Okay, we're back. We're live. Community Matters. I'm Jay Fidell. This is ThinkTech, and the fellow next to me is Tung Bui. He's a luminary at the Shidler College of Business, and he's a Matson professor there. And, wow, I know him a long time. We are good friends. Welcome to the show, Tung Bui.
Thank you, Jay, and thank you for having me back.
That's great. So we had a very big event coming up next week, March 20th, and this is a major event, in my opinion, because it's a major issue. Let's talk about the issue. You know, we live in a time like it or not when we are dependent on the internet. We're dependent on technology, information technology. Fact is that there are those people in the world who would like to hack us and bring us down, and we have to protect ourselves. And there was an article in the newspaper, just concomitant with, you know, the development of your event next week about cyberterrorism, cyberwar, cyberattacks, and the like, indicating that according to the FBI, we were the number one vulnerable place the state of Hawaii to cyberterrorism, cyberattacks, and the like. And, you know, this raises hackles, I tell you, because, you know, we don't realize, you know, on the way in just now, Tung Bui, I was listening to a story about Venezuela. And there was a lawyer there who managed to get his phone charged in the course of the blackout. He managed to be able to call National Public Radio. He managed to be able to, you know, have an articulate experience describing what it's like for an extended blackout, just for example. And it was really horrendous what happens to people, what happens to society, and we're at risk for that. That's only one of the various things we're at risk for. So your show, your event comes at exactly the right time. Can you describe the risk? Can you tell us more about what the newspaper article, you know, advised us?
Well, that is actually unfortunate to know that we are ranked number one on that area, being exposed to the Internet. And the basic reality is that the very minute that you turn your business or your private life and put it on the Internet through your cell phone, through your TV, through your set-top box, whatever that has access to the Internet, that basically you are exposed to bad guys that are out there trying to steal your identity or whatever possibility they can do in order to take advantage of your openness.
Yeah. And, you know, for the point of view of the Shidler College of Business, I mean, this is a particularly important issue because like it or not, if business becomes the victim of cyberterrorism, cyberwar, cyberattack, cyberhacking, whatever it is, that affects us all. If the business community cannot function because of an attack like that, then we can't function. I mean, you know, in fact, the leverage that the attacker gets by attacking the business communities is much more profound than if it attacks us individually.
That is very correct. As from the perspective of the business school, what we would like to convey to the business community out there is that cybersecurity, cyberattack, all of those hackers out there, it could be from our own country. It could be from overseas. We heard a lot about the Russians. We heard a lot about the Chinese. The matter of the fact is that for the business layman, the most important issue is not to worry about how do I set up an IT expertise in order to do that. You can expect a medical doctor to do that. You cannot expect a dentist to do that. You cannot expect a restaurant owner to do it. But the textbook recommendation that any business school would want to convey to the business community is that whatever the threats are out there, the most important thing is to keep your business going. And then this is what we should care about. And this is what we would like to do on the March 20th workshop.
We would like to tell people four things. Number one, do just a checkup about the risk, the potential risk that your company might have. For example, do your secretary or your friendless people handle credit cards of your clients properly? Have you managed the password properly? Have you changed more often or not? And then so those are the issues that we need to do. How do you set up your router to have access to the internet? Have you changed password often? And these things are important to do. So this is one thing. Another thing that we would like to get people to be aware of the workshop is that for God's sake, if by any chance or mischance, I would say that we got hacked or we got attacked. Our employee left the company and took away all of the social security numbers of our clients. What should we do? Should we call the FBI or should we call the CIA? Or should we call NSA, the National Security Agency or should we call the HPD? So there is actually in the government sector a proper chain of command on how to report a situation like crisis in terms of cyber attack. A major problem that we have seen in our research in terms of how business community should be handled cyber security is basically three phenomena that is actually quite interesting. Number one is that it's like the elephant in the room. The problem is so overwhelming, so complicated, so difficult, so fearful. No one wants even to talk about it. Right. So if you talk to a dentist, worry about your computer server, watch out this one guy who kept looking at your computer screen. They don't want to hear these things. They just want to focus on what they do best. So people tend to give up or some kind of denying what the real problem out there. Denial. Denial. The second problem is that the problem is so convoluted and then the community out there trying to help us out. Each of them only look at one aspect of the problem. You remember the metaphor of blind people touching a big elephant? Yeah.
