This is Think Tech Hawaii, Community Matters here. Welcome back to the Cyber Underground, everybody. I'm the professor, no longer the cyber guy, because there's somebody else out there as a cyber guy. So I'm the professor now. Once again, I teach for the University of Hawaii, Kapiʻolani Community College. Shout out to our new department chair for the Business, Legal and Technology Department, Laura Burke. Welcome. And we're happy to have you. I know you're just watching the show. She just found out we have a show. She didn't even know. Welcome. Today we've got some updates and some great topics for you and some really lively discussion. I have with me here, again, our great guest, JT Ash, HIPAA Compliance Officer from the University of Hawaii. Welcome, brother. Welcome. How you doing, man? Happy New Year, my friend. Happy New Year. Happy New Holidays. First show of the year, right? Yeah. Wow. 2019. So this is Blade Runner year. Is it Blade Runner year? This is Blade Runner year. It was in Los Angeles, 2019. Little different than the movie, unless everybody's a replicant, and I don't know. You might be onto something, you definitely might be onto something. I love when we hit those years that people predicted would be a certain way. In 1984, there was a sci-fi show about the year 1999, BBC had it, the moon broke away from the earth. You remember this one? I'm not a big movie fan, but I always remember Y2K and how we spent, was it 18 months to two years, trying to fix everything that was supposed to break when Y2K came around, and everybody was sitting there in their data center at midnight or whatever it may be. Yeah, but there was a lot of great drinking and parties in there. All the IT people were capping around. Yes, because everybody was at the data center at midnight. It was good money. I remember working on the two-year-old code. Yeah. Right? It was COBOL, Pascal, all that stuff we had to update. All the good stuff. That was good. 
That was good money back then. I missed that. We're old today. We need to go back to those. 20 years ago. Yeah. It is 20 years ago. Wow. We're old. We're old. Okay. Let's do some quick updates. I always give some updates to my folks out there. Android again, malicious updates. We got Google Play, had Flappy Birr Dog, Flappy Bird, Flashlight, and several others that are all now removed, but were collecting data on the phones and sending a lot of stuff back, including your passwords and the websites you visited, your behavior, your geolocation, and would pop up every once in a while a fake screen saying you had to re-log into Google or you had to re-log into Facebook, and of course people will of course do that. So you're sending your credentials to what they have as a command and control server. So that's what's happened. There's another one out there that this one looks like it's collecting data and they don't want to call it malicious yet, but it is odd. It's called Weather Forecast. It's on the Google Play Store. It's made by China's TCL Corp., or TCL Communications Corp., and they actually make TVs that you can get in Costco. So this is a big company and they made this application and it's collecting IMEI numbers. Any relation to ZTE or Huawei or anything like that? I don't know, but we should repeat. Huawei and ZTE, as of February last year, all the security services said don't use these devices, we don't recommend using them, then I guess Trump made a deal. Yes, he did. He said ZTE put 400 million in this account and we can let you do business in the US and then all I can imagine is the money must have run out because he changed his mind and he said you can't do this anymore. I need more money. Kind of like that ransomware in his own little way. This is like White House ransomware. Exactly. Perfect. Perfect. I think he's too smart, but it just seems like he's got it going on in that particular sense. Wow, well done. 
I got 400 million and then, oh, I'll stop you doing what you need to do. This is more like the mob. Yes. No, Trump and the mob never. Well, this one's interesting now. The first ones that I just mentioned that have been taken off the Play Store, they took advantage of something that we haven't been really focused on or monitoring very well. So when you want to put something in the iOS store, the App Store for Apple, or you want to put something in the Google Play Store, they will examine your code. They'll give it a cursory look to see if there's any malware in there, and the signatures always pop up if you've pasted code in there. However, if you deliver an app to the store and later you update it, the updates come directly from, you're kidding, the manufacturers; very seldom do they come through the App Store. Wow. They are not checked. So you can, and this one was, deliver the malicious payload via the first update. China delivering a malicious payload? You're kidding. I'm not. Okay. It's hard to believe. It's just stunning to me that China would do something like that. Heaven forbid they have to invent anything on their own. They're pretty good at just stealing everything, right? Well, that's their gimmick, right? They want to be in everybody's playing field. I think maybe the United States might have set the standard many years ago and everyone just said, okay, we'll play that game. Sure. We're on the same playing field. Yes, we are. We are. I think that's just the way it is. These software applications that you can download for your desktop, too, come with some software that runs in the background, and you know about helper applications. These are little things that run in the background that help you update and tell you that Java needs an update or Adobe needs an update. Well, we're seeing a lot more malicious code directed at those helper functions so they can pop up and say, hey, you need an Adobe update, click here. 
