Thanks for the kind introduction. Actually, two more companies, actually, but the other ones are in offense, so they're not supposed to be... Okay, yeah, any questions? Where'd you get the time, I wonder. Anyhow, two apologies up front. First of all, my assistant didn't get a hold of me for two weeks, so he had to come up with a title. I would have chosen a different one. Somehow I'm also talking about bridging technology and society, but you'll see what the main talk will be about: strategic cyber security and defense in the military area. And the second apology is that I brought the wrong adapters, so I can't show you a sexy Prezi presentation, but this is a PDF I just took from the Prezi, so I have to live with it. I'll try to make up for it by being entertaining.

First of all, we have to say that the internet by now, and computers, are really absolutely everywhere. You look around in a room like this and you easily find a bunch of computers; the cameras have computers in them, a bunch of other machines have computers by now. And it gets worse and worse the more technologized things are; it's really everywhere we have computers. And unfortunately we have to say that all these computers are basically castles of sand, because from a security point of view it got a bit harder, but it's still the basic truth that everything is hackable. That's not to say that everything is easily hackable; that's a completely different story. It's very, very hard right now to hack certain things. Look at the black market prices, or even the white market prices, for this thing here: if you want a full chain, what we call a full chain in the offense market, an entire attack to attack an iPhone remotely without having the user interact with any stupid cat pictures, that is 2 million right now; for Android it's 2.5 million euros. If you want to buy something like that, it's very hard to get. So you always get it.
It's no problem, but it's getting more difficult and more expensive. Unfortunately, however, these very high prices only apply to mobile phones; those are the best protected devices we have in the whole ecosystem. But everything else, unfortunately including cars, nuclear power plants, weapons systems, fighter jets, is super hackable. It's very easy to get in there; it never takes more than three to five days to hack these things and do fun stuff. So unfortunately everything is hackable, and unfortunately we have to say that we have quite a few takers on this hackability of our society.

So the one thing you will have heard about is industrial espionage. It's one of the core problems in Germany because it costs us a ton of money. The Chinese are at the forefront of this, of course; in Germany we catch Chinese spies every week. On the other hand, we have to say that it's a big trend in the offense industry to offer something that is called refactoring. Refactoring by now is a service that offense companies offer: if you have a cyber attack and you want to do industrial espionage in Germany, for example, to find the new blueprints of a car, then you can give your cyber attack to a refactoring company, and the refactoring company will make it look a hundred percent as if it's from China. So the Germans think, "Oh, the stupid Chinese again," and they stop looking. That has an advantage: they don't look behind it if they see the Chinese, which is what they expect, so they're not asking any more questions, which is nice for you if you're France, for example. No fingers pointed in any direction. However, we have industrial espionage all over the place.
Everybody's doing it. The Germans, unfortunately, are not doing it, because Germans are very nice; pretty much everybody else is doing it, unfortunately. And we're having a bunch of groups by now which have professionalized. These are the professional groups on industrial espionage, which have very clear methodologies, technologies they use, a bunch of target ranges. But then again, it's very easy to mimic these groups as well, so you never really know if it's actually the group or just somebody trying to mimic them. And there are also some surprising trends every now and then in industrial espionage. This, for example, has taken some people by surprise: one of the core areas right now, especially of Chinese industrial espionage, is law firms. It's not the factories anymore. I mean, they're doing the factories as well, but they're also looking at law firms, and the reason why they're doing that is because they want to subvert merger and acquisition processes. When they're buying companies, buying land, buying real estate, they usually tend to hack the law firms involved, if there are other bidders, to see what the other bidders are bidding and to go just a bit higher than that. So that's how they win all these bids. They're not that smart actually in strategy or bidding, but they simply hack their adversaries. So that's industrial espionage. Apart from that, what's more worrisome right now in Germany is industrial sabotage.
So industrial sabotage happens in a bunch of different ways. First of all, we have the blackmailing thing that's still going on, mostly in the small and medium enterprise segment in Germany, where hard drives are being encrypted and you have to pay bitcoins to get them back again. But there are also some more professional actors. So one thing that is not well known about North Korea: we know that North Korea has very capable hackers, and they started hacking in '86 when they got a helpful aid program from China, where the Chinese were inviting them to Shenzhen, which is still the base of operations for the North Korean hackers, and they got some very good education. And the way they're using it is quite funny. One way they're using it is to put pressure on South Korea, on some critical infrastructure, banking and things like that, just to show that they're capable of doing this and that South Korea should keep quiet. Military signaling, classic. And the other interesting thing about how they're using it is that they're doing ransomware campaigns all over the world to get around sanctions. Due to the economic sanctions.
There's no money in the country, so one way to make money is to become a cyber criminal. And so many of these... I don't know if any of you have had this problem of encrypted hard drives and then sending money, Bitcoin, to somewhere; if you had, you may have financed North Korea, and in part also North Korea's nuclear weapons program, because a lot of money for the nuclear weapons program is coming from ransomware campaigns in the West. Think about it.

