 ThinkTechAway, civil engagement lives here. Wow, are you in store? ThinkTechTechTalks, OK, with Terry Yanni and Isabelle Yanni. And we are going to be talking about our new Achilles' heel, Internet of Things and many other vulnerabilities that have come about. In recent years, we're talking about things that have happened recently. And you guys both work for Cisco, one of my heroes in the world, Cisco. Wow. And we have you here in the studio. Wow, to have you here in the studio. We are so happy. Welcome. Thanks for having us today. Thank you. Yeah. OK, so let's talk about the new vulnerability. Everybody knows the Internet is getting more sophisticated, more complex, more powerful every day. All that new software, my new phone. Oh, my God, it does amazing things. And yet it's more dangerous all the time. How does that work? I'd like to start. Well, I think it's important to step back and look at the big picture of how much technology has just invaded our everyday lives. And it's only going to become more and more so. So by 2030, it's estimated that there will be five hundred billion devices on the planet, devices and things, billion, billion. It's it's it's an unfathomable number. But because of the power of technology, we want to connect more and more things to the network, and it just opens up all of these potential windows to to attacks and vulnerabilities. Yeah, I remember learning that every cargo container that travels the world has an IP address. Yeah, how about that? Yeah, talk about Internet of Things and half the stuff that's inside the cargo container has an IP address. Oh, yeah, probably all of it at this point. Really? Yeah. When we think about it from the position of the of the miscreant or the the attacker or the threat actor, how we want to draw some these days. That's called attack surface. So when I think about that, you know, from that perspective, that attack surface is exponentially increasing. I have a multitude of ways now for myself to find a vulnerability and get in and maybe get whatever is valuable to me, whatever was valuable to use, probably valuable to me, too, as a miscreant. So there's a lot of things we we have to start to consider as we see this explosion of devices. And so what's the worst case analysis? Let's look at that. Oh, wow, so many possibilities. Worst case scenario, because it's high leverage. You know, one person with one, you know, bad program can. What can he do? Well, yeah, let's let's kind of let's kind of step back a bit on that as well. So so typically and not to paint a doomsday scenario, but it's one person could do some damage. And a lot of times what you see is if it's one person, it's potentially a hacktivist who wants to get a point or a message across something like that, a threat actor acting alone, not to say that there aren't folks out there who could do that. But what what really keeps me up at night is is the state sponsored and or organized crime where it's it's folks who come to a job. I could be I could be sorry. I could be coming to a job and my job could be research. So I could be in charge of researching your entire social media history, understanding the things you like, understanding the people you're connected to, understanding who you might answer an email from. And then I could have a whole bunch of the United States government or the Russian government or the or the North Koreans. Yeah, they have a whole Bureau 121, right, which is their organized state sponsored cyber warfare division. But all of this stuff, I could have a whole team of folks writing malicious code on the back end to deliver some type of payload onto something that I have socially engineered my way into. So think about that. I have a small piece of the pie and I just understand this is my job. I get paid well to do it. I come to work. I have health insurance. I have benefits. I'm just coming to work. But somebody is putting all these pieces together and a team of threat actors can really do some serious damage. Yeah, that reminds me of the story about those kids. I say kids because they were young in their late teens, early 20s and in a basement in St. Petersburg, you know, and they were smart kids. And I think they were taken out of school so they could, you know, do smart things. And their job was to write social media on certain points. And they were told what key words to use and who to address it to. And when it was done, send it off to someone else in the system. And that other person would figure out where to send it in the United States. So it was, what do you call it, it was specialization of labor. It was a large organization and the ones who were indicted were only a small part of it. Yeah, and you have and that's literally campaign orchestration. So if I want to launch a campaign where I'm either affecting social media or I'm trying to infiltrate some either critical infrastructure, for example, or financial institution, there is a campaign orchestrator. But then there's all the, like you said, specialization of labor that goes behind that. So the organized cyber activity is one that really scares me. So who gets on top here? I mean, if you had this kind of competition around the world, I guess you have state actors is very troublesome. But there's a lot of actors who are sort of semi state actors, independent contractors or something who do it for maybe reasons other than the state reasons. How do you, how do you and then you have this happening in multiple countries? How do you stay on top? How do you get ahead? How do you deal with this risk? Aside from losing sleep at night, I also lose sleep at night. I mean, I definitely don't think putting your head in the sand and acting like there's nothing to worry about is an approach that we can take anymore. We have to have an awareness of what the potential threats are and take action around it. And, you know, every single person is responsible for their own actions and the way that they interact with media. So to your point about, you know, kids sitting in a room somewhere, typing up fake news and