Welcome back to ThinkTech. I'm Jay Fiedel here on a Thursday at the 11 o'clock rock hour. And today we're going to do ThinkTech Talks. And we're going to talk about cybersecurity. In fact, the name of this show is Cyber Intrusion: The New Normal. And notice I didn't say Cyber Intrusion: The New Normal? I said The New Normal. It's not a question. It's a fact. And we have Frank Haas, who's been on the show before. Hello. How are you, Jay? Welcome. Welcome aboard yet again. And Dave Stevens. Hi, how you doing? Good to be here. Good to be here with you. And these guys are both teachers. They're teaching cybersecurity. Am I right? Did I get that right? Yes. Talk about how you got into it and what you do every day. My course is a brand new course, and it's in the hospitality department. The reason we started offering this course is that we looked at what's going on in the hospitality industry and said, if you're not paying attention to cybersecurity and hacking and all those other mean things that can go on out there, especially in the hospitality industry, you're missing a big chunk of what our students need to know. Briefly, why is the hospitality industry a target? Well, hospitality embraced e-commerce very early. And if you look at any of the stats on e-commerce, travel is a huge part of that. So, you know, John Dillinger was asked why do you rob banks. That's where the money is. And the money in hospitality is very, very enticing. So, that's one reason. And the other reason is the amount of data that we collect. It's not just a transaction when you're buying something from Amazon.com. We're getting information on your travel dates, your family names, your credit card numbers, all kinds of stuff. And your frequent flyer points and your amenity points and your preferences. We have all that data. And the more data you have, the more valuable that is on the dark web. So, it's a very hot property. But you need to get the data.
It's part of the 21st century to have the data. Right. And you actually facilitate their travel. Right. And people want to get it. I mean, if you want to take a trip, you want to tell the hotel when you're traveling, how many people are traveling with you, all that good stuff. And that gets to be a very rich source of information that the bad guys want to steal. And Dave, tell me about your, you know, entry into the field. What do you do every day? Well, I started out in about 2005. I was doing embedded programming for cryptographic microprocessors, kind of a really heady game. And then, like Rick was saying, e-commerce came up. And I worked for a company that did a lot of e-commerce. And I told them, hey, there's a lot of ways to get your data that you might not know. And I started securing their servers and locking down their network. And I kind of got into the business. I came out here to Hawaii to work for HMSA in 2005. And I just fell in love with the place. They have data. And they have a lot of data. In fact, they had it on tape drives back then. And they were doing mash-up networks where different disparate networks from different time periods had to talk to each other. So I kind of did that. And then I got into teaching. Now, right about 2015, the TACT Grant Trade Assistance Adjustment Community College and Career Training Act came out. And we had a grant out here in Hawaii for healthcare workers and cybersecurity. And about $5 million went into the community college system for cybersecurity. I was hired as the coordinator for cybersecurity to get all those community colleges to create cybersecurity certificates for their students. So now we offer a course curriculum pathway to be trained in cybersecurity so you can go into the field as a cybersecurity expert or to transfer to UH West that does a Bachelor's of Applied Science and Information Assurance. This is very good, because this is a field that is expanding. You know, our world is changing. 
And we need to identify the sea changes. This is definitely one of the sea changes. You said intrusion isn't a question. It's a statement of fact. There's job security in cybersecurity. Job security and security. I like to tell my students that the unemployment rate right now for cybersecurity professionals is zero. If you come out and you have the experience and you have the qualifications, you've got a job. So big question. Are those jobs here? Many of them are, yes. And we work with federal agencies. Everybody from the DOD, FBI, CIA, and NSA. And in fact, one of my students, who is going for a security clearance, is going to do a cybersecurity internship with the NSA and hopefully work for them. Well, that brings us to our top story, doesn't it? It does. You know, I asked Frank, well, we can talk about it first. And you know, I told him I heard a big story and okay, the big story is here. And of course, our rule is top down. This is news. We've got to cover this. So, wow, WikiLeaks. This is different. It's a different kind of WikiLeak. This is a WikiLeak about the government hacking us. No search warrant involved. Yeah. Right. And I think also what's disturbing is if you know what the law enforcement agencies in America are supposed to be doing, the CIA hacking us internally is a little out of their realm. We have the National Security Agency for that. We have the FBI for that. We have local law enforcement. The CIA is supposed to do external from the borders, and this is a little different. The other disturbing thing that I thought about this was this is only what America does. WikiLeaks hasn't released what Russia does or what China does or what North Korea does. So it's exposing us to our enemies, but our enemies aren't exposed to us. That's basically unfair. It's very unfair, and it's tipped the balance of power now. The good news is that the CIA is going to have to do a quick 180 and start developing new stuff.