So another funny story that happened, just to show you how bad and evil these things can be, is with pacemakers. So pacemakers already had a sad history with cyber security back in 2007 or something, when there was a funny thing: Dick Cheney watched the series Homeland, and in Homeland the vice president, whom he could identify with at that moment because he was a vice president, was being hacked by a terrorist. The pacemaker was hacked, and he was killed by a terrorist by hacking the pacemaker, in Homeland. And he got scared because he had a pacemaker, and he was a vice president. So he called the NSA and asked them if they could hack his heart, and they did a check and they said, "Yes, we can hack your heart and we can kill you." So he said, "Okay." There was a big, big story out of it; it went to all the big news that he got the pacemaker removed, big, big drama. So what we, the community, thought then was: okay, well, these pacemaker idiots have learned their lesson, and now they're going back to the drawing board and they're doing cyber security all over again, because pacemakers really have to be secure.
There's no discussion about that. But they didn't, and surprisingly, last year some cyber security hacking company took a look at pacemakers and just scanned for common vulnerabilities you could use to hack these things. In the six, there are only six big brands that constitute more than 90% of the market, and they had over 8,600 easy-to-find vulnerabilities in these things. So that was a big scare. But there's this one problem in cyber security: if you're just pushing out numbers like that, usually nothing happens. Everybody's scared, and then committees are being drawn together, working groups and governments, and they sit together for years and years, nothing happens, and everybody's happy. This time, however, something else happened. This company, Michelle Fox, another hacking company, published a detailed report on some of these vulnerabilities and how you can use them to actually kill a patient, which was really a how-to report on how to kill people using one of the vulnerabilities. Which in a way was good, because the company with these vulnerabilities was absolutely forced to do something very quickly. So they took a look at the vulnerabilities, they delivered patches, and then they recalled the pacemakers which were built into patients, which was not so nice for a patient. But unfortunately they could be patched with a near-field device, and so they didn't have to remove it. And then afterwards, of course, people were asking: why were these hackers doing that? It's completely irresponsible. And it turned out they were smart enough to team up with an investor who was betting on falling stocks of the pacemaker company, which is something that happened and which made them very rich. And the funny thing about this story is that everything about that was legal. Nobody did anything illegal. It's legal to test devices for security vulnerabilities, legal to publish them, and of course it's legal to bet on falling stocks.
So this is a nice kind of... So the most profitable thing we could possibly do, if you're interested in joining me, great, is with airplanes. Airplanes have the problem that they... it's basically just Boeing and Airbus, as you know, and then they have the problem that they share large libraries of software. And if you find one critical bug in one of those libraries, then all Boeings or all Airbuses of a certain brand are grounded, because the safety restrictions are very strict there for airplanes; they're not allowed to fly unless this thing is patched, and not just unless this thing is patched, but unless the entire airplane has undergone the full cycle of testing, which takes one and a half years. So in other words, if you find a vulnerability in Boeing or in Airbus and you publish it, then this particular kind of Airbus or Boeing is being grounded for one and a half years at least, and of course you can imagine what that does to the stock price of the company, especially if you're looking at a very big commercial one like the A320 or the Boeing 77. So that would be a fun thing to earn money.

And we're also looking at strategic sabotage, which is also something that's going on. It's not just commercial sabotage, but also all sorts of military actors right now are sabotaging the power grid. They're planting sabotage attacks in petrochemical areas, which was one thing that got the German industry very scared, because it was German components in German petrochemical installations in Saudi Arabia which were being attacked. And in this case, with the petrochemical areas, the attack was particularly scary because it switched off the safety switches which they have in the industrial environment. So the safety switches are in charge of cooling the thing down if something bad happens so it doesn't explode. So in this case, if they would have delivered another payload onto this attack which would have caused things to heat up, there would be a giant hole in Saudi Arabia right now, because there would have been nothing that would have stopped this cyber attack from creating a giant... Yes.

