Welcome back to this episode of Security Matters Hawaii. I'm joined today by David Wilson, Esquire. He's coming to us from Denver, Colorado, where he's trying to get himself unburied from the snow. Dave, thanks for joining us today. I really appreciate it.

Sure. How are you, Andrew?

Good, man. Good to see you again. So you're out plowing your driveway?

A foot and a half of snow.

We don't have that problem here. At least not yet. I don't know what will happen with global warming, but so far we're doing all right. So you're the principal of Titan Information Security Group, Dave. Go ahead and give our audience, who may not be familiar with you, some of your background, as much as you care to share, and kind of bring us up to where you're at today.

Sure. Well, I grew up in New York, on Long Island. My goal was to join the FBI. I got an Army scholarship, went to law school, and became a JAG officer. I did that for 20 years. Throughout my career as a JAG officer, I did a lot of prosecuting and defending. And then I got into technology and started doing what's called operational law. I ended up at NSA, the National Security Agency, and worked for General Hayden and then General Alexander, and helped stand up what's now considered Cyber Command. That's where I learned a lot of the technical background, because I didn't really have a technical background at that point. I did some space control as well: how we can deny our adversaries the ability to use satellites for communicating, taking pictures, things like that. From there, I helped stand up what's now Army Cyber. And then in 2010 I retired and decided I'm going to start my own business, and started Titan Info Security Group in 2011, basically doing cybersecurity and the law, mostly from a risk perspective. And for about six years I did a lot of policy work, risk assessments, advising companies on how to be more secure, what they can do to recover from a data breach.

And then things were a little slow, and my friend came to me (he's a reservist) and said, hey, they're opening the contracts at the courts, do you want to get back in the courtroom? I'm like, well, I love the courtroom, not really knowing what I was getting into. So I signed up and took a contract as a court-appointed attorney doing dependency and neglect cases, where I represent parents having their kids taken away. You would think normally for abuse, but around here it's usually for neglect, because we have a lot of people that are addicted to meth, and now marijuana, and things like that.

Wow.

And so I've been doing that, which basically consumed my life, because I went from zero cases in 2017 to 95 cases in 2018.

My gosh.

In less than a year.

Wow.

But I'm trying to transition a little bit away from that and get more into cybersecurity. I think this time around I want to do it more from the data breach perspective: do investigations and defend companies that have been breached, versus trying to help with the preventive side. As we'll get into a little bit, I'm just not seeing a whole lot of movement on the preventive side.

Yeah, it's interesting. I concur. I mean, there's more awareness on the DOD side. We've now got this Cybersecurity Maturity Model Certification that's going to be something we're going to be audited against, but that's just to win a contract. What they're going to do with the people who fail audits, I guess they'll lose business, but there's not the teeth of law in a whole lot of cyber yet. The way I understand it, maybe could you give us a little bit of what's the difference between a statute and a regulation, and where does law come in? I think most people are familiar that if you steal something, that's theft, and there's a law against that. But where does it come from? This is not the Code of Hammurabi days. This has evolved from some place, but I'm just not aware of where the teeth of law come into play, because there's civil law and legal law or judicial law or whatever it is. I don't know the differences.

Yeah. Well, from a cyber perspective, there are very few laws. It's mostly criminal. So if you're a hacker and you hack somebody's network and cause a data breach, or you steal information or intellectual property or what have you, every state has a law against that, and the federal government has laws against that. And that makes it criminal. When you get into other types of laws, more of the civil or administrative type of law, then you're getting into regulatory requirements, things that companies have to do, and, like you were mentioning, primarily when they're dealing with the government. So you have to deal with, forgetting some of the acronyms, some of the regulations out there, and those are laws, but they only apply to a specific sector of people: those dealing with the federal government if it's a federal law, or state government if it's a state law. But most states do not have civil laws that are dealing with cybersecurity. With the exception of California and Massachusetts, they've implemented some laws, but those are primarily to allow their attorneys general to go after companies that they feel have not implemented good cybersecurity: they were breached, and then the attorney general is like, well, you haven't implemented good cybersecurity. And I guess the best example everybody's probably familiar with is HIPAA. If you violate HIPAA, you don't have good security and you allow patients' personal information to be leaked and released, then you are subject to the HIPAA laws, which is not criminal, but your company can be fined by the FTC or one of those federal agencies.