So computer science people only look at the hardware and the operating system. HR people only look at watching the personnel. And then so there are different people looking at different aspects of cyber security, computer networking, people only worry about the routing, the telecommunications aspect of it. But no one has a complete view of the whole aspect of the problem.
This reminds me. So you're really talking about, you know, prevention and you're talking about recovery. Right. And you have to have both in your mind. And this reminds me of an incident, an attack on Maersk, the Scandinavian shipping company, which is huge and global. And they were relying on, of course, computers to pick up their containers, drop off their containers, control their containers. A worldwide system. Somebody attacked them, brought them down. All the systems were brought down. Right. What do you do for recovery? They brought in people from all over the world. They brought in their best managers from far away places instantly, immediately, and had, you know, these 24 hour meetings in their headquarters. I think they met in the UK. And they tried to, you know, create a solution. They didn't have a solution ready. And they didn't have, you know, a resilient system in the first place. And that's why they were vulnerable. And I suspect that's the case for a lot of companies, even big companies. No prevention and no plan for recovery. Luckily, Maersk was able to recover in a matter of a few days because they did what you were suggesting. They brought everyone in. So everyone knew the whole story and everyone addressed the problem.
But the fact, the matter of the truth is that not every company, especially in a small state like we are in the state of Hawaii, to have that many resources as a company. So especially we are targeting in our workshop. What can we help for the small mom and pop, small and small and medium sized enterprises? What can they do?
Another issue to make the picture a little bit even darker is that even if we are in due diligence, try to do the best we can. Technology in cyber hacking gets better and better over time. Yes. So it's like a cat and mouse issue. Yes, we do the best we can. We have put together a plan in order to protect the business that we are in. And then surely enough, and sooner and too soon enough, that the hackers have something even better, that we don't have the tools to defend the new stuff.
Let me ask you, though, you know, I mean, that you have bad, bad actors who are nation states who do this, not for sport, and not for financial gain, but for geopolitical reasons. And they could do hacking that would be devastating. They could attack a city, state, a country, and you know, with with the kind of process in Venezuela, they could bring it down, bring down the grid. And you know, everything else comes down, too. It's horrendous. And the longer it lasts, the more devastation there is. So they have the capability. They have that they have some of these nation states have every resource you can imagine. Look what happened with North Korea and Sony a few years ago. Why don't they just do that? Why do we see this only at random? Why do we see this only ad hoc? Why don't they just act? What are they waiting for? And can we figure out when, you know, they would apply their resources to bring, you know, jurisdictions, large jurisdictions down?
And this is actually a billion dollar question. I think the problem is so complicated. There are so many moving parts in the whole issue. So again, going back to the perspective of a small business, I think the best thing we can do is to make sure that we do our own part to protect the best we can. So basically to me, there are a couple of basic principles that we could do. I'm not getting I don't think we can be 100% safe.
But if we follow a certain best practices that we would be saying and recommending at the workshop, people might be able to I would I would say reduce the risk by a huge percentage. For example, principle number one, whatever you think truly sensitive that you do not want people to poke your nose in. Just don't put it on the internet. Save it on a safe box and then put it offline. Then you don't have to worry about it. A recommendation we have normally is not try not to store social security numbers anymore, or try not to store credit card numbers of the clients. Anytime we charge a client, just ask again, and tell the client that this is to protect your privacy, your security, and they would love to hear that. It takes two more minutes of your time, but then it puts you in the peace of mind. Because one more time, everything that is connected to the internet is open to is exposed to possible intrusion. And the second, the second thing is unfortunately, most of the problems in small businesses in terms of information leak came out from the people working for the company more than some guy from North Korea. No, that's absolutely true. Because I mean, these those big bad guys, they are looking for big companies. You heard about these things, but not as small dentists as a small restaurant owner. So I think that is that is the second principle that we do. And principle number three that I would argue is the timeliness of the whole thing. You don't wait until things got even worse before you report to the police. But you have got to have a plan of action like the story that you just mentioned, and take action right away. We have in theory a concept of what we call the escalation of conflict. We have a secretary, for example, she just discovered that her colleague steal all the credit card and go away and run away. So instead of reporting to the boss right away, she's afraid of getting yelled at or being fired. 