And you think it's coming from your computer, but you don't actually go to Adobe to get the update. That's the malicious link, right? So I would update Adobe Flash. Adobe just sent out critical updates on US-CERT this morning. Also CleanMyMac X: not malicious code, but there's a dozen or so different places where you could insert a buffer overflow or memory exception to get into the computer and take command and control of that computer. Now when this malicious code activates, you always know it because you see a lot more internet activity. It's connecting to its command and control server somewhere on the internet. So it's one of the clear signs, you know, hey, my internet's spiked. Why? I'm not doing anything. I'm not doing anything. What's going on? Maybe it's probably beginning out or something. Right. Or someone's got Netflix running, right? So true. My daughter always has Netflix going on. Updates, Google's probably getting rid of Android. Really? Yeah. We're looking at a code base called Fuchsia. It's written, and check this out, it's written in C, C++, Dart, Go, Python, Rust, Shell, and Swift. Pretty much anything that you can imagine would run on any platform. So when you read the description of Fuchsia and you go and get it, and you look at GitHub and all the updates, you're looking at the master line that they have could be compiled for any OS out there for any platform. This is mobile code. This is, you know, Intel processor, Motorola processor, your ARM processor. It'll run on anything. So we're looking at Fuchsia for the future. And it's crazy because from a healthcare perspective, I keep hearing about Amazon and Google and Apple all getting into the healthcare and EMR, EHR world. So that's going to be interesting to see. It sounds like it's just a piece of metal and they're just using code to access a platform. I think that's all it's going to become. I think that's how everything's going to become. It's going to be a hard choice, though. 
For like how many years have we had like three choices? Yes. That's it. Yes. We have the Linux Unix world. We have Mac and we have Windows. Now we're going to have Fuchsia. Now we're going to have an Apple OS. Now we're going to have a, how many other vendors are going to jump in the pool? I think laptops and desktops and actually physical servers, you're not going to have laptops anymore. You're not going to have desktops anymore. That's kind of scary, but if you open up like a Google Chromebook and you don't have access to the internet, I'm very limited in functionality. So now we have to have an internet. Well, what kind of functionality does a normal user need to really have? I mean, I could understand from an administrative perspective, you might want to have some elevated privileges, but most people, all they do is they go on email. They want to surf the web. They want to go get pictures of, you know, they want Siri to go get pictures of their grandkids or anything like that. So once again, I don't think the processing power is really as needed as if you're talking about doing some type of AI or machine learning or anything like that. That's going to be always in the background and almost kind of like a full circle. We're going back to the data center where the number of... The dumb terminals. Yes. The dumb terminal and all of the machines are going... As long as you can... I think that when we started with data centers and you needed access, you had to sit there and schedule access to the data center, but then we're going, okay, we could never get any access to the data center. So that's when we're getting distributed computers. Now I think we're going back to where we're putting everything back into a data center and as long as we can get access to the data center, we're good to go. Now this is a cycle we've seen. Now you and I have been in IT long enough. 
The people in the cheap seats, way back when, when we were in college, you had to request access to the data center. You had to sit at a dumb terminal and at your time slot you could log in, and your terminal did nothing. No. You had a keyboard and a monitor. That was it. It didn't play Pong back and forth. This is nothing. You just had access to a mainframe somewhere. Then we went to applications that were on a computer. We had PCs in the home. We thought that was great. Then in the 90s, we troubled ourselves with this cloud thing. We tried it. We had online applications and it worked for, I don't know, a year until we figured we just didn't have the bandwidth to do that. And now 20 years later, we're back to the same model. So we just keep coming back to it. There's something about the ease of distributing an application and updates to the application if everybody's accessing it on a single point. If you have the processing power and the bandwidth to access it, then it is good. It's a good ubiquitous target. You can use it. And everyone gets the latest, most secure edition all the time. There's a reason why you've been through the Windows 7, Windows 10, and probably NT back in the days. Once again, Office 365 is so available and so ready, plus they're making the new Windows 2016 so expensive that it doesn't make business sense to actually do it yourself. They want to force you to go and almost kind of like the storage places where you sit there and you store your old furniture or whatever it may be. You keep paying that bill every month and you're going, man, where did my furniture go? Oh yeah, it's in that storage place that I had three years ago that you've been paying every month. I have a feeling that Office 365 and all of those data centers are going to be like that where we just throw up all of our stuff in there and going, oh, I guess we're just going to pay for it for the rest of our lives. This is more ways to lose stuff. Yes. 
