...and welcome everybody. So I've got about 25 minutes or so to go through a pretty deep topic, so I will speak pretty quickly, but hopefully keep you guys for those 25 minutes, and I'm happy to answer any question whatsoever once the video cameras turn off, to any degree or any level.

So a little bit about myself. I'm over 20 years in the world of cybersecurity, started off self-taught, became a hacker so to speak. These days I'm an advisor to the likes of NATO, the Obama administration. I work with Mandiant in the area of cybersecurity around the world. So essentially when there are big attacks, large-scale attacks, people like myself will turn up and help deal with those attacks. We'll also help advise governments as well as large enterprises, Fortune 500, on how to deal with this sort of threat space. So if anybody hasn't heard of Mandiant, this isn't a sales pitch, but just simply Google Mandiant and you'll find out. That's better, but these are the top authorities in relation to cybersecurity that would put Mandiant up in the top space, and I would also have them there, and that's why I recently joined them, because they certainly own this space.

So there's nothing in life that's certain but death and taxes and being hacked. If you're not already hacked, you will be hacked at some stage, or you already are. The average time that we find that somebody has been hacked is about 243 days. So if you're a contact to a company like yourselves, go in, they think they've just been attacked, you look at it and say actually these guys are on your system nearly a year, in some cases well over a year, and one of the things they're doing, they're extracting data for different reasons. We can talk about some of those reasons.

So I'll split this presentation sort of into two halves. The first half I'm going to tell you all about cyber threats, and then I'm going to talk about it from a sort of senior executive leader's perspective, the sort of things you need to do to deal with this sort of stuff.
So my daughter asked me recently, what do you do? And I said, well look, it's a bit like fire extinguishers, we put fires out. People generally call us when there's something wrong: their system is being attacked, being degraded in some way, information is stolen. But what we also do, which is just as important, is the smoke alarm side of it. It's actually the prevention side, being able to put in controls and detections to stop this sort of stuff happening, or detect when it is, because it's inevitable that these attacks will occur.

So, cyber threats. I'm fairly straight talking, so when it comes to cyber threats there's an awful lot of hype around this, an awful lot of bull and marketing spin around this to scare people. That's not my intention today, but I will tell you some of the true stuff. I see cyber threats like a Venn diagram. You've got cyber crime, you've got cyber terrorism, you've got cyber warfare; we could add on cyber espionage, we could add on cyber scum, you know, people that are preying on children and the more vulnerable online. All of these things do not operate in silos, they interrelate with each other. So terrorists will get involved with cyber crime to make money to perpetrate the terrorism, and so on. So they don't operate in silos. However, sometimes our approach is in silos when we try and deal with this sort of stuff. You know, we'll have a child protection unit or we'll have a fraud unit or whatever, but it all interfaces with each other. So there are blurred lines, and that's what I refer to as evil, because all different parts of this, whether it's credit card fraud, whether it's indecent imagery of children, whatever it happens to be, all of these things are basically evil.

So is this real, this whole cyber warfare stuff? Absolutely. I mean, we see it in the States since May 2010: they put a four-star general in charge of the cyber command unit there. So they see, you know, the commentators refer to this as the fifth domain.
So in relation to war terms we've got land, sea, air, space and now cyberspace, and it has to be protected. Obama has referred to this as the digital infrastructure, the national asset, and an attack on that digital infrastructure is an act of war. So that's compelling, especially when it gets to things like what is an act of war, what is criminality, when it comes to dealing with these issues. So this is something that's deadly serious. In some countries we're seeing conscription within the armies to hire hackers and so on, and bring them in and actually train them up and use them for defensive purposes as well as offensive purposes, which I'll get on to in a moment.

We hear a lot in the media about all the things like, you know, Assange, WikiLeaks; we hear about groups like Anonymous, LulzSec. What are they all about? Basically, because the internet is such a fantastic communication tool, lots of like-minded people can be coordinated and pulled together to do one particular thing, whatever that happens to be. It could be that they decide that they don't like a particular payment provider like Mastercard or something and they'll all attack them, or a particular government or whatever. I was speaking in Jordan not so long ago, and I remember I had sort of desensitized my slides because I didn't want to offend anybody, you know, with that, but just towards the end of the presentation this gentleman came running up towards me and he was screaming in Arabic, and I was like, oh god, why are you doing that now, what have you said now to offend somebody? But he was head of the cyber command in Jordan, and the only thing they were interested in is how do you switch off social media, because that's controlling the masses. So social media is controlling masses.
We've seen that with civil unrest over in the UK and so on, all organised through Twitter, Facebook. I live in Malahide; there were massive riots there on Portmarnock beach, all organised on Facebook and things like that. So it's a tool for drawing people together very quickly, so authorities are watching this.