And the federal laws, is there like a subscription? So if I'm a hospital administrator, or let's say I own Kaiser, because I guess those are all non-profits, I mean, who's held responsible? Is there just a fiscal responsibility to the regulations? And so an investigation shows that I was negligent in applying some safeguards, and then I get a fine? Or is the board held liable? Is that kind of stuff happening?

Yeah, well, the FTC is fining people. People, let's say individuals, especially if you have a huge HIPAA data breach. They are holding them accountable. Not significantly, but they have put some teeth into the HIPAA law. It's just, again, it's bureaucracy. So it's really hard to figure out what you can do and what you can't do. And I would say, to get a little bit back to the basics, you have a lot of jurisdictional issues. The federal government doesn't have jurisdiction over you unless you're dealing with, let's say for instance, the internet. The internet allows the federal government to get involved because the internet goes all over the country; it goes from state to state. The best example is an interstate highway that goes from, let's say, Colorado into Kansas. That's pretty much controlled, and there's federal funding for that, because it's going between one state and another. Otherwise you'd have Colorado and Kansas trying to work out a deal between themselves: we will pay for everything up to the border here, you pay for everything up to the border there. And you may have a mile in between where neither side claims it, and it's full of potholes and it's all dirt.

I see. Okay, that makes sense.

So they pump money into that and make sure that highway is free-flowing, and you get into the same thing with utility companies that are crossing state lines and things like that. But then the states have their own laws that are supposed to regulate what's going on within the state. And it gets trippy when you do interstate commerce over the internet, because a lot of states have talked about internet tax and things like that. And then you end up in the battle of, why should somebody in Massachusetts pay a tax to a company in Colorado when they're in Massachusetts and they've just bought something over the internet?

Right. So it's like retail sales tax out of state. Let me understand that. Let me posit it in a different way. So would it be considered different if, let's say, I'm hacking across the internet from Kansas into Colorado into a company, versus if I were outside that company's parking lot and I was using their wireless network, so it was only local? I'm truly not on the internet. I've just hacked into their outdoor Wi-Fi or something. So I'm not using the internet or transiting it. And if there's no state law, have I broken any law? I mean, I don't even know.

It gets tricky there, because is their local Wi-Fi connected to the internet?

Yeah. I mean, in our industry we'll have maybe a camera with a direct wireless shot right back into their local network; it's out in the parking lot. So let's just say you jumped on that hot spot. You weren't really on the internet, you're just directly into their network.

If it's wholly contained, and you can argue that it's wholly contained, then no federal laws would apply.

Wow. Imagine that. So that's an interesting thing. We shouldn't teach the criminals, probably.

And it becomes really difficult. The problem is most people in the courts, and a lot of the U.S. Attorney and District Attorney's offices, don't fully understand all the technology behind it. I would be looking to find an expert who can tell me, is that somehow connected to the internet, and could there be a leak from that system out to the internet, and then can you apply federal law based on that? So it would be a big fight, depending on what side you're on.

Yeah, and I'm wondering if that's why there's still not a law. I know that when it's over the internet, attribution is very difficult, and attribution is just that: finding out who's the party that started it. We've talked on this channel a little bit about Tor networks and the ability to hide, enter a network and then exit at a different place, so it's hard to figure out who you are, because that's all encrypted. So do you think that's why it's been a slow sell for law enforcement to engage with cyber crime? Because it seems like the criminals aren't getting as much attention as the breach, like you said, a HIPAA violation or a PCI violation or something like that.

Well, it would appear like most of the hackers are coming from outside the U.S.

Yeah.

I would argue that they're coming from inside the U.S. as well. A good hacker is going to hide their tracks and bounce all over the place. If they're truly outside the U.S., then you have extradition problems. So typically Russia is not going to allow us to extradite hackers from Russia and bring them over here. In most cases they get caught somewhere else, like in England or somewhere like that, and we snatch them and bring them back. That's the big problem, and then, like you mentioned, trying to figure out who it is. Even the attribution piece comes down to the old adage: it could be a dog on the other side of that keyboard. How are you going to prove who's actually pressing those keys, even if you figure out what computer it's coming from?

Yeah, it's interesting. To your point, we definitely had some good arrests this year, some Russian guys we caught in the Mediterranean, some in London. And there's this big issue of using the internet for child pornography and actually the trafficking of kids and all this kind of stuff as well. I hope we continue to have ways to do that. If we encrypt everything, I'm concerned that criminals may hide behind some of that. I'm hoping it doesn't come to all that. I want to talk about the difference between physical security and cyber security, and then in the next part I want to tie that into the risk, what companies ought to be thinking about. Real quick, are there better laws about physical security today, in your opinion, than about cyber security? If I've been attacked on a property, is that property owner liable because he didn't have good security there? We have these shooting incidents in schools; are the schools liable for not having good physical security? Do you think those laws are clearer, or are they just as murky today as cyber law?