You know, when are we growing up? It's always, oh, it's in the attic. Oh, it's in the closet. Yeah, how many people out there still have a storage room? Where are they going? I wonder what's in there. When's the last time I actually went out to the storage place and saw what was in there? There's a point when you're afraid to open the door. Yes. It's like, I just want to get into it right now. I'll buy a new hammer. Yes. Exactly. But that's when you're going to buy a new computer and it's like, oh, I don't know where my data went. Well, don't worry. It's in China or Russia or wherever the distributed stuff is going, right? That's a little scary. Okay, let's get into it now. We're talking about the leadership and companies of this week's topic. I'm saying that CEOs need to get behind cybersecurity in a way that's effective across the enterprise. And what I'm seeing is CEOs have been so budget conscious, focused on the bottom line and the share price of 90 days and satisfying the shareholders and the board of directors that they're forgetting that the stakeholders of the company, the employees and your customers are actually under a significant risk for the loss of data, the invasion of privacy, and a huge amount of money loss. So shareholders too can lose money if a company gets breached, right? I'm sure Home Depot and Target, they lost a lot of share price on that one. They're coming back up. They're coming back up, right? But if the CEOs had had, in my opinion, a little bit more foresight and not been so old school about share price, they could have prevented that and kept their stock on a very even keel and been able to tell their shareholders, we're taking care of you. And I'm going to agree with what you're trying to do, but I'm going to totally disagree with what you're trying to, how you're trying to go about it. 
And what I'm talking about is a friend of mine that I used to work with, a colleague where I used to work, always told me when he did different types of risk modeling, you have to have certain assumptions in the beginning, certain foundations in the beginning. If you don't have those assumptions in the beginning, you can always argue the outcomes or whatever it may be. Now, I believe that CEOs are smart. I cannot believe that a CEO ever gets hired if they're not smart. That has to be an assumption that I have to make that they're going to do the right thing. I believe CEOs and business leaders have limited resources. I think we could at least agree that they have limited resources. They do have limited resources. They have to do that. So with those typical things, I do believe that CEOs and business leaders have dealt with risk for 30, 40 years. It's nothing new to them. And I keep hearing from everybody telling me, cyber risk is business risk. Well, no, no, no. I think there's a divergence there too. I believe in my opinion, and we should get into this after the break, in my opinion, CEOs have understood risk for generations. What I don't think they understand is the risk in the information world and ones and zeros and what they cannot feel and touch and look at and see. And there's this information that's floating around that they really have not been able to conceptualize that risk. I agree with you 100% on that premise, but I'd like to get into the why. Okay, let's do that right after the break. We're going to take a break. Come back in about one minute. We'll pay some bills. Until then, base it. (Japanese station promo: Hello, Hawai'i. Every other Monday from two o'clock. Everyone, please watch. This was Yukari Kunisei.) Aloha. Aloha. My name is Mark Shklov. I am the host of Think Tech Hawai'i's Law Across the Sea. Law Across the Sea is on Think Tech Hawai'i every other Monday at 11 a.m. 
Please join me where my guests talk about law topics and ideas and music in Hawai'i and all across the sea from Hawai'i and back again. Aloha. Welcome back. Thanks for staying with us over that minute. I hope you enjoyed the commercials. We're at the Cyber Underground. I'm here with JT Ash, and we got a lively discussion going. Two different opinions on how we should approach cyber risk in the enterprise. I'm saying CEOs need to step up and do more. I'm saying that CISOs need to step up and do more. Here's my perspective, and it's kind of like me and you kind of thing, because we're kind of like the yin and the yang. I'm more of the vulnerabilities internally, looking at myself, trying to figure out what I can do to protect myself. You're more of the external, let's look at the threats, and then once I understand the threats, you're an external facing thing, but it's kind of an out of control type of thing. So instead of CEOs being cyber champions, I'm saying CISOs need to be business champions, because if I'm a business champion, if I understand from a healthcare perspective, if I understand how revenue is made, if I understand how controlled substances are done, if I understand those business processes, I can help protect their information better from an internal myself. What can I do myself? I can't control what a CEO is going to do. I can't control what a threat's going to do, unless I sit there and try to put a honeypot or something like that. I can control it that particular way, but other than that, I really have no control over the threats or the CEOs. I have control over what I can do as a CISO, and what I can do as eliminating or mitigating any vulnerabilities. I think we jumped forward here with the assumption we have a CISO. True, true, but I think you do have a CISO, because I was listening to a podcast or a webcast the other day, and actually you have had a CISO for the last 30 years. It's just been another name. It's called a CIO. 