She just tried to hide it or probably call people in order to get help with reporting. And things could get even worse.
Oh, yeah. So those are just the law. And it's against the law is fired by statute, right with penalties and all that. Yeah, to report any any invasion in your system.
Right. So again, going back to the workshop, we are so blessed, literally to have about 30 best minds in the state, including the people from the FBI, Homeland Security, NSA, and the C, the CEOs and information security of corporate information security officer to come to the panel, sharing their problems, sharing what they can do in their companies, and even sharing what what they did as a victim of a former cyber attack. So I think this is actually quite exciting to listen to them.
And there's two sides to this, it seems to me, one is the government itself. Because, you know, whether it's justified or not, we all walk around thinking the government will somehow protect us. That may not be true. But that's what we think. And to some extent, the government can and should protect us. And we ought to know what they are doing. Because then we can figure out what we need to do. It's got to have, as you said before, comprehensive look at this. And we have to, you know, compare notes. Otherwise, there'll be redundancy and there be gaps in our in our planning, our protection in our recovery. So, you know, I you have a very long list of people, luminary people who have been around who have been in government who have been in industry. I don't know how you establish this list. You must have been working on this for a while.
Actually, I would like to give a lot of credit to all the partners of the Shidler College of Business, like the University of Hawaii IT wide system. And then also the NSA station here. Oh, yeah, they are helping us quite a bit.
Actually, the NSA even offered to UH Manoa every year a cybersecurity faculty in residence so that they could help us boost all the lectures we have on cybersecurity. And we also are blessed to have like people from like Joel from the senior vice president CIO at the Hawaii State Federal Credit Union. And she explained to us how her bank is dealing with cybersecurity. And then we have Robert Bonser, the NSA scientist residing in Hawaii, sharing with us a little bit about what is it they do and they have the plan for us.
You know, what really appeals to me about this is that we have these experts in the room, they come from government, they come from industry, and we can hear what they have to say, not only in terms of the risk, you know, the risk seems clear from that newspaper article. But you know, what you have to do. There have been so many programs here in my observation in the past 10 years, where they tell you the risk, they tell you like climate change is a good example. They tell you all the awful things that can happen. And then the program is over. And nobody actually says, well, you should do this and you should do that. This program, it seems to me, it becomes extremely valuable because it's an action oriented program. That's right. It tells you what you can do, what you should do and what the other guy is doing. So everybody can get a hand on it. We can take a short break. Okay. When we come back, I want to get into the action points that people should be, you know, looking at and developing their own plan about. That is correct. That's where the rubber meets the road. Correct. I agree. Okay. We'll be right back with Tung Bui.
Hello, I'm Dave Stevens, host of the Cyber Underground. This is where we discuss everything that relates to computers that's just kind of scare you out of your mind. So come join us every week here on thinktechhawaii.com 1pm on Friday afternoons. And then you can go see all our episodes on YouTube.
Just look up the Cyber Underground on YouTube. All our shows will show up. And please follow us. We're always giving you current relevant information to protect you. Keeping you safe. Aloha.
Aloha. My name is Andrew Lanning. I'm the host of Security Matters Hawaii airing every Wednesday here on ThinkTech Hawaii live from the studios. I'll bring you guests. I'll bring you information about the things in security that matter to keeping you safe, your co-workers safe, your family safe, to keep our community safe. We want to teach you about those things in our industry that, you know, may be a little outside of your experience. So please join me because security matters. Aloha.
OK, we're back. We're live with Tung Bui. He's the Matson Professor of Business at the Shidler Business School. And we're talking today about a program that's going to take place on March 20th at the Hilton Hawaiian Village Coral Ballroom about cyber attack and cyber security. A very important thing for the business community, in fact, the entire community, all of us. Then we, you know, we need to get a handle on this together. We need to compare notes and with the speakers that he has organized, we have a pretty good chance of getting the comprehensive on this. So when you talk about the action points that the action issues and action, you know, points that are going to be discussed where, you know, you want to write them down, that sort of thing.