that going, you know, to someone else to distribute, we have to be responsible and really question what is it that we're reading here? And is this, is this a legitimate news source? Is this verified by other sources? So just like there are attacks happening on our society and really on U.S. society, those same types of approaches are being taken by hackers and people who want to take some kind of financial gain from attacking companies and businesses and even individuals. And in all of those cases, humans are making decisions to pass on fake news or click on a link that looks legitimate, but really is not. You remind me of the bullying thing, if you will. Something you said just a minute ago. So suppose I want to target somebody and bully him. I mean, and this happens sometimes. It's some justification, but lots of times there is no justification. I want to destroy this person. I can use social media to do that. Absolutely. I can focus on it and make up not necessarily all of it, but most of it. And then he gets the brunt or she gets the brunt. And I've achieved my purpose in destroying. I mean, this is very, what's the word, destabilizing. Absolutely. Socially, governmentally destabilizing. It isn't to take something really far back that the expression that pen is mightier than the sword. There's something about that written word and seeing something written about somebody and then believing it, because it's just simply because it's been written down. So orchestrating a campaign of a social media campaign to achieve an objective, a specific objective, may actually be more effective than dropping bombs. Yes. And that's, I mean, and we've known that for years, right? I mean, we lose confidence in the system, lose confidence in the government, the elected officials, lose confidence in the process. All of a sudden. Any number of things. It's all upside down. But, you know, you're talking about social. We've been talking about social up to this point, and we still have miles to go before we exhaust that. But I think we need to make the distinction, as you were talking before the show, about the Internet of Things. And we're not doing, with social media, we're doing to people, ultimately people. But we also can send bad messages, if you will, to things. And what's the worst case analysis on that? I'll ask you, what's the best case analysis? Oh, that would be wonderful. All right. So, not to paint another story of dooming gloom, but when I'm thinking about that incredible exponential attack surface that's evolving, we were concerned mostly with who can talk to who and how they can interact. I can put a policy between you and myself, and I say, okay, I, you know, I perhaps it's between me and the both of you. I'm certainly allowed to talk to you about certain things, and I'm allowed to talk to Isabelle about certain things, but I shouldn't be talking about certain things with you that I would normally talk about with her. Pretty, pretty easy concept. And a bit of a wall then, don't you think? Yeah, a bit of a wall. The challenge now is that there are so many devices that are IP enabled and connected to the Internet, and the explosion is just happening at such an exponential rate. I now have to be concerned about what is talking to what. And who is talking to what. And when I say that, a perfect example, and I have a customer that I work with, and one of their biggest concerns that they're just now trying to wrap their arms around is this high OT problem, this Internet of Things. All of my AC sensors are Internet enabled. And if, let's just say they're in a desert climate, and they own multiple properties that house hundreds of thousands of hotel guests, and somebody would hack into those sensors in the middle of summer when it's 120 degrees out, and they dial all of those things up to 99 degrees, you would have a mass exodus of folks trying to get out of these boiling hot hotels and find, at least shelter from the heat somewhere else. So think about A, what that would do to the business, and B, what a mass exodus of hotels that hold tens of thousands of people looks like. Injuries, and all kinds of liability, and all kinds of logistical issues, and just the chaos that you can instill by hacking the Internet of Things is amazing. I don't know why, but this reminds me of the Harvard Lampoon. One year, this is way back before even computers, one year the deal was that everybody would rent a car from this one national rent-a-car company, and drive it to a little town in the middle of Idaho, and leave it, and leave it, and it almost brought the company down. It's the mass aspect that you're talking about, unbelievable numbers, changes everything, we don't realize. And another aspect if you think about critical infrastructure, just not to throw it on a complete tangent, but a lot of the machinery that's in our utilities and our critical infrastructure, those are all what's as well. And more and more of those are becoming IP enabled and network connected so that we can automate processes. But if you're looking at state-sponsored warfare, an attack on critical infrastructure is something we've been concerned about a very long time. The possibilities sound like they are unlimited, un-virtually unlimited. And exponentially increasing. Yeah, and the creativity, that's a bad application of the word, but the creativity involved is unfettered. So what's the best case analysis? We all ignore it, and what? I don't think ignoring is an option, but really taking a look at doing an analysis of what are all of our vulnerabilities as businesses, really thinking about not just what maybe IT controls, but what about other departments where the department said, go ahead and bring in your own printer. We're not going to pay for it, but you can bring in your own printer, you can connect it to the network, you can bring in your own phone, your own devices, whatever you want, and we'll just connect it all to the network. Companies that really have to think about all of the different areas that they're opening themselves up to to