The CIO has branched off into like five different C-suite roles. You've got a CISO, you've got a chief data officer, you've got a chief technology officer, and you still have the CIO there. So once again, the CIO was all of these things back when me and you were younger type of things. So I do believe that we've always had the CISOs, just like when we started working, when they branched off the CISOs to the CIOs, we had to sit there and convince the CIOs why it was in their best interest to do hardening, to do patching, to do different things. Because once again, it's going to expand their human capital. And once again, they've got only limited resources of where they like it. So once again, just like this particular perspective of business, I need to talk in money terms to a CEO, and I need to convince him why it's in his best interest to do certain things. Because once again, when you're talking, when something happens, when the Target guy gets breached or whatever it may be, the CIO wants a couple things. One, have we fixed it? Two, do I have a story to tell? And that's going to be the big thing. They want to have a story to tell that, hey, I had the NIST cybersecurity framework. Our maturity level was three. We had protections in place. We had detecting. We have a SIEM in place. We have a vulnerability management system. We have an incident response plan that gets tested on a yearly basis. So once again, he wants to have that story to tell that says, hey, shareholders, hey, board of directors, we did everything humanly possible, but both me and you know. You can do anything you want, everything humanly possible. And if somebody really wants to get your stuff, they're going to get it. Sure, if they spend enough resources. Yeah, you'd be a target of a nation state and there's no defense at all. I think I was more talking about, Target's one of them. I think they both got breached through point of sale systems, right? Target and Home Depot. 
But my biggest gripe is breaches like WannaCry against the UK health system. The NHS went down. They were using Windows 7. They made a conscious decision not to upgrade that operating system or even patch it. Of course, that patch wasn't even available; Microsoft had to customize it, but they could have upgraded their operating system, but they made a conscious decision not to, and in doing so, they accepted the risk. Yes. And it was a complete fail. So you don't think that the leadership championing cybersecurity and knowing more about cybersecurity would have maybe changed that outcome? Yes and no. And the reason I say yes and no is because I love those answers. Yes and no. I believe the CEO and the board has to set the risk posture, the risk culture. And once again, I'm the CEO. I'm telling my business lines. This is our risk appetite. So once again, this is what I'm willing to accept. This is what I'm not willing to accept. CISO, here are the resources that you need to achieve the risk posture that I've set out. And once again, if I'm not implementing his desires for that risk posture because once again, I've seen so many places where they're going, well, what's our risk appetite? It's like, well, what did the CISO say? Well, the CISO doesn't set the risk appetite because once again, we don't control the risk. We don't bring the risk into the company. It's that person who wants to sit down and do the new, we want to integrate all of these information feeds so we can put AI into practice and make better decisions or whatever it may be. So once again, when those guys bring risk into the environment, they have to understand the risk appetite. And once again, I have to go and let that CEO know this is what I need to meet and achieve your risk appetite that you've set for the company. So if they say no. And once again, they've tacitly or overtly kind of accepted the risk. And once again, that's their job. They get, once again, they're juggling balls. 
And once again, I do believe this. And when I've worked for as many CEOs as I have, their number one main thing and where they get paid and where they get their money from is growth. They want their company to grow. Sure. And if you understand that their big thing is to grow the company. So once again, so the shareholders are happy, so the users are happy. How can I as the CISO help the company grow? And once again, you're looking at it from his perspective and you're helping him achieve his goal. He's usually pretty amiable to give you what you want and what you need because he knows you're not just in it for security. You're in it because you want to achieve the goal of growth for the company. That's a good point and we should talk about if we're helping achieve that growth for a company. So we're going from this, it's a corporate posture. We're an enterprise. We come in as a security person, a CISO, CIO maybe. And we say we want to help you grow. Do you think, and I'm going to tell you, this is my opinion. I think that CEOs, especially in the United States, have far too great an appetite for risk. They just, they see that six month or three month share price and that's all they can see. And if they see that you need to spend X number of million on a bunch of security upgrades and it's going to prevent them from getting another 20 cents per share, they're going to say no. And probably if you were a CEO, you'd probably say no too because once again, when I sit there and tell them, this is your risk posture, there's no guarantee that it's going to happen. One of the wonderful things about being in security is we used to talk about possibilities all the time. We'd go out to the bar, have a beer and say, well, if this happened, this would really happen, or if this would happen, this would really happen. But I think we've evolved as a community in security and we start talking about probabilities, not possibilities. 
