Security in a Volatile World by Abhay Ramen
By Canadian Institute for Cybersecurity (CIC)
Key Concepts
- Five Key Risks: Political tensions, sovereignty/nationalist policies, innovation, conflict, and difficult economic/social climate.
- Five Buckets of Risk:
  - Potential threats due to trade and sovereignty arguments.
  - Data sovereignty and localization.
  - Regulation (increasingly prescriptive).
  - Sharing reductions (threat and incident information).
  - Growth of AI leading to brand exploitation and fraud.
- Types of Attacks: State-sponsored, credential theft, AI-driven fraud, malicious bots.
- Mitigation Strategies: MFA (Multi-Factor Authentication), screening, identity verification, client awareness, academic and industry collaboration.
- Supply Chain Risk: Concentration of technology, hardware, software, and people in specific global regions.
- AI and Impersonation: Sophisticated impersonation techniques, lack of suitable technology and response frameworks.
- Client Awareness: Importance of educating clients on safe and proper use of digital services, especially AI-enabled ones.
- Ransomware (New Form): Bundling of unwanted software functionality with essential software at increased cost.
Summary
The speaker begins by acknowledging the complexity of the current global landscape and the challenge of relating various volatilities to cybersecurity executives. They propose organizing these volatilities into five key risks that have proven useful over the past eight months. These risks are: political tensions, sovereignty and nationalist policies, innovation, conflict, and a difficult economic and social climate. This complex environment creates a tension between the need to provide new digital services, generate revenue, and protect national security and basic needs. The speaker emphasizes the importance of making a strong case for security investment, noting that often "blue button" (basic security measures) are overlooked in favor of other priorities.
Five Buckets of Risk
The speaker then elaborates on five specific risk categories they use to frame discussions:
- Potential Threats due to Trade and Sovereignty Arguments: This refers to situations where access to technology or services can be withheld based on political or trade disputes. The core idea is "I invented this, therefore if I don't like you, I won't give it to you."
- Data Sovereignty and Localization: Speaking for a global company operating in 26 markets, the speaker highlights pressure from countries demanding data localization. This means data must be stored and processed within national borders, with access restricted to citizens of that country. This trend extends to "technology sovereignty" in general.
- Regulation: While some countries are moving away from regulation, the speaker's experience involves increasing and more prescriptive regulations. While beneficial in some ways, prescriptive regulation can also be a significant burden for businesses in regulated industries.
- Sharing Reductions: The speaker stresses the importance of collaboration and information sharing (threat intelligence, incident data) for effective response. A reduction in sharing leads to greater problems, as organizations cannot independently process the vast amount of available information or focus on the right priorities.
- Growth of AI Leading to Brand Exploitation and Fraud: This is a significant area of concern, particularly regarding misinformation and its potential to manipulate markets. The speaker raises the critical question of when misinformation will become so pervasive that it becomes impossible to distinguish truth from falsehood, leading to poor decision-making, especially in investment. For the speaker's firm, a large investment manager with over a trillion dollars under management, this is a direct concern.
Connecting Risks and Supply Chain Challenges
The speaker explains how these five risks can encompass emerging threats like quantum computing (fitting into emerging risks) or intelligence and response (fitting into sharing reductions). They also note that supply chain challenges, encompassing technology, processes, and people, are fundamental to addressing these risks.
A real-world example is provided from the week before Russia's invasion of Ukraine. The company conducted an analysis of their exposure in the region, assessed potential threat actors and their operating methods, reviewed their controls, identified gaps, and determined funding needs to address these vulnerabilities. This analysis also extended to their supply chain for technology, hardware, software, and people, revealing significant concentrations in certain global regions, a common issue for many companies. The speaker acknowledges that achieving technological self-sufficiency will be a long process.
Types of Attacks and Mitigation
The speaker simplifies the types of attacks observed into four main categories:
- State-sponsored attacks: Targeting critical infrastructure or financial institutions, or used to fund political agendas without attribution.