Yeah. OK, so let me, in 30 seconds, to go through a little bit the concept that we put in the workshop together. As I mentioned very early in the talk today, a key problem dealing with this cyber security problem is the fear of it. And like a cancer disease, nobody wants to hear about it. So what we, what we, the way we start the workshop is to share with you respected companies in the state. They open the company and share with the audience that indeed some of them got hacked and how they solve the problem.
Just to tell you that, Jay, I am much bigger than you are and I got hit. So don't be ashamed. So we want to build that trust and encourage people to have the courage to look into the situation as opposed to just deny it. That's really good. Tell all, tell all the honest. Yeah, we have people from HECO, from the banks, they're telling a little bit about some of the incidents they have and then how they have dealt with it successfully. So this is the first part of it. So the idea is that you are not alone, we are here and we are together in the thing. The second, the second part of it is that basically we do like a checkup, like we go to our internist on an annual health checkup. So the experts will tell you what you need to do. Have you have you checked, have you changed your password lately? How old has been your router? What version of the operating system you have? How do you set up your browser so that you don't get cookies that you don't want, etc. etc. So have you done a screening of your personnel? And then so that is important. Antivirus or what do you do? Yeah. And number three is basically going through a case study provided by the FBI, FBI, running case study of a company of a small business being attacked, being stolen that data and then how would that company should do or did. So should they call the HPD or should they call the FBI and then what should they do? So we will go through the entire case study so that people say that, oh, now I see what I should be doing if it happens to me.
Yeah. And when you go to the FBI or the whatever agents or government agents it is, what can they do for you? You just to frame the question you should know what their what their range of tools are and what their jurisdiction is.
That is precisely a question when you report it to them.
But, you know, I wonder about a program like this, you know, there's a guy next to me in the audience, right? Right. And he looks a little suspicious. He looks like he might be a hacker.
Is he there? Is he going to, you know, be able to get information from this program that will help him, you know, violate my cybersecurity or worse yet, to violate the cybersecurity of large companies? How do we protect ourselves from, you know, an invader right there in the room?
You seem to have a dirty mind, my friend. But you can't tell all. They can't. Well, basically to me, what is most important in the whole process is the process of doing things and not the outcome. We don't tell you what password you should put in. But we should tell you how do you what is the best way to set up a good passport, a good password. We don't tell you to hire employee A and not hire employee B. We don't say that. But we say that if you were to hire employee, how do you educate and train as a person so that it's so that your business is safer? Let me tell you the story about my wife about two months ago. She got a call from somebody, a bad guy, saying that the business forgot to pay the electricity bill for the last two months. And then they are going to shut down the electricity within 30 minutes if we don't get paid right away. And then, oh, by the way, for your convenience, we are going to you can give us your credit card that we can settle the balance. And then you are back to your business. Social engineering. I know at the secretary. God bless her. She went into my wife and she said, may I have your credit card so that we that we can settle the balance so that we don't have to. And then my wife gave the credit card and then the secretary gave the number and only after that minute, she realized that no, she just signed a check to pay HECO just a few days ago. So this must be a phony scam. So then they need to call the bank in order to cancel the credit card. So those are those are kind of best practices, education and training to the personnel that we need to do. And screening is also a very important thing.
True. You'd be so careful.
I mean, really, this goes back 10 years. But on our radio show, we had a bunch of guys who had actually been caught and gone to jail. And then they came back and, you know, they were community minded. They told us how and we disguised their names and everything. Right. They told us how they did it. More often than not, it was social engineering. You call one person in the company and get a little information about another person. And then from that person information about the third person, now you have enough information to sound like you are in the company. And then you call the fourth person and you say, this is Joe. I'm on the fourth floor. You know, I'm in the IT department, you know, and the problem we just forgot our password. Can you can you just let me have that password again. And it sounds like you work for the company. It sounds legit, but you're actually, you know, way outside the company. More often than not, they would get enough information to crack the company. And this is not a tech technological, you know, attack. It's a social, it's a social engineering attack. We heard story after story like that. So you really have to be akamai and you have to train your people to be akamai.