And there's also some more scary stuff that's going on, because some of those militaries were a bit more daring, or stupid. They also think that maybe they can hack nuclear weapon systems as well; that could be fun. And unfortunately that's a bit scary, because as a hacker you never really know what's happening with the hack. I mean, we can have some predictions and a lot of testing and simulation and so on and so forth, but you can never tell a hundred percent, especially not with an adversary's nuclear arms system, because that's highly secret and you don't know everything about it. You don't know which kinds of interactions may come into place. So it's a very, very stupid idea to try to hack nuclear weapons, but we're still having a bunch of militaries trying to do that. North Korea is trying to do it to South Korea, and South Korea is trying to do it the other way round, and we heard rumors that the Pakistanis and the Indians are also interested in the idea. I don't know how interested, and if they're stupid enough to go there, but we have to assume the worst.

Yes, in real strategic scenarios these attacks are then frequently combined with information operations, other measures like hacks on voting systems, or propaganda. You may have heard the news of today that Russia is now shutting off its own internet so it has a hundred percent control of everything, which China has done for a couple of years already. But we're seeing this in some real-world scenarios. A good example was Ukraine, although I think by now a lot of people have learned from Ukraine; you would do smarter things than that. But we have seen a bunch of information operations running alongside the entire Ukraine campaign, where actually the internet was cut off from the West so that it could only run through Russian servers, and everything was dominated by Russian propaganda. They were coming out of the whole troll factories, censorship was going on, and they had activists from Anonymous which were roaming all parts of the internet saying, "Ah, finally, Russia is liberating those poor Ukrainians," and "stupid NATO," and whatever the language of activists is.

And in addition to that, the Russians are very, very Clausewitzian. I don't know who's read Clausewitz. If you're German, it's always good, and when you have German generals, we have to mention Clausewitz. The Russians are actually more Clausewitzian than the Germans, because they really have taken a lot of these lessons to heart, and one thing that they think is very important is that when you're going to war, or when you have anything to do with security policy, it's just creating a narrative. You're creating a story. And then they always tend to look at the campaigns they have from this point of view of creating a story about what Russia is doing, who Russia is, and how this transports into policy or political interests. And in this case we had a bunch of supporting hacks that they were doing just to support the narrative. The narrative in this case of course was that Ukraine can't rely on NATO, and nobody can rely on NATO; in fact, it's still the main interest of Russia to break NATO apart. So they did some hacks on the European Commission, they did some hacks on NATO to slow down responses from these institutions alongside the campaign. They hacked the voting commission in Ukraine in May 2014, which also gave them an opportunity to say in the Russian media that the votes were hacked and nobody would have voted for this stupid Ukrainian democratic government; they all wanted to go to Russia. And they also hacked a power plant in Western Ukraine, just to show some muscle and do some military signaling, a very classic Russian move. And then of course they also did a lot of surveillance. So they did a lot of mobile phone surveillance and a lot of internet surveillance to find potential opposition forces in the areas they were controlling. And they had a very funny approach to solving this problem, because they didn't have the money or the capabilities to hack all the very good encryption on some of the better smartphones, and the solution they had was that they would just simply ask people to show their smartphones in the street, and if it was one they couldn't hack, they would just confiscate it. So that was a very simple solution to get around cryptographic problems.