Don't tell me what's possible because I know that anything's possible when it comes to technology. But tell me what's probable. Give me a probability statement that's saying, okay, I think there's a 10% chance that there's going to be a tsunami this year. And if there's a tsunami this year, it's going to have this range of damage or impact or whatever it may be. And if you can give him something like that, he's going to say, I have enough information to make an informed decision. If you sit there in Nebraska and you tell them that there's a 10% chance of having a tsunami, they're going to probably tell you to go pack sand. That's just how it goes. So once again, I think we've evolved as a community and as a security community that we don't come to them with possibilities. We come to them with probabilities. This is the probability that it might happen. And if it does, this could be, this is the range of impact that could happen. And once again, if you have insurance, that will bring the impact to maybe a tolerable level or within the risk appetite of the company. Once again, it's a whole shell game. No, I agree with you. I just think we've been changing at such a rapid pace, right? We were level for many years through the 90s and early 2000s, and then we started to increase the risk of these cyber breaches and cyber incidents. And now we've done this asymptotic launch curve, right? And we're at the last two years, this is two shows ago, I believe. I brought up the statistic that out of a survey, 2,500 companies were surveyed over six countries. And 90% of them said, we've had at least one cyber incident that brought us to our knees and interrupted business services at least in the last 24 months. Now, out of those 24 months, 75% of the same companies said they'd had more than one. Maybe even three in the same 24 month period. So I don't think before that, we were so sure we were going to get a cyber incident. Now, it's almost assured. 
Now, instead of there's a 10% probability that it's going to happen, now we're saying there's a 10% chance you're going to escape it. And it's funny that I think if there's that fulcrum and you can help me with this, right? We have to achieve a balance on a company, right? How much security do you want to put into something versus how much it's worth, right? And if you say, well, we got to put four billion dollars into security, well, what are we protecting? Four billion dollars. Well, now it doesn't really have any value, right? It has no value whatsoever. We got to balance the equation. So how do we effectively tell the CEOs and CIOs, listen, balance the equation by putting this much into it. Because you're protecting this. Sometimes I think the value is missed when you say it's not just the fact that you lost a million credit card numbers and you're going to get fined $1.75 per number, right? It's not just that. It's bad PR, right? No faith in your business at the point of sale, right? You're going to lose money. Your share price is going to go down. There's a lot of loss to put into a breach. And as of last year, the average, this is 2018 data, now the average breach data loss in financial dollars came out to $7.5 million per breach. Small companies wiped out. Medium companies on the brink, a medium company might be able to weather one of those, but two, you're dead. So this is a big company tolerance that you could do. But everybody else, the risk tolerance has got to be pretty low, don't you think? Well, what I think we've done, and I think we missed the boat when we started doing all of these particular things because it was very easy back in the days when everything was in a data center. But then you had new businesses saying, I want to do this, this, this, and this. IT, help me out. I need to do this, this, and this, and IT's gone. I don't have the skill set. I don't have this. Okay, I'm going to go put it in the cloud. I'm going to go put it in Amazon. 
I'm going to go put it at AWS. And once again, the threat surface jumped. Exponentially. Exponentially. So once again, I'm a big proponent of the NIST cyber framework and all that stuff. And you have identify, protect, detect, respond, and recover. And we missed the boat when it was coming time to identify because the CISO doesn't identify where your jewels are. The CIO doesn't identify where your jewels are. The businesses have to come in. And then having their, once again, Value your assets. Business line, come in and tell me, okay, you're using this application. Application A. And application A supports this business process. If this business process is not working for a day, how much money do we lose? And we haven't had those. We've got about 30 seconds left. I know this is an awesome topic. Let's just do this again. I want to keep doing this. With the last 30 seconds, do you got anything to tell us about the University of Hawaii and what you're doing? University of Hawaii. We've been maturing as a program. And we're actually going through our assessments program right now. So once again, we're maturing as a program. A lot of the clinics are taking a really hard look at and actually identifying where their crown jewels are and making sure that at least we understand where our information flow and our information exists. Where to apply the security. Yes. So once again, we're starting at the beginning where you should. Hey, thanks for being aboard. Sir. I really appreciate it. Aloha. Yeah. Thanks again for being on the Cyber Underground with us, everybody. Join us next week for another exciting episode. We'll try to make it as good as this one. Aloha, everybody. Stay safe.