I would say murky, because a lot of it is regulatory. They're trying to regulate: you can do this, or you can't do that. And a lot of it comes down to, if you're going to accept state money or federal money, then you have to comply with certain standards like FISMA and all those different things. Unfortunately, we have a lot more regulation and a lot more theories, but not a lot more security. And as far as I'm concerned, it still comes down to the basics, and people just aren't doing the basics.

Yeah, that's a fact. I'll tell you what, we're about on our break time. We're going to take about one minute, we're going to go pay some bills, and we'll be right back with David Wilson.
Aloha, welcome back to this episode of Security Matters Hawaii. We're in the Think Tech studio in Hawaii, live with Dave Wilson from Denver, Colorado. Dave, thanks for joining us today. We were kicking around this difference between physical and cyber law, and you mentioned that there are regulations based on whether the state's funding things or the feds are funding things, for example for school systems. I'm interested: where is this liability going to fall? How would a school principal be either guilty of negligence or guilty of non-compliance if they're getting, let's just say, funding from both? What's the measure? How does this happen? I don't know what they walk in and do and say. Hey, you did nothing, well then you're negligent. But if you've done some things, and you think those are your best practices, or all you could afford, is there liability still there from a law standpoint, I guess, is my question.
Yeah, there is. I guess it would come down to what level of negligence. If it was gross negligence, that would be easier to prove, and in most cases it's going to be a civil matter. Or they decide, hey, we're going to fire this principal because he didn't do his job. The problem is, here's a good example. When I was prosecuting in the military, I would get commanders who would come to me and say, hey, I've got to get rid of this soldier, he's a bad dude, he's screwing up. And I would ask him, okay, have you got the paperwork? Can you show he knew what the standard was and he wasn't performing to that standard, or he was screwing up, or what have you? No, no, we just reprimanded him or chewed him out. I said, you need a paper trail. You can't just say, suddenly, here's a standard, you didn't meet it, now we're getting rid of you. He's going to come back and say, well, it would have been nice to know what the standard was before I started, or that I was trained properly.

Sure, understood.

Another good example is the deputy sheriff down in Florida after that shooting. They literally prosecuted him, claiming that he didn't meet the standard. I don't know what they actually charged him with, but they said he hid while the shooting was going on instead of going in. To me that's very unusual. Hopefully you can figure out who's going to go forward and who's not. Like when I was in Iraq, there were people that I knew, that I was told, oh, so-and-so over there, he says I'm not going outside the wire, you can't make me go. That's like saying, dude, you're in the Navy and you won't go in the water. So you've got to figure out who will do that and who won't. But it's mostly from a civil perspective. You're going to get people suing, and it's tragic, but when you really think about it, things happen, and sometimes you just can't control it, and you can't legislate your way out of it. Life is not perfect and things are going to happen. Granted, you need to go back and do lessons learned: where did we go wrong, what could we have done differently, how could we have been more alert. But everybody wants somebody held accountable.

Yeah, that's interesting, right? And I find that no one wants to participate in the earlier stages, when we had indicators of problems. People don't stay engaged with you. They want someone else to deal with that too. Somebody else is always accountable, never me. That's a problem with security in general, right?

Yeah, which is a great segue. I am not a fan of the trial bar in this country. They keep initiating all these class action suits for data breaches and pointing at the companies and saying, you did this wrong, you did that wrong. I was reading on the site, I think it was the trial bar, bar.org or something like that, and they were describing all these class action suits that have been dismissed because the plaintiffs couldn't show that they had an actual harm. You can't go in there and say, well, my Social Security number was stolen, so I'm assuming I'm going to suffer identity theft and I'm going to have all these damages. It's like, how about you wait till you actually have a damage and then you sue.

So it's like a bandwagon effect.

Oh yeah, and they were all thrown out of court. Personally, and this may not be the popular side, I would rather defend all these companies that are breached, because that is such an easy argument. What I would do is say, okay, let's put consumer X on the stand. They say, oh, Walmart suffered a data breach, I used my card there, I suffered identity theft, therefore you're liable, you owe me money. And I would ask them, okay, let me see, where else did you use your card that day, or that week, or that month? Well, I used it at Target, I used it at King Soopers, I used it at Home Depot. Okay, well, they were breached, they were breached, they were breached, and they were breached. How can you prove your identity theft was because of something that happened at Walmart? And they can't make that link.