threat, not just the ones that they're aware of. They have to start thinking, being able to see what they don't even, what they haven't even sponsored, what they don't even know about yet. It strikes me that if you say to somebody, look, this risk exists out there, and you have to do your part in order to not be sucked in, not to be the object of phishing and what have you, and we can talk about that too. But the problem is, A, the average person, it may be over their head, okay? And they may not be able to deal with it very well. B is if you want to go get the businesses to get around, I mean, I suppose in Cisco, you would deal largely with the businesses and try to make them more Akamai about this. And C, government, and we know that government falls on the left side of both businesses and individuals, I mean, in terms of getting things done, passing statutes, budgeting initiatives and so forth. So the problem I see is that this creativity you're talking about can reach into anything, anytime, in any creative way that we can't even imagine. If we spent two weeks in a room, we could come up with some really creative, you guys already know what those creative things are. But the fact is that in order to respond to that, we have to get the whole society organized. We have to get the whole society set up to defend and find protection and solution. Are we capable of doing that? Because our society has trouble doing things in a collaborative fashion, it seems like. And the guys who are attacking can undermine whatever collaborative possibilities we have with the very tools that are threatening us. Yeah, so if you don't mind. Yeah, so one of the things I would put out there is if I'm running a security program for a business or a business entity, one of the big parts of my budget that often gets overlooked is going to be around user education. So my biggest, and this is true of most of the customers I deal with, but one of the biggest vulnerabilities in your organization is your people. They're going to do things that amount to, and I hate to say it, stupidity, but ignorance is probably a better word for it. And that education is on me. It's on me to educate them on how better to do things, how more secure to do things. And a lot of it is common sense, but you have to practice. Just like anything else, you have to instill it and it has to be a practice that you then become accustomed to doing. Don't click on links and emails that you don't know who they're from. Simple, easy. Don't pick up, you know, one of the common easy attack is for an attacker or a threat actor to drop USB keys in a parking lot at a company that they want to hack into. Employees will inevitably pick up these brand new USB keys and think, Oh, free USB. Free memory. I'm going to go put that in my computer and before they know what they've taken down the whole network. So two, two. I'm going to tell you, I'm just going to add a small slide bit of color. I did actually have a customer who would super glue the USB ports on all the laptops that were corporate-issued because they didn't want anybody sticking those in there. Yeah, that's all cool. Yeah, you can't stick anything in that port anymore, but it's a horrible solution. It's cutting off the head for the headache, right? Well, we're going to take a short break, you guys. It's Terry Yanni and Isabel Yanni. Terry is a cybersecurity specialist. Wow, I want that job. Okay, and Isabel is manager of Pacific Operations, make that manager of partner operations, Pacific Southwest. That's big territory, I think. It is a big territory. So when we come back from this break, I like to explore the necessary solutions although we should cover that. But what the world is, oh, this is a hard one, what the world is going to look like going forward in two and five and 10 years, how are these computers going to change? It may not be super glue. Maybe we don't have any USB ports anymore. Who knows what? Yeah, building walls maybe. Okay, we'll be right back. You'll see after this break. Hi, I'm Ethan Allen, host of a likeable science on Think Tech Hawaii. Every Friday afternoon at 2 p.m., I hope you'll join me for a likeable science. We'll dig into science, dig into the meat of science, dig into the joy and delight of science. We'll discover why science is indeed fun, why science is interesting, why people should care about science, and care about the research that's being done out there. It's all great. It's all entertaining. It's all educational. So I hope to join me for a likeable science. Good afternoon. My name is Howard Wigg. I am the proud host of Code Green, a program on Think Tech Hawaii. We show at 3 o'clock in the afternoon every other Monday. My guests are specialists both from here and the mainland on energy efficiency, which means you do more for less electricity and you're generally safer and more comfortable while you're keeping dollars in your pocket. With this discussion, this is fabulous. This is the best that Think Tech Tech talks can do here. Terry Yanni, Isabelle Yanni, both with Cisco talking about, well, now we're going to talk about how the world is going to change because of the vulnerability. And as you called it during the break, the arms race. The arms race. We try, they try, we try. And the weapons get more sophisticated all the time. So we talked before about putting the USB port in your neck. Safer, suppose? Probably not. Probably not. Probably not safer. Is it surgery? Yeah. But what do you do? I mean, China, for example, wants to go anonymous instead of anonymous so that Xi Jinping can tell exactly who's on the Internet at any one time and he can go after anybody he feels is violating all of his rules. Is that, this is out of 1984, maybe in 2084. But what, where are we going on this? Because somebody's going to figure out some really draconian response. And I also think, I'll let you guys tell me what the future looks like. I also think that after a while, prosecution of these crimes is going to get to be much more serious than it is now. And people are going to go suffer