So it's going to get us back in our game, but in the interim, we're vulnerable. I think one of the fallacies that it points out is that anything can be kept secret. Yeah. And in fact, nothing can be kept secret. You can't assume that anything's going to be kept secret. So, you know, what WikiLeaks did is they hacked the CIA. Who would have thought that they could do that, but they did. And a lot of times what the government does is it develops all these high-tech sophisticated intrusion devices with the assumption that they're always going to have it, and then they find out that somebody's using it for bad purposes. The government, in fact, developed one of the dark web browsers that's used by a lot of malicious sites, TOR. TOR, yeah. They developed it for a lot of legitimate reasons, but, you know, you can't keep the genie in the bottle. Right. You can't keep this kind of technology in the bottle. Can you keep any kind of technology in the bottle, you know? Not only that, it moves at the speed of light. So, it's a running game. You're trying to run ahead of the hackers, and if you trip or hesitate, they overtake you. Yeah. And it's just that constant game. And if you retire, go off the grid, put down your phone, put down the computer, go to the South Shore of France, the only thing they can get you with is satellites. Just to illustrate how this all connects to real business: TOR, which is a dark web browser, enables people to go on the web, and the bad guys, the hackers, have stolen not only money and names and data, you know, because a lot of what the hospitality industry does is other forms of assets and values, like points, frequent flyer miles, things like that. You can go on to TOR and find websites where you can put together a vacation, you can buy with cybercoins, with bitcoins or whatever. You can buy hotel rooms, airline tickets, upgrades, attractions, and it's a whole separate little nefarious e-commerce world that's out there.
Aren't bitcoins also exposed? They can be. Of course, they try hard not to be vulnerable. Right. They would make a natural effort. I would, too. It's monetary, right? So, put a lot of effort into it. Everything's exposed. Yeah. The world of bad guys is kind of a free market. And bitcoins, they're not the only people out there. There's Zcash. Oh, yeah. Yeah. Well, so, you know, the thing about it is, I mean, Walden Pond, John Henry Thoreau, you know, you kind of escape to the North Woods and, you know, separate yourself from society, that's impossible. You can't do that. Unfortunately, it's impossible. They do not have dentists in the Yukon. So, you have to stay, you know, with the flow, with the people, with the civilization. But the price of staying with civilization is you are exposed in every way. Well, you know, here's the conundrum. People want to share their data. They like the fact that Amazon kind of knows what you want. They like the fact that... Amazon, my friend, it knows what I want to buy next. It tells me what I should buy next. On the travel sites, it knows because of your behavior, because of where you've been before, or the kinds of purchases that you've made. It knows the kind of vacation you're going to like to do next. So, people willingly give up that data, and, of course, they'd like it to be safe and sacred and all that stuff, but the bad guys get to it. Well, you know, we had a show yesterday about security and energy, and the black box that, you know, that can tell what you're doing in your house, how much you're using for your appliances, and what time of day when you come, when you go, all that stuff. And people, you know, generally, they don't care. You can know that. And you have to be a cyberterrorist to make use of some of this. Well, maybe I would like to... I'm a terrorist now. I would like to know when you come, when you go.