And the problem is, according to our research, the problem is that the bad guys out there, they come from all walks of life. You could have an unhappy employee, maybe he or she got yelled at or not happy about the pay. And they just do it in order just to revenge the boss. Yeah. Or you can have a very smart IT guy who just look up sneaking into your computer as a challenge. Oh, I managed to do it. Cool. Right. So, so they're all kind of, then you can have espionage, people trying to steal your information. So they're all kind of possibility, all kind of bad people out there. So we need to be really vigilant about how to take care of them.
And I think one of the interesting points is a, you know, it's an underlying, a fundamental understanding here is that it's very hard to prosecute people who do this. Right. Very hard to identify them, to find them within your jurisdiction to arrest them, to prosecute them. There are units in government, I'm sure there are units in the FBI and, you know, really every state and federal agency which is involved where they can go out and prosecute, but they have a hard time. So when you go into this, when you look at how you're going to protect yourself and recover from an attack, you cannot should not assume that the individuals who were responsible will be caught and prosecuted. You have to look at it another way that is protection only.
Actually, that reminds me of the famous French wisdom. They say in French, Chacun pour soi, Dieu pour tous, but it means is that every one of us have got to take care of our own, only God take care of everything else. So, so I mean, I understand that all the governments in the world are trying to do the best they can in order to secure the national information infrastructure. But then there are certain precautions that we need to do. Think about this. I mean, as a driver, the code for driving is actually pretty perfect nowadays in terms of speeding and traffic lights and everything. But then if we are careless, then we would want to do a car accident anyway. So any business should be doing their own duty and take responsibility of cyber security. So to me, this is a textbook recommendation that is actually very hard for business to understand, but my recommendation is that in the age of the internet economy, we need to embed security and privacy as a strategy of the company. Yeah. For example, even if if you have a bank, you don't just manage people's money. But you should be telling to your client that if you trust us in giving us the money to manage for you, we will we will protect your privacy and your internet.
It's part of the trust relationship that you do. The same thing if you go to a doctor's office, not only you take care of the health of the patient, but you would say, if you come to me, we'll make sure that your health information is not going to be stolen by anybody else throughout our society.
Right. So let's go back to the details of the program. It's March 20th. That's next Wednesday or Wednesday. And it's what 10 a.m. is it?
Actually, it starts at nine o'clock.
Nine o'clock. And it's in the Hilton Hawaiian Village Coral Ballroom. Right. And it's free. And there's the flyer on the on the screen here.
Actually, it's not exactly free. It's receptive that spread a bit. The hotel charge for the lunch and the coffee lunch, of course. So basically, we asked for a little bit of contribution from the participant for their enough for the lunch. But actually we cover at least half the cost of the event.
Okay. Yeah. All right. So I'm, you know, I think everyone should go. You should have a huge crowd there of people who want to protect our society. There's no more, no more menacing threat than this threat. And this threat could bring us all down. So we all again be educated.
I think this is a truly, as you mentioned a little bit earlier, we want the workshop to be hands-on, action oriented. So I guarantee that everybody who attends the meeting will have some good take away to go home in order to do something about their about their business. So one step at a time, and the recommendations that you are providing are actually not very difficult to do. Example just screening your future employees a little bit better. Number two, requesting your employees to change your password more often and provide them some incentive to do that. And number four, making sure that you don't leave your USB or your password. You lay them around. Number five, like when you share your file on an iCloud or on Dropbox, make sure that you have password.
So these things are or if you have the important document encrypted as supposed to get the password to open the file. So these things actually very doable. This doesn't require rocket science in order to implement them.
But you have to think about them and you and you have to know and you have to make a conscious implementation.
That is correct.
We're out of time, but thank you so much for coming down. This is going to be a great and important program, not only for the business community, but for government and for individuals to protect us.
And I would like just to take this opportunity to thank the 29 people speaking at the event. And they are very busy, but understand this is a very important problem for our businesses in Hawaii. So they are willing to do that time. It's great that you've got them together. Yeah. So yeah, I'm looking forward to welcoming everyone at the workshop. A very special program. Thank you so much. Yeah, most welcome. Thank you for having me. Aloha. Aloha.