horrendous punishment for having tinkered with the system because people are going to realize, government state actors are going to realize the stakes are so high they cannot tolerate. You can't be an innocent violator anymore. You are going to be punished. Anyway, what does it look like in five years? What do you think? Well, I think you talked a little bit about, or a lot about the creativity that's out there right now with the threat actors. And what's fascinating for us to see every single day is that working for a company like Cisco, which is global and huge in a world leader in networking technology, we have to continue our creativity and our development and our intense commitment to the security of these connections and these devices. And we've entered this era of software defined where more and more we're asking the technology to make the smart decisions for us. And we're giving companies and businesses and governments the technology tools they need to be able to adequately fight the creativity that's coming from these actors. So, I mean, it really is kind of an arms race. And it's important for everyone, whether you're in charge of a business or in charge of your household, to make the right decisions around user education but also the tools that you use to fight these potential attacks. Who are the good guys in this arms race? Do we know anymore who they are? I mean, for example, in Russia, they would say, well, we're the good guys. And we have to retain the power to damage and bring our enemies down. And that maintains our view of world order. We don't think that's so in the U.S. But it's like a relative term about who the good guys are. It's just who's on top. It's always a matter of perspective. Yeah. Yeah. So, but you talked about what you do, building walls, anonymous versus anonymous. How is this going to play out? Because ultimately it may be, may I say this? I want to say this in public. It may be that we can't solve the problem. Yeah. That it ultimately undermines our whole society. And there's just nothing we can do. Is this possible? Is my view of that possible? Anything's possible. Anything's possible. No, it's entirely possible. I think it's up to us. I think really the future is up to us. And I think that it's up to us to translate our ethics. So, you've entered the realm of ethics and understanding. So, you said it's a matter of perspective. It's up to us to really understand what we, as a society, deem ethically sound or ethically viable and try to take that almost like policy and instill it on the changing or the ever-evolving technology landscape. That piece is going to progress. It's just going to keep going. And we're going to hang on for the ride and we're going to have to figure out a way to manage our own moral fortitude, I guess over that. Well, and I think one of the good news pieces of it is, Harry talked earlier about how there are just these huge organizations of organized crime and or state actors who are planning these campaigns. But at the same time, we have amazing organizations like within Cisco. We have an organization called TALOS, which is literally 250 security experts keeping the world safe one network at a time because they're constantly gathering information from millions of networks all over the world. Billions of networks all over the world. They process over a billion web requests a day where they can see if there's malicious code in any of them. They look at about 40% of the world's email. Sorry to interrupt. I was just going to say that there, I mean, an organization like that is an army of the good guys and they're looking to keep our information safe, our businesses safe. So they're, you know, we're not without hope and we're not without help because we do have and there are other organizations like this too. It's encouraging. I want to tell you, last week here in Hawaii, I went over with the Pacific Health Communications conference last month and talked to one guy and he was doing cables. You know, it used to be satellites and now we've come back to cables. And the question is, what kind of mischief can you do to cables? Submarine cables. Because if you blow up the cable, you're disconnecting continents right there. And it's very hard on everybody to do that. And this fellow, he was English, a lot of them army. I don't know why so many people in this field. Telecom and internet, by the way, are wedded now. You know that. More than ever before they are one. I'm sure Cisco is involved in this sort of communications thing, of course. But what he said was interesting. He says, the bad guys are not necessarily going to bring the submarine cables down because they need the submarine cables to do their work too. So there's certain things that are sacrosanct that you can expect, you know, act as a break on the activities of the bad guys. Yeah, rather than break a cable or like a trans-specific cable, I would rather, if I were a miscreant, tap that cable and see the information flying by. That's more valuable to me than breaking the cable. You spoke before, Terry, about the idea of using artificial intelligence to defeat the bad guys. How does that work? How would you do that? And how would you keep ahead of it? What sort of mission would you give to artificial intelligence? So let's take it a step higher. And this is a great topic. So one of the things we're doing now, and we talked about the arms race, one of the things we're doing now, and let's tie a lot of things together, she had mentioned tallows, is we're taking a lot of information in and it's humanly not possible to process this information and do anything useful with it. So if I can begin to automate some of that, if I can use machine learning and artificial intelligence to spot and behavioral analysis to spot anomalies that normally a human would have to spot, if I can get it intelligent enough that I can say, you know what, Jay logged in from Hawaii on his laptop and at the same time, he logged in from China. That's a very basic example. Yeah, something about that doesn't add up. So let me