So, but that was Ukraine. Apart from that, we're also looking at some worst-case scenarios that we're having. I mean, attacking nukes is already pretty much worst case, but we're having two other worst-case scenarios where we've been very close already, in two cases. The one is the loss or the mass manipulation of critical business data. SAP, for example, is a very open target for something like that. We've seen attacks a while ago where you could basically kill any SAP of any Fortune 500 company overnight, and the damages in real life are something... we had one company that had 22 million US dollars per minute when SAP is not working. And if it's finally gone and all your business data are gone, you can just close the doors and go home, and that applies to any sort of very big large enterprise. So that would be something of an extinction event. Other very critical worst-case scenarios would be what we call safety-critical fleet attacks. That is, if you're not just attacking one petrochemical plant, but if you were taking a thousand, which is also very easily possible; sometimes it's harder to attack just one than attacking a thousand at once. And the same applies to attacking 50,000 cars or something like that, and then you have a massive amount of dead people. So those are just some of the scenarios. One question of course is: why is all this possible?
Basically, the problem is that what we have is old IT, what we call old IT. The common legacy IT is basically broken, full of vulnerabilities, full of structural problems; the technical complexity is so much too high, and it grows. Nobody has control of the architecture or the periphery of the architecture anymore, not even the suppliers, apart from the mobile phone guys. They did a very good job over the last years to harden the architectures, but it's only applying to the core of the telephone again; if you're looking at that one hack, WhatsApp hacks, for example, right now I believe are very low priced, 80,000 or something, and sell very badly. And yeah, so unfortunately, with the kind of IT that we designed over the last 40, 50 years, it's very easy to get in there and to do certain things, and it's a problem that's quite structural and very hard to address on a technical level. So it's basically not solvable just on a technical level. And then the other problem is that the entire problem at large is extremely difficult. So if you're really looking at the cyber security problem at large, and you know all these different dimensions, like the regulatory aspect, the industrial aspect, the IT security industry, problems of the IT security industry, problems of the tech industry trying to implement cyber security, structural problems of the big IT vendors, all this kind of stuff, and all the stuff you would require to do to solve just one little vertical of this problem.
It's so complex that nobody's capable of doing it at all. So I'll be honest here, since we're among experts. We just had a session like that with German insurance companies, with some of the top worldwide leading cyber experts at a table, and the first thing we agreed on was that each of us only understands a maximum of 30% of the problem, because it's so difficult. Yeah, so that's making things very difficult.

And one area where this is surprisingly bad, and it's just something I want to point your attention to, is in the Western militaries. So this is a sort of a new problem, because you would always think that the good guys from the Pentagon or DARPA will know what to do, and that they have the money and the understanding and the power to get on a tough security problem and actually find out what you can do about it. But you're wrong. They're surprisingly bad, in many different respects. So I know we all like the Brits here, so I brought an example from the UK, and one example was this, which is actually plaguing the whole defense industry: that they're based on old IT, which is very easily attacked. So this is something you can easily remote control from your coast if you see it running by your coast; you can just hack it a little and play around with it. But this is not only happening in the UK, it's also happening in the Pentagon. Also from last year, they made an assessment of all the weapon systems which were being produced by the defense contractors, and they're all super vulnerable to cyber attacks, which is pretty bad, because you can just simply hack into these things and then remote control the Predator drone and the Hellfire missiles and Patriot missiles and everything. So it's really quite open.

And one of the main reasons why this is the case is that militaries, as much as defense contractors, and in general, I mean, this is a problem we have, and the high deep-tech startup field... doing your own startup or working in a startup environment where you're earning a lot of money, you're having nice working conditions, I mean, for these high-ranking experts it's a lot more attractive than working for a stupid Ministry of Defense or stupid armed forces, where you have to come up to service in the morning and then look proper, and then you can't just go on leave whenever you want to, things like that. Same in the defense industry. So nobody's going there. None of the good cyber experts is going voluntarily to where they should be going, to the militaries or to the intelligence services. So they're constantly out of talent, constantly. Oh, it's a very, very bad situation. I cannot tell you the numbers because that's super secret, because it's so super embarrassing. And surprisingly, many of the offense institutions are not very good at defense as well. So the NSA loses all of its weapons on a regular basis because they're being hacked, because they're having insiders and opsec issues and whatnot. So on a very regular basis the Russians get all the good stuff from the NSA, but unfortunately the NSA is not getting the good stuff on the Russians. So that's an asymmetric situation. On the other hand, unfortunately, China and Russia are very good at this, because China and Russia don't have to compete with the private sector for talent. If you're a good hacker and an amazing AI developer or whatever, you don't get a choice to open up a startup or to work for Amazon when you're in Moscow or in Beijing. You have to work for the government.
There's no discussion about that. You're still getting a decent salary in comparison to other government entities, but you have to work for the government. Unfortunately, we have to say that due to this, the Russians and the Chinese are far ahead in the game, especially in offense. This was one recent example of how this is: a chip board, and the tiny little speck you see there is a tiny, super tiny little espionage chip the Chinese planted on there. Absolutely brilliant engineering. It was delivered to tons of companies and government institutions, and it took them years to find out what it did. So this is just showing what they're doing. And the same is also happening now in AI, because Russia and China of course are also getting all the good AI experts into the armed forces, into the intelligence forces, developing weapons systems, developing intelligence systems, whereas all the brilliant, good AI experts in the West are working for consumer electronics to make your experience with Siri exciting. So unfortunately that creates a situation where we are having much better entertainment, but very big geostrategic losses in comparison to Russia and China. And unfortunately that is a bad situation, because Russia and China, you may not know this, but they are trying to convince a lot of countries right now, especially in Africa and South America, to turn more towards their model of government. That's sort of a hidden game going on there in diplomacy, especially where we are trying to come to these countries and tell them, "Hey, democracy is great, why don't you try that?" And they say, "Well, what do we get in return?" And we say, "Some gender training, maybe." And then the Russians and Chinese come and say, "Hey, totalitarianism is great, you come to know everything, everything's super secure, don't worry, and here's a bunch of tanks and some guns and infrastructure." So we're not very good in this game.