Yeah, and especially, I think most consumers wouldn't have that capacity. There's a lot of forensics there, and I don't know if it's typically found in the log files; it depends on what evidence they would have, or where the data is. Typically this data, these big data bins, will show up on a Pastebin or a Reddit or somewhere, and so there's some assumed attribution, but that doesn't mean it's true. So somebody has to go through that, I guess, and forensically confirm where the data came from.

And I don't know. You've got to get into the underground and then start doing an investigation and try and pull all that information, and from what I've seen, these attorneys or these law firms initiating these class actions, they're not doing that. I know what they're doing: they're filing this lawsuit, they're getting all these victims, and then they're settling, trying to get a settlement. Nothing has gone to the point where a court has to make a ruling on whether there was negligence or a lack of reasonable security on the part of these companies. They settle, the law firm gets a big payout, and the plaintiffs, the consumers, get maybe a hundred bucks each.

I see. And then when we read about these big fines, those are regulatory? Because I guess if you have on your website, "I'll protect your information," so you've said you would, and then they get breached, is that where the FTC comes in and says, because you didn't uphold this clause, you get a fine or something? Like Experian, I think, got fined, and I don't know if Target got fined. What's the mechanism there? Because it's not criminal, right? It's regulatory, or is that considered a crime? I just don't know the difference.

No, it's regulatory, and potentially false advertising. I won't name names, but there's a very large company that does a lot of software and hardware, and they advertise, oh no, don't worry about it, we're secure, we have XYZ. And I'm like, that's a lawsuit waiting to happen.

Ouch.

And I did an assessment one time with another guy, and we were told, hey, you can't get into our company, because we have this, again, ABC software or whatever. I'm like, okay, really? Five minutes, and this guy was into their network. And I'm like, you people need to rethink. I'm not bashing the software. You've got to have the software, you've got to have the antivirus. It's just you need a whole suite of security, and then awareness, and you've got to do the risk assessment.

Yeah, and the people are still always that easy link. We've got a few minutes. Let's talk about what the business community should walk away with from a risk perspective, based on what you're seeing today. What's the advice you would give them?

They've got to do the hard work. It's too easy to say, okay, well, we've got this hardware and this software, we're secure, we don't have to worry about it. It goes back to the people. You could have the best security in the world, and then one person clicks on an email and opens a door and allows the hackers in. A perfect example is when I was in the military, we had the SIPRNet, the secret internet, and Bradley Manning went in with a thumb drive and downloaded a bunch of secrets off of the SIPRNet and then gave them away or sold them or whatever. He was convicted of espionage. He or she, whatever that person is now. He was a bad actor. And it doesn't even have to be a bad actor. It could be, I'm not paying attention, an email comes across, it looks like it's from the boss, you click on the link, next thing you know you've opened the door, or you've sent off a payment to China or somewhere like that.

Sure. So it's human error that is the weak link.

Yes, it is.

I agree. Do you think, if I've done no awareness training and then we get victimized like that, and there's a breach and we have to report it, do you feel that is negligence, if I did not train that employee and he did that? Would I be open, as a CEO or an owner, perhaps to a gross negligence type of criminal charge?

Not a criminal charge, but a civil one, certainly. To a lawsuit. And that's a lot of what I would tell CEOs: you have to be aware of what's going on with the security of your company. If I come to you and I talk to you, and your response to me is, we'll talk to my IT guy, I'm like, no, the IT guy is not going to be on the stand. You're on the stand. You have to be able to answer the questions. If you can't, then you're negligent. And I tell them, I bet if I ask you how your financials are, you could give me detail about all your financials, but when it comes to security, they're like, uh, I don't know, ask the IT guy.

That's a lot harder.

That's not going to cut it.

Hey, I hope you're paying attention out there in Security Matters land to what Dave's telling you. You may be liable. You need to be engaged from the top on down in your organization. You need to understand what's going on, because you may be on the stand. Dave, thank you so much today. I really appreciate your time. I hope it hasn't snowed another foot for you while we've been on the air.

And I can say real quick, I love cross-examining people, so I'm coming after them.

Nice. Go get them. I hope to get you on here again soon. We'll get an update from you, maybe in Q2. Take care, Dave. Aloha.

Thank you.