look further into it. Let me take action. Let me kick off an automated process. It's going to say, well, what device did he log in on? What time of day was it in China? You know, or what not? And start comparing some of those things and add up what we would call a risk score. As soon as I cross a threshold, this is something that a human now needs to take a look at. What I've done there is I've taken my limited amount of human resources that I have who are sharp as attack and ready to fight these battles and I've limited the amount of noise that they're going to see and I've really qualified or validated the threats that they're going to analyze because we just don't have the bandwidth to do it. So that automation, that behavioral analysis and machine learning and AI can really help us to do that. One stat I was going to add with Talos and it's probably the most telling stat is Talos actually feeds all of the Cisco devices out there with threat intelligence. That threat intelligence and what it feeds those devices blocks three times as many threats in a day as Google gets searches. So think about the magnitude of that. Billions, huh? Yeah. Billions of threats a day. I think 21 billion, something like that. Yes, but we only have one minute left. I want to ask you one question. Oh, God. We referred to, we have talked before in this discussion about educating people, educating individuals, educating companies and so forth. And you're always subject to fishing and they get a profile on you. They know how smart you are, how Akamai you are about what comes down your email and if you're not so smart, you've been a target for them and all that. And fishing at the same time can be very sophisticated and so can false fake news in a bunch of good news. So and then of course we have, we have multiple generations in this country that have ignored computer science. They may use it for play toy and for, you know, social media but not to understand it. I remember when Bill Gates was traveling around from campus to campus trying to find people who had worked for Microsoft. And in a terrible time he thought he was studying the subject. We had a show involving three, you know, star employees who came to Hawaii from Microsoft and all three of them were born in countries other and had recently arrived from countries other than the US. We don't have as much talent as we should have, actually. And not for that matter, go a step further and say in civics and other subjects in school, we're not teaching them enough to be Akamai about making these decisions and choices and protecting themselves from bad data or from losing good data. What do we do about education? I mean, how important is it, you know, in dealing with this? So what do we do about it? I mean, it's so incredibly important. It's our first line of defense. And, you know, I think two things there. First, just with the everyday user, those people who interact with the Internet out of necessity, but they're not really interested in going beyond that. Just having the basics of what does email security look, you know, how does, what does a good email look like? If you get a link from your bank, and it says, click here to revalidate your security password and your username, better not to do that. Just go to the main website for your bank that you know and trust. That's a trusted website. And go in and see if you're getting that same message in your message inbox from your bank as an example. But I think the bigger question is, and in thinking about how do we, how are we going to stay ahead of all of these threats as a society, as businesses? We really need to increase our investment in STEM programs. Science, technology, engineering, and math programs for young kids are the way of the future. And that's the way that jobs are going to change. I mean, there is a massive shortage of security professionals today. 12X. 12X is the traditional IT professional. There is 12X shortage in security professionals right now. The talent is hard to find. If you're looking for a new career. I am, as I mentioned. If I, yeah. You got the application for me. If I could go back to school today, I would want to study, probably, security or data science and data analytics. Because that's the way of the future. And that's the direction. And it's fascinating. The fields are fascinating. So just encouraging kids, college students, and especially, I'm just going to put a plug-in for women to really get engaged in STEM programs is an absolute key to the future for our success. Let me add one point I'd like to add and throw at you is that, you know, kids like games. Sometimes much more than they like studying computer science. But it strikes me that we have, it's a mindset issue. If I inculcated in every kid the notion that there were those guys out there that were playing a game with him or her. And his job was to play back and win. And every email he gets, even if he gets 5,000 emails a day, every email he gets is an intellectual challenge, a game challenge. You know, everything, his engagement, his interaction with the computer, and all the things that happen around him. It's a test, it's a game. And he can win or lose, but he can have fun spotting the bad guys because they're everywhere. Yeah. You know, that would be a good mindset, wouldn't it? Yeah. It's fine. How do you mention that? I think I saw an IT security professional with two video monitors, one inbound email, one outbound email, and he was playing it like a video game. So, my only argument would be, I would automate all that process, and I would only look at the bad ones. But yeah. Oh, you are professional. Well, okay, Terry Yanni and Isabella Yanni. Terry, the cybersecurity specialist with Cisco and Isabella, the manager, partner, operations, Pacific Southwest. It is great to talk to you, and I wish we had more time, but maybe you'll come back soon, and we can talk to you again and explore the situation as it then exists. I would love that. Thank you so much for having us, Jay. Thank you. Thank you, Jay. Thank you, guys. Thank you.