I'd like to know your habits, because then I can get it in your life and steal things from you, the like, what not. So, I think most people, as you say, Frank, they don't care. It's fine. You can know about me. I have nothing to hide. And yet, if, you know, the rule here is that, no, you don't think you have anything to hide, but if somebody does an analysis of all the data that's available from you, aside from credit cards and that kind, you know, they can hurt you. One of the bigger dangers is actually using you to get at somebody else. So, smaller vendors connected to larger vendors are actually an easier exploit than going after the larger vendor. For instance, if you want to hack the DoD, you go after a small vendor who supplies nuts and bolts to the aircraft supplier at the DoD. If you hack them, they have a connection to the DoD you're in. And you didn't have to go through this enormous penetration of, you know, the firewalls and their network system. You use the smaller vendor. And you can do that with people. And 90% of the hacks now are social, convincing people to do something. It's the con game, but only on the internet. And that's what all these phishing emails are for, this exploit, that connection to other people. And for the travel industry, it's not, I think it's not just the travel sites, but also people go on trips and then they accentuate the experience with posting to Facebook and all their other Pinterest, Snapchat. And then people that are trolling the web will put all those pieces together and see, oh, you're not in your house. You're in Spain. Perfect. I can go in there now, because I know you don't have an alarm and monitoring them. Sell that information. It's a whole industry out there. It brings me to a question about, you know, this area as a matter of teaching, this area as a matter of teaching smart people how to hack. How to do this creative social hacking. You know, I agree, absolutely. I mean, it's always been the case. 
But if I'm a smart guy and I'm not worried about getting caught or I see the stakes are so high that getting caught is down on the food chain for me, why don't I go into that? Why don't I take what you teach and turn it against society? I'm not necessarily going to get a really great job that will pay me as much as the bad guys, the black hats will pay me. Why don't I do that? Are they doing that? Are your students doing that? I can't tell you that. I do not know. Okay. I don't go around dragging them. Hey, are you a criminal now? By the way, how's it going? You do crime now. No, the theory behind sharing that much information has always been, if we put all these hacks out in the open, then the people that need to defend against them will see how the people are hacking and develop exploit defenses. That's the theory of sharing all that information. One piece of logic that comes out of this discussion is if you say that 90% are social hacks, then that means that public education can really help. Oh, very much. That's sort of the orientation of the course that I teach. Dave teaches the technical stuff. I teach, you need to know this because you're vulnerable and you need to understand the management responses that you have to have. So what do we need to know? First of all, you need to be sensitive to the fact that that's out there. Secondly, you need to be willing to invest money in it. You can't just have McAfee and some security light. If you're serious about security, you need to have the right people on staff, the right budgets, the right software, and that's an important part of our course. It's just as important as everything else. The other issue that we have in hospitality is we want to be customer-friendly, but we also want to be secure, and there's a tension between those two things. If we just handle data casually, it's very easy for the customer. It's very easy for us, but it's very insecure. So what do we do with that? How secure do we want to be? 
Do we want two forms of authentication? Do we want passwords? That puts some barriers in between you and the customer for a sale, but that's what we may need to do to make it safe. So this is what we call the CIA triangle of security: confidentiality, integrity, and availability. If you lean too far in one direction, you lose the others, right? You've got to balance it out. Right now we're going to balance our show. We're going to have a break. It's a balance thing. Okay, we're back live, and you did it again. You missed our break discussion, because our break discussion is sometimes the best part of the show. We'd like to recapture that right after the break. So I was going to ask these guys to differentiate between what kind of advice, system, software, companies you hire on a corporate level and compare that to what you hire individually, because you have a lot to lose individually, too. But Dave said, my answer to that is going to be a surprise. It might come as a surprise to many people.
So if I'm the human resources director of HMSA, and I need to lock down my security and make sure I have cyber people working for me, most people will think, I need to go out and hire five cyber guys to handle every 1,000 people. That's not the way it works. You cannot do that. Security is a hive mentality. Everybody's got to know what's going on, and everybody has to know all the attacks that could come in, especially social. So company training of the employees is the most important thing. So you might not think that all these things have to happen. You just hire a couple of security guys, but you need a security guy to really get into the nitty-gritty. But then you also need the person, kind of like me, who talks the good game and can train people and be kind of entertaining while they do it, so it gets into people's minds. So people are aware that there's problems out there. Now, while those people are doing their regular job every day, they're going to be aware that these problems are happening, and you have the security guy monitoring this network in the background. So you need to... You need both. You need both. Yeah. So you can cut out, like, 90% of these social attacks, but you still have the 10% of the technical attacks. That's right. You still need to lock down the network, yeah. Yeah. Now, he's talking about a corporation. This is a corporation, yeah. Okay. Is that the same for the hotel industry, for your world? One of the challenges we have in the hospitality industry is the willingness to spend the money to do things that aren't sexy. You know. Marketing is sexy. Upgrading the software in the rooms. You know, you're betting and things. That's sexy. You know, redecorating is sexy. Spending money on security is not sexy. So what we wanted to do with this course is to underscore the risk that's involved. And it's a huge risk. Just in the last few years, some huge names in hospitality have been hacked. 