What does it mean in numbers terms? In numbers terms, these are the Cabinet Office statistics in the UK: basically 2% of the GDP of the United Kingdom is spent on cyber crime. To me that's a conservative type of statistic based on the sort of crimes I see and the sort of attacks I see as well. 27 billion a year, that's a thousand pounds a second; 170,000 IDs are stolen; 39.2 billion. In real terms this is seen as a trillion dollar economy. This has surpassed drug trafficking, and the reason being you're not going to get shot, you're not going to have something burst in your stomach, it's an easier thing to get involved with, and you can make a lot more money, and the chances of getting caught are pretty much zero. So they're the drivers that make people go into this instead of drug trafficking and things like that. So that's a little bit of a breakdown there.

So some other reasons why people might get into this: the recession has turned people to the dark side, people need money. When they're internally within organizations it's sometimes easy to turn people to the dark side. I spoke earlier on over the lunch about some people being blackmailed as well in this space and being turned and coerced to the dark side. It's a relatively safe crime; you don't generally read in the media about people being arrested for this sort of stuff, or certainly going to jail; they tend to get away with it. And the people who are behind these sorts of threats or crimes are the nation states or sophisticated criminal groups and organized crime, so they would use vulnerable people.
We've seen cases where a lot of the people may suffer from Asperger syndrome, so a form of autism, and they'll be weaker, more vulnerable people who get brought into this sense of community online, because they live their lives online and they feel, I'm part of this gang, I'm doing something good. They don't really draw that moral compass dilemma of, is this a crime, or is this something, I'm cool, I'm part of a gang online. And then we see things like politically motivated: the Syrian Electronic Army, is that a nation state, or is that a group of young individuals who have decided, and got some backing from big supporters, that are, you know, like Iraq or Atlanta or whatever it happens to be?

There's this guy, if anybody knows him. He's behind the biggest ever data theft in the world; anybody know him? So it's Bradley Manning, he is Chelsea Manning now. Started off a nice little guy, and decided that, you know, he had a moral issue with what was going on around the data and leaked all of the records and the cables and so on.
We've got this guy who's in the news all the time, Edward Snowden. The impact he has had on America being able to sell the technology and solutions across the world is profound, it really is, because now people are very, you know, cautious of this. To me, what's the surprise? Do you not think things are being listened into, and they have the ability? I mean, I remember eight, ten years ago, being in London in a seminar talk similar to this, I'd send an email, and the first email would go from email address one to two and I'd say here's my holiday snaps, and the second one would say Clinton assassination attempt, and the other email would get there first, because Clinton assassination attempt was rerouted and was checked because of the keywords in it. Of course things are monitored, you know, and I'm not defending or anything, I'm just saying we do know that.

We have this from the latest US appropriations bill. This is an FBI slide here, and it's hard to see the detail, but this is from the FBI site where they're showing the difference between the counterfeit Cisco equipment that has been developed by the Chinese and put in the market, and some of the coding on the chips has been changed, and this is a spot the difference, because the federal government is starting to use compromised equipment within their supply chain, and that has led to wording such as: such systems being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People's Republic of China have to go through special tests. And I see this very, very often in relation to what is going on with equipment and nation states being involved in cyber espionage.

By way of illustration of some of the technologies available out there, one of the groups that we'll often mention, groups like Anonymous and so on, it's not all bad, and Anonymous would say they're ideologically based, so it depends on whether you agree with their ideology, but one of the things they did was that
they attacked a company called HBGary and released all their emails, because this guy at HBGary was basically saying he knew who everybody in Anonymous was, so they released all his emails, and one of those emails proved that there was a security company selling cyber weapons online, and you were able to get weapons which worked almost like a computer game. You could get packs for Western Europe, you could see the parliament buildings, the air traffic control system and so on, see what vulnerabilities they had, and you could sign up and subscribe to their botnets, which was their attack army, to bring down whatever you wanted, so you get the power. So in essence six million dollars would put you in the cyber terrorism game, that you could actually affect the critical national infrastructure of a country, and those companies had deals with the likes of, you know, well-known providers in the space, so people would see them as a bona fide company, but they essentially were in that business.

This lady I like because she speaks very clearly about what she means. Baroness Neville-Jones is the ex cyber security minister in the UK, and she said look, this is a bit like terrorism, the world of cyber crime: forget about going to law enforcement for attribution and getting people arrested, you have to look at disrupting the activities of cyber criminals and people like that, and rely on the private sector for solutions to help you in this space. The government would look after critical national infrastructure, and if you look at the database of critical national infrastructure, that will include things like statues, bridges, that sort of stuff as well; it's not always the stuff like ATMs and the stuff we need actually to keep society going that's in the database, so it's not what you think is perhaps on the list.

In this space they've been very proactive. Cameron has got together all the major leaders; they've put together a website and some other efforts around protecting critical
national infrastructure. Name dropping: on Wednesday I'm over to present at Westminster in relation to UK resilience and how can the UK survive a storm around cyber if an attack is... because most of these attacks to date have not degraded networks or performance, they have simply been listening, extracting data, those sorts of things, but what if they change their approach and their way on that? So Mandiant has actually helped the UK develop a standard for incident response handling; we're one of the only couple certified, so any government body that's attacked in the UK now knows that there's a list of people you go to to help you, and those are concrete things that then people can say, well actually I understand this, I'm not sure who to deal with in the market, who are the experts. So things like that I find very useful.

