it'stoo much to think about, but
there is an evolution going onand that's the one thing we can
count on.
It's going to keep movingforward and keep changing.
Takara Small (27:06):
That was John Ferguson from CIRA.
So, as a nation, are we slowlywaking up to the magnitude of
this problem?
Well, cira has just publishedits cybersecurity survey for
2024, and the results showedthat 76% of organizations have
increased their staff devoted toIT system management and
(27:29):
cybersecurity in the past 12months.
System management andcybersecurity in the past 12
months.
So that's moving in the rightdirection, but there's a long,
long way to go.
David Shipley (27:43):
David Shipley has some big concerns about the
future.
We are so radically unpreparedfor the negative consequences of
this technology, and it is theJapanese high-speed train of
consequences compared to thelocomotive that was the internet
for the last 30 years.
What do I mean by that?
Let's start with deepfake videotechnologies that can be run on
(28:08):
an old Dell laptop.
That can now be used to createnon-consensual intimate images,
synthetic intimate images ofindividuals, and it is being
done.
There are telegram channelswhere you can drop pictures of
someone you want to target andwithin minutes it's going to
send you back pretty awful,realistic pornographic images
featuring that individual.
(28:28):
So how does that play into thisawful narrative that we've
already seen, where the internetdisproportionately impacts
women or people who identify aswomen, and so that's just going
to get worse?
How do we deal with this awfulstory of misinformation and
interference in a world whereevery possible news outlet is
(28:49):
getting polluted with AIgenerated garbage, and social
media is completelyirresponsible as its AI becomes
more sophisticated and it'sharmful algorithms, as we
mentioned Francis Hogan'stestimony, continues to go
unregulated in this country andin others.
And then how do we deal withincreasingly sophisticated fraud
(29:10):
and cyber attacks that thestakes are increasing.
The, the first generation ofransomware, the dumb criminality
that made billions of dollars,is coming to an end as
consequences emerge as theglobal counter ransomware
initiative takes hold.
That doesn't mean it's over.
It just means that the firstchapter is over and now we're
seeing nastier, moreconsequential attacks.
(29:33):
London drugs I mean this is thefirst major retail outage we've
seen in this country.
That went on for nearly a week.
How many millions of dollars?
How much harm did that cause?
And that's just the taste ofwhat's to come for the
healthcare sector in Canada.
That is woefully unprepared.
So it's going to get meaner,it's going to get harder and
(29:54):
honestly, I wish I had betternews on that side.
I have tried for years, sinceNewfoundland's attack, to raise
the alarm, but I feel like oneof those Old Testament hair
shirt wearing prophets.
These weren't very popularpeople back in the Old Testament
.
They're not popular today.
There's a reason why some wouldrather get swallowed by a whale
(30:15):
than go to the town and sayrepent.
And what I'm saying is investand prepare.
And it's not about being hackedanymore.
It's about resilience tohacking and building a better,
more fair society that betterprotects our most vulnerable
while we are increasinglydigital.
Takara Small (30:35):
I have to ask why even try, then you know, for
people who are listening smallbusiness owners, maybe you know
tech leaders, you know CEOs ofmajor corporations and down to
the individual.
They may think, okay, so wedon't have enough funding
nationally.
There is an ever increasingthreat.
(30:57):
There are criminals who aregetting faster, smarter and
better at hacking.
Should I even try?
Is there even any reason toattempt to protect myself?
David Shipley (31:10):
There is hope, basic measures and steps.
Microsoft has shown that evendoing something like turning
multi-factor authentication oncan cut your risk by 99.9% to
that digital lock picking that Imentioned earlier that got CRA.
So there are some basic stepsyou can take that can actually
(31:30):
dramatically reduce risk.
So there is proven, there'sstrong evidence doing something
can pay off.
Planning and preparedness arealways worth it.
But I'd say this I want thenext 30 years to be a better
story for the next generationthan this 30 years of the
internet has been.
And the journey starts small.
(31:53):
It starts with all of us doinga little bit better.
But this challenge ofcybersecurity, it's one of those
wicked problems like climatechange.
It's one of those things wherewe have to act individually and
collectively and we have to havehope.
I believe in the power of thehuman spirit.
I believe in our ingenuity.
I believe in our innategoodness as individuals in the
society to want to do the rightthing.
(32:15):
We will rise to the occasion wehave in every previous
civilizational challenge.
But we got to wake up, and thepart of that unfortunately means
making people uncomfortable.
It means taking away that last70 years of comfort that we've
lived under and realizing we'rein a whole new world and we all
(32:38):
have to step up.
Takara Small (32:40):
And I wonder what your thoughts are on innovative
privacy protecting technologiesthat can be used for good or bad
.
So we kind of mentioned Onion,tor.
There's obviously Signal aswell, and these are, you know,
programs, services, apps thatare designed to protect an
individual particularly.