So now, finally, to close up: what are we doing at our institute?
We're trying to, because this is such a complex problem, we're trying to question what is considered to be conventional wisdom in this space, and we're doing a lot of government consulting and also building technologies, also proposing more disruptive solutions to basically shake the boards of the game a little. So some things that we're doing: we're trying to beat on standard IT security solutions, and not just tell people that they're bad, but also show them that they're bad. So we're hacking IT security solutions, for example. It turns out that they're surprisingly bad at security themselves, and it's sometimes easier to get into a large system if you're hacking the firewall and not trying to hack some core system or something. So that's something that we know; it came out of something that we did in practice. We came up with a buyer's guide for small and medium enterprises in Germany. We came up with criteria for insurance, which they're putting out now on industrial insurance. That had a big effect actually in Germany, because we told the insurance companies: if you really want to do industrial insurance for big production sites, because they have to pay of course when the production site breaks apart, then you have to have these, I think it was a hundred and eighty, criteria for IT security fulfilled to this level, so you can be sure that there's no cyber attack happening, which you cannot exclude from the contract, because in retrospect you will not find out that it was a cyber attack. And due to that, two of the large German enterprises lost their industrial insurance, because they were too speedy doing Industry 4.0 things, and they now have some shabby insurance.

The other thing we do is that we're trying to point out the market and policy failure. We have a very strong market failure in this field; it's a standard Akerlof lemon market problem in IT security, because you cannot assess the quality of the product up front, so you're just buying what is cheapest to get you through compliance, and that's usually not a good choice. And on top of that we're having policy failure, because in such a case, where a market is failing to deliver what it promises, then of course the standard rule is that policy should come in there and regulate the market so it delivers something like a functioning seat belt, and not just something that looks like a seat belt. But unfortunately policy makers are too stupid to understand the problem, so they like to invite lobbyists to tell them what to do, and that only deepens the market failure.

Another thing that we're doing is that we do know of solutions, actual solutions to the problem. One solution, for example, is called High Assurance Cyber Military Systems. That's a paradigm in international research which is building unhackable microsystems. They're not useful for standard laptop computers or something, because those are too complex, but for something like a car or a sensor or a camera, for low-end stuff, you can actually build something that's unhackable. So this is a paradigm that we're pushing into the German industry right now, successfully, and then we plan to showcase it more often and export more of it. The US is doing this as well, by the way; they're currently giving a lot of money to Northrop Grumman and Raytheon to develop these paradigms.

Yes, and then we're trying to come up with a new common sense. So just two examples out of that list. The one example is that software companies are not liable if their products are shabby and if they have tons of security vulnerabilities. As a friend of mine, a hacker, used to say, the only two industries that are not liable for their products and call their customers "users" are the cocaine mafia and the software industry. So this is something that we pushed into the German government: that liability gaps are not acceptable, and there has to be software liability for very bad bugs and very bad software issues. And another thing where we're trying to create more common sense is that safety and security must be on par. So if you're having something like a pacemaker and you have a ton of safety engineering so the thing works under any given condition, no matter what happens, but absolutely no security, and any teenager can hack into that and kill a thousand people a day, then that's just not acceptable. It's not a proper common sense. So security has to be on the same level as safety. So this is also something where we're trying to develop a new common sense, at least for the regulators.

Yes, so this is some stuff we do, and that ends my talk, and I'm open for questions.