Starwood, Hilton, Hyatt, Uber, British Air, all over the place. When you say hacked, you mean everything that was available? All of my data and my dealings with these companies was taken, or just some of it? It depends. It depends. Some of it's very limited. Some of it's pretty huge. In fact, just some stats on this. And these are not necessarily hospitality hacks. Well, when Sony PlayStation was hacked in 2001, there were 100 million customer records that were taken. Including mine. You know this. Oh, I know this. It cost the company $170 million to recover from that. That was a warm-up for what happened in 2011. 2014. 2014. Sony, again, somebody stole and deleted terabytes of data. So they really got hacked. And that episode cost them $100 million. And American Express was estimating that the global cost of hacking is about $400 billion. So now it's become a bean counting, tipping the scales the other way. Most people would say, well, the risk doesn't outweigh the cost of implementation of a security solution. Now it's tipping the other way. And what most people are seeing is that you can't just, like he said, you can't just throw antivirus on there, intrusion detection and a cyber guy. You've got to do the hive mentality. But you've also got to come up with a plan. Most companies don't have a security plan. How do we handle our backups? Where do we secure our backups? How do we handle authentication and account management? What do we do when we terminate somebody? What do we do when we onboard somebody? How do we handle their security? What levels of security do we apply to what departments, and how do we separate them? I don't know if this has happened, but you mentioned a minute ago that when the Sony intrusion happened in 2001, it included your record. Oh, that's not the only one. Oh, yeah. I mean, it's not a question. It's a statement. We've all been hacked. And if we haven't, it's just a question of when. Big time.
It wasn't before the internet, but somebody stole my passport, and this was in the days before the secure passports. He cut my picture out, replaced it with his picture, called American Express, called Visa, said, I'm Frank Haas, and I've lost my card. Can you give me a replacement? Oh, no. So he had identification. He had a legitimate card. Yeah. And he also, because he had my passport, he knew that I was going to Australia. So he knew I was out of town, and ran up about $10,000 in about five days. Wow. Wow. That's quite a party. Were you able to recover on that? It wasn't, because it was fraud. The card companies were responsible. Yeah, yeah, yeah. It was a little exciting trying to check out of a hotel in Australia. When you give them the card and they say, oh, that card has been canceled. Nowadays, the credit card vendors, MasterCard and Visa, will employ a heavy fine if you're a vendor who takes credit cards and you knowingly did something or were negligent and got hacked, and those numbers are exfiltrated off your network into criminal hands. So the merchants have a duty, have an obligation. They do. It's called PCI compliance. It's not a federally mandated thing, but it's a recommended thing. And the companies like MasterCard and Visa will impose heavy fines if you do not do your due diligence and get an audit for PCI compliance. You want to say, Fred? Well, when you think about the hospitality industry, there are so many points of transaction. I mean, there's the initial purchase, but then restaurants, bars, activities. So you're giving your information out all the time. All the time. We need to train our staff to be very sensitive to the sensitivity of that information. Well, as you guys have said early on in this discussion, it's a moving target. It's changing all the time. It's a cycle thing. It cycles up and cycles down and all. But one thing that strikes me is there are legal implications here.
If you lose $10,000 or more, if somebody gets hacked for whatever, then somebody, experts like yourself, can opine that that company was not doing a good job. It was not complying with those rules. It was sloppy. It didn't have any credible security systems or people in place. It hadn't told its personnel. And if I know that, if I know all of that, I say, gee, I lost $10,000 just now. Why don't I sue those guys? Because they violated a duty to me as one of their customers. No, a business defense would be a security plan. We had a plan. We were doing all these things. We still got hacked. So it might be an honest mistake. But if you went to that company and they didn't even have a plan, they're just haphazardly doing things and it's all what they call tribal knowledge, then you'd have a great case. I don't know if it's happened, but I think it's just a matter of time before it does happen. Sure. It's on the clock. And it's not just companies. I mean, the Office of Professional Management, the OPM for the government, they handle all the information for security clearances for everybody in the DOD. They got hacked. It's really hard to fit the government in this landscape we're talking about. They get hacked. They've been hacked a number of times. They hack us. Everybody's hacking everybody. Yeah, that's true. So cyber intrusion is the new normal. I guess the question is, how do you adjust your life to the sea change? This is the closing area of the question I'd like to share with you. What do we do here? We can't go to Walden Pond. We've got to engage in the society as it exists in the 21st century. We've got to have a credit card. You've got to have a passport. All that stuff. So what do we do to minimize the risk individually and corporately? I mean, is it just a general principle? How do we stay clean on this? How do we stay safe on this? And how much hacking do we have to do?