(33:01):
You know, sometimes people incertain countries are not
allowed or even able to sharetheir thoughts or political
leanings, but they can also beused for nefarious reasons.
So is there a way to balancethem, or is it just, you know,
it is what it is.
David Shipley (33:18):
I think it's exactly what you said.
It's balance.
Right now we're in the nextversion of the encryption wars,
where end-to-end encryption isunder assault in the Western
world and certainly inauthoritarian regimes, to break
it for all kinds of reasons thatmake a lot of sense when police
(33:39):
articulate we want to break upcrimes in action, we want to go
after the perpetrators ofheinous crimes like child sex
abuse material, etc.
The problem is that policethemselves, empowered with this,
this tool, then become thetargets, and if the NSA and the
CIA can keep their hacking toolssafe and punchline they didn't
(33:59):
so far then no, you can't havethe global keys to the kingdom
on the nature of relationshipswhen it comes to data ownership,
and Tim Berners-Lee, the fatherof the modern World Wide Web,
is leading a movement that Ifind intriguing.
(34:20):
It's this idea of privacy, datapods that, instead of having
elements of my personal datareplicated throughout the world
in various pieces and forms thatcan then be lost, stolen and
recombined, that can then belost, stolen and recombined that
there would be a single,controlled instance of my
personal data that folks wouldseek my permission to access to.
That would be far easier for meto withdraw my consent and
(34:41):
access to and that would somehow, in digitally or physical form,
be under my control, and I lovethat idea.
And this is a return to thatdecentralized web, to shaking up
some of the power of big techand other things.
Whether or not that plays outor not, I don't know, but it's
the most fantastical and bestthought out idea to counter some
(35:04):
of these big challenges I'veheard.
Yet we often hold organizationsto account, particularly public
sector organizations,municipalities, healthcare and
we wag our finger how dare youget hacked?
But yet when politicians showup at our doorstep, are we
talking about how important wethink it is that they invest
time and laws and infrastructureand spending to protect
(35:26):
ourselves online?
No, so politicians follow us.
So if there is blame for thelack of security in this country
, it's.
We all own our piece of it.
Takara Small (35:38):
And that's David Shipley from Beauceron Security
Inc.
So where does all this leave us?
The future of cybersecurity isgoing to be both challenging and
exciting.
Emerging technologies willtransform how we protect
ourselves, but they'll alsointroduce new risks.
The growing threat landscapemeans that businesses and
(36:02):
individuals will need to be morevigilant than ever before.
As we wrap up this season, onething is certain Cybersecurity
is no longer an afterthought.
It's a critical component ofour digital lives and will only
become more important.
But rather than scaring you toomuch, we wanted our last guest
(36:26):
of the season to offer someperspective.
Bruce Schneier is a leadingexpert on cybersecurity, and we
first heard from him in episodeone.
Bruce Schneier (36:36):
You know my thoughts about the future have
nothing to do with computers.
They involve climate change,they involve democracy.
They involve some reallyserious problems that our
society and species has to solvepretty soon.
I mean, cybersecurity probablydoesn't hit the top 10.
But if you want to talk aboutcybersecurity, I think we're
(36:58):
doing okay.
You know we mess up around theedges and we as a culture tend
to get things wrong before weget things right.
But we eventually get thingsright, and I think we will in
this case as well.
I mean, I don't think societywill collapse because of a
cybersecurity problem.
Takara Small (37:16):
It's the other things.
Climate change it's the otherthings.
Bruce Schneier (37:18):
Right, you know, and we're not going to solve
climate change until we fixdemocracy, and we're not going
to fix democracy until we fixcapitalism.
Takara Small (37:26):
Right, ok.
So then I mean, how do you staypositive?
I mean, those are pretty bigissues we're facing, you know.
Bruce Schneier (37:36):
I think a positive outlook is more
internal than external, and evenin the years we were losing
policy battles left and right,you know the goal was to lose
them slower or to lose them less.
So I think you can maintainpositivity even if things are
going bad.
You know, it's really how youinterpret it.
Takara Small (38:00):
I think that's like the best way to answer to
end our interview.
Bruce Schneier (38:04):
It's funny.
And even if you don't have hope, you need to project hope,
because otherwise, if you'rehopeless, you're definitely
going to lose.
If you have hope, even ifthings are bad, you're
definitely going to lose.
Right, if you have hope, evenif things are bad, you might win
.
Takara Small (38:20):
It's your only shot.
A big thanks to Bruce and allour guests throughout this
series for being so generouswith their time and talking to
us.
If you're feeling inspired andyou want to learn more about
cybersecurity in Canada, you can, of course, check out siraca
slash cybersecurity and have alook through their social
channels as well.
There's loads of great stuffgoing on right now for
(38:42):
Cybersecurity Awareness Month,including that survey I
mentioned earlier, and if youhaven't already listened to
season one of the show, why nothave a listen back to that as
well?
Thank you so much for listening.
Bye, guys.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.