- Credential theft: A significant problem, especially in the retirement business, due to low barriers to entry. Passwords stored insecurely on browsers or stolen by malware (e.g., info stealers) can lead to substantial financial losses for individuals, particularly the elderly who may not be monitoring their accounts closely. The speaker notes the emotional toll and the financial burden of making victims whole.
- AI-driven fraud: This includes sophisticated impersonation techniques that are becoming "academically spectacular." The speaker points out a lack of suitable technology and frameworks for identifying and responding to these AI-driven impersonations. They advocate for greater academic and industry collaboration to address these complex issues, suggesting that deep research is needed beyond simple brainstorming.
- Malicious bots: The speaker humorously notes the prevalence of bots, even for seemingly minor issues like Facebook account access attempts. They observe a significant increase in these types of attacks.
To help people understand these risks, the speaker suggests synthesizing them into three or four key areas. For instance, when assessing the likelihood of credential theft, they use metrics like the percentage of properties with Multi-Factor Authentication (MFA) to quantify exposure and justify investment in remediation.
Mitigation Strategies and Their Limitations
The speaker discusses mitigation strategies from a business perspective:
- Screening: The speaker questions the effectiveness of screening, noting a lack of data or research to prove its efficacy. While it adds a process step and may create a false sense of security, individuals can often circumvent it.
- Identity Verification: An example is given of an elaborate in-person identity verification process for obtaining a company computer, which was then subcontracted to individuals in India, highlighting potential weaknesses.
- Whack-a-Mole Approach: The speaker describes current mitigation efforts as a "whack-a-mole" game, where solving one problem leads to another emerging issue. They believe a collective effort to develop a comprehensive framework across all dimensions would be more effective.
Credentials on the Dark Web and Client Awareness
Focusing on credentials on the dark web, the speaker, representing an insurance, health advisory, and investment management company, discusses the risks associated with client and advisor data. These include info stealers, malware, and advisors who redirect SMS token delivery to their own phones while clients willingly delegate operation of their accounts to them. The speaker states, "you can't solve stupid," emphasizing the need for significant client education. Many clients lack awareness of technological risks, which leaves them vulnerable when using AI-enabled services.
AI and Impersonation Collaboration
The speaker highlights AI and impersonation as a key area for academic collaboration. They are involved in research with the Irish Development Authority and Irish universities, supporting PhD students to identify traits for video and audio impersonation, particularly within Teams and collaboration platforms.
The Importance of Collective Action and Research
The speaker concludes by emphasizing the need for collective action and collaboration. They mention various organizations like the Canadian Cyber Centre, Cyber Threat Exchange, Canadian Anti-Scam Alliance, and NC3, and their role in providing resources. They advocate for these entities to come together to sponsor research that benefits everyone collectively, rather than pursuing fragmented, piecemeal solutions that may only yield limited results.
Notable Quotes
- "The blue button before they go patch their systems." (Referring to basic security measures being overlooked)
- "I invented this. I built this. Therefore, at some point, if I don't like you, I'm not going to give it to you." (Illustrating sovereignty-based threats)
- "It's our citizens, our data. You can't send it anywhere else." (Representing data localization demands)
- "You can't solve stupid." (Highlighting the need for client education)
- "To me, that's a whole different kind of ransomware." (Describing bundled software functionality)
- "Otherwise, we're just going to piecemeal all of these things and it's just going to yield in a couple of papers." (Emphasizing the need for collective research)
Conclusion
The speaker presents a comprehensive overview of the complex and interconnected risks facing cybersecurity professionals in the current volatile global environment. By categorizing these risks into five key areas and detailing specific attack vectors like credential theft and AI-driven fraud, they underscore the need for a proactive and collaborative approach. The limitations of current mitigation strategies like screening and identity verification are highlighted, leading to a call for more robust frameworks and significant investment in academic and industry collaboration. Ultimately, the message is that collective action, shared research, and enhanced client awareness are crucial for effectively navigating the evolving threat landscape.