I think, in my opinion, from a corporate level at least, the level of denial has to go away. You can't just say, oh, well, this has never happened to us, so it's not a danger. It's not an if. It's a when. You've got to plan for that. If you put a plan in place, you have a security plan, you know it's going to happen, then you're planning for that. And because you made a plan, you took away an enormous percentage of the risk. Your exposure is much less. As a person, unfortunately, you just have to get paranoid. I mean, my students go around and put tape over their webcam, and they don't have things like Amazon Echo, and they don't leave Siri on their phone, and they talk in the hallway instead of in their room in front of their TV because they think their TV has a microphone. Oh, my God. You could go paranoid very easily. You could go paranoid very easily, yeah. Do you find that people in corporations in the hospitality industry who are in charge of this area are slightly paranoid? If they're not, they need to be. That's just reality. And the course that I'm teaching is about all kinds of threats and security issues, not just cybersecurity. And one of the things you do need to get away from is this deniability. It's not going to happen to me. That's the number one objective of this course. Understand that the threat is out there. The threat is real. And then what do you need to do about it? Dave's talking about a plan. The more elements you have in a plan, the more you're on solid ground. So continually monitor your activity. What's going on? Is there something suspicious going on? Teach your staff to be situationally aware. That was a funny transaction. What's going on here? Spend the money. Do the budgeting that you need to do. Have strong security measures like two forms of authentication. But we also have to get our customers used to the idea that it's not quite so easy to do business anymore. To keep you safe.
We care about you; that's part of hospitality, part of taking care of the customers. To keep you safe, you need to go through a little of that. How about... Well, if I give you a hospitality company or any company that has a gross of, say, $10 million, that's a small company in that business, but a gross of, say, $10 million, how much money can they afford to spend on cybersecurity? Do they have the data? Do they need to protect it? How much can they afford to spend? Well, American Express estimated that every stolen record costs the company $158 per record. So when you talk about thousands of records being stolen, that's a lot of money. There's a lot of risk out there. Yeah, financially. So do you spend $10 million for the $10 million? So usually security companies will go to you and say, you know, if you want a security plan, and they charge you per employee, you have 100 employees, I'm going to charge you $100 per employee. We'll give you a security plan, and they'll just make recommendations to tell your IT people what to do and how to train your people. But that security plan is about $100 a person. And it's a little like any other risk assessment or risk management program: insurance companies will come in and assess the risk. And they'll say, if you want us to insure you, you need to do these things. And that's sort of a system that has an outsider taking a look at your own security systems and making sure that their risk is covered. Sure, it's like the credit cards. The credit cards, you know, they bear the risk. You pay extra, but they're bearing, you know, they're democratizing the risk, spreading the risk. You know, the other thing is that, you know, so you spend the money, you have the plan, you have contractors, security, cybersecurity contractors come in and, you know, pay them well and all this.
And, you know, some of them, you know, there's one that I'm thinking of right now, an international cybersecurity company out of Russia, who you could hire. And I think Fortune 500 companies do hire companies that are global. How do we know there's no backdoor on that? The world is porous. All these companies are porous. Just because they say they're experts doesn't mean they can't get hacked. Yeah, the companies nowadays, unfortunately, have become what they call perimeterless. There is no defined network security perimeter anymore because we've connected to wireless. We have Wi-Fi. We have cellular. We have all these social networks. And then we have cloud storage, which is off-site. We have no idea how Amazon Web Services handles security, but we're directly connected to them. So if they get hacked, we can be hacked through them. Are you feeling comfortable about this? No. And not feeling comfortable is a good thing. Well, I started out this show feeling a little bit uncomfortable, and you guys have not helped me feel more uncomfortable. I think I feel more uncomfortable now. That's why we've got to cover this over and over again. It's a moving target. Thank you, Dave Stevens. Thank you, Frank Haas. Thank you for coming.