If I haven't convinced you enough in this very short period of time on the cyber threats, I would encourage you to read what we call the APT1 report on Mandiant's website, which is a report where we provided absolute concrete evidence that the Chinese were running a unit within the army to extract data from corporations in the United States, and they were stealing all of that information, the secret sauce, the code, all that good stuff that was being taken. So at this point you go, never use my phone again... and we use it up top again, the internet's a bad thing, the internet's a brilliant thing. You know, and I'm not here to spread fear, uncertainty or doubt in relation to things, but we need to realize that there's lots of threats in different forms in this cyberspace that we need to deal with.

So what do we do, how do we handle this? There's lots of different ways to approach that, lots of different ways to handle it. One of those is through cyber governance. Generally speaking, within this space this ends up within corporations being an IT issue, or those techy guys will look after that, so that's the IT security, they'll deal with
that. Now, responsibility is at the top. You have to have the processes in place, you have to have the know-how in place, all those sorts of things around doing this, whether you're running a country, whether you're running a global enterprise. It's not coming from IT, it comes from the boss, who actually is responsible for dealing with this and putting all of those supporting things in place. So I see governance as like the steering wheel, keeping the wheels on the car going in the direction where the business is going, and those processes are a bit like sat nav that you need to put in place to direct you as you're going from point A to point B with your business; as your business model changes, the landscape changes, the threat landscape changes.

So what are the top 10 things that we can do in this space? Firstly, board members should stay informed. You can't bury your head in the sand. I know we've got some leading experts here as well from Arthur Cox and so on, and I'm sure they would gladly inform you in relation to the laws around this sort of space, but if we look at even things like the European Convention on Cybercrime, and we look at how directors can be potentially held personally responsible if they haven't taken all the actions they could have taken to prevent their systems being used as part of a cybercrime, that's very interesting. What's embarrassing for me as an Irishman is to stand here in front of you and find that we're on a short list of countries who haven't ratified the European Convention on Cybercrime, but we're in company like Russia and China, who would be seen as the main perpetrators of cyber threats and criminality in the world. I'm not sure what the reasons are for that, but that's something we could talk about later.

Responsibility: the board should assign and make somebody responsible for this. This is a risk issue, so this generally should be sitting with a chief risk officer or whoever is responsible for risk within the organization, not the IT department; they're not the people to control this within an organization, they can help out. Resources: the board should allocate sufficient resources for all of the management activities involved in this. One interesting statistic around this is that 20 percent of all IT time these days goes on compliance. Compliance doesn't equal security, but organizations are more fearful about being compliant than actually keeping the system secure, so compliance has actually killed security in a way, in that space. So it definitely doesn't lead to... Compliance: it should make sure whatever you do doesn't breach the law. I mean, I've often been called into a situation where, for example, something mundane like a phishing attack, where they send out thousands of emails pretending to be a bank or something like that, and so the bank or wherever that entity is may contact me and say, well, what should we do, should we attack the site that's hosting it? You can't do things like that, because they're generally sitting on another compromised computer, so you're going to take down somebody else's and commit a crime. To do those things you need to make sure whatever you're doing is compliant with the law.

Communication is key within an organization. We look at it in the banking crisis; if I want to point to one failure there, that was communication between regulators, what people thought was being done, the directors on the board. I mean, you look at Lehman Brothers, one of the directors was an 83-year-old actress. What expertise did that lady have in relation to running a financial institution such as Lehman Brothers? So you have to have the right people on the board providing the right advice at the end of the day. Reports: the board should get regular reports in relation to the status of cyber threats and what is pertinent to your business. This isn't about going out and seeing the
top 10 risks, because they might not be pertinent to your business. If you're in the mobile telco sector you need the risks pertinent to you; if you're geopolitically based in more sensitive zones, then you need to be aware if there's activity in those zones around cyber terrorism or cyber attacks and those sorts of things as well. Capability: you need to make sure that you have the people in house to do this. From a legal perspective, do your legal people understand cyber, do they understand what those sorts of risks are? Do your people understand how to put out the messaging if there is an incident, and there will be at some stage? And do your IT people know how to actually handle an incident? Because remember, your IT people, who generally protect your data and your controls, are generally almost afraid to tell you what the real problem is, because they feel they will be judged as failing in their jobs. Metrics: make sure you can measure this stuff. There is no such thing as 100% secure, so what is your risk appetite? Be able to measure it, not in vague terms but in real terms. Are you happy to be compliant with, you know, the credit card standard of vulnerabilities, are you happy to be whatever, depending on what your business means for the level of security you need to have, and you need to know those metrics. And integration: you should integrate all cyber risk data activities within the business model itself.

So hopefully I fitted that in 25 minutes, thereabouts, and thank you for your time and attention. I'm happy to answer any questions.